The State of Cloud-Native Application Security Is at a Crossroads
June 29, 2023

Shahar Man
Backslash Security

The pace of cloud-native innovations is accelerating — more enterprise organizations are deploying code multiple times per week, with many doing so daily. In fact, the percentage of large organizations that deploy code to production daily is expected to increase from 5% in 2021 to 70% in 2025 (IDC FutureScape).

Cloud-native has changed application development in other significant ways. The configuration of the layers of cloud-native applications (e.g. code, containers, apps as containers) is now done with Infrastructure as Code (IaC) tools, which effectively blur the lines between application security (AppSec) and infrastructure security. Security risks that were once squarely in the domain of AppSec now bleed over into infrastructure security.

Access to complementary cloud-native capabilities does not extend to AppSec teams, who struggle to match the pace of their development counterparts and take Infrastructure security into account. This burden is compounded by current AppSec solutions like SAST and SCA, which often produce excessive low-value alerts and "noise" because assessments are performed without the full cloud context required.

My colleagues and I at cloud-native application security provider Backslash Security have been fascinated by the fact that dev teams outnumber AppSec teams and the amount of alert noise the latter struggle with on a daily basis. We wanted to dig deeper, so we commissioned a report to find out from US-based AppSec professionals (managers and engineers) themselves how they are faring with these dynamics at play. The resulting report, Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report, illuminated our understanding of AppSec teams' day-to-day challenges and their perspective on the solution capabilities needed to likewise usher in their own cloud-native era.

Appsec Teams Using Cloud-Native Solutions See Declining Utility for Traditional Appsec Solutions

The study revealed that SAST and SCA solutions — long considered staples of the AppSec ecosystem — are losing ground, with just 32% using either of the tools extensively. However, there's evidence that the size and resources of enterprises do influence what solutions are used by its AppSec teams. Enterprise organizations with lower employee headcounts (<5,000 employees) use SAST and SCA technologies more extensively, as they lack the budget and resources to abandon the tools in favor of more complex solutions.

Enterprises Using Traditional Appsec Tools Are Subject to a Costly "Defensive Tax"

AppSec teams using current solutions spend an inordinate amount of time to compensate for their shortcomings. Over half (58%) of AppSec teams report that they spend 50%+ their workday chasing vulnerabilities, and a mind-blowing 89% of AppSec respondents said they spend at least 25% of their time on the same pursuit.

As the old adage goes, "Time is Money." AppSec professionals forced to work in a state of perpetual defense instead of establishing and driving a comprehensive cloud-native application security program has consequences. It introduces Defensive Tax, which refers to the financial loss suffered by stifled efficiency and innovation. By conservative estimates, enterprises lose an average of $1.2 million annually to unnecessary operating costs.

Low "Signal-To-Noise" Ratio Is Chief of Several Prevailing Appsec Solution Shortcomings

The challenge of noisy AppSec solutions were well documented by the time cloud-native development innovations came into play. However, its arrival substantially magnified the "signal-to-noise" shortcomings current AppSec solutions have. Research showed that most oft-cited grievances AppSec had regarding their solutions were: "Prioritizing findings takes a considerable amount of time" (at 48%); and "Existing AppSec tools are pretty noisy" (at 45%). Nearly all respondents (94%) had multiple grievances, but respondents working on the front lines — AppSec engineers — consistently cited more grievances with current tools than the AppSec managers surveyed.

Appsec Solution Shortcomings Can Negatively Affect Other Professional Spheres of the Enterprise

Nearly all AppSec professionals surveyed said current cloud-native AppSec tooling limitations drove negative business impact across multiple aspects of their enterprise organization. The list of challenges includes: increased friction between AppSec and development teams (39%); jeopardized ability to generate revenue (39%); and an inability to retain high-value dev talent (38%) and AppSec talent (35%).

Despite a Consensus on the Cloud-Native Solution Capabilities They Need, Most Appsec Teams Are Not Enabled by Their Organizations to Act

The new cloud-native AppSec paradigm is best characterized by three core tenets: end-to-end visualization of cloud-native app threat models (reduces manual work); correlating AppSec risk to an app's exposure to the outside world; and effective differentiation between general code weakness and critical vulnerabilities.

Despite the consensus of this paradigm within the AppSec world, there is a considerable gap between what AppSec teams need and the enablement to introduce change. While 85% of respondents agree it's critical to differentiate between real security risks and noise in their daily work, only 38% feel that their organization is enabled to do so. This trend persists across all of the most other critical capabilities, including: "Correlating security findings to the developer or dev team responsible for the fix" (78% vs. 43%); "Meeting compliance standards" (78% vs. 38%); "Analyzing threat impact in the context of their production environment" (74% vs 30%); and "Efficient triaging between Dev and AppSec" (73% vs. 42%).

The State of Cloud-Native Application Security Is in a State of Flux - How Do We Move the Needle Forward?

Much like the inflection point that led to the development life cycle shift from the legacy waterfall model to today's model of continuous development, the insights gained from this study illustrate that we've arrived at a similar point for AppSec tools — one that will prompt its adaptation to today's new, cloud-native reality. The cloud-native application development paradigm calls for a new, unified approach to application security — spanning code, application, and production context. Traditional dividing lines between application security and cloud security are quickly dissolving, and this study makes it abundantly clear that today's teams need only the enablement for the tools and technologies that similarly bridge the gap of this dichotomy and meet cloud-native application development where it stands.

Shahar Man is Co-founder and CEO of Backslash Security
Share this

Industry News

December 06, 2023

ngrok unveiled its JavaScript and Python SDKs, enabling developers to programmatically serve their applications and manage traffic by embedding ingress with a single line of code.

December 06, 2023

Data Theorem introduced API Attack Path Visualization capabilities for the protection of APIs and the software supply chain.

December 05, 2023

Security Journey announced support for WCAG, SCIM and continued compliance with SOC2 Type 2, which are leading industry standards.

December 05, 2023

Vercel announced a new suite of features for its Developer Experience (DX) Platform, made for enterprise teams with large codebases.

December 04, 2023

Atlassian Corporation has completed the acquisition of Loom, a video messaging platform that helps users communicate through instantly shareable videos.

December 04, 2023

Orca Security announced that the Orca Cloud Security Platform has achieved the Amazon Web Services (AWS) Built-in Competency.

November 30, 2023

Parasoft, a global leader in automated software testing solutions, today announced complete support for MISRA C++ 2023 with the upcoming release of Parasoft C/C++test 2023.2.

November 30, 2023 achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 29, 2023

CircleCI implemented a gen2 GPU resource class, leveraging Amazon Elastic Compute Cloud (Amazon EC2) G5 instances, offering the latest generation of NVIDIA GPUs and new images tailored for artificial intelligence/machine learning (AI/ML) workflows.

November 29, 2023

XM Cyber announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments.

November 29, 2023

PerfectScale has achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 28, 2023

BMC announced two new product innovations, BMC AMI DevX Code Insights and BMC AMI zAdviser Enterprise.

November 28, 2023

Rafay Systems announced the availability of the Rafay Cloud Automation Platform — the evolution of its Kubernetes Operations Platform — to enable platform teams to deliver automation and self-service capabilities to developers, data scientists and other cloud users.

November 28, 2023

Bitrise is integrating with Amazon Web Services (AWS) to provide compliance-conscious companies with greater access to CI/CD capabilities for mobile app development.

November 28, 2023

Armory announced a new unified declarative deployment capability for AWS Lambda.