The State of Cloud-Native Application Security Is at a Crossroads
June 29, 2023

Shahar Man
Backslash Security

The pace of cloud-native innovations is accelerating — more enterprise organizations are deploying code multiple times per week, with many doing so daily. In fact, the percentage of large organizations that deploy code to production daily is expected to increase from 5% in 2021 to 70% in 2025 (IDC FutureScape).

Cloud-native has changed application development in other significant ways. The configuration of the layers of a cloud-native application (e.g. code, containers, and the applications packaged as containers) is now done with Infrastructure as Code (IaC) tools, which effectively blur the lines between application security (AppSec) and infrastructure security. Security risks that were once squarely in the domain of AppSec now bleed over into infrastructure security.

Access to complementary cloud-native capabilities does not extend to AppSec teams, who struggle to match the pace of their development counterparts while also taking infrastructure security into account. This burden is compounded by current AppSec solutions like SAST and SCA, which often produce excessive low-value alerts and "noise" because assessments are performed without the full cloud context required.

My colleagues and I at cloud-native application security provider Backslash Security have been fascinated by the fact that dev teams outnumber AppSec teams and the amount of alert noise the latter struggle with on a daily basis. We wanted to dig deeper, so we commissioned a report to find out from US-based AppSec professionals (managers and engineers) themselves how they are faring with these dynamics at play. The resulting report, Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report, illuminated our understanding of AppSec teams' day-to-day challenges and their perspective on the solution capabilities needed to likewise usher in their own cloud-native era.


AppSec Teams Using Cloud-Native Solutions See Declining Utility for Traditional AppSec Solutions

The study revealed that SAST and SCA solutions — long considered staples of the AppSec ecosystem — are losing ground, with just 32% using either of the tools extensively. However, there's evidence that the size and resources of an enterprise influence which solutions its AppSec teams use. Enterprise organizations with lower employee headcounts (<5,000 employees) use SAST and SCA technologies more extensively, as they lack the budget and resources to abandon the tools in favor of more complex solutions.

Enterprises Using Traditional AppSec Tools Are Subject to a Costly "Defensive Tax"

AppSec teams using current solutions spend an inordinate amount of time compensating for their shortcomings. Over half (58%) of AppSec teams report that they spend 50%+ of their workday chasing vulnerabilities, and a mind-blowing 89% of AppSec respondents said they spend at least 25% of their time on the same pursuit.

As the old adage goes, "Time is Money." Forcing AppSec professionals to work in a state of perpetual defense, instead of establishing and driving a comprehensive cloud-native application security program, has consequences. It introduces a Defensive Tax, which refers to the financial loss suffered through stifled efficiency and innovation. By conservative estimates, enterprises lose an average of $1.2 million annually to unnecessary operating costs.

Low "Signal-To-Noise" Ratio Is Chief of Several Prevailing AppSec Solution Shortcomings

The challenge of noisy AppSec solutions was well documented by the time cloud-native development innovations came into play. However, the arrival of cloud-native substantially magnified the "signal-to-noise" shortcomings of current AppSec solutions. Research showed that the most oft-cited grievances AppSec professionals had regarding their solutions were: "Prioritizing findings takes a considerable amount of time" (at 48%); and "Existing AppSec tools are pretty noisy" (at 45%). Nearly all respondents (94%) had multiple grievances, but respondents working on the front lines — AppSec engineers — consistently cited more grievances with current tools than the AppSec managers surveyed.

AppSec Solution Shortcomings Can Negatively Affect Other Professional Spheres of the Enterprise

Nearly all AppSec professionals surveyed said current cloud-native AppSec tooling limitations drove negative business impact across multiple aspects of their enterprise organization. The list of challenges includes: increased friction between AppSec and development teams (39%); jeopardized ability to generate revenue (39%); and an inability to retain high-value dev talent (38%) and AppSec talent (35%).

Despite a Consensus on the Cloud-Native Solution Capabilities They Need, Most AppSec Teams Are Not Enabled by Their Organizations to Act

The new cloud-native AppSec paradigm is best characterized by three core tenets: end-to-end visualization of cloud-native app threat models (reduces manual work); correlating AppSec risk to an app's exposure to the outside world; and effective differentiation between general code weakness and critical vulnerabilities.
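The noise problem described earlier (SAST and SCA assessed without cloud context) and the second and third tenets above (correlating risk to exposure, separating general weakness from critical vulnerabilities) come down to the same mechanic: rescoring tool findings against what the deployment context says about the workload. The following Python is an added illustration, not code from the report or from Backslash Security; the workloads, finding IDs, scoring weights and the simplified "IaC summary" are all constructed for the example, and the weights are a hypothetical policy rather than any vendor's formula.

```python
"""Context-aware prioritization of AppSec findings (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    finding_id: str       # constructed identifier
    service: str          # workload the finding belongs to
    kind: str             # "SAST" or "SCA"
    base_severity: float  # tool-reported severity on a 0-10, CVSS-like scale
    reachable: bool       # tool believes the vulnerable code path is reachable


@dataclass
class Workload:
    name: str
    internet_facing: bool        # e.g. exposed through a public load balancer in IaC
    handles_sensitive_data: bool
    privileged: bool             # e.g. container runs with a broad cloud IAM role


# Hypothetical output of a parser over Terraform/Kubernetes manifests.
# These workloads do not correspond to any real infrastructure.
WORKLOADS: Dict[str, Workload] = {
    "checkout-api": Workload("checkout-api", True, True, False),
    "batch-reporter": Workload("batch-reporter", False, False, True),
    "admin-ui": Workload("admin-ui", False, True, False),
}

# Constructed findings, as SAST/SCA tools emit them: context-free severities.
FINDINGS: List[Finding] = [
    Finding("F-001", "checkout-api", "SCA", 9.8, reachable=True),
    Finding("F-002", "batch-reporter", "SCA", 9.8, reachable=False),
    Finding("F-003", "admin-ui", "SAST", 7.5, reachable=True),
    Finding("F-004", "batch-reporter", "SAST", 4.0, reachable=True),
    Finding("F-005", "checkout-api", "SAST", 3.0, reachable=False),
    Finding("F-006", "legacy-cron", "SCA", 8.1, reachable=True),  # no IaC record
]


def contextual_score(f: Finding, w: Workload) -> float:
    """Scale the tool severity by exposure, data sensitivity, privilege and reachability.
    The multipliers are a hypothetical policy chosen for illustration."""
    score = f.base_severity
    score *= 1.5 if w.internet_facing else 0.6
    score *= 1.2 if w.handles_sensitive_data else 1.0
    score *= 1.2 if w.privileged else 1.0
    score *= 1.0 if f.reachable else 0.4
    return round(min(score, 10.0), 2)


def tool_critical_count(findings: List[Finding], threshold: float = 7.0) -> int:
    """How many findings the tools alone would flag as critical (the pre-context view)."""
    return sum(1 for f in findings if f.base_severity >= threshold)


def prioritize(findings: List[Finding], workloads: Dict[str, Workload],
               critical_threshold: float = 7.0) -> Dict[str, List[Tuple[Finding, Optional[float]]]]:
    """Split findings into context-critical, backlog, and those whose workload
    has no IaC record. An unknown workload is never silently down-ranked: it is
    routed to 'needs_context' so a human can resolve the gap."""
    critical: List[Tuple[Finding, Optional[float]]] = []
    backlog: List[Tuple[Finding, Optional[float]]] = []
    needs_context: List[Tuple[Finding, Optional[float]]] = []
    for f in findings:
        w = workloads.get(f.service)
        if w is None:
            needs_context.append((f, None))
            continue
        score = contextual_score(f, w)
        (critical if score >= critical_threshold else backlog).append((f, score))
    critical.sort(key=lambda fs: fs[1], reverse=True)
    backlog.sort(key=lambda fs: fs[1], reverse=True)
    return {"critical": critical, "backlog": backlog, "needs_context": needs_context}


if __name__ == "__main__":
    result = prioritize(FINDINGS, WORKLOADS)
    print(f"tool-critical: {tool_critical_count(FINDINGS)}, "
          f"context-critical: {len(result['critical'])}")
    for bucket, items in result.items():
        for f, score in items:
            print(f"{bucket:14} {f.finding_id} {f.service:15} {f.kind} "
                  f"base={f.base_severity} context={score}")
```

With the constructed data the tools report four findings at severity 7.0 or above, but only the reachable SCA finding on the internet-facing, data-handling workload survives as context-critical; the identical 9.8 on an internal, unreachable path drops into the backlog. The finding whose service has no IaC record is the edge case worth keeping visible: missing context is a gap in the threat model, not evidence of low risk, so it is surfaced rather than scored.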

Despite the consensus on this paradigm within the AppSec world, there is a considerable gap between what AppSec teams need and their enablement to introduce change. While 85% of respondents agree it's critical to differentiate between real security risks and noise in their daily work, only 38% feel that their organization is enabled to do so. This trend persists across the other most critical capabilities, including: "Correlating security findings to the developer or dev team responsible for the fix" (78% vs. 43%); "Meeting compliance standards" (78% vs. 38%); "Analyzing threat impact in the context of their production environment" (74% vs. 30%); and "Efficient triaging between Dev and AppSec" (73% vs. 42%).

The State of Cloud-Native Application Security Is in a State of Flux - How Do We Move the Needle Forward?

Much like the inflection point that led the development life cycle to shift from the legacy waterfall model to today's model of continuous development, the insights gained from this study illustrate that we've arrived at a similar point for AppSec tools — one that will prompt their adaptation to today's new, cloud-native reality. The cloud-native application development paradigm calls for a new, unified approach to application security — spanning code, application, and production context. Traditional dividing lines between application security and cloud security are quickly dissolving, and this study makes it abundantly clear that today's teams need only to be enabled to adopt tools and technologies that likewise bridge this dichotomy and meet cloud-native application development where it stands.

Shahar Man is Co-founder and CEO of Backslash Security