71% of CISOs aren't confident code is free of vulnerabilities before live production
Research from Dynatrace found 71% of CISOs say they're not confident code is free of vulnerabilities before going into live production.
Software intelligence company Dynatrace has released the findings from an independent global survey of 700 CISOs, that reveals the rising adoption of cloud-native architectures, DevOps, and agile methodologies, have broken traditional approaches to application security.
Organisations have started to shift more responsibility to developers to increase innovation. Complex IT ecosystems and outdated security tooling can slow releases by leaving blind spots and forcing teams to manually triage large numbers of alerts, many of which are false positives reflecting vulnerabilities in libraries not used in production.
The report, Precise Automatic Risk and Impact Assessment is Key for DevSecOps, focuses on this. The research shows that:
- 89% of CISOs say microservices, containers, and Kubernetes have created application security blind spots.
- 97% of organisations do not have real-time visibility into runtime vulnerabilities in containerised production environments.
- Nearly two-thirds (63%) of CISOs say DevOps and Agile development have made it more difficult to detect and manage software vulnerabilities.
- 74% of CISOs say traditional security controls such as vulnerability scanners no longer fit today's cloud-native world.
- 71% of CISOs admit they are not fully confident code is free of vulnerabilities before going live in production.
“The increased use of cloud-native architectures has fundamentally broken traditional approaches to application security,” says Dynatrace founder and chief technology officer, Bernd Greifeneder.
“This research confirms what we've long anticipated, manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today's dynamic cloud environments and rapid innovation cycles. Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and polyglot software development which uses an ever-growing number of third-party technologies.
He adds that already stretched teams are forced to choose between speed and security, exposing their organisations to unnecessary risk.
“As organisations embrace DevSecOps, they also need to give their teams solutions that offer automatic, continuous, and real-time risk and impact analysis for every vulnerability, across both pre-production and production environments, and not based on point-in-time snapshots,” says Greifeneder.
“With the Application Security Module on the Dynatrace Software Intelligence Platform, organisations can leverage the automation, AI, scalability, and enterprise-grade robustness of Dynatrace, and extend this to deliver more secure release cycles with confidence their cloud-native applications are free from exposures.
The report is based on a global survey of 700 CISOs in large enterprises with over 1,000 employees, it was commissioned by Dynatrace and conducted by Coleman Parkes. The sample included 200 respondents in the U.S., 100 in the UK, France, Germany, and Spain, and 50 in Brazil and Mexico, respectively.