The events of 2020 greatly accelerated digital transformation, with organizations of all sizes scrambling to compete for online shoppers and service the needs of remote employees. This has increased use of the platforms and processes that underpin digital transformation efforts: multicloud environments, cloud-native applications, fast release cycles, and DevSecOps. At a time when teams are already stretched thin, the pace of digital transformation – and the complexity it’s created – has exploded over the last year.
Dynatrace’s 2020 research shows 89% of CIOs said their organizations’ digital transformation projects had accelerated over the prior year, with 86% facilitating that transformation through the adoption of cloud-native technologies such as Kubernetes, containers, and microservices. As organizations have adopted these technologies, they’ve found their dynamic multicloud environments have become too complex and too large to manage manually anymore—and those challenges also extend to application security.
Traditional security buckling under pressure
With increased reliance on cloud-native application architectures, traditional application security approaches are failing. Conventional application security tools, such as static application security testing (SAST) and software composition analysis (SCA), might have been adequate approaches in 2015. However, by today’s standards, they are too slow and place too large a burden on software development teams, who are forced to sift through page after page of vulnerability alerts, manually finding and applying corrections while also wasting time on false positives.
Similarly, most security tools that are designed for production environments, such as vulnerability scanners, have blind spots. These tools were not designed for the containers, microservices, and Kubernetes platforms that organizations commonly use today, and they fail to capture real-time changes as they occur in pre-production and production environments. These tools require too much manual configuration, and in many cases, they just don’t work as expected in modern production environments. Just as multicloud environments have outgrown any one person’s ability to monitor and manage them, they’ve also outgrown traditional application security methods.
DevSecOps has reached an unsustainable status quo. The typical security tools that development teams have at their disposal are built with waterfall-based development in mind. That doesn’t mesh with DevSecOps’ more agile approach. And it’s not just that these tools are too time-consuming or not developer-friendly; they’re also heavily prone to generating false positives. If vulnerability scanners are already failing to separate the false positives from the real vulnerabilities, every alert will get treated like a real problem. Consequently, application developers end up spending unnecessary amounts of time and effort manually chasing down red flags that aren’t real.
As a result, DevOps teams are now dealing with the following issues:
Make that next-generation upgrade to application security
If traditional application security can’t handle an organization’s need for speed, automation, and accuracy, then it needs a next-generation upgrade. Organizations need to arm their DevSecOps teams with highly automated security systems that are built to handle the rapid pace of software development as well as rapidly changing production environments. That means prioritizing the following capabilities:
Application security is a ticking clock, where every second counts—and organizations simply don’t have time to waste with yesterday’s solutions. As IT environments become more complex, and as the scope of threats they face becomes more robust, organizations need to rely on an AI-driven, continuously automated system of vulnerability detection and risk assessment that keeps them secure.
Dave Anderson, digital and brand evangelist, Dynatrace
The post As cloud environments get more complex, app security needs an AI-powered upgrade appeared first on SC Media.