The State of Application Security

Organizations are moving from monolithic applications to microservices, and container architectures are well suited to that shift. As a result, the responsibility for protecting these environments grows, because companies are exposed to a broader set of security risks and vulnerabilities.

Here we face a conflict between CISOs and DevOps. CISOs must protect the organization by all means and at any cost. DevOps, on the other hand, is about flexibility, so developers tend to look for compromises and settle for “just good enough” security. Sometimes they strongly oppose the protective measures the CISO proposes.

What can this mean for cybersecurity and businesses?

Companies readily implement innovative technologies

In general, companies understand that adopting new standards and solutions during the transition to digital technologies requires both a positive attitude and a large budget. Many businesses are trying and purchasing new security tools.

More and more companies use containers/microservices. Almost half of them have already implemented container protection technologies.

All this looks promising, but it seems that companies are proceeding by trial and error, deploying multiple technologies without ensuring they interoperate. They hope that having a variety of technologies available will, by itself, provide effective protection.

Since microservices and containers are still considered emerging technologies, companies must explore which solutions and practices are appropriate for new infrastructure and data flows. Undue reliance on existing security models leads to unforeseen security incidents and, as a result, data breaches.

Businesses apply security measures

Businesses not only strive to introduce new protection technologies but also widely apply established practices. For example:

  • Controlling East-West traffic
  • Reviewing code and performing security testing
  • Using WAF solutions

In addition, business leaders are aware of the security threats posed by APIs and are actively working to eliminate them. This is the correct approach, since APIs link various tools, applications, systems, and environments.

We see that more and more organizations create DevOps or DevSecOps teams.

And yet applications get regularly hacked

Hackers are winning so far, and application attacks continue to pose a threat. Every single day we read news about security incidents, and most of them end in data breaches. Reports are full of cases of access violations, SQL injection, session hijacking, DDoS attacks, cookie spoofing, cross-site request forgery, cross-site scripting, API manipulation, and more.

We see that companies and cloud service providers find it difficult to delineate their respective security responsibilities. Many organizations face several different types of application attack every week.

API gateways do not seem to solve the problem. Typically used for authentication, IP filtering, and basic load balancing, API gateways clearly cannot block every API manipulation attempt.

In general, solutions based on rigid heuristics and static rules do not provide an adequate level of protection for constantly changing applications. Today, many applications change continuously, sometimes several times a day. In this situation, engineers are simply unable to keep everything under control: each change must be identified, a policy set up for it, and that policy validated and enforced, which is impossible without automation.

Because of the rapid pace of change, responsibility shifts to those who run agile development, deliver applications and microservices, build SDLC environments, and choose the tooling. DevOps and DevSecOps are beginning to have a greater influence on security decisions.

Who makes the decisions?

Security experts still do not call the shots. The IT department drives the choice of tools, the setting of policy, and the implementation of application protection. The IT department controls the budget, and most CISOs do not have the deciding vote.

Digital transformation is not just digitalization

The success of various cyberattacks comes down to the fact that enterprises do not fully consider the impact of digitalization. In this process, technology initiates the change. The simplest part is to acquire and implement new technologies and platforms. However, technologies will not start working on their own. Although organizations strive to follow security rules, hackers continue to attack successfully. Why? Because companies are not taking the second, non-digital step of this transition: acquiring new competencies, adapting business processes, and redistributing roles and responsibilities.

is a weak point in application security. If security professionals are allowed to do their job and make security a defining factor for the business, perhaps we will finally see the evolution of security systems keep pace with the speed of the business.