How managed services can help organisations plug the application security gap
According to research, mobile app downloads continue to increase year-over-year, from 140.6 billion in 2016 to 258 billion in 2021, an 83% increase in five years. The same trend is mirrored in the enterprise, where the pace of software development keeps accelerating. Development teams are therefore under pressure to deliver continuously while application backlogs grow at an alarming rate.
Senior leadership teams – often unaware of the problem – demand rapid development and faster release cycles. But the constant and growing presence of cyberthreats means apps need to be secure. Unfortunately, application security isn’t always prioritised in the way that it should be, and apps have become a potential ‘open front door’ into a business for attackers to exploit.
The problem is exacerbated because developers are often more concerned with the usability and ‘look and feel’ of an app. Their focus is on creating great apps on time and on budget, not necessarily secure apps, and all too often security is an afterthought.
Digital transformation, multi and hybrid cloud environments are exacerbating the problem
Furthermore, traditional approaches to application security can’t keep up with constantly changing multi-cloud environments and fast-moving DevOps processes. This creates blind spots and uncertainty about exposures and their impact on cloud-native applications. Put simply, cloud-native architectures and multi-cloud environments have broken traditional approaches to application security.
Now, demand for faster innovation is driving organisations toward agile, cloud-native architectures built on microservices, containers, and Kubernetes. The dynamic nature of these container-based environments, however, makes it even harder for teams to detect and manage application security vulnerabilities.
Most application security tools require manual configuration, take a long time to produce results, and can’t distinguish between a vulnerability that is a real exposure and one that is only a potential exposure, so they alert on all of them. As a result, developers waste precious time investigating false positives and software innovation slows down.
Additionally, in production, most vulnerability scanners miss containers in Kubernetes clusters that spin up and down rapidly. They also have no knowledge of the runtime context of applications, so they can’t distinguish between a vulnerability that is exposed to the Internet and one that sits behind a firewall or is only reachable from inside the cluster. As a result, the organisation gets a poor understanding of its real level of risk.
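The runtime-context gap described above is usually closed by joining scanner output with what the cluster actually runs and how it is reachable. The following Python is an added example, not code from Northdoor, Veracode or any scanner vendor: it takes a scanner report in a simplified, hypothetical JSON shape, a constructed snapshot of Kubernetes workloads and their network exposure, and ranks findings by an exposure-weighted score. The vulnerability IDs, image names and exposure weights are placeholders chosen for illustration.

```python
"""Exposure-aware triage of container vulnerability findings.

Added example, not code from Northdoor, Veracode or any scanner vendor.
Every input is constructed inline: a scanner report in a simplified,
hypothetical JSON shape, and a snapshot of which Kubernetes workloads run
which image and how they are reachable. Finding IDs are placeholders,
not real CVE identifiers.
"""
import json

# Constructed scanner report: one record per (image, finding).
SCAN_REPORT = json.dumps([
    {"image": "shop/api:1.4.2",    "id": "EX-0001", "cvss": 9.8, "package": "libssl", "fixed_in": "3.0.14"},
    {"image": "shop/api:1.4.2",    "id": "EX-0002", "cvss": 5.3, "package": "zlib",   "fixed_in": None},
    {"image": "shop/worker:2.0.0", "id": "EX-0001", "cvss": 9.8, "package": "libssl", "fixed_in": "3.0.14"},
    {"image": "shop/legacy:0.9.0", "id": "EX-0003", "cvss": 7.5, "package": "curl",   "fixed_in": "8.5.0"},
])

# Constructed cluster snapshot: how each running workload is reachable.
#   "internet": behind an Ingress or LoadBalancer Service
#   "cluster":  ClusterIP only, reachable from other pods
#   "none":     no Service at all, e.g. a batch job
WORKLOADS = [
    {"name": "api",    "namespace": "shop", "image": "shop/api:1.4.2",    "exposure": "internet"},
    {"name": "api",    "namespace": "shop", "image": "shop/api:1.4.2",    "exposure": "cluster"},
    {"name": "worker", "namespace": "shop", "image": "shop/worker:2.0.0", "exposure": "none"},
    # shop/legacy:0.9.0 sits in the registry but nothing runs it.
]

# Illustrative weights applied to the CVSS base score by reachability.
EXPOSURE_WEIGHT = {"internet": 1.0, "cluster": 0.6, "none": 0.3}
EXPOSURE_RANK = {"internet": 2, "cluster": 1, "none": 0}


def load_findings(report_json):
    """Parse the (hypothetical) scanner report into a list of dicts."""
    return json.loads(report_json)


def exposure_index(workloads):
    """Map image -> the most exposed way any running workload serves it."""
    index = {}
    for w in workloads:
        current = index.get(w["image"])
        if current is None or EXPOSURE_RANK[w["exposure"]] > EXPOSURE_RANK[current]:
            index[w["image"]] = w["exposure"]
    return index


def triage(findings, workloads):
    """Attach runtime context to each finding and rank by effective risk.

    Findings for images that no workload runs are kept but marked
    'not_running' with score 0, so they sink to the bottom rather than
    silently disappearing from the report.
    """
    by_image = exposure_index(workloads)
    ranked = []
    for f in findings:
        exposure = by_image.get(f["image"], "not_running")
        weight = EXPOSURE_WEIGHT.get(exposure, 0.0)
        ranked.append({
            "id": f["id"],
            "image": f["image"],
            "package": f["package"],
            "cvss": f["cvss"],
            "exposure": exposure,
            "score": round(f["cvss"] * weight, 1),
            "fix_available": f["fixed_in"] is not None,
        })
    # Highest effective score first; among ties, fixable findings first.
    ranked.sort(key=lambda r: (-r["score"], not r["fix_available"], r["id"]))
    return ranked


if __name__ == "__main__":
    for row in triage(load_findings(SCAN_REPORT), WORKLOADS):
        print(f'{row["score"]:>5}  {row["exposure"]:<11} {row["id"]}  '
              f'{row["image"]} ({row["package"]})')
```

The same finding (EX-0001) appears twice with very different scores: 9.8 on the Internet-facing API image and 2.9 on the batch worker that has no Service. That is the distinction the raw scanner output cannot make. In a real pipeline the cluster snapshot would come from the Kubernetes API (Pods, Services and Ingresses) rather than a constructed list, and scanning the image digest at admission time is what catches containers that are too short-lived to be scanned while running.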
Application security slows down productivity
Developers think security slows down productivity. Too many false positives create tension between application security teams and developers, who either ignore alerts or get overwhelmed by the sheer scale of vulnerabilities identified. This derails developer output and efficiency and gets in the way of innovation.
That said, in recent years there has been a growing realisation that security is now a shared responsibility between development and security teams. Organisations are also embracing agile software delivery approaches to keep up with the demand for digital innovation, including the use of open-source code libraries and modern DevSecOps practices.
There has been a ‘shift left’ movement as organisations shift as much security as possible to where applications are being coded. This allows organisations to remediate risks more easily with less pain and effort than if those risks aren’t identified until production, especially if an attacker finds them first.
A growing IT developer shortage
But all this puts an additional load on already resource-stretched developers, who are themselves in short supply. For many years there has been a huge skills shortage in IT. According to Gartner, demand for business apps is five times higher than current IT capacity.
One reason, as outlined above, is the overwhelming demand for software solutions to every possible kind of problem. Combine that with the fact that there are simply not enough developers and IT professionals in general, and you end up with a market that consistently cannot deliver. For example, one IDC study found that over 52% of IT leaders say the skills gap is a major challenge in their organisation.
Meanwhile, Appian’s Digital Transformation Readiness Survey found that 82% of organisations can’t attract and retain the quality and quantity of software engineers they need to feed the business with innovative technology.
Managed services could solve the application security dilemma
As the skills shortage continues to deepen in 2022, more businesses are turning to managed services, often in areas where they wouldn’t have previously. Employing permanent developers is not only expensive, but the right skills are also hard to find, so managed services could provide a solution to the application security challenge. For all but the largest enterprises, investing in in-house support capabilities for every deployed technology is likely to be economically unviable, and a distraction from core activities.
Here at Northdoor, our managed services provide customers with support for key systems, so they can focus on their core business, secure in the knowledge that their application security is well managed, their vulnerabilities are monitored, and their applications are protected.
Webinar: Understanding Software Security Risk.
Join Veracode and Northdoor plc on Tuesday 17th May at 11am as we explore the findings from the latest State of Software Security report within the financial services sector.
– How the financial service sector approaches software security compared to other sectors
– Trends over time to fix flaws
– Most common flaws by scan type
– Most vulnerable libraries