AppSec Teams Trapped in Catch-Up Mode Because of Enormous Cloud-Native Technology Gap

A new research study by Backslash Security, a cloud-native application security solution provider, reveals that application security teams are struggling to keep up with the rapid development pace of cloud-native applications, leading to an unproductive vulnerability chase. The study surveyed CISOs, AppSec managers, and AppSec engineers from enterprise organizations with 1,000 or more employees and mature cloud-native app development environments.

According to the report, 58% of respondents spend over 50% of their time chasing vulnerabilities, while 89% spend at least 25% of their time in this defensive mode. This ‘defensive tax’ is estimated to cost around $1.2 million annually and is due to AppSec teams’ inability to keep up with the accelerated pace of digital innovation across enterprises of all sizes.

Another major issue highlighted in the study is the outdated nature of prevailing AppSec tools. Nearly all organizations (94% of respondents) cited multiple issues with today’s AppSec technologies, with 45% saying that existing AppSec tools are noisy. The report reveals that AppSec professionals are losing faith in the current standards, with SAST and DAST quickly losing traction: only 32% of respondents stated that they use them extensively.

The report emphasizes the need for a new AppSec paradigm, characterized by end-to-end visualization of microservices, automatic identification and prioritization of risks, and intelligent triaging and remediation. The study assessed the importance of these three key tenets of modern AppSec and found that 82% of respondents agree that automating threat model visualization would help save time and manual labor analyzing cloud-native application risks.

The study also found that while respondents acknowledge the most critical capabilities that define the new cloud-native AppSec paradigm, there is still a massive cloud-native enablement gap. Only 38% of respondents can differentiate between real risks and noise, even though 85% say this is critical to their success. Similar gaps between stated importance and actual enablement appear for correlating security findings with the developer or dev team responsible for the fix (78% vs. 43%), meeting compliance standards (78% vs. 38%), and efficient triaging between Dev and AppSec (73% vs. 42%).

Shahar Man, co-founder and CEO of Backslash, urged the industry to put an end to the AppSec catch-up game. He stated that the outdated AppSec methodologies hamper productivity, innovation, and talent retention for both AppSec and dev teams and called for a new, unified approach to application security that would make the friction between development and AppSec teams a thing of the past, enable enterprises to retain valuable talent, and accelerate innovation and growth.

Backslash Security’s cloud-native application security solution provides unified security and business context to cloud-native code risk, coupled with automated threat modeling, code risk prioritization, and simplified remediation across applications and teams. With Backslash, AppSec teams can see and easily act upon the critical toxic code flows in their cloud-native applications, quickly prioritize code risks based on the relevant cloud context, and significantly cut MTTR (mean time to recovery) by enabling developers with the evidence they need to take ownership of the process.

Backed by StageOne Ventures, First Rays Venture Partners, D.E. Shaw & Co., and a roster of security veterans as angel investors, Backslash has been deployed across leading technology organizations and Fortune 100 companies.
