AppSec, Devs Clash Flags Need for Paradigm Shift in Software Industry

According to a recent software industry security report, there is a notable increase in tension between application security (AppSec) workers and application developers over consensus on cloud-native needs. Additionally, there is a growing concern about retaining developer talent in this context.

The fundamental issue lies in the inadequacy of traditional AppSec tools for cloud environments. As a result, AppSec teams grapple with the repercussions of lacking appropriate cloud-native tooling daily. This ongoing situation causes team friction, issues with talent retention, revenue concerns, reputation squabbles, and wasting more than half of their time chasing vulnerabilities.

The good news? AppSec teams know what they need, and AppSec pros are overwhelmingly aligned on what a modern, cloud-native AppSec paradigm should look like. However, despite this understanding, only a limited number of teams have the necessary capabilities to fulfill these requirements effectively.

Study Reveals Effect of Inadequate Cloud-Native Tools

In May, cloud-native AppSec solutions provider Backslash Security released a study titled “Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report.” It explores how application security has evolved since the rise of cloud-native application development.

The study examines the practices, tools, and needs of CISOs, AppSec managers, and AppSec engineers at enterprise organizations of 1,000 or more employees with mature cloud-native app development environments. The results show that 85% of AppSec pros said the ability to differentiate between real risks and noise is critical. Only 38% can do so today.

According to researchers, mature DevOps organizations cite widespread impact due to the lack of cloud-native tools. AppSec teams are stuck in a catch-up cycle, unable to keep up with the increasingly rapid, agile dev pace and playing security defense via an endless and unproductive vulnerability chase.

“Inadequate cloud-native tooling is a root cause of friction between AppSec teams and developers. Current-gen AppSec tools lack the ability to report the level of evidence required for dev teams to act on alerts,” Backslash Security CEO and co-founder Shahar Man told TechNewsWorld.

AppSec Playing Defense

Notably, while 58% of respondents report spending over 50% of their time chasing vulnerabilities, a shocking 89% spend at least 25% of their time in this defensive mode, according to the report. Far and wide, enterprises are victims of this costly defensive tax.

The so-called tax, estimated to be over $1.2 million annually, is the cost of employing AppSec engineers who chase vulnerabilities rather than drive a comprehensive cloud-native AppSec program. Application security teams are struggling to keep up with increasingly fast-paced development teams who are rapidly deploying code to the cloud, Man complained.

A significant problem is that their tools are outdated, he offered. They lack the cloud context critical to enabling AppSec teams to do their jobs successfully. Furthermore, the current application security tools exacerbate the issue by generating an excessive number of low-value alerts.

Man urged that AppSec teams need to be equipped with modernized, cloud-native tools. The most common complaints about the current tools AppSec pros have at their disposal are no surprise. AppSec workers claim their traditional tools are noisy and make prioritizing findings too time-consuming.

“That said, we have found that AppSec professionals are very much aligned on the cloud-native capabilities that are most important to their day-to-day. The core aspects of modern AppSec are the automatic correlation of AppSec risk to app exposure to the outside world,” Man explained.

A large majority of respondents (91%) said this is important. There is growing friction between AppSec and developers due to the lack of consensus on general code weaknesses and critical vulnerabilities. Furthermore, 82% of the respondents highlighted the importance of end-to-end visualization of cloud-native application threat models.

Lack of Action Fueling the Rift

Combined with the sheer volume of false positives reported, AppSec teams end up losing credibility in the eyes of developers. When surveyed about the impact of the lack of cloud-native tools for this report, respondents cited the growing AppSec/dev friction as the number one issue, followed by retaining dev and AppSec talent.

“Clearly, AppSec teams know what they need, but the bigger question is whether the industry is ready to give it to them,” challenged Man.

For example, an overwhelming majority (85%) of AppSec pros want the ability to differentiate real code risks from low-risk issues, making it the most crucial cloud-native capability. But only 38% are fully enabled to do this using their current toolset.

“These massive enablement gaps extend across core cloud-native capabilities,” he noted.

Pining for Easing Tensions

Man added that one of the things AppSec teams want most is to work well with their dev counterparts — a core concern that came up throughout the survey. Each AppSec role has its own perspective on how the lack of cloud-native tools impacts the growing friction between AppSec/devs relationships.

For instance, AppSec engineers spend their days very much in the trenches. They worry most about retaining dev talent. But their managers are concerned most with retaining AppSec talent. Meanwhile, CISOs, with their top-level view of both sides of the equation, worry about friction between the two teams.

Also of note, according to Man, is the missing cloud-native capabilities that enable AppSec and dev to work well together. They are notably lacking, the survey disclosed.

For example, 78% of respondents said correlating security findings to the dev team responsible for the fix is essential. But only 43% are fully enabled to do this now.

The study showed that efficient triaging between Dev and AppSec is similar at 73% vs. 42%.

Costly Consequences

Man confided that one of the biggest surprises in the results was the sheer volume of wasted AppSec time attributed to inadequate tools. That inefficiency is costing companies immensely.

“The cost of playing defense, aka the defensive tax, is major. Conservative estimates put the average enterprise’s cost of wasted AppSec time at over $1 million per year,” he offered.

That estimate is based on average AppSec employee salaries and AppSec team size. That calculation fails to take into account the cost of inadequately securing the given enterprise’s applications, added Man.

Key Takeaways Show New Market Direction

Slightly less than half of the respondents reported their organizations push code at least once per day. The pace of developers is steadily increasing.

“Teams are losing faith in the traditional AppSec tools, as they can’t keep up and are stuck in a perpetual game of catch-up. The impact is far-reaching, with the vast majority of organizations seeing the widespread impact of inadequate cloud-native AppSec tools,” said Man.

The “people” impact is particularly significant, he added. The core takeaway is that the AppSec industry is ready for a substantial change and deserves tools explicitly built to understand the cloud.

Man believes that application security posture management (ASPM) — a new security approach — gives AppSec teams more control and improves the security posture of their applications.

“Finally, there is a new mindset, one that provides a holistic view of the application security posture, allowing AppSec to strike a balance between a ‘shift left’ mentality and being empowered to identify and mitigate vulnerabilities before they can be exploited,” concluded Man.