75% of CISOs worried too many app vulnerabilities leak into production despite multi-layered approach

Software intelligence company Dynatrace has announced the findings of an independent global survey of 1,300 Chief Information Security Officers (CISOs) at large organisations. The research, titled Observability and security must converge to enable effective vulnerability management, reveals that the speed and complexity created by the use of multi-cloud environments, multiple coding languages and open source software libraries are making vulnerability management more difficult. Three quarters (75%) of CISOs say that, despite having a multi-layered security posture, persistent coverage gaps allow vulnerabilities into production. This highlights the growing need for observability and security to converge, paving the way towards AISecDevOps practices, which would give organisations a more effective way of managing vulnerabilities at runtime and the ability to detect and block attacks in real time.

Findings from the research include:

  • 69% of CISOs say vulnerability management has become more difficult as the need to accelerate Digital Transformation has increased.
  • 79% of CISOs say that automatic, continuous runtime vulnerability management is key to filling the gap in the capabilities of existing security solutions. However, just 4% of organisations have real-time visibility into runtime vulnerabilities in containerised production environments.
  • Only 25% of security teams can access a fully accurate, continuously updated report of every application and code library running in production in real time.

“These findings underscore that there are always opportunities for vulnerabilities to slip past security teams, regardless of how robust their defences might be,” said Bernd Greifeneder, Chief Technology Officer, Dynatrace. “Both new applications and stable legacy software are prone to vulnerabilities that are more reliably detected in production. Log4Shell was the poster child for this problem and there will undoubtedly be other scenarios like it in the future. It’s also clear that most organisations still lack real-time visibility into runtime vulnerabilities. The problem stems from the growing use of cloud-native delivery practices, which enable greater business agility, but also introduce new complexity for vulnerability management, attack detection and blocking. The rapid pace of Digital Transformation means that already overstretched teams are bombarded by thousands of security alerts that make it impossible to see through the noise and focus on what matters. Teams find it impossible to respond manually to every alert and organisations are exposed to unnecessary risk by allowing vulnerabilities to escape into production.”

Additional findings include:

  • On average, organisations receive 2,027 alerts of potential application security vulnerabilities each month.
  • 32% of the application security vulnerability alerts organisations receive each day require action, compared to 42% last year.
  • On average, application security teams waste 28% of their time on vulnerability management tasks that could be automated.
