Security leaders call for more observability for cloud native apps

A global survey conducted by Coleman Parkes for Dynatrace has found that multicloud deployments are making IT security more complex.

The survey, based on a poll of 1,300 chief information security officers (CISOs) in organisations with more than 1,000 employees, reported that, in spite of having a multi-layered approach to IT security, three-quarters of CISOs (75%) are worried that too many application vulnerabilities leak into production.

When asked about their approach to securing open source software, just a quarter (25%) of respondents said their security teams can access a fully accurate, continuously updated report of every application and code library running in production in real time. A third (33%) admit their security teams do not always know which third-party code libraries they have running in production. Almost all (95%) said their organisations faced risk exposure from Log4Shell, and 35% cited their risk as ‘high’ or ‘severe’.

Over two-thirds (69%) of CISOs said vulnerability management has become more difficult as the need to accelerate digital transformation has increased. The survey found that the speed and complexity created by using multicloud environments, multiple coding languages, and open source software libraries are making vulnerability management more difficult. Three quarters of the CISOs surveyed say that despite having a multi-layered security posture, persistent coverage gaps allow vulnerabilities into production. .

According to Dynatrace, the drive for faster transformation is also prompting organisations to adopt agile practices such as DevSecOps, to remove traditional bottlenecks that can tax understaffed security teams. DevSecOps empowers developers to secure their own code, so organisations can release new services faster. However, Dynatrace warned that this practice is still maturing, and many developers lack the resources to take more accountability for security. Shifting responsibility for security ‘left’ to development is not sufficient, according to Dynatrace. It recommended that organisations also need to shift ‘right’ to ensure that applications run securely in production. Without this, vulnerabilities that have leaked into production run the risk of going undetected and so remain open to exploitation.

“Organisations realise that to manage vulnerabilities in the cloud-native era effectively, security must become a shared responsibility,” said Bernd Greifeneder, chief technology officer at Dynatrace. “The convergence of observability and security is critical to providing development, operations and security teams with the context needed to understand how their applications are connected, where the vulnerabilities lie, and which need to be prioritised. This accelerates risk management and incident response.”