The new edition of Dynatrace’s annual CISO report points to what many of those surveyed see as serious security gaps in cloud-native applications. Around 700 Chief Information Security Officers (CISOs) took part in the survey. The majority of them apparently encounter blind spots in microservices, container technology and Kubernetes in their everyday work: 89 percent of respondents from Germany stated this – internationally this perception fluctuates only slightly, between 82 percent (Brazil) and 92 percent (USA).
A key result of the report is that cloud-native architectures and multicloud environments break with previous methods of application security and thus call into question the traditional division of roles and responsibilities between teams. According to the respondents, manual processes cause problems because they can no longer cope with an environment in which a large number of systems and microservices coexist.
Accelerated release cycles increase the error rate
A key finding of the survey is that faster software delivery in shorter release cycles makes errors and weak points harder to find (63 percent of those questioned criticized this). According to the answers, very few companies have real-time insight into the potential runtime vulnerabilities of their containerized production environments. The respondents said that vulnerabilities are often scanned only once a month or even less frequently. This apparently applies to more than two thirds (68 percent) of the companies whose IT security officers were surveyed.
False positives wear down attention
It does not help that the shorter and therefore more frequent release cycles apparently produce a surplus of false positive alerts: according to the CISOs surveyed, only about 42 percent of the alerts triggered require action. For the teams concerned, this alert overload leads to overwork and exhaustion. Most of the respondents (77 percent) would consider automated scanning helpful for locating errors more quickly and accurately and for closing security gaps.
Unclear areas of responsibility are likely to cause friction, as the weak points often lie in mixed areas that span several departments. Apparently, most of the respondents (85 percent), who themselves work in security, see the neighboring application and DevOps teams as being obliged to manage and remediate weak points. One possible conclusion is that cross-role and cross-team collaboration rarely takes place.
Unclear responsibilities and unsuitable tools
Giving developers more responsibility would be one solution – however, almost two thirds of those surveyed (64 percent) said that they usually do not have time to patch vulnerabilities before the code goes into production. Apparently, over a quarter of the application teams skip vulnerability scanning entirely. The CISO report shows that engineering and development teams are often not integrated with those responsible for security, and that DevSecOps principles have not yet taken hold in the organizations.
Another problem from the respondents’ point of view (69 percent) is ineffective security tools that slow down work processes and are too closely tied to the software delivery cycle and its individual phases. According to the respondents, security checks become particularly complicated under multi-tool conditions in the cloud, where numerous microservices, containers and Kubernetes clusters interact: manual maintenance can no longer be guaranteed given the large number of parallel and interlinked systems.
Anyone interested in the underlying data and further detailed results of the survey can download the report free of charge from Dynatrace. The 2021 edition is entitled “Precise, automatic risk and impact assessment is key for DevSecOps”. Dynatrace is a provider best known for Application Performance Monitoring (APM) and is active in the business area that the survey covers. The report presented here is therefore not an independent scientific study; through the framing of the questions and the manner of presentation, it also reflects the business interests of the provider.