©2021 Dynatrace
Precise, automatic risk and impact assessment is key for DevSecOps
Global CISO report
What’s inside
Section 1: Cloud-native architectures and multicloud environments have broken traditional approaches to application security
Section 2: Faster innovation has made it more difficult to manage security vulnerabilities effectively
Section 3: Vulnerability scanners and manual processes don’t work in a cloud-native world
Section 4: Security teams are overwhelmed by alerts, making it difficult to prioritize vulnerability remediation
Section 5: Fully automated runtime security is essential to the future of vulnerability management and DevSecOps
Section 6: The Dynatrace difference
Introduction
This report is based on a global survey of 700 CISOs
in large enterprises with over 1,000 employees, conducted
by Coleman Parkes and commissioned by Dynatrace in 2021.
The sample included 200 respondents in the U.S., 100 each
in the UK, France, Germany, and Spain, and 50 each in Brazil
and Mexico.
Section 1
Cloud-native architectures and multicloud environments have broken traditional approaches to application security
Demand for faster innovation is driving organizations toward agile, cloud-native architectures built on microservices, containers, and Kubernetes. The dynamic nature of these container-based environments, however, makes it harder for teams to detect and manage application security vulnerabilities.
89% of organizations say microservices, containers, and Kubernetes have created application security blind spots
CISOs say the following factors impact their ability to detect and manage software vulnerabilities:
65% Microservice application architectures
62% Container runtime environments
59% Hybrid or multicloud environments
Traditional security tools, which were designed for an era with static IT environments, are unable to provide the same level of monitoring and protection they once did. Previously, a single monthly scan allowed teams to identify most vulnerabilities before they could be exploited. In containerized environments, lifespans are measured in days, or even hours. Security teams are left struggling with a barrage of alerts and false positives, and yet they are still faced with multiple blind spots where their tools simply cannot provide visibility.
Section 2
Faster innovation has made it more difficult to manage security vulnerabilities effectively
Organizations are also embracing agile software delivery approaches to keep up with the demand for digital innovation, including the use of open-source code libraries and DevSecOps practices. However, these approaches shift responsibility “left” by asking DevOps teams to ensure code is free from vulnerabilities, though they often don’t have the resources to do this effectively.
Developers often don’t have time to conduct manual security scans, or the resources needed to automatically differentiate between potential vulnerabilities and critical exposures. This makes it harder for DevSecOps teams to drive faster, more secure release cycles, and enables even the most common vulnerabilities to slip through into containerized production environments, where they’re missed by traditional security tools.
85% of CISOs say application and DevOps teams must take more responsibility for vulnerability management to protect the organization effectively
CISOs say the shift to modern delivery models has impacted their ability to detect and manage software vulnerabilities, due to:
63% New ways of working (i.e., DevOps and Agile development practices)
60% Faster release or delivery cycles
71% of CISOs say they’re not fully confident code is free of vulnerabilities before going live in production
CISOs highlight these problems related to software vulnerability management:
64% say developers don’t always have time to resolve vulnerabilities before code goes into production
45% say developers lack the skills they need to take responsibility for security
31% say application and DevOps teams often don’t work with the security team to avoid slowing down
28% say application teams sometimes bypass vulnerability scans to speed up delivery
Section 3
Vulnerability scanners and manual processes don’t work in a cloud-native world
In dynamic cloud-native environments, containers spin up and down within seconds, and dependencies between microservices are constantly shifting, sometimes crossing over cloud boundaries. Against this backdrop, manual impact assessment has become impossible, as the dependencies between vulnerable components change rapidly.
74% of CISOs say traditional security controls such as vulnerability scanners are no longer fit for purpose in today’s cloud-native world
Vulnerability scanners only offer a static view at a single moment in time,
and they also lack the ability to differentiate between a potential risk and
an actual exposure. As a result, they are largely ineffective.
Alternative approaches, such as scanning source code or container images
in pre-production environments, cannot offer real-time visibility into
live exposures. This means vulnerabilities often remain undetected in
production, where attackers can exploit them.
CISOs highlight several challenges with existing security tools and approaches, including:
69% say security tools slow down DevOps because they focus on just one stage of the software delivery lifecycle
63% say it’s become more difficult for security tools to keep up with the rapid change of containerized environments
53% say it can be difficult to detect vulnerabilities that were discovered post-deployment quickly enough to minimize the risk
38% say lack of context on application vulnerabilities makes it hard to find and apply fixes quickly
29% is the average proportion of time application security teams in large enterprises (1,000+ employees) spend each week doing vulnerability management tasks that could be automated*
$1.51 million is the average annual labor cost organizations incur for the time their application security teams spend on manual vulnerability management tasks that could be automated*
*Calculated based on the average percentage of security teams’ time collectively spent on manual vulnerability management tasks each week (29%), applied to organizations’ average total spend ($5.22 million) on security team and contractor salaries per annum.
3% of organizations have real-time visibility into runtime vulnerabilities in containerized production environments
68% of organizations admit they only scan for vulnerabilities in production once a month or less
Section 4
Security teams are overwhelmed by alerts, making it difficult to prioritize vulnerability remediation
Not only do traditional security tools often miss which code and libraries are running in production, they also fail to distinguish between potential vulnerabilities and critical exposures. As a result, teams are bombarded with thousands of alerts, many of which turn out to be false positives or low priority.
On average, organizations need to react to 2,169 new alerts of potential application security vulnerabilities each month.
BUT… only 42% of these application security vulnerability alerts actually require actioning.
This, paired with the limited context teams have for the real vulnerabilities that surface, makes it very difficult for organizations to understand their risk exposure, and leaves DevSecOps teams unable to prioritize which issues to target for resolution. Instead, they waste countless people-hours triaging long lists of vulnerabilities, which steals valuable time from innovation and leaves organizations exposed to critical risks.
CISOs highlight challenges their teams face when dealing with security vulnerability alerts:
77% say most security alerts and vulnerabilities are false positives that don’t require actioning as they’re not actual exposures
68% say the volume of alerts makes it very difficult to prioritize vulnerabilities based on risk and impact
57% say alerts lack information needed to ensure the most critical vulnerabilities are fixed first
Section 5
Fully automated runtime security is essential to the future of vulnerability management and DevSecOps
Organizations will only be able to ensure the security of their cloud-native applications if they empower DevSecOps teams to identify and understand the precise impact of runtime vulnerabilities in their production environments in real time. To do so, they need a single platform-based approach that eliminates any blind spots by offering observability across their cloud-native environment and all stages of the software development lifecycle.
By combining this approach with AI and automation, DevSecOps teams can gain precise answers about the cause, nature, and impact of vulnerabilities in real time, helping to eliminate false positives, prioritize alerts, and reduce their reliance on manual security tests and scans. Ultimately, this will free DevSecOps teams to drive faster, more secure release cycles, and accelerate innovation for the organization and its customers.
50% of CISOs are most worried about the runtime phase, underscoring the importance of runtime controls
89% of CISOs believe application security would be easier to manage if vulnerability testing tools and observability solutions converged into a single platform that can provide the full context needed to manage digital services effectively
90% of CISOs say it would be easier to deliver innovation at the speed the business needs if they had a single security platform that extends across the entire software lifecycle
77% of CISOs say the only way for security to keep up with modern cloud-native application environments is to replace manual deployment, configuration, and management with automated approaches
Section 6
The Dynatrace difference
Dynatrace® Application Security enables teams to accelerate DevSecOps processes through automation and the elimination of mundane work. Runtime application security automatically and continuously analyzes applications, libraries, and code at runtime in production and pre-production. This helps ensure development teams don’t have blind spots and are not wasting time chasing false positives. In addition, this provides the C-suite with confidence in the security of their cloud-native production deployments.
Why Dynatrace is radically different:
Deploy with confidence through continuous automatic coverage for dynamic containerized cloud-native stacks
Prevent, identify, and resolve exposures faster with precise automatic risk and impact assessment
Reduce false positives and focus DevSecOps teams on resolving vulnerabilities that matter
All-in-one observability and security powered by the Dynatrace Software Intelligence Platform
Appendix: Global Data Summary
Table 1: Cloud-native architectures and multicloud environments have broken traditional approaches to application security
Country | Organizations say microservices, containers, and Kubernetes have caused application security blind spots
--- | ---
U.S. | 92%
UK | 88%
France | 89%
Germany | 89%
Spain | 88%
Brazil | 82%
Mexico | 86%
Table 2: Cloud-native architectures and multicloud environments have broken traditional approaches to application security
Factors impacting ability to detect and manage software vulnerabilities | U.S. | UK | France | Germany | Spain | Brazil | Mexico
--- | --- | --- | --- | --- | --- | --- | ---
Microservice application architectures | 70% | 54% | 69% | 60% | 68% | 62% | 70%
Container runtime environments | 66% | 56% | 62% | 59% | 60% | 56% | 74%
Hybrid or multicloud environments | 61% | 49% | 67% | 62% | 66% | 44% | 44%
Table 3: CISOs say the shift to modern delivery models has impacted their ability to detect and manage software vulnerabilities
Country | New ways of working (i.e., DevOps and Agile development practices) | Faster release or delivery cycles
--- | --- | ---
U.S. | 70% | 67%
UK | 60% | 53%
France | 71% | 70%
Germany | 60% | 58%
Spain | 67% | 56%
Brazil | 38% | 50%
Mexico | 52% | 54%
Table 4: CISOs say the shift to modern delivery models has impacted their ability to detect and manage software vulnerabilities
Country | Application and DevOps teams must take more responsibility for vulnerability management | CISOs say they are not fully confident code is free of vulnerabilities before going live in production
--- | --- | ---
U.S. | 85% | 54%
UK | 81% | 77%
France | 85% | 67%
Germany | 88% | 87%
Spain | 85% | 75%
Brazil | 90% | 80%
Mexico | 84% | 84%
Table 5: CISOs admit they encounter problems addressing software vulnerabilities, including:
Problem | U.S. | UK | France | Germany | Spain | Brazil | Mexico
--- | --- | --- | --- | --- | --- | --- | ---
Developers don’t always have time to resolve vulnerabilities before code goes into production | 61% | 70% | 55% | 78% | 64% | 44% | 72%
Developers lack the skills they need to take responsibility for security | 36% | 41% | 42% | 43% | 61% | 44% | 62%
Application and DevOps teams often don’t work with the security team to avoid slowing down | 30% | 24% | 37% | 41% | 33% | 26% | 22%
Application teams sometimes bypass vulnerability scans to speed up delivery | 21% | 28% | 25% | 38% | 25% | 22% | 48%
Table 6: Vulnerability scanners and manual processes don’t work in a cloud-native world
Country | Traditional security controls such as vulnerability scanners are no longer fit for purpose in today’s cloud-native world | Organizations that do not have real-time visibility into runtime vulnerabilities in containerized production environments | Organizations that only scan for vulnerabilities in production once a month or less
--- | --- | --- | ---
U.S. | 74% | 97% | 54%
UK | 80% | 96% | 70%
France | 74% | 97% | 73%
Germany | 80% | 99% | 80%
Spain | 78% | 100% | 74%
Brazil | 64% | 92% | 74%
Mexico | 58% | 98% | 78%
Table 7: Challenges with existing security tools and approaches highlighted by CISOs
Country | Security tools slow down DevOps because they focus on just one stage of the software delivery lifecycle | It’s become more difficult for security tools to keep up with the rapid change of containerized environments | It can be difficult to detect vulnerabilities that were discovered post-deployment quickly enough to minimize the risk | Lack of context on application vulnerabilities makes it hard to find and apply fixes quickly
--- | --- | --- | --- | ---
U.S. | 68% | 62% | 54% | 32%
UK | 82% | 75% | 49% | 40%
France | 67% | 61% | 55% | 32%
Germany | 84% | 69% | 49% | 44%
Spain | 65% | 57% | 52% | 43%
Brazil | 40% | 60% | 58% | 38%
Mexico | 60% | 54% | 54% | 44%
Table 8: Time and labor costs of manual vulnerability management
Country | Average percentage of time application security teams waste per week on vulnerability management tasks that could be automated | Average annual labor cost organizations incur for the time their application security teams spend on manual vulnerability management tasks that could be automated ($ million)
--- | --- | ---
U.S. | 30% | $1.12
UK | 28% | $1.96
France | 27% | $1.55
Germany | 28.5% | $1.37
Spain | 26.5% | $1.63
Brazil | 33% | $1.67
Mexico | 30% | $1.85
Table 9: Security teams are overwhelmed by alerts
Country | Average number of alerts to potential application security vulnerabilities that organizations receive each month | Percentage of application security vulnerability alerts that require actioning
--- | --- | ---
U.S. | 2,026 | 47%
UK | 2,230 | 41%
France | 1,600 | 42%
Germany | 3,018 | 37%
Spain | 1,921 | 36%
Brazil | 2,305 | 46%
Mexico | 2,422 | 36%
Table 10: Security teams are overwhelmed by alerts
Challenges teams face when dealing with security vulnerability alerts | U.S. | UK | France | Germany | Spain | Brazil | Mexico
--- | --- | --- | --- | --- | --- | --- | ---
Most security alerts and vulnerabilities are false positives that don’t require actioning as they are not actual exposures | 70% | 78% | 74% | 86% | 88% | 64% | 88%
The volume of alerts makes it very difficult to prioritize vulnerabilities based on risk and impact | 60% | 67% | 72% | 87% | 63% | 62% | 66%
Alerts lack information needed to ensure the most critical vulnerabilities are fixed first | 52% | 67% | 69% | 66% | 49% | 32% | 52%
Table 11: Fully automated runtime security is essential to the future of vulnerability management and DevSecOps
Statement | U.S. | UK | France | Germany | Spain | Brazil | Mexico
--- | --- | --- | --- | --- | --- | --- | ---
CISOs are most worried about the runtime phase, underscoring the importance of runtime controls | 60% | 49% | 43% | 46% | 46% | 46% | 50%
CISOs believe application security would be easier to manage if vulnerability testing tools and observability solutions converged into a single platform that can provide the full context needed to manage digital services effectively | 92% | 86% | 91% | 87% | 87% | 88% | 94%
CISOs say it would be easier to deliver innovation at the speed the business needs if they had a single security platform that extends across the entire software lifecycle | 93% | 88% | 90% | 90% | 87% | 88% | 94%
CISOs say the only way for security to keep up with modern cloud-native application environments is to replace manual deployment, configuration, and management with automated approaches | 74% | 74% | 80% | 76% | 79% | 76% | 86%
About Dynatrace
Dynatrace provides software intelligence to simplify cloud complexity and accelerate digital transformation. With automatic and intelligent observability at scale, our all-in-one platform delivers precise answers about the performance and security of applications, the underlying infrastructure, and the experience of all users to enable organizations to innovate faster, collaborate more efficiently, and deliver more value with dramatically less effort. That’s why many of the world’s largest enterprises trust Dynatrace® to modernize and automate cloud operations, release better software faster, and deliver unrivalled digital experiences.
Eliminate security blind spots with automatic and intelligent observability
We hope this ebook has inspired you to take the next step in your digital journey. Dynatrace is committed to providing enterprises the data and intelligence they need to be successful with their enterprise cloud and digital transformation initiatives, no matter how complex.
If you are ready to learn more, please visit www.dynatrace.com/platform for assets, resources, and a free 15-day trial.
06.25.21 12595_EBK_cs