
©2021 Dynatrace

Precise, automatic risk and impact assessment is key for DevSecOps

Global CISO report


What’s inside

Section 1: Cloud-native architectures and multicloud environments have broken traditional approaches to application security

Section 2: Faster innovation has made it more difficult to manage security vulnerabilities effectively

Section 3: Vulnerability scanners and manual processes don’t work in a cloud-native world

Section 4: Security teams are overwhelmed by alerts, making it difficult to prioritize vulnerability remediation

Section 5: Fully automated runtime security is essential to the future of vulnerability management and DevSecOps

Section 6: The Dynatrace difference

Introduction

This report is based on a global survey of 700 CISOs in large enterprises with over 1,000 employees, conducted by Coleman Parkes and commissioned by Dynatrace in 2021. The sample included 200 respondents in the U.S., 100 each in the UK, France, Germany, and Spain, and 50 each in Brazil and Mexico.

Section 1

Cloud-native architectures and multicloud environments have broken traditional approaches to application security

Demand for faster innovation is driving organizations toward agile, cloud-native architectures built on microservices, containers, and Kubernetes. The dynamic nature of these container-based environments, however, makes it harder for teams to detect and manage application security vulnerabilities.

89% of organizations say microservices, containers, and Kubernetes have created application security blind spots

CISOs say the following factors impact their ability to detect and manage software vulnerabilities:

65% Microservice application architectures
62% Container runtime environments
59% Hybrid or multicloud environments

Traditional security tools, which were designed for an era with static IT environments, are unable to provide the same level of monitoring and protection they once did. Previously, a single monthly scan allowed teams to identify most vulnerabilities before they could be exploited. In containerized environments, lifespans are measured in days, or even hours. Security teams are left struggling with a barrage of alerts and false positives and yet they are still faced with multiple blind spots where their tools simply cannot provide visibility.

Section 2

Faster innovation has made it more difficult to manage security vulnerabilities effectively

Organizations are also embracing agile software delivery approaches to keep up with the demand for digital innovation, including the use of open-source code libraries and DevSecOps practices. However, these approaches shift responsibility “left” by asking DevOps teams to ensure code is free from vulnerabilities, though they often don’t have the resources to do this effectively.

Developers often don’t have time to conduct manual security scans, or the resources needed to automatically differentiate between potential vulnerabilities and critical exposures. This makes it harder for DevSecOps teams to drive faster, more secure release cycles, and enables even the most common vulnerabilities to slip through into containerized production environments, where they’re missed by traditional security tools.

85% of CISOs say application and DevOps teams must take more responsibility for vulnerability management to protect the organization effectively

CISOs say the shift to modern delivery models has impacted their ability to detect and manage software vulnerabilities, due to:

63% New ways of working (i.e., DevOps and Agile development practices)
60% Faster release or delivery cycles

71% of CISOs say they’re not fully confident code is free of vulnerabilities before going live in production

CISOs highlight these problems related to software vulnerability management:

64% say developers don’t always have time to resolve vulnerabilities before code goes into production
45% say developers lack the skills they need to take responsibility for security
31% say application and DevOps teams often don’t work with the security team to avoid slowing down
28% say application teams sometimes bypass vulnerability scans to speed up delivery

Section 3

Vulnerability scanners and manual processes don’t work in a cloud-native world

In dynamic cloud-native environments, containers spin up and down within seconds, and dependencies between microservices are constantly shifting, sometimes crossing over cloud boundaries. Against this backdrop, manual impact assessment has become impossible, as the dependencies between vulnerable components change rapidly.

74% of CISOs say traditional security controls such as vulnerability scanners are no longer fit for purpose in today’s cloud-native world

Vulnerability scanners only offer a static view at a single moment in time, and they also lack the ability to differentiate between a potential risk and an actual exposure. As a result, they are largely ineffective.

Alternative approaches, such as scanning source code or container images in pre-production environments, cannot offer real-time visibility into live exposures. This means vulnerabilities often remain undetected in production, where attackers can exploit them.

CISOs highlight several challenges with existing security tools and approaches, including:

69% say security tools slow down DevOps because they focus on just one stage of the software delivery lifecycle
63% say it’s become more difficult for security tools to keep up with the rapid change of containerized environments
53% say it can be difficult to detect vulnerabilities that were discovered post-deployment quickly enough to minimize the risk
38% say lack of context on application vulnerabilities makes it hard to find and apply fixes quickly

29% is the average proportion of time application security teams in large enterprises (1,000+ employees) spend each week doing vulnerability management tasks that could be automated*

$1.51 million is the average annual labor cost organizations incur for the time their application security teams spend on manual vulnerability management tasks that could be automated*

*Calculated based on the average percentage of security teams’ time collectively spent on manual vulnerability management tasks each week (29%), applied to organizations’ average total spend ($5.22 million) on security team and contractor salaries per annum.

3% of organizations have real-time visibility into runtime vulnerabilities in containerized production environments

68% of organizations admit they only scan for vulnerabilities in production once a month or less

Section 4

Security teams are overwhelmed by alerts, making it difficult to prioritize vulnerability remediation

Not only do traditional security tools often miss which code and libraries are running in production, they also fail to distinguish between potential vulnerabilities and critical exposures. As a result, teams are bombarded with thousands of alerts, many of which turn out to be false positives or low priority.

On average, organizations need to react to 2,169 new alerts of potential application security vulnerabilities each month. BUT… only 42% of these application security vulnerability alerts actually require actioning.

This, paired with the limited context teams have for the real vulnerabilities that surface, makes it very difficult for organizations to understand their risk exposure, and leaves DevSecOps teams unable to prioritize which issues to target for resolution. Instead, they waste countless people-hours triaging long lists of vulnerabilities, which steals valuable time from innovation and leaves organizations exposed to critical risks.

CISOs highlight challenges their teams face when dealing with security vulnerability alerts:

77% say most security alerts and vulnerabilities are false positives that don’t require actioning as they’re not actual exposures
68% say the volume of alerts makes it very difficult to prioritize vulnerabilities based on risk and impact
57% say alerts lack information needed to ensure the most critical vulnerabilities are fixed first

Section 5

Fully automated runtime security is essential to the future of vulnerability management and DevSecOps

Organizations will only be able to ensure the security of their cloud-native applications if they empower DevSecOps teams to identify and understand the precise impact of runtime vulnerabilities in their production environments in real-time. To do so, they need a single platform-based approach that eliminates any blind spots by offering observability across their cloud-native environment and all stages of the software development lifecycle.

By combining this approach with AI and automation, DevSecOps teams can gain precise answers about the cause, nature, and impact of vulnerabilities in real-time, helping to eliminate false positives, prioritize alerts, and reduce their reliance on manual security tests and scans.

Ultimately, this will free DevSecOps teams to drive faster, more secure release cycles, and accelerate innovation for the organization and its customers.

50% of CISOs are most worried about the runtime phase, underscoring the importance of runtime controls

89% of CISOs believe application security would be easier to manage if vulnerability testing tools and observability solutions converged into a single platform that can provide the full context needed to manage digital services effectively

90% of CISOs say it would be easier to deliver innovation at the speed the business needs if they had a single security platform that extends across the entire software lifecycle

77% of CISOs say the only way for security to keep up with modern cloud-native application environments is to replace manual deployment, configuration, and management with automated approaches

Section 6

The Dynatrace difference

Dynatrace® Application Security enables teams to accelerate DevSecOps processes through automation and the elimination of mundane work. Runtime application security automatically and continuously analyzes applications, libraries, and code at runtime in production and pre-production.

This helps ensure development teams don’t have blind spots and are not wasting time chasing false positives. In addition, this provides the C-suite with confidence in the security of their cloud-native production deployments.

Why Dynatrace is radically different:

Deploy with confidence through continuous automatic coverage for dynamic containerized cloud-native stacks

Prevent, identify, and resolve exposures faster with precise automatic risk and impact assessment

Reduce false positives and focus DevSecOps teams on resolving vulnerabilities that matter

All-in-one observability and security powered by the Dynatrace Software Intelligence Platform

Appendix — Global Data Summary

Table 1: Cloud-native architectures and multicloud environments have broken traditional approaches to application security

    U.S.    UK      France  Germany Spain   Brazil  Mexico

Organizations say microservices, containers, and Kubernetes have caused application security blind spots
    92%     88%     89%     89%     88%     82%     86%

Table 2: Cloud-native architectures and multicloud environments have broken traditional approaches to application security

Factors impacting ability to detect and manage software vulnerabilities
    U.S.    UK      France  Germany Spain   Brazil  Mexico

Microservice application architectures
    70%     54%     69%     60%     68%     62%     70%

Container runtime environments
    66%     56%     62%     59%     60%     56%     74%

Hybrid or multicloud environments
    61%     49%     67%     62%     66%     44%     44%

Table 3: CISOs say the shift to modern delivery models has impacted their ability to detect and manage software vulnerabilities

    U.S.    UK      France  Germany Spain   Brazil  Mexico

New ways of working (i.e., DevOps and Agile development practices)
    70%     60%     71%     60%     67%     38%     52%

Faster release or delivery cycles
    67%     53%     70%     58%     56%     50%     54%

Table 4: CISOs say the shift to modern delivery models has impacted their ability to detect and manage software vulnerabilities

    U.S.    UK      France  Germany Spain   Brazil  Mexico

Application and DevOps teams must take more responsibility for vulnerability management
    85%     81%     85%     88%     85%     90%     84%

CISOs say they are not fully confident code is free of vulnerabilities before going live in production
    54%     77%     67%     87%     75%     80%     84%

Table 5: CISOs admit they encounter problems addressing software vulnerabilities, including:

Factors impacting ability to detect and manage software vulnerabilities
    U.S.    UK      France  Germany Spain   Brazil  Mexico

Developers don’t always have time to resolve vulnerabilities before code goes into production
    61%     70%     55%     78%     64%     44%     72%

Developers lack the skills they need to take responsibility for security
    36%     41%     42%     43%     61%     44%     62%

Application and DevOps teams often don’t work with the security team to avoid slowing down
    30%     24%     37%     41%     33%     26%     22%

Application teams sometimes bypass vulnerability scans to speed up delivery
    21%     28%     25%     38%     25%     22%     48%

Table 6: Vulnerability scanners and manual processes don’t work in a cloud-native world

    U.S.    UK      France  Germany Spain   Brazil  Mexico

Traditional security controls such as vulnerability scanners are no longer fit for purpose in today’s cloud-native world
    74%     80%     74%     80%     78%     64%     58%

Organizations that do not have real-time visibility into runtime vulnerabilities in containerized production environments
    97%     96%     97%     99%     100%    92%     98%

Organizations that only scan for vulnerabilities in production once a month or less
    54%     70%     73%     80%     74%     74%     78%

Table 7: Challenges with existing security tools and approaches highlighted by CISOs

    U.S.    UK      France  Germany Spain   Brazil  Mexico

Security tools slow down DevOps because they focus on just one stage of the software delivery lifecycle
    68%     82%     67%     84%     65%     40%     60%

It’s become more difficult for security tools to keep up with the rapid change of containerized environments
    62%     75%     61%     69%     57%     60%     54%

It can be difficult to detect vulnerabilities that were discovered post-deployment quickly enough to minimize the risk
    54%     49%     55%     49%     52%     58%     54%

Lack of context on application vulnerabilities makes it hard to find and apply fixes quickly
    32%     40%     32%     44%     43%     38%     44%

Table 8: Time and labor costs of manual vulnerability management

    U.S.    UK      France  Germany Spain   Brazil  Mexico

Average percentage of time application security teams waste per week on vulnerability management tasks that could be automated
    30%     28%     27%     28.5%   26.5%   33%     30%

Average annual labor cost organizations incur for the time their application security teams spend on manual vulnerability management tasks that could be automated ($m)
    $1.12   $1.96   $1.55   $1.37   $1.63   $1.67   $1.85

Table 9: Security teams are overwhelmed by alerts

    U.S.    UK      France  Germany Spain   Brazil  Mexico

Average number of alerts to potential application security vulnerabilities that organizations receive each month
    2,026   2,230   1,600   3,018   1,921   2,305   2,422

Percentage of application security vulnerability alerts that require actioning
    47%     41%     42%     37%     36%     46%     36%

Table 10: Security teams are overwhelmed by alerts

Challenges teams face when dealing with security vulnerability alerts
    U.S.    UK      France  Germany Spain   Brazil  Mexico

Most security alerts and vulnerabilities are false positives that don’t require actioning as they are not actual exposures
    70%     78%     74%     86%     88%     64%     88%

The volume of alerts makes it very difficult to prioritize vulnerabilities based on risk and impact
    60%     67%     72%     87%     63%     62%     66%

Alerts lack information needed to ensure the most critical vulnerabilities are fixed first
    52%     67%     69%     66%     49%     32%     52%

Table 11: Fully automated runtime security is essential to the future of vulnerability management and DevSecOps

    U.S.    UK      France  Germany Spain   Brazil  Mexico

CISOs are most worried about the runtime phase, underscoring the importance of runtime controls
    60%     49%     43%     46%     46%     46%     50%

CISOs believe application security would be easier to manage if vulnerability testing tools and observability solutions converged into a single platform that can provide the full context needed to manage digital services effectively
    92%     86%     91%     87%     87%     88%     94%

CISOs say it would be easier to deliver innovation at the speed the business needs if they had a single security platform that extends across the entire software lifecycle
    93%     88%     90%     90%     87%     88%     94%

CISOs say the only way for security to keep up with modern cloud-native application environments is to replace manual deployment, configuration, and management with automated approaches
    74%     74%     80%     76%     79%     76%     86%

About Dynatrace

Dynatrace provides software intelligence to simplify cloud complexity and accelerate digital transformation. With automatic and intelligent observability at scale, our all-in-one platform delivers precise answers about the performance and security of applications, the underlying infrastructure, and the experience of all users to enable organizations to innovate faster, collaborate more efficiently, and deliver more value with dramatically less effort. That’s why many of the world’s largest enterprises trust Dynatrace® to modernize and automate cloud operations, release better software faster, and deliver unrivalled digital experiences.


Eliminate security blind spots with automatic and intelligent observability

We hope this ebook has inspired you to take the next step in your digital journey. Dynatrace is committed to providing enterprises the data and intelligence they need to be successful with their enterprise cloud and digital transformation initiatives, no matter how complex.

If you are ready to learn more, please visit www.dynatrace.com/platform for assets, resources, and a free 15-day trial.

©2021 Dynatrace


06.25.21 12595_EBK_cs