
79% of CISOs say ongoing runtime vulnerability management is a key capability to keep up with the increasing complexity of multicloud environments

Dynatrace, the benchmark in Software Intelligence, announces the results of its latest independent global survey of 1,300 chief information security officers (CISOs) in large organizations. The research reveals that the speed and complexity brought by using multicloud environments, multiple coding languages and open source software libraries are making vulnerability management difficult. The study indicates that 75% of CISOs say that, despite having a multi-layered security posture, persistent gaps in coverage allow vulnerabilities to reach software in production.

As a consequence, the research highlights the growing need for observability and security convergence, paving the way for AISecDevOps practices. This will empower organizations with a more effective way to manage runtime vulnerabilities and the ability to detect and block attacks in real time. The report states that observability and security must converge to enable effective vulnerability management.

The survey results include important points such as:

– 69% of CISOs say vulnerability management has become more difficult as the need to accelerate digital transformation has increased.

– More than three-quarters (79%) of CISOs say that automatic and continuous management of vulnerabilities at runtime is critical to filling the gap in capabilities of existing security solutions. However, only 4% of organizations have real-time visibility into runtime vulnerabilities in containerized production environments.

– Only 25% of security teams can access a fully accurate and continuously updated report of every application and code library running in production in real time.

“These findings underscore that it is always possible for vulnerabilities to go unnoticed by security teams, regardless of how robust their defenses are. Both new applications and stable legacy software are prone to vulnerabilities that are most reliably detected in the production and analysis stages. Log4Shell was the poster child for this issue and there will undoubtedly be other scenarios like this in the future,” says Bernd Greifeneder, Chief Technology Officer at Dynatrace.

The executive also highlights that most organizations still do not have real-time visibility into runtime vulnerabilities. “The issue stems from the increasing use of cloud-native delivery practices, which enable greater business agility but also introduce new complexity for vulnerability management, attack detection and blocking. The rapid pace of digital transformation means that already overworked teams are bombarded by thousands of security alerts that make it impossible to see through the noise and focus on what matters. Teams find it impossible to manually respond to all alerts and organizations are exposed to unnecessary risk by allowing vulnerabilities to escape into production.”

The report with the CISOs also includes findings such as:

– On average, organizations receive 2,027 alerts of potential application security vulnerabilities each month.

– Less than a third (32%) of the application security vulnerability alerts organizations receive each day require action, compared to 42% last year.

– On average, application security teams waste 28% of their time on vulnerability management tasks that can be automated.

“Organizations realize that to effectively manage vulnerabilities in the age of the Cloud, security must become a shared responsibility. Convergence between observability and security is critical to giving development, operations, and security teams the context they need to understand how applications are connected, where vulnerabilities are, and what actions need to be prioritized. This accelerates risk management and incident response”, reinforces Greifeneder.

“To be truly effective, organizations must look for solutions that have AI and automation capabilities at their core, enabling the evolution of AISecDevOps. These solutions empower your teams to quickly identify and prioritize vulnerabilities at runtime, block attacks in real-time, and fix software flaws before they can be exploited. This means teams can stop wasting time in war rooms or chasing false positives and potential vulnerabilities that will never make it to production. Instead, they confidently deliver better, more secure software faster.”

The report is based on a global survey of 1,300 CISOs in large organizations with more than 1,000 employees and was conducted by consultancy Coleman Parkes and commissioned by Dynatrace in April 2022. The sample included 200 respondents in the United States, 100 leaders from each country in the UK, France, Germany, Spain, Italy, Nordic countries, the Middle East, Australia and India, and 50 information security officers from each country in Singapore, Malaysia, Brazil and Mexico.
