
6 ironclad security steps to bulletproof your cloud-native environment

Here are the six steps organisations need to take to ensure robust application security within modern application stacks

With the explosion in the number of cyber-attacks and their increased sophistication over the last few years, application security is now a high priority for technologists in the region, and across the globe for that matter.

IT teams have been operating under relentless pressure to increase application velocity and deliver ever more intuitive and personalised digital experiences to customers and employees. As a result, application security has largely failed to keep pace. The latest research from Cisco AppDynamics, The shift to a security approach for the full application stack, reveals that all of the technologists surveyed in the UAE feel that rapid innovation during the pandemic has come at the expense of robust application security.

With the availability of low-code and no-code platforms, IT teams have been able to develop apps at ever higher speeds and run them across a multitude of platforms. Application components increasingly run on a mix of platforms and on-premises databases, greatly expanding the attack surface and leaving applications increasingly exposed to gaps in security.

Fully aware of the risks this presents, technologists are urgently looking to evolve their approach to application security to manage risk across cloud-native applications and architectures.

Based on the research, there are six steps organisations need to take to ensure robust application security within modern application stacks.

1. Securing the full application stack

A security approach that accounts for the full application stack delivers complete protection for applications, from development through to production, across code, containers and Kubernetes. Not surprisingly, according to the research, 93 percent of technologists in the Emirates state that the implementation of a security approach for the full application stack is now a priority for their organisation.

With runtime application self-protection (RASP), technologists can protect applications from the inside out, wherever they live and however they are deployed. They can see what is happening inside the code to prevent known exploits and simplify vulnerability fixes. Developers can generate targeted insights into their application environments that allow them to respond to threats at scale — whether that’s in containers, on-premises, or in the cloud — and integrate security throughout the entire application lifecycle.

2. Automation to continuously detect and prioritise threats

Robust automation strengthens security postures, identifying threats and resolving them independently of an administrator. This reduces human error, increases efficiency, and drives greater agility in development — enabling teams to ship and deploy applications even faster.

Automation can also help to contextualise security, correlating risk in relation to other key areas such as the application, user and business. Business transaction insights enable technologists to measure the importance of threats based on severity scoring, factoring in the context of the threat. This means that they can prioritise threats that could damage a business-critical area of the environment or application. Technologists can cut through the data noise caused by high volumes of security alerts and focus on the things that really matter.
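One way to put that kind of context-aware prioritisation into practice, as an added illustration that is not code from the article or from Cisco AppDynamics: the finding format, the business-context table, the 1-5 criticality scale, the exposure multiplier and the sample alerts below are all constructed assumptions. The script collapses repeated alerts for the same issue, then scales each finding's raw severity by the criticality of the business transaction the affected component serves, so a critical-rated issue on a low-value component ranks below a medium one sitting on the payment path.

```python
"""Contextual prioritisation of security findings.

Added illustration, not code from the article or from Cisco AppDynamics.
Field names, weightings and the sample data are assumptions chosen to show
how raw severity can be combined with business context so that the few
alerts touching business-critical transactions rise to the top.
"""

# Constructed sample findings (not real alerts). Each names the component it
# fired on, a detection signature, a CVSS-style base severity (0-10) and how
# many times that signature fired.
FINDINGS = [
    {"id": "F-1", "component": "checkout-api", "signature": "sqli-order-lookup", "severity": 7.5, "count": 3},
    {"id": "F-2", "component": "marketing-blog", "signature": "rce-cms-plugin", "severity": 9.8, "count": 1},
    {"id": "F-3", "component": "checkout-api", "signature": "sqli-order-lookup", "severity": 7.5, "count": 2},
    {"id": "F-4", "component": "payments-worker", "signature": "outdated-tls-lib", "severity": 5.3, "count": 40},
    {"id": "F-5", "component": "internal-wiki", "signature": "xss-search", "severity": 6.1, "count": 1},
]

# Constructed business context: component -> (business transaction served,
# criticality on a 1-5 scale, whether the component is internet-facing).
BUSINESS_CONTEXT = {
    "checkout-api": ("place-order", 5, True),
    "payments-worker": ("charge-card", 5, False),
    "marketing-blog": ("read-blog", 1, True),
    "internal-wiki": ("staff-docs", 2, False),
}

DEFAULT_CRITICALITY = 3      # assumption: unmapped components get a middling weight
EXPOSURE_MULTIPLIER = 1.25   # assumption: internet-facing components weigh heavier


def contextual_priority(severity, component, context):
    """Scale a raw severity by the criticality of the transaction the
    component serves and by its exposure. Returns (priority, transaction)."""
    transaction, criticality, internet_facing = context.get(
        component, ("unknown", DEFAULT_CRITICALITY, True))
    weight = criticality / 5
    if internet_facing:
        weight *= EXPOSURE_MULTIPLIER
    return severity * weight, transaction


def prioritise(findings, context):
    """Collapse repeated alerts with the same signature on the same component
    into one issue, then return the issues highest contextual priority first.
    Repeat count is kept for reporting but does not inflate the priority."""
    merged = {}
    for f in findings:
        key = (f["component"], f["signature"])
        entry = merged.setdefault(key, {
            "component": f["component"], "signature": f["signature"],
            "severity": f["severity"], "occurrences": 0, "ids": []})
        entry["occurrences"] += f["count"]
        entry["ids"].append(f["id"])
        entry["severity"] = max(entry["severity"], f["severity"])
    for entry in merged.values():
        entry["priority"], entry["transaction"] = contextual_priority(
            entry["severity"], entry["component"], context)
    return sorted(merged.values(), key=lambda e: e["priority"], reverse=True)


def triage_queue(findings, context, threshold):
    """Return only the issues whose contextual priority meets the threshold,
    i.e. the short list a team should look at first."""
    return [e for e in prioritise(findings, context) if e["priority"] >= threshold]


if __name__ == "__main__":
    for e in prioritise(FINDINGS, BUSINESS_CONTEXT):
        print(f"{e['priority']:5.2f}  {e['component']:<16} {e['transaction']:<12} "
              f"{e['signature']} (x{e['occurrences']}, {', '.join(e['ids'])})")
```

With the constructed data, the 9.8-severity plugin issue on the marketing blog drops to third place behind a 7.5 on the checkout path and a 5.3 on the payments worker, and the two checkout alerts collapse into one issue; the raw list of five alerts becomes a queue of two items at a threshold of 5.0.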

Simon Pearce, CTO Advisor, APJC, Cisco AppDynamics

3. Lead with a DevSecOps approach

82 percent of technologists in the UAE believe that DevSecOps — which integrates application security throughout the development cycle — is critical to effectively protecting against multi-stage security attacks.

With DevSecOps, security becomes a consideration at every stage of the application lifecycle and a shared responsibility. Rather than security being an afterthought, DevOps works with SecOps to identify and prioritise security issues at every step, resulting in better, more secure products and improved security management before, during, and after release.

4. Invest in upskilling developers and engineers

Currently, only 63 percent of UAE technologists are fully confident that they have the skills required to manage current application security threats. This skills gap is something that organisations need to address as a matter of priority, through upskilling and cross-skilling.

In particular, the shift to a DevSecOps approach will require all technologists, whether they come from the development, performance or security side, to broaden their skill sets to be able to work effectively as part of an integrated application team. So security professionals will have to develop new skills and greater understanding in application development, and developers will need to become more knowledgeable about security.

88 percent of technologists in the Emirates believe that successful modern technologists are those who can be both specialists in their particular field and generalists across other areas of the technology stack.

5. Embed Artificial Intelligence into application security processes

Given the volume and sophistication of threats organisations in the region are facing, it is imperative that they lean into Artificial Intelligence (AI) and Machine Learning (ML) to identify gaps, predict vulnerabilities and automate processes to remediate any security holes. As bad actors ramp up their use of AI and ML, it’s vital that enterprise security teams don’t fall behind. AIOps extend human capabilities in multiple cybersecurity tasks, including monitoring, assessing, and resolving security issues — freeing up security teams to focus on higher-value issues and enabling them to collaborate more effectively and strategically throughout the development lifecycle.

The need for AI will only increase in the future — 88 percent of UAE technologists believe that AI will play an increasingly important role in addressing the challenges around speed, scale and skills that their organisation faces in application security.

6. Look to integrate SREs into the organisation

Site Reliability Engineer (SRE) is now one of the most sought-after roles in the IT industry.

Many development and operations teams have traditionally operated with a ‘silo mentality’, with essentially conflicting goals. Development teams have prioritised release velocity and product features above all else, while ops teams have been focused solely on production stability, ensuring that applications don’t suffer from performance issues or outages.

The SRE role is crucial to overcome this long-standing conflict of interests, bringing together these two functions for the overall benefit of the project, end users and business.

And at the risk of belabouring the point, application security can no longer be an afterthought within the application lifecycle; instead, it must be embedded in the process from the very outset. A holistic and integrated strategy for application security is now essential for organisations to reap the benefits of cloud-native technologies while managing an increasingly complex risk landscape.