Siloed teams, point solutions and cloud ecosystem complexity are making it more likely that software vulnerabilities slip into production, CISOs have admitted.
Observability specialist Dynatrace polled 1300 global CISOs in large organizations with more than 1000 employees to compile its 2023 Global CISO Report.
Over two-thirds (68%) of respondents said that vulnerability management is more difficult because of the complexity of their software supply chain and cloud ecosystem, while three-quarters (75%) claimed siloed teams and DevSecOps point solutions mean that critical vulnerabilities are being missed.
Prioritization and visibility are two key challenges. Only 50% of CISOs are fully confident that software has been completely tested for vulnerabilities before going live, and 77% said it is difficult to know which to fix first because they don’t have information about the risk these bugs pose to their environment.
For example, over half (58%) of vulnerability alerts flagged as “critical” are not actually important in production, meaning they are false positives that do nothing but waste development time.
Read more on cloud security challenges: Cloud Security Alerts Take Six Days to Resolve.
Each team member in development and app security spends an average of 11 hours, or 28% of their weekly time, on vulnerability management tasks that could be automated, Dynatrace claimed.
The vast majority (81%) of those CISOs polled for the report claimed that effective DevSecOps processes would help them arrest this trend and stop vulnerabilities before they reach production. Yet only 12% claimed to have a mature DevSecOps function.
Dynatrace CTO, Bernd Greifeneder, argued that organizations are struggling to balance the needs for faster innovation with governance and safety controls.
“The growing complexity of software supply chains and the cloud-native technology stacks that provide the foundation for digital innovation make it increasingly difficult to quickly identify, assess, and prioritize response efforts when new vulnerabilities emerge,” he added.
“These tasks have grown beyond human ability to manage. Development, security, and IT teams are finding that the vulnerability management controls they have in place are no longer adequate in today’s dynamic digital world, which exposes their businesses to unacceptable risk.”