Tool sprawl is hurting application security, US CSOs say

Eight out of the top 10 data breaches in 2023 can be attributed to application attack surfaces, as attackers shift focus from classic infrastructure configurations to targeting vulnerable applications and APIs, according to a study from CrowdStrike.

Eight breaches alone exposed around 1.7 billion records, according to the study, which surveyed 400 US-based security professionals across different industries.

“Companies are getting more mature around securing the basic infrastructure with tooling like cloud security posture management (CSPM) as their first line of defense against attacks,” said Raj Rajamani, head of products at CrowdStrike. “Naturally, attackers are moving to the newer and weaker links, or to the path of lower resistance: the applications.”

The CrowdStrike survey, which focused on application security (AppSec), found that complex code architectures and poor security reviews were adding to the application attack surface.

Evolving coding architecture adds to complexity

The survey found that as the number of applications, the number of development teams, and the frequency of deployment increased, the number of programming languages used within an organization grew too, adding to the security workload.

Java, JavaScript, Python, and C++ were the cloud-native application programming languages with the highest deployment frequencies in 2023, but they’re being joined by others.

“Newer languages show up every few years and it definitely adds to the complexity,” Rajamani said. “For instance, Golang and Rust have become popular in the last two-three years. The tooling used for security reviews and finding application vulnerabilities isn’t always mature enough to support new languages and generally needs time to catch up.”

Documentation is often a sticking point, regardless of language. While 71% of organizations reported releasing application updates at least once a week, teams are still using manual documentation (74%) and spreadsheets (68%) to catalog and inventory their applications and APIs. The over-reliance on manual effort, the study points out, makes these inventories error-prone.
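One way to replace a hand-maintained spreadsheet is to derive the API inventory from the service's own OpenAPI document, so every deploy can regenerate it. The script below is an added example, not something the survey or CrowdStrike published; the OpenAPI document, the service name and the endpoints in it are constructed for illustration. It lists each operation with its effective authentication requirement and flags state-changing operations that have no security scheme at all.

```python
"""Build an API inventory from an OpenAPI 3 document instead of a spreadsheet.

Added example; the document below is constructed and does not describe a real service.
"""
import json

# Constructed OpenAPI 3 document: a global bearer-token requirement, one intentionally
# public endpoint (/health), and one DELETE that accidentally drops the global requirement.
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "orders-service", "version": "2.1.0"},
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"security": []}},
        "/orders": {"get": {}, "post": {}},
        "/orders/{id}": {
            "get": {},
            "delete": {"security": []},
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def inventory_endpoints(openapi_json: str) -> list[dict]:
    """Return one inventory row per (method, path) with its effective auth requirement."""
    doc = json.loads(openapi_json)
    global_security = doc.get("security", [])
    rows = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level "parameters", "summary", etc.
            # Per the OpenAPI spec, an operation-level "security" list replaces the global
            # one, and an empty list means the operation needs no authentication.
            effective = op.get("security", global_security)
            schemes = sorted({name for req in effective for name in req})
            rows.append({
                "service": doc["info"]["title"],
                "version": doc["info"]["version"],
                "method": method.upper(),
                "path": path,
                "auth": schemes,
                "unauthenticated": len(schemes) == 0,
            })
    return rows


def unauthenticated_mutations(rows: list[dict]) -> list[str]:
    """Flag state-changing operations reachable without any security scheme."""
    return [f"{r['method']} {r['path']}" for r in rows
            if r["unauthenticated"] and r["method"] in {"POST", "PUT", "PATCH", "DELETE"}]


if __name__ == "__main__":
    rows = inventory_endpoints(SAMPLE_OPENAPI)
    for r in rows:
        print(f"{r['method']:6} {r['path']:15} auth={','.join(r['auth']) or 'none'}")
    print("needs review:", unauthenticated_mutations(rows))
```

Run against real specs, the same script feeds a CI step that fails when a new unauthenticated mutation appears, which is the kind of check a spreadsheet cannot perform.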

The study also uncovered a lack of attention paid to security reviews.

Security requires more support

Survey respondents estimated that, on average, only 54% of major code changes undergo a full security review before deploying to production, with 22% of respondents reviewing 24% or fewer of their code changes.

That finding didn’t surprise Forrester senior analyst Janet Worthington.

“Cloud, containers, and DevOps tools have empowered product development teams to deploy more frequently,” said Worthington. “Teams are now able to release on a monthly, weekly, daily, and even hourly basis in some cases. Considering the limited number of security professionals in comparison to the number of developers, it is impossible for security teams to manually review all code changes.”

In order for security to scale, organizations must embrace a DevSecOps methodology where security validation is automated and integrated into developer workflows and CI/CD pipelines, she said.

“In this scenario, developers receive prompt feedback on the impact of their code changes on the application’s security posture, either through their IDE or a pull request,” Worthington added. “This allows developers to address any security findings before the code is integrated into the larger application.”
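The pull-request feedback loop Worthington describes looks, in its simplest form, like the gate below. It is an added example rather than any tool named in the article: it scans only the lines a change adds, applies a few deliberately simple rules (a secret-scanner or SAST engine would replace them in practice), emits GitHub Actions style `::error` annotations so findings appear inline on the pull request, and returns a non-zero exit code on blocking severities. The unified diff, file names and rule patterns are constructed for illustration.

```python
"""Minimal pull-request security gate: scan only added lines and annotate the PR.

Added example; the diff and the rules are constructed and not from any real project.
"""
import re
import sys

# Constructed unified diff: one file fixes a hardcoded token, the other introduces
# a shell=True call and a new hardcoded key.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,3 @@
 import os
-API_TOKEN = "sk_live_1234567890abcdef"
+API_TOKEN = os.environ["API_TOKEN"]
 DEBUG = False
diff --git a/app/jobs.py b/app/jobs.py
--- a/app/jobs.py
+++ b/app/jobs.py
@@ -10,4 +10,6 @@ def run(report_name):
     path = f"/tmp/{report_name}"
+    # new: shell out to render the report
+    subprocess.run(f"render {path}", shell=True)
+    AWS_SECRET_ACCESS_KEY = "EXAMPLEKEYthatIsNotReal0123456789"
     return path
"""

# (rule id, severity, pattern). Intentionally simple stand-ins for real scanners.
RULES = [
    ("hardcoded-secret", "high",
     re.compile(r"""(?i)(api[_-]?token|secret[_-]?access[_-]?key|password)\s*=\s*["'][^"']{8,}["']""")),
    ("shell-injection", "high", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
    ("dangerous-eval", "medium", re.compile(r"\beval\(")),
]

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff_text: str):
    """Yield (file, new_line_number, text) for every '+' line in a unified diff."""
    current_file = None
    new_lineno = None
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            new_lineno = None  # outside any hunk until the next @@ header
        elif line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
        elif (m := HUNK_HEADER.match(line)):
            new_lineno = int(m.group(1))  # first line number on the new side
        elif new_lineno is None:
            continue
        elif line.startswith("+"):
            yield current_file, new_lineno, line[1:]
            new_lineno += 1
        elif line.startswith("-"):
            pass  # removed lines do not advance the new-file counter
        else:
            new_lineno += 1  # context line


def scan_diff(diff_text: str) -> list[dict]:
    """Run every rule over added lines only, so the author sees just what they introduced."""
    findings = []
    for path, lineno, text in added_lines(diff_text):
        for rule_id, severity, pattern in RULES:
            if pattern.search(text):
                findings.append({"file": path, "line": lineno, "rule": rule_id, "severity": severity})
    return findings


def gate(diff_text: str, block_on=("high",)) -> int:
    """Return the CI exit code: 1 if any finding has a blocking severity, else 0."""
    findings = scan_diff(diff_text)
    for f in findings:
        # GitHub Actions workflow command; the runner renders it as an inline PR annotation.
        print(f"::error file={f['file']},line={f['line']}::{f['rule']} ({f['severity']})")
    return 1 if any(f["severity"] in block_on for f in findings) else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_DIFF))
```

Scanning only added lines is the design choice that keeps the feedback prompt and relevant: the removed hardcoded token in `config.py` produces no noise, and the two new problems in `jobs.py` are reported at the exact lines the author just wrote.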

AppSec suffers visibility and prioritization challenges

Security reviews took more than one business day for 81% of respondents, and 35% said a review took them more than three. The study attributes this to security teams facing alerts that have grown in both complexity and frequency.

When it comes to detecting and prioritizing vulnerabilities and threats, no one tool stands out, with 90% of respondents using three or more tools to do the job.

Prioritization was among the top three challenges for 61% of respondents, and 22% said deciding what to fix first was their top obstacle.

Multiple challenges made that prioritization difficult. These included receiving too many alerts (cited by 37% of respondents), having too many tools (31%), and the difficulty of correlating alerts among multiple tools (55%).
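The correlation problem the respondents describe is concrete: three tools report the same weakness in three schemas, and the duplicates and near-duplicates must be merged before anyone can decide what to fix first. The script below is an added example of that normalisation and ranking step; the three tool outputs and their field names are constructed and are not the real formats of any product, and the scoring weights are an illustrative assumption.

```python
"""Correlate findings from several scanners into one ranked worklist.

Added example; the tool outputs and schemas below are constructed for illustration.
"""
from collections import defaultdict

# Constructed outputs from three hypothetical tools, each with its own schema.
SAST_FINDINGS = [
    {"rule": "SQLI", "cwe": 89, "path": "api/orders.py", "line": 42, "sev": "HIGH"},
    {"rule": "XSS", "cwe": 79, "path": "web/render.py", "line": 17, "sev": "MEDIUM"},
    {"rule": "SQLI", "cwe": 89, "path": "api/orders.py", "line": 42, "sev": "HIGH"},  # exact duplicate
]
DAST_FINDINGS = [
    {"name": "SQL injection", "cwe": "CWE-89", "url": "/orders?id=", "source": "api/orders.py:42", "risk": 3},
    {"name": "Missing HSTS", "cwe": "CWE-319", "url": "/", "source": None, "risk": 1},
]
SCA_FINDINGS = [
    {"package": "pyyaml", "version": "5.3", "cwe": 502, "severity": "critical", "file": "requirements.txt"},
]

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
DAST_RISK = {3: "high", 2: "medium", 1: "low"}  # assumed mapping for the constructed DAST tool


def normalize() -> list[dict]:
    """Map each tool's schema onto one shape: tool, numeric CWE, location string, severity."""
    out = []
    for f in SAST_FINDINGS:
        out.append({"tool": "sast", "cwe": f["cwe"], "location": f"{f['path']}:{f['line']}",
                    "severity": f["sev"].lower()})
    for f in DAST_FINDINGS:
        cwe = int(f["cwe"].removeprefix("CWE-"))
        # A DAST hit proves the issue is reachable from outside; fall back to the URL
        # when the tool could not map it to source.
        out.append({"tool": "dast", "cwe": cwe, "location": f["source"] or f["url"],
                    "severity": DAST_RISK[f["risk"]], "exposed": True})
    for f in SCA_FINDINGS:
        out.append({"tool": "sca", "cwe": f["cwe"],
                    "location": f"{f['file']}:{f['package']}@{f['version']}",
                    "severity": f["severity"].lower()})
    return out


def correlate(findings: list[dict]) -> list[dict]:
    """Merge findings sharing (cwe, location); agreement between tools raises priority."""
    groups = defaultdict(lambda: {"tools": set(), "severity": "low", "exposed": False})
    for f in findings:
        g = groups[(f["cwe"], f["location"])]
        g["tools"].add(f["tool"])  # a set, so exact duplicates from one tool collapse
        if SEVERITY_WEIGHT[f["severity"]] > SEVERITY_WEIGHT[g["severity"]]:
            g["severity"] = f["severity"]
        g["exposed"] |= f.get("exposed", False)
    ranked = []
    for (cwe, loc), g in groups.items():
        # Assumed scoring: base severity, +1 per additional corroborating tool,
        # +2 if a dynamic scan showed it is reachable from outside.
        score = SEVERITY_WEIGHT[g["severity"]] + (len(g["tools"]) - 1) + (2 if g["exposed"] else 0)
        ranked.append({"cwe": cwe, "location": loc, "severity": g["severity"],
                       "tools": sorted(g["tools"]), "score": score})
    ranked.sort(key=lambda r: (-r["score"], r["location"]))
    return ranked


if __name__ == "__main__":
    for r in correlate(normalize()):
        print(f"{r['score']:2} CWE-{r['cwe']:<4} {r['severity']:8} {','.join(r['tools']):10} {r['location']}")
```

Six raw alerts become four work items, and the SQL injection that both the static and the dynamic scanner agree on outranks a lone critical dependency finding because two tools corroborate it and it is demonstrably exposed. The weights are the part a team tunes to its own environment; the normalisation step is what makes tuning possible at all.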

For Paul Furtado, vice president and analyst at Gartner, those numbers highlight the importance of finding a balance.

“It ultimately comes down to two items: efficacy and efficiency,” Furtado said. “The chosen tool must work in that it must be effective in finding the security holes, but equally important is the speed at which it happens. Each organization must decide whether the efficacy and efficiency needed for an organization lies within a single toolset or a combination of disparate tools.”

Sometimes the challenge isn’t related to technology per se, but rather corporate resistance to modify existing processes to accommodate the time necessary for security activities, Furtado added.
