Gartner research finds no single tool protects app security


Overcoming the challenges of securing devops and software supply chains against malicious, unpredictable attacks with new technologies dominates Gartner’s latest Hype Cycle for Application Security. One of the more concerning insights from this year’s hype cycle is that no single application security innovation can deliver comprehensive security. In light of this, CISOs are also forcing the consolidation of their tech stacks to improve their teams’ efficiency at identifying risks while reducing costs.

Consolidating tech stacks while improving cloud security by removing the risk of misconfiguration is a high priority for CISOs and is reflected throughout the hype cycle. Seventy-five percent of organizations that responded to a separate Gartner trends survey say they are actively pursuing security vendor consolidation.

It’s unsurprising to see cloud-native application protection platforms (CNAPP) and software-as-a-service (SaaS) security posture management (SSPM) included in the hype cycle for the first time, given the challenges organizations face in securely integrating cloud instances. However, service mesh, dynamic data masking (DDM), and business-critical application security have all been dropped from this year’s hype cycle. Gartner explained that it dropped service mesh because it is generally challenging to use and delivers limited results.

Consolidation drives app security growth

Gartner’s latest forecast projects end-user spending in the information security and risk management market to reach $169.2 billion this year. The research giant predicts that this will increase to $261.9 billion in 2026, a constant-currency compound annual growth rate (CAGR) of 11.1% from 2021 to 2026. On top of that, Gartner also predicts that spending on application security will more than double in the coming years, growing from $6 billion this year to $13.7 billion by 2026. Application security is the second-fastest-growing segment of the market, projected to grow at a CAGR of 22.7% between 2021 and 2026, second only to cloud security spending, which is growing at a CAGR of 24.6%.


CrowdStrike’s success in turning consolidation into a growth strategy became clear at this year’s Fal.Con 2022. The cybersecurity provider’s ability to capitalize on telemetry data using artificial intelligence (AI) and machine learning (ML) continues to improve. As a result, its customers are willing to invest in its solutions because they help reduce application clutter while keeping tech stacks current with the latest technologies, all on a cloud platform. What’s new in this year’s hype cycle shows how devops, software supply chains, and cloud security dominate enterprises’ priorities, balanced by the need to consolidate tech stacks to reduce risk.

Securing devops dominates

In its hype cycle report on app security, Gartner wrote that, “Application security is now top of mind for developers and security staff, and the attention is now going to applications deployed in public clouds.” 

Securing devops and ensuring app security is a high priority for Gartner clients. Given Gartner’s emphasis on this area in the hype cycle and its remarks across recent reports on application security, one can infer that its clients are looking to secure devops quickly.

Here are some highlights of the most significant new additions to the application security hype cycle from a devops standpoint:

4 new devops-focused technologies added to secure supply chains

DevSecOps, software composition analysis (SCA), application security orchestration and correlation (ASOC), and security service edge (SSE) are on the hype cycle for the first time this year. SCA is used for application security testing, including identifying potential supply chain risks in open-source code, and it has also proven helpful for identifying known vulnerabilities in code.

Security service edge (SSE) allows a business and its remote systems to support virtual workforces and enforce security policies governing access to cloud services, private applications, web apps, and the web.

3 categories added reflect app security’s rapid evolution

Software bills of materials (SBOMs), cloud-native application protection platforms (CNAPP), and SaaS security posture management (SSPM) are the three new categories added by Gartner this year.

SSPM is the fastest growing of the three, as CISOs and their teams struggle to secure SaaS-based devops workflows, cloud app deployment, and app lifecycle support.

Software bills of materials (SBOMs) are core to application security

According to Gartner, “SBOMs can provide software engineering and vendor risk management teams with increased transparency into how software gets built, which components make up that software, and how quickly security vulnerabilities can be identified and remediated.” 

Getting SBOMs right is essential for an enterprise to secure its devops process and ensure the quality of the resulting cloud apps deployed across the organization. The reason is that SBOMs aim to solve the challenges of working with and sharing open-source software.

While multiple devops teams may use the same open-source components, there needs to be greater consistency in traceability, compliance, and vulnerability tracking across that code. Gartner cites the need for common SBOM standards, such as SPDX and CycloneDX. Devops teams have successfully used these to create a stable, consistent infrastructure and a data exchange format.
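To show the transparency an SBOM gives in practice, here is an added example (not from the article or from Gartner) that reads a constructed CycloneDX JSON document and matches its components against a constructed advisory list keyed by package URL (purl). The component names, advisory IDs and fixed versions are all illustrative placeholders, and the version comparison is a simplified dotted-numeric compare that ignores pre-release tags.

```python
"""Match a CycloneDX SBOM's components against a list of known-vulnerable versions."""
import json
import re

# Constructed CycloneDX 1.4 JSON SBOM; names and versions are illustrative only.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "logging-core", "group": "com.example",
     "version": "2.14.1", "purl": "pkg:maven/com.example/logging-core@2.14.1"},
    {"type": "library", "name": "examplehttp", "version": "2.31.0",
     "purl": "pkg:pypi/examplehttp@2.31.0"},
    {"type": "library", "name": "example-utils", "version": "4.17.21",
     "purl": "pkg:npm/example-utils@4.17.21"}
  ]
}"""

# Constructed advisory feed (placeholder IDs, not a real vulnerability database):
# version-less purl -> (advisory id, first fixed version).
ADVISORIES = {
    "pkg:maven/com.example/logging-core": ("EXAMPLE-ADV-1", "2.17.1"),
    "pkg:npm/example-utils": ("EXAMPLE-ADV-2", "4.17.21"),
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts count as 0 (simplified)."""
    out = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def load_components(sbom_json):
    """Return (version-less purl, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    comps = []
    for c in doc.get("components", []):
        purl = c.get("purl", "")
        # purl encodes '@' inside names as %40, so the first bare '@' starts the version.
        comps.append((purl.split("@", 1)[0], c.get("version", "")))
    return comps


def find_affected(sbom_json, advisories=ADVISORIES):
    """List (purl, version, advisory id, fixed version) for components below the fix."""
    hits = []
    for base, version in load_components(sbom_json):
        if base in advisories:
            adv_id, fixed = advisories[base]
            if parse_version(version) < parse_version(fixed):
                hits.append((base, version, adv_id, fixed))
    return hits
```

A component already at the fixed version (here example-utils 4.17.21) is correctly not reported, while the out-of-date logging-core is.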

Getting cloud configurations right to reduce breaches

Most cloud breaches happen because of misconfigurations and errors in cloud configurations. SaaS security posture management (SSPM) was designed to address how complex those configurations are and how challenging it is to get integrations right without putting infrastructure at risk. SSPM tools reduce the risk of misconfiguration by relying on real-time monitoring and continuous scanning to identify permissions that aren’t consistent with usage policies and to eliminate configuration mistakes. Leading vendors offering SSPM include Adaptive Shield, AppOmni, Atmosec, DoControl, Obsidian, Palo Alto Networks, RevCult, Zilla Security, Zscaler and others.

What’s on the horizon for app security

Gartner’s hype cycle for app security shows that no single platform can secure devops, its software supply chain, and an organization’s continuous integration and deployment (CI/CD) pipeline. Instead, the hype cycle is most useful as a framework for prioritizing which application security innovations make the most sense for a given business’s security needs.

Developers and engineers are becoming more involved in securing their organization’s devops and DevSecOps processes. The core concepts of SBOMs and software composition analysis (SCA) need to guide how devops teams implement zero-trust network access (ZTNA) across their organizations, hardening the software delivery pipeline. Devops teams also need to look at how ZTNA-based frameworks can help improve API security within the CI/CD pipeline.

Devops and app security are moving targets, attracting significant innovation — and cyberattackers looking to out-innovate solutions providers and the enterprises using them. The latest hype cycle shows how critical it is to get the core areas of devops security right at a foundational level.

Originally appeared on: TheSpuzz