ARN

IoT, connected devices biggest contributors to expanding application attack surface

New report shines light on application security challenges impacting global businesses.

The growth of the internet of things (IoT) and connected devices are the biggest contributing factors to organisations’ expanding attack surfaces.

That’s according to a new report from Cisco AppDynamics, which revealed that 89 per cent of global IT professionals believe their organisation has experienced an expansion in its attack surface over the last two years.

The Shift to a Security Approach for the Full Application Stack report surveyed 1,150 IT professionals in organisations across a range of sectors and international markets to outline the current application security challenges impacting IT departments.

Businesses face significant application security risks in 2023

Along with IoT and connected device growth, rapid cloud adoption, accelerated digital transformation, and new hybrid working models have also significantly expanded the attack surface, the report noted.

Microservice-based application architectures and DevOps methodologies are playing a notable role too, exposing applications to new vulnerabilities, it added. These factors will affect the application security challenges businesses face in 2023, with 78 per cent of respondents stating their organisation’s full application stack could be vulnerable to attack over the next 12 months.

The top six application security challenges detailed in the report in 2023 are:

  • Lack of visibility into attack surfaces and vulnerabilities
  • Difficulty prioritising threats based on severity, impact, and business context
  • Discovery and protection of sensitive data
  • Issues keeping up with a rapidly changing application security landscape
  • Challenges balancing speed, application performance and security
  • Volume of security threats and alerts

Inefficient visibility and contextualisation of application security risks leave organisations in “security limbo” because they don’t know what to focus on and prioritise, 58 per cent of respondents said.

“IT teams are being bombarded with security alerts from across the application stack, but they simply can’t cut through the data noise,” the report read.

“It’s almost impossible to understand the risk level of security issues in order to prioritise remediation based on business impact. As a result, technologists are feeling overwhelmed by new security vulnerabilities and threats.”

Lack of collaboration and understanding between IT operations teams and security teams is having several negative effects too, the report found, including increased vulnerability to security threats and blind spots, difficulties balancing speed, performance and security priorities, and slow reaction times when addressing security incidents.

Tellingly, 55 per cent of technologists said they consider security to be more of an inhibitor than an enabler of innovation within their organisations.

Technology, culture shifts key to achieving DevSecOps

DevSecOps is key to addressing the application security risks modern businesses face, but the shift to a DevSecOps approach requires both technological and cultural change, the report stated.

Increased automation to detect and block security issues is an avenue most respondents are exploring, but the report also exposed a need for ITOps/developer teams to become more aware of and knowledgeable about security, and for security professionals to gain a deeper understanding of application development and factors that affect performance.

One approach experts think can assist organisations in this area is to tailor security training to developers to help tackle risks.

This involves replacing outdated security education with awareness training that is more engaging and relevant for developers to better impart the knowledge required to match the threat landscape and dynamic technology fundamentals of application security.