Firms fear software stack breach as attack surface widens

Almost 80% believe their organization is vulnerable to multi-tiered cyber attacks that can impact the entire application stack in the next 12 months, with 48% noting that an expanded attack surface has posed more challenges.
Written by Eileen Yu, Senior Contributing Editor

Organizations feel they are vulnerable to multi-tiered cyber attacks that can impact the entire software stack, as they face more challenges with a widening attack surface. As it is, 92% acknowledge making compromises in application security due to the urgency to innovate and respond to changing customer needs during the global pandemic.


In fact, all respondents in Singapore admitted the rush to innovate had come at the expense of security during software development, according to a study released by Cisco Systems AppDynamics. The global survey polled 1,150 IT organizations across 13 markets, including Australia, India, Japan, Germany, the UK, and the US, all of which had a turnover of more than $500 million with the exception of Colombia, which included companies with more than $100 million in revenue.

Across the board, 78% believed their business was vulnerable to multi-staged security attacks over the next 12 months that could affect their entire software stack. Some 89% said they now had a wider attack surface compared to two years ago, with 46% noting this already was posing more challenges. 

Some 59% pointed to an increased use of Internet of Things (IoT) and connected devices as the main reason they now had a wider attack surface, while 56% cited an accelerated cloud adoption and 51% said rapid digital transformation expanded their attack surface. 

The majority, at 88%, acknowledged more could be done to secure their modern applications across the entire software lifecycle. However, 81% said insufficient software security skills and resources were proving a challenge for their organization, with 78% noting that the lack of a shared vision between their application development and security teams would pose a challenge to software security over the next 12 months.

Respondents pointed to various software security challenges they would face this year, including a lack of visibility into attack surfaces and vulnerabilities, protecting sensitive data, and difficulties prioritizing threats based on severity and business context.

"The widespread adoption of multi-cloud environments and availability of low-code and no-code platforms enable developers to accelerate release velocity and build more dynamic applications across more platforms," Eric Schou, Cisco AppDynamics' vice president and CMO, said in a post. "But with application components increasingly running on a mix of platforms and on-premises databases, this exposes visibility gaps and dramatically increases the risk of a security event."

He noted that 68% of respondents said their security tools worked well in silos, but not cohesively, which resulted in an inability to gain a comprehensive view of their organization's security posture.


Schou added: "New cybersecurity threats are exposing flaws in traditional approaches to application security and, in particular, the lack of input that security has had into the application development process. In many organizations, there has been little, if any, ongoing collaboration between developer and security teams. They have only engaged when a security issue has arisen, essentially when it is already too late."

He noted that more IT departments were now embracing a DevSecOps approach, which helped ensure the integration of application security and compliance testing across the software development lifecycle. "Developers can embed robust security into every line of code, resulting in more secure applications and easier security management before, during, and after release," he said.

Some 93% of respondents also believed it was important to contextualize security, so they could correlate risks in relation to other key areas such as software performance, user experience, and business metrics. This would allow them to better prioritize vulnerability fixes based on potential business impact, the study found. 

In Singapore, 96% said the ability to contextualize security was essential. Another 88% pointed to the adoption of a security framework that encompasses the entire software stack as a priority for their business. Some 81% noted that a lack of software security skills and resources was a challenge for their organization, with 96% saying their attack surface had widened over the last two years. Another 81% believed they were vulnerable to a multi-staged security attack over the next 12 months.

Some 37% of respondents in Singapore said they had taken their first steps in adopting a DevSecOps model, while 58% were considering doing likewise.

Across the globe, 76% believed a DevSecOps approach was important to enable companies to effectively protect against multi-staged cyber attacks targeting the software stack. Some 43% had started adopting this application development model, while 46% were considering doing likewise. 
