Overcoming the challenges of securing devops and software supply chains against malicious, unpredictable attacks with new technologies dominates Gartner’s latest Application Security Hype Cycle. One of the most disturbing insights highlighted in this year’s hype cycle is that no single innovation in application security can provide comprehensive security. In light of this, CISOs are also forcing the consolidation of their tech stacks to improve the efficiency of their teams in identifying risks while reducing costs.
Consolidating technical stacks and improving cloud security by eliminating misconfiguration risks is a high priority for CISOs and reflected throughout the hype cycle. Seventy-five percent of organizations that responded to a separate Gartner trend survey say they are actively seeking to consolidate security vendors.
It’s not surprising to see cloud-native Application Protection Platforms (CNAPP) and Software-as-a-Service (SaaS) Security Posture Management (SSPM) enter the hype cycle for the first time, given the challenges organizations face in securely integrating cloud instances. However, service mesh, dynamic data masking (DDM), and mission-critical application security have all been dropped from this year’s hype cycle. Gartner explained that it dropped service mesh because it is generally challenging to use and produces limited results.
Consolidation Drives App Security Growth
Gartner’s latest forecast expects end-user spending on the information security and risk management market to reach $169.2 billion this year. The research giant predicts this will grow to $261.9 billion by 2026, a compound annual growth rate (CAGR) of 11.1% from 2021 to 2026. In addition, Gartner predicts that spending on application security will more than double in the coming years, growing from $6 billion this year to $13.7 billion by 2026. Application security is the second fastest growing segment of the market, expected to grow at a CAGR of 22.7% between 2021 and 2026, second only to cloud security spending, which is growing at a CAGR of 24.6%.
CrowdStrike’s success in turning consolidation into a growth strategy became apparent during this year’s Fal.Con 2022. The cybersecurity provider’s ability to take advantage of telemetry data using artificial intelligence (AI) and machine learning (ML) continues to improve. As a result, its customers are willing to invest in its solutions because they help reduce application clutter and keep tech stacks current with the latest technologies, all on a cloud platform. What’s new in this year’s hype cycle shows how devops, software supply chains, and cloud security dominate enterprise priorities, balanced against the need to consolidate tech stacks to mitigate risk.
Securing devops dominates
In its hype cycle report on app security, Gartner wrote, “Application security is now top of mind for developers and security personnel, and the focus is now on applications deployed in public clouds.”
Securing devops and ensuring app security is a high priority for Gartner’s customers. Given Gartner’s emphasis on this area in the hype cycle and its comments in recent application security reports, it is fair to infer that those customers want to secure devops quickly.
Here are some of the highlights of the major new additions to the application security hype cycle from a devops point of view:
Four new devops-focused technologies added to secure supply chains
DevSecOps, Software Composition Analysis (SCA), Application Security Orchestration and Correlation (ASOC), and Security Service Edge (SSE) are in the hype cycle for the first time this year. SCA is used for application security testing, including identifying potential supply chain risks in open source code.
SCA has also proven useful for identifying known vulnerabilities in code. Security Service Edge (SSE) enables a company and its remote systems to support virtual employees and enforce security policies for access to cloud services, private applications, web apps, and the Internet.
Three new categories reflect the rapid evolution of app security
Software Bill of Materials (SBOMs), cloud-native Application Protection Platforms (CNAPP), and SaaS Security Posture Management (SSPM) are the three new categories added by Gartner this year.
SSPM is the fastest growing of the three as CISOs and their teams struggle to secure SaaS-based devops workflows, cloud app deployment, and app lifecycle support.
Software Bill of Materials (SBOMs) are at the heart of application security
According to Gartner, “SBOMs give software engineering and vendor risk management teams greater transparency about how software is built, what components that software consists of, and how quickly security vulnerabilities can be identified and addressed.”
Having the right SBOMs is essential for an enterprise to secure the devops process and ensure the quality of the resulting cloud apps deployed across the organization. The reason is that SBOMs are meant to solve the challenges of working with and sharing open source software.
While multiple devops teams can use the same open source components, there is often little consistency in traceability, compliance, and vulnerability tracking for that code. Gartner notes the need for common SBOM standards, including SPDX and CycloneDX, which devops teams have successfully used to create a stable, consistent infrastructure and data exchange format.
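As an added example (not from the article or from Gartner), this is the kind of lookup an SCA tool performs over an SBOM: parse a constructed CycloneDX JSON document and flag components whose version predates the first fixed release in a constructed advisory list. All package names and advisory IDs below are placeholders, not real packages or CVEs.

```python
import json

# Constructed minimal CycloneDX JSON SBOM; the component names are not real packages.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.1.0",
     "purl": "pkg:npm/example-http@2.1.0"},
    {"type": "library", "name": "example-yaml", "version": "0.9.4",
     "purl": "pkg:pypi/example-yaml@0.9.4"},
    {"type": "library", "name": "example-crypto", "version": "3.0.1",
     "purl": "pkg:npm/example-crypto@3.0.1"}
  ]
}
"""

# Constructed advisory feed keyed by purl without version; "fixed" is the
# first patched version. The IDs are placeholders, not real CVEs.
ADVISORIES = {
    "pkg:npm/example-http": {"id": "ADV-CONSTRUCTED-0001", "fixed": (2, 1, 3)},
    "pkg:pypi/example-yaml": {"id": "ADV-CONSTRUCTED-0002", "fixed": (1, 0, 0)},
    "pkg:npm/example-crypto": {"id": "ADV-CONSTRUCTED-0003", "fixed": (3, 0, 0)},
}

def parse_version(text):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))

def load_components(sbom_json):
    """Return (purl_without_version, version_tuple) for each SBOM component."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for comp in bom.get("components", []):
        # purl ends in "@<version>"; split it off to match the advisory key
        base, _, version = comp["purl"].rpartition("@")
        out.append((base, parse_version(version)))
    return out

def find_vulnerable(sbom_json, advisories):
    """Return advisory IDs for components older than the first fixed version."""
    hits = []
    for base, version in load_components(sbom_json):
        adv = advisories.get(base)
        if adv and version < adv["fixed"]:
            hits.append(adv["id"])
    return hits
```

Running `find_vulnerable(SBOM_JSON, ADVISORIES)` flags the first two components; the third is already at or past its fixed version.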
Getting the right cloud configurations to reduce breaches
Most cloud breaches occur because of misconfigurations and cloud configuration errors. SaaS Security Posture Management (SSPM) is designed to meet this challenge, recognizing how complex configurations are and how hard it is to get integrations right without compromising infrastructure. SSPM tools reduce the risks of misconfiguration by relying on real-time monitoring and continuous scanning to identify permissions inconsistent with usage policies and eliminate configuration errors. Some of the leading vendors offering SSPM include Adaptive Shield, AppOmni, Atmosec, DoControl, Obsidian, Palo Alto Networks, RevCult, Zilla Security, Zscaler, and others.
What’s ahead for app security
Gartner’s app security hype cycle shows that no single platform can secure an organization’s devops, software supply chain, and continuous integration and deployment (CI/CD) pipeline. Instead, the hype cycle is most useful as a framework for prioritizing which application security innovations best fit a given company’s security needs.
Developers and engineers are increasingly involved in securing their organization’s devops and DevSecOps processes. The core concepts of SBOMs and software composition analysis (SCA) should guide how devops teams implement zero-trust network access (ZTNA) in their organizations, strengthening the software delivery pipeline. Devops teams should also look at how ZTNA-based frameworks can help improve their API security within the CI/CD pipeline.
Devops and app security are moving targets, attracting significant innovations — and cyber attackers looking to outpace the solution providers and the companies that use them. The latest hype cycle shows how critical it is to get the fundamentals of devops security right.
VentureBeat’s mission is to be a digital town square for tech decision-makers to learn about transformative business technology and transactions. Discover our briefings.