Dynatrace has released the findings from its 2022 CISO Report. Application security continues to be the fastest growing attack surface for most companies, and CISOs face a number of challenges in managing it.
The application landscape is changing rapidly, not just from a development perspective or from a monitoring and reliability perspective, but also in terms of application security. In this episode of TFiR Let’s Talk, Swapnil Bhartiya sits down with Amit Shah, Director of Product Marketing at Dynatrace, to discuss the changes seen in the security landscape with this increasingly quick pace of digital transformation. Shah takes a deep dive into the key findings from the Dynatrace 2022 CISO Report and also shares insights into the challenges CISOs (chief information security officers) are facing.
In addition, he shares his tips for securing applications and how Dynatrace’s application security solution is helping people navigate these security complexities.
Key highlights of this video interview are:
- Dynatrace aims to deliver answers and intelligent automation from data in order to enable secure and flawless transactions. The company primarily focuses on cloud applications, although it covers most types of applications. Shah gives an introduction to the company and what areas of the observability segment it covers.
- The Dynatrace report aims to uncover the current state of application security from a CISO’s perspective, understanding how application vulnerabilities are being managed and the challenges CISOs are facing. Shah explains that it is a relatively new concern, which is now the fastest growing attack surface for most companies.
- Securing the software supply chain continues to be a big concern since most modern applications’ code is made up of 80% open source components with new vulnerabilities being discovered all the time. Shah explains why the traditional method of finding vulnerabilities is not effective and the repercussions of this approach.
- Shah shares some of the more surprising findings from the CISO report, of which probably the most shocking was that only 4% of CISOs have visibility into vulnerabilities in a runtime environment.
- Finding security talent is at an all-time level of difficulty, and it is hard for CISOs to find the manpower to tackle application vulnerabilities. In light of this, technology is being used to bridge this gap and take the heat off the skills shortage. Shah shares how technology solutions like Dynatrace’s are being used to tackle these problems.
- Shah goes into depth about Dynatrace’s application security solution and its unique approach to securing cloud-native workloads, explaining how the runtime vulnerability analysis works. He also explains the DevSecOps automation solution and how it is helping automate handoffs between security, development, and back.
- Dynatrace’s mission is to provide answers from data. Shah explains how their Davis AI engine provides the true criticality of any given vulnerability by looking at where it sits in the topology of the application. Shah discusses how this process helps users get to the answers and not just the data.
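The re-prioritisation idea in the two bullets above (the advisory severity is the worst case; the real risk depends on whether the vulnerable library is actually loaded, whether the process is reachable from the internet, and whether it touches sensitive data) can be shown with a small worked example. This is an added illustration, not Dynatrace’s or Snyk’s code and not the logic of the Davis AI engine. The CVE identifiers are placeholders, the library and process names and the exposure flags are constructed sample data, and the weighting (present-but-unexposed 0.25, internet-facing +0.5, sensitive data +0.25) is an assumed scheme chosen for readability.

```python
"""Contextual vulnerability prioritisation over constructed SCA findings and runtime topology.

Added example. Assumed data model: a Finding carries the advisory CVSS base score
(the maximum possible severity); a Process carries what runtime observability is
assumed to report about it (loaded libraries, internet exposure, sensitive data).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str          # placeholder identifier, not a real CVE
    library: str      # vulnerable component named by the advisory
    cvss: float       # advisory base score = worst-case severity


@dataclass(frozen=True)
class Process:
    name: str
    loaded_libraries: frozenset  # libraries actually loaded at runtime (assumed input)
    internet_facing: bool        # reachable from the internet (assumed input)
    touches_sensitive_data: bool # reads/writes customer or other sensitive data (assumed input)


# Constructed sample data.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-0001", "log4j-core", 10.0),
    Finding("CVE-PLACEHOLDER-0002", "commons-text", 9.8),
    Finding("CVE-PLACEHOLDER-0003", "jackson-databind", 7.5),
]

PROCESSES = [
    Process("api-gateway", frozenset({"log4j-core", "netty"}), True, False),
    Process("payments-worker", frozenset({"jackson-databind", "hikari"}), False, True),
    Process("batch-reporter", frozenset({"poi", "hikari"}), False, False),
]


def contextual_score(finding, processes):
    """Return (score, reasons) for one finding.

    Score is 0.0 when no running process loads the vulnerable library (present in an
    image or on disk is not the same as executing). Otherwise the advisory score is
    scaled by an assumed exposure factor: 0.25 for merely being loaded, +0.5 if any
    loading process is internet-facing, +0.25 if any loading process touches
    sensitive data. A fully exposed library keeps its full advisory score.
    """
    hosts = [p for p in processes if finding.library in p.loaded_libraries]
    if not hosts:
        return 0.0, ["library not loaded by any running process"]

    reasons = ["loaded by: " + ", ".join(p.name for p in hosts)]
    factor = 0.25
    if any(p.internet_facing for p in hosts):
        factor += 0.5
        reasons.append("internet-facing process")
    if any(p.touches_sensitive_data for p in hosts):
        factor += 0.25
        reasons.append("touches sensitive data")
    return finding.cvss * factor, reasons


def prioritize(findings, processes):
    """Rank findings by contextual score, highest first.

    Returns a list of (cve, advisory_cvss, contextual_score, reasons) tuples so the
    caller can see how far the runtime context moved each finding from its worst case.
    """
    ranked = []
    for f in findings:
        score, reasons = contextual_score(f, processes)
        ranked.append((f.cve, f.cvss, score, reasons))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


if __name__ == "__main__":
    for cve, cvss, score, reasons in prioritize(FINDINGS, PROCESSES):
        print(f"{cve}: advisory {cvss:4.1f} -> contextual {score:4.2f}  ({'; '.join(reasons)})")
```

Running the block shows the point the interview makes: the 9.8 advisory score for the unloaded library drops to zero, while the log4j finding on the internet-facing gateway stays near the top. A real implementation would take the library and exposure facts from an observability agent rather than from hand-written data, and would treat “not loaded right now” as a reason to lower priority, not to ignore the finding.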
Snapshot of key findings from the CISO report from the video interview:
- 67% of CISOs say development teams do not have enough time to scan for vulnerabilities before any release or fix is moved into production.
- Less than half of CISOs that were surveyed in the report were confident all Log4Shell vulnerabilities were fully eradicated.
- 75% of CISOs are worried that too many application vulnerabilities are leaking into production despite taking a multilayer approach.
- 69% of CISOs feel that vulnerability management has become more difficult with digital transformation.
- 4% of CISOs have real-time visibility into vulnerabilities in a runtime environment.
Connect with Amit Shah (LinkedIn)
The summary of the show is written by Emily Nicholls.
Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.
Swapnil Bhartiya: Hi. This is your host, Swapnil Bhartiya, and welcome to another episode of TFiR. Today, we have with us, Amit Shah, director of product marketing at Dynatrace. Amit, it’s good to have you on the show.
Amit Shah: Oh, very nice to be here, Swapnil. Thanks for having me.
Swapnil Bhartiya: Today we are going to talk about the Dynatrace study related to the CISO research report. Before we go there, of course, we have covered Dynatrace on a regular basis, but since you are here, I would love to just quickly give viewers what Dynatrace is all about, so that we will understand from the perspective of this report.
Amit Shah: Yeah, sure. Certainly, Swapnil, so, at the very highest level, Dynatrace’s mission, is to deliver answers and intelligent automation from data. And we do this in order to enable secure and flawless transactions. And we primarily focus on cloud applications, although we cover pretty much any kind of application. We’re a market leader in the observability segment, that includes everything from application performance monitoring, to digital experience monitoring, infrastructure monitoring, and most recently, now, application security.
And so, yeah, that’s who we are and what we do. And yeah, in the application security space, we’re fairly new, but we have a very unique observability field offering in the space that can add an additional layer of security for DevOps teams and DevSecOps teams.
Swapnil Bhartiya: Excellent. And that helps us to also understand what was the goal behind this report that you’re focusing on releasing. And if you can also talk about the frequency of the report, is it the first time, or you have been doing it for a while?
Amit Shah: Yeah. So, this is the second annual CISO report. We’ve been doing this since last year. And the purpose of the report is really just to uncover the current state of application security from a CISO’s perspective. And we were trying to primarily understand how application vulnerabilities are being managed and how CISOs are feeling about the opportunities they might have, or some of the challenges they might be facing as they relate to application vulnerabilities, whether they’re open source components or custom code.
It’s one of the largest and fastest growing attack surfaces for most companies. And so, it’s a very important space that traditionally CISOs might not have had to worry about as recently as just a few years ago, potentially.
Swapnil Bhartiya: Right. I will talk about the report in depth, but before we go there, I also want to understand how has the security landscape changed, especially we are talking about cloud work, I mean, but not everybody’s moving to cloud. There are a lot of folks which are still on-prem and, you know, there is a lot of applications which are running locally as well.
So, if you look at the whole evolution of how we are writing and deploying applications, how has the security landscape changed? Not only from the perspective of the support, you have been doing it for two years now, but from your perspective in general, because you have been looking at the industry for so long.
Amit Shah: There’s a few different ways, I think the most important way in which the… Whether your application is on-prem or in the cloud, I think it’s undisputable that the pace of change in digital transformation is changing the application landscape, not just from a development perspective, from a monitoring and reliability perspective, but also, from an application security perspective. There was a time when you could do releases of software once every six months, or once every 18 months. The frequency of releases has now been shortened to anywhere from two to three times a week, many times, up to just once every week or a couple of weeks.
And so, it’s a very fast pace of development. And with that fast pace of development and digital transformation, that has introduced some new and unique challenges for application security specifically. 67% of CISOs say the developing teams don’t really have enough time to scan for vulnerabilities before any release or fix is moved into production. Log4Shell, for example, that was a fairly recent application security vulnerability.
Less than half of CISOs that were surveyed in this report were confident that all Log4Shell vulnerabilities were fully eradicated, and this report was done like three to four months after Log4Shell first came out. And so, this fast pace of development is one of the reasons why there are new challenges coming up in terms of application vulnerabilities.
And 75% of CISOs are worried that too many application vulnerabilities are leaking into production despite taking a multilayer approach. Combine that with the pace of development and the fact that developers simply don’t have the time to fix everything before it goes out. It means that CISOs really need a new way to add another layer of security at runtime to catch things that might have slipped through the cracks through the development process.
Swapnil Bhartiya: Now, when we talk about application security, what’s also interesting, you talk about some points there, is also software supply chain. Because what is happening is we are consuming more and more open source code base. It’s not just that applications are coming from different, or packages are coming from different sources, within the same package, there are different libraries, there are different frameworks.
Then, if you look at just container images, there are different multiple maintenance and providers of the same package as well. So, how much of that is also a concern where you also have to keep an eye on the source or software supply chain of whatever is going finally into your application?
Amit Shah: That’s a huge concern. Like in most modern applications, more than 80% of the code base is composed of these open source components. And there are new vulnerabilities being discovered in these components all the time. There is a constant stream of new vulnerabilities being added to the CVE database, and a lot of them are severe. But the other thing to remember about the severity of those vulnerabilities is that is the maximum possible severity, that doesn’t necessarily… Just because a vulnerability is potentially severe, does not mean that it’s actually severe for you.
And so, what ends up happening is that your traditional ways of finding these vulnerabilities, like software composition analysis, or vulnerability assessments, they typically only tell you the most severe outcome or the most severe thing that could happen if the vulnerability was exploited. But the reality is that, many times, those vulnerabilities are not actually in the execution path of the application, meaning, they’re present somewhere, but they’re not actually exploitable.
Sometimes, those vulnerabilities are not actually either adjacent to the internet, meaning, they’re not actually exploitable, or they’re not next to any interesting source of data like customer data or anything like that. And so, even if you were… And so, they don’t really take into account the vulnerability impact.
And so, teams are often, then, left with thousands of such vulnerabilities that they need to sift through. And there’s no way to know which one is actually the significant one without doing a lot of analysis and spending a lot of time and this is time that development teams simply don’t have.
Swapnil Bhartiya: Now, let’s just talk about the report quickly. Now, we had a very good discussion around how the situation, the state of application vulnerability, not just, if you look at this report, how much of the discussion we just had, some of the findings that aligned with that, or if you can share, hey, these were some of the key findings which gave us incentive, either you were expecting, hey, this is what is happening, or you’re like, oh my God, we would not expect that, and this is what is the reality there.
Amit Shah: Yeah. I guess one of the surprising things, if you want to call it that, of the report, was how unsurprising some of the findings were. I think the fact that 79% of CISOs are worried that too many vulnerabilities are slipping into production. We knew that that’s always a concern on the part of CISOs, but the fact that so many of them recognize it, I think at this point, is, I think, somewhat interesting and surprising.
The fact that vulnerability management has become more difficult with digital transformation is another… Something that you might expect, but is surprising to see the level to which CISOs recognize this. 69% of CISOs feel that vulnerability management has become more difficult with digital transformation. But at the same time… And this was, I think, the true shocker for me personally, only 4% of CISOs actually have visibility into vulnerabilities in a runtime environment.
They might know that a file that could be vulnerable is present somewhere in their runtime environment, but whether it’s actually in production, whether it’s actually being run or not, virtually, nobody has visibility into that. And I think that, to me, was the most shocking, or surprising result from this report.
Swapnil Bhartiya: When we look at this report, and also, as you’re talking about the vulnerability, how empowered are today’s CISOs to actually tackle these risks that are there? When I talk about empowered, it could be either technological solutions that are there, cultural awareness is there. And third is also that the velocity that they have to maintain to release it. Because when you have vulnerability, you cannot update it, you cannot release it. And then, last but not least, there’s a big gap in supply and demand of skilled folks as well. So, you don’t even have enough folks who can do that.
So, talk about, when CISOs, they do look at their number, they talk about it, but they’re like, what can we do about it?
Amit Shah: Yeah. So, tackling, I guess, from a people, process and technology standpoint, how empowered CISOs might be to tackle these issues, I think from a people standpoint, finding security talent has never been harder, right? CISOs are resource-constrained even more so than the rest of us. One of our partners, Snyk, they have an interesting statistic that they say, which is that for every eight developers, there’s typically only one security ops person.
You know, the ratio for… Especially given the rise in application vulnerabilities, it’s very difficult for CISOs to find the manpower to do this. And so, it becomes extremely important to have technology in order to be able to help really find what are the true vulnerabilities out there that you really do need to fix so that you can continue to remain safe and secure.
There are technology solutions like ours out there to help CISOs with that problem. In fact, we are actually one of the very few technology solutions out there that can help CISOs tackle this problem, and do so in a way that’s easy to adopt and in a way that does not introduce any additional risk into your overall application runtime.
A lot of past attempts at solving this problem have resulted in application instability, have been really complicated to adopt. And so, one of the things that CISOs and everyone in general should be looking at is how easy it is to adopt these solutions, how much risk they add, and whether they actually provide the insights required to solve the problem.
So I think from a technology standpoint, it is looking promising. We’re definitely here to help. From a process standpoint, again, there’s been a lot of talk about silos between development and security. And so, it’s extremely important to be able to bridge those silos through a common view of what’s happening within the application and in the runtime environment. So, a solution like ours, especially ours, is pretty uniquely positioned to provide that, because we are, typically, in use by development and operations teams, and now, security teams can get additional visibility that they were not able to in the past.
So that’s one way to break that silo. And the other way is through automation, like the handoff process from development to security, or… sorry. From security to development has typically been one that’s a little fraught, in part because developers and security teams are looking at different sets of data in order to be able to make decisions about how critical a vulnerability is.
And so, having one common view and automating the handoffs between development and security would be probably the way to address these concerns from a process perspective.
Swapnil Bhartiya: Can you talk about solutions? I do want to get quickly into Dynatrace’s solutions. So, if you can just quickly talk about… I mean, of course, you do have different portfolios for different… But if you can just specifically talk about application security, that would be great.
Amit Shah: Yeah, for sure. So, our application security solution is a unique approach to securing cloud native workloads. And we do that by providing an additional layer of security that complements all the other security tools and practices that you might have in place right now. Whatever it is that you’re doing, you should probably keep doing it.
Each one of these serves a particular purpose, but in order to be able to solve the issues we mentioned around just general, the alert storms, the ability to prioritize what you truly need to fix, automating handoffs, for that, we have a pretty unique solution. And we’re constantly enhancing it, constantly adding new capabilities to it.
But where we started with the solution is in runtime vulnerability analysis. And so, that’s the ability to see, in your runtime environment, what are your key vulnerabilities, and how severe are they actually, by taking into account, whether the vulnerabilities are sitting next to… Are they exploitable, meaning, are they next to the internet? Are they critical? Meaning, do they have access to sensitive data?
So, we do this by being one of the few security solutions out there that’s actually topology aware. And one of the reasons we’re able to do this is because of our observability background. And so, Dynatrace is one of the few observability solutions out there that is able to map the entire topology of hosts, entities, applications, processes. And so, with this level of visibility, we can tell exactly which code is running, compare that in real time to one of the best vulnerability databases out there that’s provided by our partner, Snyk.
So, a case in point, when Log4Shell was out, when that was first announced, our customers were able to pinpoint within less than an hour after this vulnerability was announced, whether they had it in their environment, where it was and what the urgency was in order to be able to fix it. So that’s one part of the solution.
Complementary to that, we also have DevSecOps automation, which covers some of the process aspects that we just talked about, to automate handoffs between security and development and back. And we also have runtime application protection as well, which is the ability to detect and block common types of attacks, like SQL injections or command injections or JNDI attacks, the types of things that are commonly associated with vulnerabilities, whether they’re open source or custom code.
Because the reality is that even after you’ve identified a vulnerability in your application, you know where it is, you know you need to fix it, rolling out a fix to it, if you’re looking at an open source vulnerability to which there’s a known solution, that could still take days or even weeks. And if you’re looking at custom code, that could take weeks or even months to figure out how to best fix that vulnerability.
And so, in the interim, the customers have the ability to block the attack that would’ve exploited that vulnerability. So, that’s the third thing that we do.
Swapnil Bhartiya: When we talk about observability, without actionability, absolutely, you know, knowing that something went wrong, that’s fine, but doing something about it is equally important. So, can you look at it from that perspective as well, and what Dynatrace is doing there?
Amit Shah: Absolutely. And so, coming back to our mission, our mission is to provide answers from data. Not just provide you with the data itself, not just put it up on a pretty dashboard, so that you can go and figure out what you need to do with it. And we do that through our Davis AI engine. And specifically within the application security landscape, the Davis AI engine is able to give you the true criticality of any given vulnerability by looking at where the vulnerability is in the topology of the application.
Again, whether it’s adjacent to… Whether it’s actually exploitable or not. And so, with that information, you can then decide whether or not, one, this is something you need to fix now, or if it’s something you can do in the due course of application development processes, and what mitigation steps you can take to prevent the vulnerability from being exploited.
We’re a firm believer in the ability to provide not just information and data, but answers as well with the use of AI.
Swapnil Bhartiya: Excellent. I think, now, I have everything that was there in my notes. Is there anything else, or you think that we have covered everything that was there today?
Amit Shah: I think we’ve covered everything, unless, yeah… So, in case anyone wants to check out more findings, there’s a real treasure trove of actionable insights in the report. I would highly recommend you go to dynatrace.com and find it in the resources section.
Swapnil Bhartiya: Amit, thank you so much for taking time out today, and not only discussing the findings from this report, but also, sharing your insights about how to actually secure those applications. That was, I think, most valuable and useful there. So, thanks for sharing those insights. And I would love to have you back on the show, not just to discuss the next report, but to talk about how the whole security landscape is evolving and changing. Thank you.
Amit Shah: Thank you very much for having me, and thank you for the opportunity, Swapnil, it was truly an honor.