AppSec Spaghetti on the Wall Tool Strategy Undermining Security

At many organizations, the attitude to securing software appears to be throwing a lot of technology at the problem, a new study finds.

New research suggests that the strategy for many companies to reduce application security risk is to simply stack up on multiple tools and hope they do the job.
Radware recently surveyed some 300 senior executives, security researchers, app developers, and IT professionals from organizations with worldwide operations. The survey focused on the types of application security technologies that organizations are deploying; responsibility for the AppSec function; the most prevalent threats and other topics related to Web application security.
The security vendor discovered that a high percentage of organizations are using an array of technologies — not always optimized for interoperability — to try and keep AppSec risks low.
Seventy-five percent in the survey had a Web Application Firewall (WAF), 63% a cloud WAF service, 59% did code reviews and 53% were using tools for dynamic application security testing (DAST), static testing (SAST) and runtime application self protection (RASP). More than half of those using containers also had container security tools including those specific to Docker.
While this may sound promising, it feels like organizations are taking the spaghetti on the wall approach, to application security Radware said in a blog this week. They hope that having multiple solutions in place will do the job.
And Radwares data showed that for a majority of companies, that strategy is not working especially well, at least in terms of a breach mitigation standpoint. Ninety percent of the organizations that Radware surveyed had experienced an application security related data breach, and nearly the same proportion — 88% — reported application-level attacks throughout the year. The most common security issues included access violations, SQL-injection, DoS and protocol attacks, session/cookie poisoning, API manipulations, and cross-site request forgery.
We found that while embracing emerging technologies and concepts — and following all security practices — attacks happen [because] organizations struggle to adjust the required structures, roles, processes, and skillsets, says Ben Zilberman, senior product marketing manager at Radware.
Containers, Microservices Proliferate
Radware
found
a majority of organizations have moved away from a predominantly monolithic application model to architectures that are more oriented towards microservices, containers, and serverless-infrastructures.
More than two-thirds (67%) had deployed microservices/containers, and 90% had a DevOps or DevSecOps team in place. Some of the organizations with DevSecOps teams said they had at least one DevSecOps professional for every six software developers. Others pegged the ratio at one for every 10.
The data suggests that many organizations are embracing new technologies and approaches to keep up with broader digital transformation goals. But attitudes towards security have still to catch up. DevOps teams focused on agility often settle for a good enough or even a hell no approach to security, Radware said.
Not surprisingly, while its the CISO or CSO whos primarily responsible for enterprise security, at many organizations they are not the ones calling the shots on application security. Radware found that the broader IT department is still the main influencer for security tools selection, policy definition, and application security implementation. When it comes to tool selection, in fact, Radware found the CISO has less of a say than IT, the business owner, and the DevOps team.
The fact that DevOps and security are still equal powers in terms of influence and [that] its still IT that has the most weight in decision making is surprising, says Zilberman.
False confidence in technology is another issue. Sixty-seven percent of the respondents in the Radware survey described open-source code as being more secure — though many have identified it as being one of the primary sources of security vulnerabilities in software. Sixty-eight percent felt that microservices provide for better security and 77% believed that going serverless would help improve proactive defense capabilities.
The biggest mistake that organizations are making is assuming that technology itself can solve all the problems, Zilberman notes. To make the best use, they should engage security professionals better and let them be business enablers rather than pushing them off, he says.
Related Content:
Web App Vulnerabilities Flying Under Your Radar
APIs Get Their Own Top 10 Security List
Microservices Flip App Security on Its Head
6 Serverless and Containerization Trends CISOs Should Track
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
Works of Art: Cybersecurity Inspires 6 Winning Ideas

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
AppSec Spaghetti on the Wall Tool Strategy Undermining Security