the challenges of rapid digital transformation – PCR

As many businesses seek to digitally transform, Sean Leach, Chief Product Architect at Fastly, explains how many are unprepared for the security issues that this entails…

A year of transformation
The pandemic has accelerated the need for many businesses to digitally transform, from offering virtual services to customers to suddenly shifting to remote working. This shift has also triggered an increase in cybersecurity threats, with more than 50% of organizations experiencing security breaches and cyberattacks in 2020.[1] These two developments increased the vulnerability of companies that had to quickly adjust their web applications and security tools. In fact, recent research found that almost half (46%) of organizations said their security infrastructure was not ready to handle the changes brought on by COVID-19.[2]

This growing demand for digital transformation means that security is becoming more complex and costly for organizations as they are increasingly required to protect traditional and new architectures, in addition to cloud environments. As such, this article will discuss current security issues facing those looking to digitally transform.

Web applications and API security
The pandemic has introduced a wave of new fraud trends, causing many businesses to turn to more advanced web applications and API security tools. The National Cyber ​​Security Center – part of GCHQ – has revealed that it has identified more internet scams in the past year than in the previous three years combined. In a recent survey we conducted at Fastly, we found that more than half of organizations (54%) believe that most, if not all, of their applications will use APIs in the next two years.[3]. Additionally, despite a projected increase in API enforcement, 50% of organizations said web application and API security is more challenging than it was two years ago, indicating difficulties in maintaining adequate security in new application architectures.[4]. This is further supported by research from Salt Labs which found that 94% of organizations experienced an API-related security issue in the past year.[5]

But what is driving these difficulties? Mainly the shift to public cloud and API-centric applications without a modern security solution to support these innovations. As organizations rush to implement faster, more agile technology, they overlook security offerings that protect those technologies or use ineffective tools.

Ineffective tools resulting in lost revenue
Fastly found that, overall, UK businesses deploy an average of 11 web applications and API security tools, spending nearly £365,000 on these assets. However, 40% of all security alerts are still false positives. Additionally, 1 in 4 UK businesses (23%) have suffered a loss of revenue in the last 12 months due to false positives from web applications and API security tools.[6] Rather than informing security experts of innocuous attacks, these technologies completely block them and falsely flag them as critical events.

Similar trends can be seen across the industry. Infosecurity Magazine found that 37% of correspondents reported receiving more than 10,000 alerts each month, and more than 52% of those alerts were false positives.[7] To put that into perspective, it typically takes a SOC analyst 10 minutes to assess a false positive and the time to assess 52,000 false positives on an annual basis would take around 866 hours.[8] Security experts need to rethink how they use these tools and technologies to detect critical vulnerabilities, which are no longer able to cope with the demands of the Internet.

If not web tools and API, what security is needed?
The past year has made it clear that web application and API security solutions are neither efficient nor effective security tools on which a company can base its digital service. As companies seek to advance their technology, the security solutions that form the foundation of any successful business are being left behind. Given the old practice of bundling security tools at the end of the deployment pipeline in an effort to save time, it’s clear that convenience can often trump functionality.

The result is, predictably, that security teams have limited time to identify weaknesses and implement protection. A more comprehensive solution to ensuring proper implementation of secure DevOps is to change the perception of what it actually requires, moving it from an add-on to an integral part of the software development lifecycle. This will allow teams to focus on delivering secure software, as well as empowering security professionals who were not previously considered part of the team.

Experts need to consider the higher security risk factors in their business infrastructure that have been driven by the pandemic. They must ensure that development, security and operations work together effectively enough to meet new challenges. Along with this need for more effective teamwork, organizations must begin to use a new generation of security tools for web applications and APIs that can distinguish real attacks from fake ones. Otherwise, they will continue to waste time on an overwhelming number of false positives. Companies that can quickly build this fortified environment will be the ones that succeed in their digital transformation.

Read the latest edition of the PCR monthly magazine here:

Do you like this content ? Sign up for the Free PCR Daily Digest email service to get the latest tech news straight to your inbox. You can also follow the PCR on Twitter and Facebook.

Comments are closed.