ESG Infographic: Trends in Modern Application Protection

Abstract:

Securing applications has become more difficult than ever thanks to heterogeneous application environments, distributed responsibility for application security, and advanced attack campaigns. Converged application protection platforms have emerged to address many of these issues, but organizations can struggle with prioritizing the capabilities they require, assessing the different types of tools available, and meeting the diverse needs of a broad set of stakeholders.

Topics: Application & Infrastructure Modernization

ESG Brief: More Assets, More Security Hygiene and Posture Management Problems

Abstract:

As organizations add more IT assets, their attack surfaces also grow, and so does the organization's need for better security hygiene and posture management. Security hygiene and posture management rely on a broad range of tools such as vulnerability management, asset management, attack surface management and security testing to monitor all IT assets in an organization.

Topics: Cybersecurity

ESG Brief: Businesses Take an 'Infrastructure-out' Approach to Digital Transformation

Abstract:

Developer velocity – the speed at which new applications can be developed and deployed – often determines success for digital transformation and digital business initiatives. Many businesses, however, don't have the infrastructure in place to optimize application development efforts and fully maximize the potential of these initiatives. Given the prominent role that IT transformation plays in digital transformation initiatives, businesses need to take a holistic "infrastructure-out" approach to their digital transformation journeys, with a focus on regular and constant collaboration between IT operations and application development teams.

Topics: Storage, Digital Transformation

ESG Research Report: Trends in Modern Application Protection

Research Objectives:

Securing applications has become more difficult than ever. Increasingly heterogeneous application environments coupled with distributed responsibility for application security have resulted in security complexity and tool sprawl. Further, attackers understand this challenge and use it to their advantage. While exploits against known application vulnerabilities remain common, advanced campaigns use bots to amplify denial of service and credential attacks that target web applications as well as the APIs they rely upon. Converged application protection platforms have emerged to address many of these issues, but organizations can struggle with prioritizing the capabilities they require, assessing the different types of tools available, and meeting the diverse needs of a broad set of stakeholders.

In order to gain insight into these trends, ESG surveyed 366 IT, cybersecurity, and application development professionals personally involved with web application protection technology and processes at North American organizations.

This study sought to answer the following questions:

  • How many public-facing web applications and websites do organizations support? What percentage run on public cloud infrastructure today, and how is this expected to change over the next 24 months?
  • What percentage of organizations' public-facing web applications are based on microservices today, and how is this expected to change over the next 24 months? To what extent do organizations plan to incorporate security processes and controls via DevOps processes?
  • How do organizations view web application protection? What challenges do organizations face with protecting their public-facing web applications?
  • What kind of web applications and API attacks have organizations experienced in the last year? What impacts do organizations experience from the attacks?
  • Is ensuring secure and available applications among the top cybersecurity priorities for organizations? Will organizations increase spending on web application and API protection technologies, services, and personnel? What are the critical drivers of spending?
  • Which discrete tools and capabilities do organizations use to protect web applications? Why do organizations use multiple web application protection tools? What challenges do organizations face with the tools they use to protect applications?
  • What proportion of organizations' public-facing web applications and websites use APIs today, and how is this expected to change over the next 24 months? What are the biggest challenges with protecting APIs?
  • What are organizations' plans regarding WAAP? To what extent have they deployed WAAP? What types of applications and APIs do organizations anticipate would use a WAAP platform? Which tools are the most important in a WAAP platform? How would organizations prefer to deploy a WAAP platform?

Survey participants represented a wide range of industries including manufacturing, technology, financial services, and retail/wholesale. For more details, please see the Research Methodology and Respondent Demographics sections of this report.

 

Topics: Cybersecurity, Networking

ESG Research Report: Network Security Trends in Hybrid Cloud Environments

Research Objectives:

In order to gain insight into how public cloud computing services are impacting network security strategies, ESG surveyed 255 cybersecurity and IT/information security professionals at organizations in North America (US and Canada) familiar with their organization’s network security tools and processes and responsible for evaluating, purchasing, and/or operating corporate network security controls across public cloud infrastructure and on-premises data centers/private cloud.

This study sought to answer the following questions:

  • How difficult is operating public cloud infrastructure compared to two years ago? What are the greatest challenges organizations face when it comes to public cloud security?
  • What tools do organizations currently use to protect their public cloud infrastructure environment?
  • What are the biggest reasons organizations use security groups or network firewalls from cloud security providers?
  • How difficult is on-premises data center/private cloud security compared to two years ago? What are the greatest challenges organizations face when it comes to public cloud infrastructure security?
  • What are the most important attributes when it comes to on-premises data center/private cloud network security tools?
  • How do organizations view hybrid cloud models?
  • What are the biggest challenges with respect to supporting applications spanning public cloud infrastructure and on-premises data center infrastructure?
  • How often do organizations evaluate their network security tools for public cloud and on-premises data center/private cloud infrastructure?
  • Do organizations spend more on public cloud infrastructure or on on-premises data center/private cloud security? How will security spending change in the next 24 months?
  • What groups are responsible for the security processes, policies, and technologies associated with protecting the organization's public cloud infrastructure and on-premises data center/private cloud? How is their day-to-day collaboration characterized? How willing are they to invest in and support public cloud security initiatives?
  • Do organizations use microsegmentation today? How will this change 24 months from now? How will organizations employ microsegmentation? Why would organizations not use microsegmentation more widely?
  • How often are security incidents a result of encrypted traffic? What is the most attractive method of encrypted traffic visibility?

Survey participants represented a wide range of industries including manufacturing, financial services, retail, healthcare, and technology. For more details, please see the Research Methodology and Respondent Demographics sections of this report.

Topics: Cybersecurity, Networking

ESG Research Report: Technology Perspectives from Cybersecurity Professionals

Executive Summary:

Report Conclusions


In late 2021 and early 2022, ESG in partnership with the Information Systems Security Association (ISSA) conducted a survey of 280 cybersecurity professionals focused on security processes and technologies at organizations of all sizes in industries such as technology, government, financial services, and business services, among others, spanning countries in North/Central/South America, Europe, Asia, and Africa.

Based upon the research collected for this project, ESG and ISSA reached the following conclusions:

  • Security professionals want more industry cooperation and technology standards.
  • Organizations are actively consolidating security vendors and integrating technologies.
  • and more...

Topics: Cybersecurity, ISSA

ESG Complete Survey Results: Trends in Modern Application Protection

Abstract:

ESG’s Complete Survey Results provide the complete output of syndicated research surveys in graphical format. In addition to the data, these documents provide background information on the survey, including respondent profiles at an individual and organizational level. It is important to note that these documents do not contain analysis of the data.

This Complete Survey Results presentation focuses on how modern application environments and API usage have impacted security strategies, including the inflection point organizations have reached with traditional web application firewalls, as well as preferences for converged web application and API protection solutions.

Topics: Cybersecurity, ISSA

ESG Brief: What Do Security Hygiene and Posture Management Leaders Do?

Abstract:

Security hygiene and posture management is still one of the least mature areas of cybersecurity, and the external attack surface continues to be vulnerable and prone to exploitation at many organizations. While diligent efforts, such as improved asset management and security testing, can help, security hygiene and posture management remains a challenge. Organizations that are addressing their security hygiene and posture management proactively are currently making the most progress. This brief looks at the research data and reports on some of the things these organizations are doing to get ahead.

Topics: Cybersecurity

ESG Brief: Application Modernization Activities Dominate IT Strategies

Abstract:

As enterprises digitally transform, business application environments scale at an accelerated pace and become more distributed not only in the cloud, but also on premises. As a result, a siloed approach to infrastructure and operations is no longer viable. The tendency among many organizations is to view migration to the cloud as the sole remedy for simplifying operations and increasing the velocity of app development. However, on-premises application environments are alive and well, and the data center is far from dead. Therefore, standing still is not an option for data center environments, where app modernization strategies need to reflect the transformation activities of existing and net-new applications in multiple environments while overcoming integration challenges in a variety of cloud and on-premises locations.

Topics: Cybersecurity

ESG Infographic: Distributed Cloud Series: Observability from Code to Cloud

Abstract:

IT operations teams continue to strive to improve collaboration with developers on building modern application architectures. As companies accelerate or embark on their digital transformation journeys, what is the expected role of ITSM in enabling businesses to realize the benefits of automation, observability, intelligence, and optimization? ESG recently surveyed IT, DevOps, and application development professionals responsible for application infrastructure to find the answers.

Find out what ESG research uncovered with this free infographic, Distributed Cloud Series: Observability from Code to Cloud.

Topics: Cybersecurity, Data Protection

ESG Infographic: Securing the Identity Perimeter with Defense in Depth

Abstract:

Organizations continue to rely on user and machine identities that are susceptible to compromise, misuse, and theft. Modern, cloud-managed identity services are available, but organizations have been slow to pivot their security programs to an approach that focuses on identity orchestration and experiences. ESG surveyed IT and cybersecurity professionals responsible for identity and access management programs and solutions to gain insights into these trends.

Topics: Data Protection, Identity and Access Management