New cloud-native solution aims to address time-consuming, manual methods for discovering and mapping application code security risks.

Backslash Security has announced its launch with a new cloud-native application security (AppSec) solution designed to identify toxic code flows and automate threat models. The solution is built to address time-consuming and manual methods for discovering and mapping application code risks, along with filling the cloud-native context gaps left by traditional static application security testing (SAST) tools, Backslash stated.

Organizations are embracing the cloud and cloud-native application development, with the percentage of large businesses that deploy code to production daily expected to increase from 5% in 2021 to 70% in 2025, according to IDC research. Meanwhile, AppSec teams face ongoing challenges in keeping pace with their fast-paced development counterparts.

Backslash helps AppSec teams reduce false positive alerts and alert fatigue

The Backslash solution provides AppSec teams with security insights and business context surrounding code risks, tracking the security posture of different applications and teams involved, the vendor said. Through unified visual mapping of threat models and application posture, AppSec teams can reduce false positive alerts and alert fatigue, cutting mean time to recovery (MTTR) by enabling developers with the evidence they need to take ownership of the process, Backslash added.

The firm said the solution offers:

- Contextual visibility that empowers AppSec teams with automatic discovery and mapping of cloud-native application code and its dependencies via contextual visual dashboards, without the need to read or understand the underlying code
- Automatic threat model visualization that maps and serves up preferred threat models
- Automatic high-risk code prioritization informed by application cloud posture in production
- Quick-fix remediation that simplifies vulnerability and risk remediation with automated risk identification
- Scale by policy alignment that frees up AppSec teams to set and enforce optimal cloud-native security policies while cutting the time and resources needed to chase code issues

Traditional AppSec methods create friction between developers, security teams

Friction can arise between developers and security teams because traditional AppSec methods are disruptive to cloud-native development, commented Melinda Marks, senior industry analyst at ESG. “Developers need an accurate way to efficiently identify and fix code issues in their workflows without being overwhelmed by alerts or false positives, while security needs a scalable way to manage risk,” she added. Brian Fielder, general manager, CTO enterprise security at Microsoft, echoed similar sentiments. “AppSec teams are struggling as companies rapidly shift to cloud-based deployment environments, because the traditional solutions just aren’t keeping up.”

Problems are compounded by AppSec tools that produce an excessive number of low-value alerts, leading to an overwhelming amount of noise and security false positives. What’s more, security teams spend upwards of 25 minutes investigating each one and, due to the volume, cost, and time involved, almost a quarter of alerts are simply ignored.

The Backslash solution addresses such challenges by using the properties of the stack and modern development environments to give security teams the context they need to support development as it scales, Marks said.

Tailoring cybersecurity training to developers to tackle risks

Aside from investing in more effective AppSec and developer-focused security technologies, another approach security leaders support is to tailor security awareness training to software developers to help address a lack of cohesion between software development teams and cybersecurity functions. Security awareness training has, for a long time, failed developers, Tiffany Ricks, CEO and founder of automated security and awareness training provider HacWare, previously told CSO. “The tricky thing about security training for developers is it has to be relevant content, at the right time, to promote innovation.”

Legacy, classroom-based approaches don’t engage developers or impart the knowledge required to match the fast-paced threat landscape and dynamic technology fundamentals of the software development lifecycle, whilst 81% of developers have knowingly released vulnerable applications, according to an Immersive Labs report.