This chimes with my anecdotal evidence from CISO conversations recently. How about a simple rule: “You can only have a new shiny toy if you get rid of at least two others.”…:
[…] Radware recently surveyed some 300 senior executives, security researchers, app developers, and IT professionals from organizations with worldwide operations. The survey focused on the types of application security technologies that organizations are deploying; responsibility for the AppSec function; the most prevalent threats and other topics related to Web application security.
The security vendor discovered that a high percentage of organizations are using an array of technologies — not always optimized for interoperability — to try and keep AppSec risks low.
Seventy-five percent in the survey had a Web Application Firewall (WAF), 63% a cloud WAF service, 59% did code reviews and 53% were using tools for dynamic application security testing (DAST), static testing (SAST) and runtime application self protection (RASP). More than half of those using containers also had container security tools including those specific to Docker.
“While this may sound promising, it feels like organizations are taking the ‘spaghetti on the wall’ approach,” to application security Radware said in a blog this week. “They hope that having multiple solutions in place will do the job.”