Fatigue in the cybersecurity field is by no means a new phenomenon. But for application security (AppSec) teams at many organizations, it continues to be a confoundingly hard challenge to address.
The reasons are multiple and varied. The issue of alert overload, which has long been the primary driver of AppSec fatigue, has only gotten worse in recent years because of tool sprawl. A recent survey of 500 CISOs and other decision makers found that enterprise AppSec teams manage an average of 49 security tools these days.
An overwhelming majority of organizations (95%), including those with only one AppSec employee, have deployed 20 or more tools in their environment to mitigate threats. And tool sprawl is an even bigger problem at larger organizations.
Here's what you need to know about AppSec alert fatigue — and four ways to combat it in your organization.
[ Get RL's new guide: Software Supply Chain Security for Dummies ]
False positives, vulnerability backlogs, and a lack of context
The sheer volume of alerts from these myriad security products continues to be a top contributor to AppSec fatigue. And fatigue is a big problem, 85% of CISOs in Cycode's survey said their software and development teams had a strained relationship because of alert fatigue and vulnerability noise.
Large backlogs of unresolved vulnerabilities are another major stress factor. Security vulnerability debt can quickly accumulate when organizations are unable to remediate vulnerabilities — especially critical ones — because of alert fatigue and development imperatives. Nearly nine in 10 of the respondents in Cycode's survey said alert fatigue was keeping developers from remediating critical vulnerabilities quickly enough to mitigate business risk.
Other contributors to AppSec stress include a lack of contextual Information around new alerts and vulnerabilities — such as asset criticality and business impact, unrealistically tight remediation deadlines, and resource constraints. A 2023 ISC2 survey found that 67% of respondents said a shortage of security skills hampered their ability to troubleshoot and prevent security vulnerabilities, and 92% said they had a skills gap at their organization.
Eric Schwake, director of cybersecurity strategy at Salt Security, said the use of multiple, disparate tools — and the plague of false positives — often ends up fragmenting visibility and complicates workflows for security teams.
"The high volume of alerts, often including many false positives, generated by a range of security tools such as intrusion detection systems and vulnerability scanners, can overwhelm security teams. The lack of clear prioritization mechanisms further exacerbates the situation, making it difficult to distinguish malicious intent from less significant anomalous behavior."
—Eric Schwake
Here are four ways organizations can tackle the alert fatigue problem — and deliver better AppSec.
1. Automate AppSec triage and prioritization processes
Establish a process for triaging and prioritizing alerts based on factors such as severity, asset criticality, and potential impact. This can help focus efforts on the most significant risks, Schwake said. "Automating triage processes can alleviate the burden on security personnel, allowing them to dedicate their time to more complex tasks," he said. He advocates that organizations implement intelligent alert prioritization mechanisms to help focus attention on the most critical threats to their environments.
Resources are available—such as the guide on Stakeholder-Specific Vulnerability Categorization (SSVC) from the U.S. Cybersecurity and Infrastructure Security Agency and the CISA's Known Exploited Vulnerabilities (KEV) catalog, which can help security teams prioritize remediation based on a more comprehensive assessment of new vulnerabilities.
2. Improve AppSec alert quality
A lot of the problems related to AppSec fatigue stem from security teams having to deal with a high volume of alerts that turn out to be false alarms or false positives. A Censys study of 200 threat hunters earlier this year found that nearly one-third had identified more than 20% of their threat hunting alerts as false positives. Besides causing alert fatigue, false positives result in wasted time and effort, an erosion of trust in the security products generating the alerts, and poor decision making overall, the study found.
The survey identified several issues as triggering false positives including overly aggressive signature-based detection rules, a lack of contextual information, and stale intelligence, said Tamir Passi, senior product director at DoControl.
"[False positives] are the worst. They waste time and energy, making it harder to spot real threats. It's like chasing a ghost – you're expending resources on something that's not even a real threat."
—Tamir Passi
To improve decision making regarding application vulnerabilities and threats, focus on reducing false positives, Passi said. "This includes making sure that you are not flooding the team with alerts that are just informational."
3. Consolidate your AppSec tools
Cybersecurity tool consolidation, or security stack consolidation, can help alleviate some of the major contributors to AppSec fatigue‚ and reduce some of the issues related to tool sprawl.
The biggest benefits include better visibility and control, reduced complexity, improved operational efficiency, and improved threat detection and response. Tool consolidation also means security teams have to deal with fewer redundant alerts from multiple standalone security tools, leading to better prioritization of the threats that really matter.
A 2022 Gartner survey found that many security and IT decision makers were dissatisfied with the lack of integration and resulting operational inefficiencies of their heterogeneous security stack. A large portion (75%) of the 418 survey respondents said their organizations were looking to consolidate their security vendors. Their primary goal was to improve their overall risk posture.
Consolidating security tools into a centralized platform can help streamline visibility and management, Salt Security's Schwake said. "This enables teams to better understand the overall security landscape," he said.
4. Adopt a risk-based approach for your AppSec
Not all AppSec threats are created equal. Context is key when it comes to vulnerability management. As the CISA outlines in its SSVC guide, organizations need to prioritize vulnerabilities based on the threat that they might present to their own environments. This means things such as considering factors like the technical impact of a vulnerability, its exploitation status, the prevalence of the threat, and whether the mitigation is something that can be automated or not.
The information that organizations require for a more contextual understanding of new vulnerabilities is available via the Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and Known Exploited Vulnerabilities status that the CISA has now started providing through its so-called vulnrichment program.
Threat intelligence platforms can give further context by helping organizations identify artifacts in their internal security telemetry that correspond with known indicators of compromise and other threat actor tactics, techniques, and procedures. The analyst firm IDC foresees AI-enabled threat intelligence platforms playing a key role in helping organizations move from a detection-and-response stance to a more proactive stance focused on uncovering patterns and anomalies in security data that identity a potential threat.
"Adopting a risk-based approach to security allows organizations to prioritize remediation efforts based on the potential impact of vulnerabilities, ensuring that resources are allocated efficiently."
—Eric Schwake
Upgrade your AppSec tools for fatigue relief — and a modern approach
Monique Becenti, director at Zimperium, said organizations should implement runtime visibility across various threat vectors, including device, network, application, and phishing. This can be especially crucial in the context of mobile applications, Becenti said.
"Security and development teams frequently operate in the dark, constrained by a limited understanding of the mobile threats targeting their applications on end-user devices in real time."
—Monique Becenti
Most organizations today use static application security testing (SAST), but other tooling such as software composition analysis (SCA) and runtime application self-protection (RASP) are not the norm. The SANS Institute found in its most recent "State of DevSecOps" report that less than a third of organizations use some kind of operational runtime protection or shielding today.
The movement in the past decade or more to shift AppSec to the left, or earlier in the software development lifecycle (SDLC), can be beneficial, and many DevSecOps practitioners have adopted it. But shifting left isn't necessarily translating to a shift in positive AppSec outcomes. In its "State of Security Remediation" report earlier this year, the Cloud Security Alliance found that one in three organizations say that over 40% of their code contains flaws.
As important as it is to test early, doing it often and doing it again at the end of the build is equally important for holistic visibility and management of AppSec risks. Complex binary analysis, which is designed to provide a final test for all software before release, is recommended by the Enduring Security Framework (ESF) public-private working group for upgrading an AppSec stack.
Saša Zdjelar, chief trust officer for ReversingLabs, said complex binary analysis provides visibility well beyond traditional AppSec tools and focuses on what matters: malware, tampering, secrets leaks, and more. Zdjelar stressed that binary analysis also extends visibility beyond open-source vulnerabilities, providing software assurance for third-party commercial software — at the right time, when the code is in final form at the end of the development process.
"What I think is missing in the SDLC of these producers, as well as on the consumer side, is the very, very last check of whether you are shipping a safe product when everything is built."
—Saša Zdjelar
