Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
ChaptersCircleEventsBlog

Every App Will Be Vulnerable. Security Needs to Be Automated Inside and Outside the App.

Published 06/06/2022

Home
Industry Insights
Every App Will Be Vulnerable. Security Needs to Be Automated Inside and Outside the App.

This blog was originally published by Valtix here.

Written by Vishal Jain, Co-Founder and CTO of Valtix.

Recent vulnerabilities and customer conversations have made a few things crystal clear in the last few months:

  1. There is no such thing as an invulnerable app, so inline defenses protecting the app are a must (yes, even in the cloud).
  2. All defenses must be automated in the cloud – discover apps, deploy defenses, and enforce policy. Or defenses will be bypassed – remember that the developers are in charge.

Our recent research report on how Log4shell has changed cloud security further supports the impact of these types of vulnerabilities and highlights some key understandings among enterprises.

  • 95% said log4j was a wake-up call for cloud security
  • 82% said log4j vulnerability changed their priorities
  • 77% still dealing with Log4j patching

In other words, these vulnerabilities are universal, there will be more of them, and each will have a long tail. You can see the research report here.

Back to my original key points – there will always be vulnerabilities in software. The difference is that with open source software, a single supply chain vulnerability applies to multiple applications (thousands), and so attackers will work harder to find and exploit them. On the positive side – developers are in charge (good for business), moving rapidly, and in many cases, motivated to fix security issues, e.g., shifting left.

Despite these positives, there are still two things that folks are concerned about:

  1. There is always going to be a window of vulnerability. It might be 6 hours, 6 days, 6 weeks, or 6 months – depending on how big the issue is, how much control the org has, and how good they are at exercising that control. During that window, security people will not sleep.
  2. Sometimes “patching” is worse. Or simple app configuration errors.

Therefore, defenses that protect the app from outside the app (network-based, agent-based, firewalls, IPS, WAF, DLP, etc), will always be necessary. The issue here is that previous implementations of those controls (hardware appliances in the data center, virtual appliances in the cloud), aren’t up to cloud pace. They’re not natively automated to discover apps, deploy defenses, and enforce policy.

In the cloud world, anything that can’t keep pace with cloud deployment gets routed around by developers on behalf of the business. In other words: we need defenses inside and outside the app, and those defenses must be automated.

Enhancing cloud security strategyVulnerabilities

Share this content on your favorite social network today!

Latest from CSA
Managed Business Continuity Cloud Solutions
Read the State of SaaS Security Report 2025
Register now to attend this free Summit, June 11–12!
Unlock Cloud Security Insights

Unlock Cloud Security Insights

Choose the CSA newsletters that match your interests:

Subscribe to our newsletter for the latest expert trends and updates

Enhance your cloud security skills with CSA's online training options.
Related Articles:
Why We’re Launching a Trusted AI Safety Knowledge Certification Program

Published: 04/26/2025

Phishing Tests: What Your Provider Should Be Telling You

Published: 04/24/2025

Virtual Patching: How to Protect VMware ESXi from Zero-Day Exploits

Published: 04/21/2025

AI Red Teaming: Insights from the Front Lines of GenAI Security

Published: 04/21/2025