Source: http://www.pwc.com/us/en/tech-effect/cybersecurity/streamlining-application-security-with-microsoft.html

Streamlining application security with Microsoft: PwC


An agile approach to application security with Microsoft Defender

Summary: Securing applications often requires a shift in mindset, tooling and ways of working. Developers should take an agile approach to application security. Developers can work hand in hand with security teams using a cyber-risk-based approach and automated tools. Microsoft Defender, a cloud-native application protection platform, can help prioritize risks and prevent threats.

Just when you thought it was safe to host your enterprise applications in the cloud, your cloud environment changes. Now, you should change how you secure those apps, with an approach every bit as agile as the process your developers used to create them. Application security can be easy to overlook, but it is critical to maintain. If your company depends on its apps to generate the lion’s share of revenues, your application security can help protect more than a technology. It can also safeguard the very core of your business.

As you move your apps away from your cloud service provider’s (CSP) infrastructure-as-a-service (IaaS) space to a platform-as-a-service (PaaS) environment, nimbly adjusting how you secure them can be key to your business’s success.

In the process, the third-party applications you use will also need rigorous scrutiny, as their developers often face the same security challenges that yours do — challenges that could compromise your systems, networks and data.

The development dilemma

PaaS has become a popular cloud alternative for the convenience it can offer, especially to development teams. They can design, develop, build and test apps and updates directly in the cloud, using software the CSP provides. Increasingly, these platforms can push out updates, so users don’t have to. But moving to PaaS comes with a caveat. Developing your apps on a cloud platform can make your developers primarily responsible for securing your apps. Are they ready for this responsibility?

Developers, after all, thrive in a fast-paced work environment, driven by the need for speed and agility. Security may take a back seat until the design process is underway, or even later. Then, they may tack security onto the finished app using APIs or code from libraries or containers, which they can obtain from security staff.

Application security isn’t a one-size-fits-all proposition. The plug-and-play approach can be risky if the added code doesn’t quite fit or if it’s improperly placed into the application.

The consequences of not “shifting left” on security — not accounting for it in the earliest planning stages and weaving it into the design — could be serious, as some recent high-profile breaches show.

Still, developers trained in agile processes can take an agile approach to application security, in tandem with security teams grounded in a cyber-risk-based approach and equipped with automated tools.

When vulnerabilities creep in, cybercriminals can follow

Cybercriminals are attacking enterprise apps with gusto. Web application breaches made up more than 60 percent of security incidents in 2022, according to one study.

Though designed to serve consumers and increase business revenues, apps also increase the risk of security incidents. In the Apache Log4j breach of late 2021, hackers exploited misconfigured code to infiltrate and gain remote control of Log4j users’ systems. The mistake reportedly put hundreds of millions of computing devices at risk.

In addition to coding errors, we also see deficiencies in enterprise workload protection, including identity and access management. It’s quite common for developers to have more access privileges than they need. So-called superusers can go almost anywhere and do almost anything in the system, increasing the chance of misuse and even abuse.

Someone could mistakenly or even intentionally approve a financial transaction that shouldn’t be authorized, at great cost to the business, or they could release customer personal data. And if bad actors were to get hold of a superuser’s login credentials (via a phishing email, for example), they might get carte blanche access to your systems, networks and data.


Then there are the software-as-a-service (SaaS) apps your organization uses, produced by others. The Cloud Security Alliance (CSA) reports that, on average, businesses have about a hundred applications in their technology stack. Some have many more. At least one enterprise reported using more than 5,000 applications.

And if there are security flaws in those applications? They could be treacherous to your enterprise. The SolarWinds hack, in which attackers inserted malicious code into software updates that gave them access to 100 companies and several government agencies, succeeded in part because update recipients trusted that those updates did not have bad code.

More than half of respondents to the CSA survey said they check their third-party applications for coding errors and misconfigurations only once a month or less. Five percent said they never check. And when they find misconfigurations? About a quarter take a week or more to remedy them, often giving cybercriminals more time to exploit the vulnerability.

[Bar chart: App security is a cyber investment priority in 2024, second only to cloud security. Cyber security investment priorities over the next 12 months, ranked: cloud security, application security, IoT security, network security, OT security, managed security services, API security, security operations, identity and access management, security awareness training and cross training security operations, endpoint security, mobile security, unsure. Source: PwC's Digital Trust Insights Surveys, Final Results, August 2023. Q14a. Which of the following investments are you prioritising when allocating your organisation’s cyber budget in the next 12 months? (Ranked in top three.) Base: IT respondents: 1919.]

Modern app security: A two-pronged approach

There’s no such thing as perfect security. Trying to achieve it, you’re more likely to restrict your applications’ usefulness. And the money you’d spend would almost certainly exceed your return. But you can take application security actions that can work well in today’s fast-paced, speed-driven, cloud-based, ever-changing digital environment, be it IaaS, PaaS or SaaS.

We recommend an overlapping approach rooted in risk management and then automated by technologies.

1. Know and manage your application security risks. Do you know which applications your business uses? Do you know what open source software (OSS) is used in your applications? What about unauthorized, “jailbreak” apps on your enterprise devices? Assessing the risk that each poses can help you focus your energies on monitoring and securing the applications that are most critical in terms of the likelihood and impact of a breach.

Also, how sensitive is the data your third-party applications contain? Unlike with your company-generated applications, you don’t have access to these applications' underlying database, so you will need to place your own controls on access and actions you’ll allow. Could someone take a screenshot and send it outside the company?

And what does your CSP offer in terms of security? The shared responsibility model — cloud providers can help secure the infrastructure but users should protect the data they place there — is widely understood by now, but different CSPs offer different security options. Knowing what’s available to you there can help you know where you need to supplement.

Knowing who has superuser and other high-level access to your applications, whether they need that access, and for how long they need that access can also be essential to strong application security. How are you monitoring their activities for anomalies or risky moves? What kinds of identity and access management controls do you have in place, and where should you strengthen them?

2. Select tools can help you measure, maintain and monitor. Clouds change, but so do technologies. For application security in the cloud, cloud-native application protection platforms (CNAPP) are gaining traction for their risk-to-response and multi-cloud-management abilities.

To help properly secure your applications in the cloud, be it IaaS, PaaS, SaaS or a hybrid environment, you’ll likely need to not only amend your processes — by switching, for instance, from a DevOps model to DevSecOps, in which security can be an integral part of every project — but also reconsider your architecture.

In the past, your teams might have checked your IaaS buckets to identify if they were properly configured, or they might have relied on traditional agents to help monitor your workloads. But these approaches don’t work with cloud-native apps in the PaaS cloud.

With cloud-native tooling, you can verify that your application’s database isn’t publicly reachable, and that proper identity, logging and monitoring controls are in place so you can protect your workloads.

Streamlining security with PwC and Microsoft

Microsoft Defender for Cloud, a CNAPP solution, can help you prioritize your risks, check for misconfigurations and remediate problems more quickly. Defender uses data to help provide context and help you anticipate your threats. It also can automatically check for misconfigurations and controls, and help you prevent, detect and respond to threats.

Working with Microsoft, PwC has developed a security control framework that can help your developers and security teams work together more smoothly so you can secure your enterprise applications.

Traditionally, we’ve offered this framework for use with IaaS-based applications, but we’re expanding the service for use with PaaS-hosted, cloud-native apps. We can help guide you as to which Microsoft Azure services you may wish to use and which security controls you can enable at the platform level.

For many of the platform services that you use, Microsoft can help provide a process or solution for visibility into identities and roles, accesses and permission “drift,” or individuals accumulating permissions that they no longer need.

We can also help your security teams create security-as-code or policy-as-code templates for your development teams to use as they stand up a PaaS project within Microsoft Azure. That way, developers can work at their usual fast pace, confident that their work is protected, and Defender can help monitor for suspicious activity or misconfigurations, allowing you to take timely remediation actions and helping reduce the risk of vulnerability exploitation.

The bottom line

Securing applications often requires a shift in mindset, in tooling and in ways of working. Developers trained in agile processes should take an agile approach to application security. Developers can work hand in hand with security teams, grounded in a cyber-risk-based approach and equipped with automated, modern, highly effective tools.

As some recent high-profile breaches show, not “shifting left” on security — not accounting for it in the earliest planning stages and weaving it into the design of applications — can lead to serious consequences.


