92% of companies had experienced a breach in the prior year due to vulnerabilities of applications developed in-house, according to Checkmarx.
AppSec managers and developers share application security duties
In recent years the responsibility for application security has shifted away from dedicated security teams and is now shared between AppSec managers and developers. 49% of respondents said that their developers were involved in key AppSec solution purchases, 41% said that AppSec managers were involved, and 40% indicated CISO involvement.
With more software to secure, deployed across more environments and with less time available to secure it, a remarkable 91% of companies have knowingly released vulnerable applications. Without a robust approach to application security, breaches become more likely.
Asked why they had released vulnerable applications, respondents cited business pressure as a significant reason: 29% of AppSec managers said they had released the applications “to meet a business, feature or security-related deadline,” 18% of CISOs said they had hoped the vulnerability would not be exploitable, and 29% of developers said the vulnerability would be fixed in a later release.
“CISOs need to be focused on the strategic issues driving AppSec and driving future innovation investments, such as in emerging areas like AI and CNAPP, ensuring that the organization’s strategy is operationalized through every level of the organization, including individual developers and AppSec managers,” Peter Chestna, NA CISO at Checkmarx, told Help Net Security.
Developers’ top three security concerns all stem from the tension between time-to-delivery demands and the potential volume of vulnerabilities requiring remediation: security demands impeding the development process, difficulty knowing which vulnerabilities to fix and how to prioritize them, and a lack of context to help remediate vulnerabilities.
Security cannot be a barrier for business success
A significant 61% of developers said it is critical that security not block or slow the development process or become a barrier to business success. Closing the gaps in application security therefore requires developer-friendly AppSec tools that integrate seamlessly into existing developer workflows.
The composition of applications has grown more complex, now spanning source code, open source packages, infrastructure-as-code (IaC), containers and more. This exponential increase in complexity is a main driver behind the need for organizations to scan across the entire software development life cycle, from code to cloud.
The research clearly illustrates the need for a comprehensive AppSec platform that addresses these concerns and more, equipping all teams involved to:
- Build DevSecTrust, a state of cooperation and trust between AppSec and developer teams
- Improve the developer experience by providing prioritization of risks as part of a toolkit integrated with their preferred IDEs
- Consolidate cloud-native AppSec with a holistic approach
- Secure the entire application footprint from code to cloud