AppSec Survey Reveals Troubling Trends

An eye-opening 92% of the organizations suffered a breach in the past year tied to a vulnerability in an application they developed, according to a survey released Thursday by Checkmarx. 

Even more sobering is the fact that 91% of the respondents to Checkmarx’s “Future of AppSec Report” (registration required) said they knowingly released applications that contained vulnerabilities due to business pressures. Nearly a third, 29%, of the 1,504 developers, chief information security officers (CISOs) and AppSec managers who responded to the survey cited “business, feature or security-related deadline” as the reason for releasing the applications. 

Why are so many security-challenged apps released with flaws? “This highlights that developers only have limited time to address vulnerabilities before demand from the business overtakes them,” according to the report. “Security success cannot come at the expense of business success.”

The 92% figure for businesses experiencing a breach via an application developed in-house is a slight increase from 88% reported the previous year, with most companies experiencing an average of 2.44 breaches a year.

“The growing complexity of applications, paired with the increase in cloud-native development, has rapidly expanded the current attack surface for many enterprises,” Checkmarx explains.

It seems that CISOs crossed their fingers when releasing applications as 18% of the leaders said they hoped vulnerabilities wouldn’t be exploitable, while 29% of developers said they’d address the known vulnerabilities in a later release.

The main causes for breaches were stolen credentials, secrets or weak authentication, followed by cloud resources and a vulnerability in code released to production.

With 67% of applications being hosted in the cloud, the responsibility of securing applications has shifted from dedicated security teams to one that is shared with developers and AppSec managers, according to the study. Managing cloud risks is the No. 1 priority, CISOs said, and AppSec managers and CISOs are also concerned about data governance, identity and access management, and software supply chain risks. 

To address their concerns, organizations are turning to cloud security approaches, with over 70% using or will use cloud-related security tools.

“The mitigation of AppSec risk is becoming a shared responsibility at a time when cloud-native applications are deployed multiple times each day,” said Amit Daniel, chief marketing officer at Checkmarx. 

READ MORE HERE