Sorry: To scale development, you have to scale AppSec too

By Neil Roseman, CEO, Invicti.

Monday, 22nd December 2025. Posted by Phil Alsop.

We’re living through a boom for software development. One only needs to look at the explosion of global developer populations, which have grown by 50% since 2022. One could also look at projections that say by 2030, the size of the global enterprise software market will double to $517 billion. Or one could simply look around and think about how the world looked only a decade ago. It’s now hard to think of an industry that hasn’t been profoundly changed by software, or a company that isn’t now a “software company.”

Software ate the world

As our lives and businesses have moved irreversibly online, demand for new products, services and applications has boomed in parallel. Not only do we want more software, we demand more out of the software we already use, meaning that regular maintenance, improvements, updates and upgrades are now a basic expectation. 

Organisations are now looking to make good on those expectations. Everywhere, they’re attempting to scale their development efforts to meet this insatiable demand. 

Those organisations are not just required to create software, but software that works well and protects its users from abuse. Customers expect it from them and - whether individual consumers or enterprise partners - will surely flee from any provider that doesn’t take their security seriously. On top of that, national, international and sectoral regulations increasingly demand that users be protected and will punish those that don’t respect that basic expectation. That said, while enterprises are rapidly scaling their development efforts, they’re often not scaling their AppSec efforts in parallel. 

Uneven Scaling

Even in times of lesser demand, software development regularly exposed vulnerabilities and bugs to end users. As organisations try to step up their development efforts, these problems don’t just scale but become disproportionately problematic as they put stress on the AppSec functions which previously kept vulnerabilities in check.

In fact, Cypress Data Defense’s 2025 State of Application Security report shows that 62% of organisations actually release insecure code, knowing it to be insecure, in order to meet deadlines.

Furthermore, the increasing demand for new software has forced developers to rely ever more on AI tools and open source libraries. Indeed, vibe coding practices have taken root in software development in response to that increased pressure. But with the increased ease and scale that vibe coding and AI tools grant, developers also lose close awareness of their build decisions and of the security of their code, potentially accelerating the production of vulnerabilities.

Open source libraries, meanwhile, continue to be a common and serious source of risk for applications. In fact, one paper says that reported vulnerabilities in open source components have grown by 98% annually over the last few years and that there has been an 85% increase in the average lifespan of those vulnerabilities, indicating that although vulnerabilities were known about, they were often being ignored.

The problem with scaling development efforts is that AppSec needs to be scaled in kind, or so much pressure will mount on development that bugs and vulnerabilities will flow through unhindered. 

In fact, Verizon’s 2024 Data Breach Investigations Report highlighted that between 2023 and 2024, businesses experienced a 180% increase in the exploitation of software vulnerabilities as a path to breach. This can be at least partially explained by the huge expansion that many organisations have made in development without a parallel expansion in AppSec. That’s a reality that many enterprises now need to understand.

Tipping the scales towards insecurity

The first and most basic problem that enterprises which scale development without scaling AppSec will run into is a simple growth in the risks to their software, inviting more bugs, more vulnerabilities and then breaches. For a business that can’t secure its apps, that will likely mean a loss of customer faith. If customers find its releases riddled with vulnerabilities and bugs, they will start looking elsewhere for a more secure software provider. Worse yet, if those customers experience security incidents through their software provider, that will only hasten their flight from it. Furthermore, the cost of fixing problems after deployment will quickly balloon, as bugs often cost multiple times more to fix in production than before release.

Those might be acceptable losses for some, but mature AppSec is increasingly becoming a competitive differentiator, a baseline compliance requirement and a condition for engagement with other businesses. 

The lash of the supply chain

The effects of insufficient AppSec spread far and wide. We now live in a technological age in which we are all deeply interlinked. 

In August this year, attackers got their hands on Salesloft OAuth tokens, stolen through the integration with Salesloft's Drift chatbot. They then used those tokens to compromise over 700 organisations, including cybersecurity firms such as Palo Alto Networks and Cloudflare. Attackers accessed highly sensitive data too, including embedded secrets like API and AWS keys. They didn't even have to exploit a vulnerability in Salesloft's core platform; the insecure application integration between the chatbot and Salesloft was enough. This case is another example of how poor AppSec in one place can lead to catastrophic compromises in countless others.

Recognising that threat, efforts are now being made to police each link in the supply chain. Enterprise customers can now closely scrutinise the software they’re using and make crucial decisions based on their partners’ releases. The rise of the Software Bill of Materials (SBOM) is a great example of that. Now customers can inspect and analyse the basic components of software releases and hold developers to account. That new scrutiny should make good AppSec a real priority for businesses, especially considering they might lose customers because of it. Increasingly, SBOMs are becoming a basic requirement for engagement with many enterprises and governments.

Similarly, regulation is also demanding increasing scrutiny over third parties and the supply chain as a whole. The EU Cyber Resilience Act will come into force in 2027 and will fine businesses up to 15 million for non-compliance. Aimed at tackling the cyber resilience of the EU holistically, this act demands the use of SBOMs in all digital products within the EU and requires that they be updated regularly, so that customers and partners can stay abreast of the contents of the software they’re using.

More recently, the Digital Operational Resilience Act (DORA) came into force in the EU’s financial sector. This landmark regulation makes covered entities responsible for the risk profiles of their partners and potentially liable for failures in their supply chain. For many of those who supply to the EU financial sector, one of the world's largest financial markets, high AppSec standards will become a crucial competitive differentiator.

In multiple ways, AppSec is becoming an unavoidable duty for companies. To be sure, it should always have been one, if only to ensure the security of their customers and partners. However, even those who overlook their AppSec responsibilities will soon be compelled to adjust or risk losing business and revenue to regulatory penalties and falling customer faith. The solution is for companies to stop seeing their application security processes as a costly appendage and start seeing them as a central part of their development efforts and a means of ensuring their products’ long term success.
