In-house apps - cause for security concerns?

Global study of CISOs, AppSec leaders and developers reveals that business pressures are a primary reason for the release of vulnerable applications.

  • Saturday, 2nd March 2024 Posted 8 months ago in by Phil Alsop

Checkmar has released the annual Future of AppSec Report, which gives an in-depth look at the current state of application security, future investments and organisations’ most critical application security concerns.

The study reveals that 92% of companies surveyed had experienced a breach in the prior year due to vulnerabilities of applications developed in-house.

In recent years the responsibility for application security has shifted away from dedicated security teams and is now shared between AppSec managers and developers. In the Future of AppSec study, 49% of respondents said that their developers were involved in key AppSec solution purchases, 41% said that AppSec managers were involved and 40% of respondents indicated CISO involvement.

With more software to secure that has been deployed in more environments with less time available to secure it, a remarkable 91% of companies have knowingly released vulnerable applications. Without a robust approach to application security, breaches are more likely to occur.

A screenshot of a computer program

Description automatically generated

Business pressures to speed time-to-deployment are one reason for the release of vulnerable applications

Asked why respondents had released vulnerable applications, business pressure was a significant reason with 29% of AppSec managers saying they had released the applications “to meet a business, feature or security-related deadline,” 18% of CISOs saying that they hoped the vulnerability would not be exploitable, and 29% of developers saying that the vulnerability would be fixed in a later release.

“The mitigation of AppSec risk is becoming a shared responsibility at a time when cloud-native applications are deployed multiple times each day,” said Amit Daniel, Chief Marketing Officer at Checkmarx. “Enterprise CISOs are coming to Checkmarx looking for a way to gain visibility into the security posture of their entire organisational footprints. Our goal is to provide them with that visibility as a way of building what we call ‘DevSecTrust,’ or trust between developers and security that can help bring their AppSec maturity to a whole new level.”

Developers’ top three security concerns are focused on the tension between time-to-delivery demands and the potential volumes of vulnerabilities requiring remediation, including impediment of the development process by security demands, difficulty knowing which vulnerabilities to fix and how to prioritise them and lack of context to help remediate vulnerabilities. A significant 61% of developers said that it’s critical that security not block or decelerate the development process or become a barrier to business success. In order to close the gaps in application security, the seamless integration of developer-friendly AppSec tools within their workflows is essential.

The composition of applications has become more complex, increasing to include source code, open source packages, infrastructure-as-code (IaC), containers and more. This exponential increase in complexity is one main driver behind the need for organisations to scan across the entire software development life cycle, from code to cloud.

The research clearly illustrates the need for a comprehensive AppSec platform that addresses these concerns and more, equipping all teams involved to:

· Build #DevSecTrust, a state of cooperation and trust between AppSec and developer teams

· Improve the developer experience by providing prioritisation of risks as part of a toolkit integrated with their preferred IDEs

· Consolidate cloud-native AppSec with a holistic approach

· Secure the entire application footprint from code to cloud

The promise of AI is on every biopharma’s radar, but the reality today is that much of the industry is grappling with how to convert the hype into...
IT teams urged to resolve ‘data delays’ as UK executives struggle to access and use relevant business data.

‘Playtime is over’ for GenAI

Posted 3 days ago by Phil Alsop
NTT DATA research shows organizations shifting from experiments to investments that drive performance.

GenAI not production-ready?

Posted 3 days ago by Phil Alsop
Architectural challenges are holding UK organisations back - with just 24% citing having sufficient governance to implement GenAI.

AI tops decision-makers' priorities

Posted 3 days ago by Phil Alsop
Skillsoft has released its 2024 IT Skills and Salary Report. Based on insights from more than 5,100 global IT decision-makers and professionals, the...

The state of cloud ransomware in 2024

Posted 3 days ago by Phil Alsop
Ransom attacks in the cloud are a perennially popular topic of discussion in the cloud security realm.
Talent and training partner, mthree, which supports major global tech, banking, and business clients to build job-ready teams, has revealed the...

AI innovation is powering the Net Zero transition

Posted 3 days ago by Phil Alsop
Whilst overall AI patent filings have slowed, green AI patent publications grew 35% in 2023.