A comprehensive and mature application security (AppSec) framework is a key element in cybersecurity. However, with obstacles such as staffing issues, insufficient budgets, and an overall lack of organizational awareness of AppSec initiatives, many companies aren’t adequately positioned to protect themselves from the continuously growing threat landscape.
The “State of Application Security” report from the cross-industry Purple Book Community identifies several trends that impede industrywide AppSec maturity: a shortage of AppSec engineers, prolonged vulnerability remediation times, and the continued shift to the cloud.
This annual survey of AppSec professionals, including chief information security officers (CISOs), security engineers and developers, application and product security directors and engineers, and C-suite executives, shows that the tools and information needed to defend organizations already exist, but significant work remains to take the industry from its current state to AppSec maturity.
Shortage of AppSec Engineers
While 48% of survey respondents say their security team supports up to 50 developers, 42% have only between one and five AppSec engineers on their security team. Moreover, 24% say they have no dedicated AppSec engineers on their teams.
The shortage limits these professionals’ ability to dedicate the time and effort needed to respond to threats and vulnerabilities, and it also prevents teams from creating and deploying proactive security controls.
Working alongside developers to establish and deploy security measures that identify, remediate, and prevent vulnerabilities, AppSec engineers play an integral role in protecting the critical data within the application ecosystem.
With developers often outnumbering security staff by 100 to 1 or more, it is difficult to know whether secure development practices are actually being followed. There is therefore no guarantee that applications are deployed with protection against weaknesses that allow unauthorized access to, or modification of, their data.
Having a strong team of AppSec engineers is critical in reducing vulnerability risk. By working with developers throughout the software development process and integrating security measures across the application life cycle, AppSec professionals help secure data against internal and external threats at every stage of application development and deployment.
Vulnerabilities With Nearly Every Product Release
Critical or high-severity vulnerabilities make their way into production multiple times per year, according to 32% of survey respondents. Another 16% concede that such vulnerabilities reach production with every product release.
Some vulnerabilities are inevitable, stemming from gaps or errors in an application’s design, configuration, or implementation. As most organizations release new software regularly, whether quarterly, monthly, biweekly, or weekly, it is important to have the right people, processes, and technology in place to secure each release.
Slow Remediation Time Complicates Vulnerability Management
Typical remediation time for critical severity vulnerabilities is between one and five days for 43% of respondents, with 22% reporting remediation time of six to ten days, and nearly 14% saying it takes more than ten days. Only 21% can respond to vulnerabilities in less than one day.
Because vulnerabilities do reach production, detecting and resolving them quickly is critical. To keep application data from being accessed, modified, or otherwise compromised by attackers, organizations need a comprehensive remediation process that detects vulnerabilities and fixes or neutralizes them efficiently. That means prioritizing efforts to shorten remediation time, since every day a known flaw stays open is a window in which it can be exploited.
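The remediation-time figures above only become actionable once a team measures its own time to remediate (TTR) per severity against an agreed service-level target. The script below is an added example of that measurement, not code from the Purple Book Community or its report: it reads finding records in the shape of a vulnerability-tracker export, computes TTR for each finding (open findings are measured up to a reference time, so their clock keeps running), and lists everything that has breached its SLA. The SLA thresholds, the sample findings and the reference time are constructed for illustration.

```python
"""Time-to-remediate (TTR) reporting against a per-severity SLA.

Added example; not code from the Purple Book Community or its report.
The SLA thresholds, the finding records and the reference time are
constructed for illustration. Replace FINDINGS with an export from
your own vulnerability tracker (same fields) to get a real report.
"""
from datetime import datetime, timedelta
from statistics import median

# Hypothetical SLA: maximum days a finding of each severity may stay open.
SLA_DAYS = {"critical": 1, "high": 5, "medium": 30, "low": 90}

# Reference time used to measure findings that are still open (constructed).
NOW = datetime.fromisoformat("2024-03-12T09:00:00")

# Constructed sample findings; "closed" is None while a finding is still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": "2024-03-01T09:00:00", "closed": "2024-03-01T17:30:00"},
    {"id": "F-2", "severity": "critical", "opened": "2024-03-02T10:00:00", "closed": "2024-03-05T12:00:00"},
    {"id": "F-3", "severity": "critical", "opened": "2024-03-04T08:00:00", "closed": "2024-03-11T08:00:00"},
    {"id": "F-4", "severity": "high",     "opened": "2024-03-01T12:00:00", "closed": "2024-03-04T12:00:00"},
    {"id": "F-5", "severity": "high",     "opened": "2024-03-03T09:00:00", "closed": None},
    {"id": "F-6", "severity": "medium",   "opened": "2024-02-01T09:00:00", "closed": None},
]


def time_to_remediate_days(finding, now=NOW):
    """Days a closed finding was open, or days an open finding has been open as of `now`."""
    opened = datetime.fromisoformat(finding["opened"])
    closed = finding["closed"]
    end = datetime.fromisoformat(closed) if closed else now
    return (end - opened) / timedelta(days=1)


def sla_report(findings, now=NOW, sla_days=SLA_DAYS):
    """Summarise TTR per severity and list every finding past its SLA.

    A finding breaches SLA if it was closed after its SLA window or is still
    open with the window already elapsed at `now`. An unknown severity raises
    KeyError rather than being silently skipped.
    """
    per_severity = {}          # severity -> [(finding id, days open), ...]
    breached = []              # ids past SLA, in input order
    for f in findings:
        sev = f["severity"]
        days = time_to_remediate_days(f, now)
        per_severity.setdefault(sev, []).append((f["id"], days))
        if days > sla_days[sev]:
            breached.append(f["id"])

    by_severity = {}
    for sev, items in per_severity.items():
        days = [d for _, d in items]
        late = [fid for fid, d in items if d > sla_days[sev]]
        by_severity[sev] = {
            "count": len(days),
            "median_days": median(days),
            "max_days": max(days),
            "breaches": len(late),
            "within_sla_pct": round(100.0 * (len(days) - len(late)) / len(days), 1),
        }
    return {"by_severity": by_severity, "breached_ids": breached}


if __name__ == "__main__":
    result = sla_report(FINDINGS)
    for sev, stats in result["by_severity"].items():
        print(f"{sev:8s} n={stats['count']} median={stats['median_days']:.1f}d "
              f"max={stats['max_days']:.1f}d within_sla={stats['within_sla_pct']}%")
    print("past SLA:", ", ".join(result["breached_ids"]))
```

Two points matter in practice: the `opened` timestamp should be the time the flaw was first detected, not when a ticket was eventually filed, or the metric flatters the process; and reporting the median alone hides the tail, which is why the report also carries the maximum and the breach count per severity.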
Cloud-Dominant Infrastructure Is Here to Stay
More than a quarter of survey respondents say they are deploying 100% of their software and applications in the cloud. Even organizations that have not shifted to an entirely cloud-based model are still gravitating there, with 31% of respondents deploying 75% of software in the cloud and 22% deploying at least 50% of their software in the cloud.
As digital infrastructure continues to migrate to the cloud, cloud-based application security becomes more critical. Paired with accelerated release cycles and new technologies, the cloud has dramatically altered the industry’s approach to delivering applications and infrastructure. Despite immense pressure to release software faster than ever, the industry’s approach to security has not yet adapted.
To adjust to the heightened frequency and speed of new software releases, security teams must unify vulnerability management, security posture management, and DevSecOps across cloud and on-premises environments to create a comprehensive view of their application landscape.
Insufficient AppSec Funding
The survey reveals that the largest barrier to AppSec maturity is insufficient funding. Budget is the biggest challenge to a successful application security program for 22% of respondents. Over 34% of those surveyed report no increase in their software security budgets within the last year, and more than 32% predict there will be no change in the next year. Without adequate software security budgets, organizations cannot fund the people and the processes a mature program requires.
Looking Ahead
Although 38% of survey respondents rate their application security program as “somewhat mature,” meaning that they have a defined program with core practices in place, only 14% say their AppSec programs are advanced. Additionally, 18% say they are “just starting” the process of developing an AppSec framework.
The journey to AppSec maturity is underway, but there is still progress to be made to adequately fortify the industry. In recognition of this ongoing journey and the changes in the industry, the Purple Book Community has come together to create a modern Scalable Software Security Maturity Model (S3M2). This cross-industry collaborative effort offers a framework to help organizations assess and improve their software security practices.