We recently held a webinar going over the recent 2023 State of Code Security. Thanks to all who were able to attend. If you missed it or you would like to review what we shared, you can catch the on-demand recording here. Below are several highlights from the webinar.
The AppSec Maturity Road
- While the majority (57%) of organizations are implementing DevSecOps, almost 3 in 10 (29%) haven’t yet, but plan to in the next year. This shoots up to 63% for larger companies. Almost 4 in 10 (38%) are making plans to implement it or haven’t done so yet.
- Almost two-thirds of respondents already use manual code review and 6 in 10 use manual application penetration testing. Most of these organizations are still at the starting point and have some way to go on the road to AppSec maturity.
- More than half (56%) of all organizations use SAST and perform application security assessments. However, less than 4 in 10 use MAST (38%) or IAST (37%).
- Almost half of respondents (46%) are planning to move to both IAST and SCA within 6-12 months.
- No one security pain point listed was cited by more than 29% of respondents. This highlights the growing complexity of challenges faced and points to the value of a single partner with deep expertise.
- Managing DevOps tools/processes across a hybrid environment (multi-cloud, on-premises) is the number one challenge across the board.
- More than a quarter (26%) of organizations are challenged by the frequent use of unsecure open-source code libraries. This is a bigger challenge for large organizations. Open-source components rank as the second-most vulnerable area overall but are top-ranked for larger organizations.
- The number one area where all organizations feel most vulnerable is the security of their APIs.
- Half of larger organizations tend to have a dedicated tool to test the security of their APIs. Only 31% of smaller organizations do that.
- Almost 4 in 10 SMBs (39%) tend to treat APIs the same way they treat web applications when it comes to handling their security.
- 45% of organizations use email (among other tools) to share vulnerabilities with developers. This is even higher, at 49%, for large organizations. This poses a serious security issue and also represents a lack of efficiency in the process.
- At the broader level, organizational culture is ranked as the second-biggest challenge to implementing DevSecOps, regardless of organization size.
Factors Influencing Tool Adoption
- All organizations prioritize accuracy and depth of vulnerability coverage (ranked number 1), as well as developer and ops tool integration (ranked second). These are the top two, regardless of organization size.
- When it comes to code security, a third (33%) of organizations are investing the most in security solutions and almost a quarter (24%) are investing in developer tools and cloud infrastructure.
- Only 13% of organizations use a single solution to take care of all their needs.
- 7 in 10 (71%) use a mix of 2 to 5 point-solutions or a collection of multi-touch vendors or tools. This shoots up to 81% of larger organizations.
- This means more to manage for overstretched staff as complexity in the security landscape spikes.
- Almost half of larger organizations (49%) are using hybrid methods to deploy AppSec, whereas less than a third (29%) of smaller organizations are doing so.
- Almost a quarter (23%) of respondents in general are investing most of their code security budget in cloud infrastructure. This promises an even greater shift towards a hybrid structure in the near future.
Outcomes and Tracking
- 6 in 10 respondents say they find too many false positives, and almost as many say they worry about missing issues (false negatives). However, this changes with organization size. For larger organizations, false negatives (60%) are less of a worry than finding more issues than they can remediate (70%). Given the scale at which larger organizations operate, and the higher stakes, that is their main concern.
- Most organizations track or manage the success of their application security program by looking at changes in the number and type of vulnerabilities found in their applications (59%), and by whether or not they are compliant with various regulations and requirements (46%).
- Speed metrics such as MTTR are more important to larger organizations (42%) than to smaller organizations (32%). This corresponds to their greater concern about finding more vulnerabilities than they can remediate quickly enough.
We had a great discussion of the key findings from the report, and the points above are only the highlights. You can read the entire 2020 State of Code Security report here.