The application security landscape is in a state of constant flux. Tools that were once sufficient for securing your applications may no longer be enough.
To better understand the state of application security, including present and future development trends, we conducted a survey of 1500 plus CISOs, AppSec managers, and developers worldwide with an independent research agency, Censuswide, and reviewed internal data from Checkmarx One™ — our cloud-based application security platform.
After evaluating the internal and external findings, we were able to identify common tendencies amongst roles and draw conclusions around topics such AppSec scan use, secure code training practices, development practices, budget constraints, and digital transformation efforts.
We hope that you take the time to comb through our second annual 'Global Pulse on Application Security' report, but in the meantime, here’s a small sampling of the findings.
There’s been an ongoing trend in application security over the past few years: the need for speed. As we saw in this year’s Global Pulse on Application Security report, technological advances and increased connectivity have heightened reliance on software, especially applications. To keep up with consumer demands and remain competitive in the software space, enterprises are prioritizing speed to market through digital transformations and modern development tactics such as increased use of open source libraries, APIs, microservices, and containers.
But new approaches to hosting, building, and deploying applications bring new risks and attack surfaces. In fact, 88% of organizations experienced at least one breach in the past 12 months — most of which were the direct result of modern development practices [shown below in Figure 1 from the report].
A few years ago, “shift left” was the mantra that every development and security team lived by. But is that still the right approach?
Our report uncovered that vulnerabilities are found throughout the software development life cycle (SDLC), not only in the beginning phases.
“60% of vulnerabilities are detected during the code, build, or test phases, and 40% are found during the production phase.”
What does this finding mean? By shifting AppSec testing to the left and only testing at the beginning of the SDLC, you could miss vulnerabilities further down the line, like in production.
The secret is out: 98% of software developers are not satisfied with their security testing tools. The survey revealed that the most common complaints around testing tools include “way too many false positives,” and “no correlation of scan results,” among others.
It also doesn’t help that most AppSec testing tools do not easily integrate and automate in developer’s existing tools and processes.
“Only 34% of developers responded that their AppSec scans are completely integrated and automated into their SCMs, IDEs, and CI/ CD tooling.”
With discontent around testing tools from developers, it comes as no surprise that 99% of AppSec managers plan to add new testing solutions or strategies over the next 12 months.
From the findings, it’s safe to surmise that organizations developing modern software need to take a step back and look holistically at their application security. For starters, application security needs to be embedded into every phase of the SDLC, not just at the beginning. In other words, organizations should not only shift left but also shift right, a concept referred to as “shifting everywhere.”
By shifting AppSec everywhere, organizations can find and fix vulnerabilities faster, significantly reducing time to market and lowering costly rework to remediate vulnerabilities. This helps ensure that new technologies and architectures are secure.
The findings in this year’s 'Global Pulse on Application Security' report also point to the importance of a cloud-based platform approach. By having all of your AppSec testing tools with one vendor on a unified platform, development teams can seamlessly integrate scans into their CI/CD pipelines and defect-tracking systems, creating better automation and a more efficient feedback loop. Empowering developers to be in the driver’s seat with AppSec initiatives not only helps foster a stronger relationship between development and security teams but also frees up the security team to concentrate on product security.
One unified AppSec platform, like Checkmarx One™ , can also help organizations to prioritize vulnerabilities. Checkmarx One offers unique scan correlation capabilities that provide actionable insights into vulnerabilities across scan types and applications so you know what fixes will make the greatest impact in the shortest period of time. And given that Checkmarx One offers testing tools to reduce risk across all components of modern software — including proprietary code, open source, APIs, and Infrastructure as Code — there’s no need to juggle multiple AppSec vendors.
We hope you’ll explore the 'Global Pulse on Application Security' report to learn additional insights from your industry peers and to inform the decisions you make about your own AppSec program.