Survey Shows That Cultural Factors Hinder Adoption of Secure Coding Practices
A recent Checkmarx survey, “Global Pulse of AppSec,” suggests that cultural factors continue to obstruct the adoption of secure coding practices, leaving vulnerabilities in production code. Developers surveyed estimated that up to 40% of vulnerabilities evade code checks and testing, which underlines the need to raise security maturity. Developers and application security managers also disagree about the biggest obstacle to application security: developers named slower deployment, while AppSec managers blamed developers’ failure to adopt the tools on offer.
Identifying Responsibility For Security Remains A Challenge
A lack of organizational support and ill-defined responsibility for application security remain significant hurdles for most companies. In the Checkmarx report, nearly 36% of chief information security officers held AppSec teams responsible for application security, 28% pointed to operations teams, and 20% named developers.
Increase in Vulnerabilities Despite Security Focus
The “Open Source Security and Risk Analysis” (OSSRA) report by Synopsys shows that 84% of applications scanned in 2022 contained at least one vulnerability, and 48% contained a high-risk vulnerability. Application security tools are catching vulnerabilities before production, but many development teams lack the organizational support to act on the findings: 23% of survey respondents said they regularly ship known-vulnerable code into production, and another 45% said they have occasionally done so while aware of the vulnerabilities.
Challenges of Developer Behavior and Shifting Roles
Experts emphasize that cultural factors, more than technology gaps, drive the continued release of vulnerable applications. Synopsys’ Nivedita Murthy noted that introducing dedicated application security tools into the pipeline has helped development teams catch the most critical vulnerabilities. Remediation and long-term reduction, however, require more sustainable learning programs, because development teams turn over quickly and security know-how leaves with them. AppSec experts agree that cultural factors such as developer behavior and collaboration between security and DevOps teams can improve companies’ security efforts.
Automating Scans To Ensure Secure Development Life Cycles
AppSec teams need to encourage a culture of collaboration, create incentives for visibility into security, and continuously work to raise security maturity. Automated scans integrated into the pipeline reduce the likelihood of vulnerabilities escaping to production. Regular scanning, with every finding either fixed or explicitly tracked as accepted debt, can help companies bring their security debt down to zero or close to it and keep it there.
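The "scan regularly and keep the debt at zero" advice above is only enforceable if the pipeline actually fails on new findings while tracking the ones already accepted. The following is an added example, not code from the article or from any vendor's scanner: a CI gate that reads SARIF 2.1.0 output (the interchange format most SAST tools can emit), fingerprints each finding, blocks the build on any finding that is both new and at a blocking level, and reports how much accepted debt remains and how much has been fixed. The SARIF document, rule names, file paths and baseline are all constructed for illustration; the fingerprint scheme is an assumption (real tools emit `partialFingerprints`, which are more robust).

```python
import hashlib
import json
import sys

# Constructed SARIF 2.1.0 document standing in for real scanner output.
# The findings are illustrative only and do not describe any real codebase.
SARIF_TEXT = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "user input reaches a raw SQL string"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "path-traversal", "level": "error",
             "message": {"text": "filename built from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/files.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for integrity check"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})


def fingerprint(rule_id, uri, text):
    """Stable identity for a finding (assumed scheme). Line numbers are left
    out so that unrelated edits shifting code do not turn accepted debt into
    'new' findings; real tools emit partialFingerprints that do this better."""
    return hashlib.sha256(f"{rule_id}|{uri}|{text}".encode()).hexdigest()[:16]


def load_findings(sarif_text):
    """Flatten a SARIF document into a list of finding dicts."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            text = res.get("message", {}).get("text", "")
            rule = res.get("ruleId", "<no-rule>")
            findings.append({
                "fp": fingerprint(rule, uri, text),
                "level": res.get("level", "warning"),
                "rule": rule, "uri": uri, "line": line,
            })
    return findings


def gate(findings, baseline, blocking_levels=("error",)):
    """Ratchet: fail on any finding that is new (not in the baseline set) and
    at a blocking level. Baseline entries that no longer appear are reported
    as fixed, so the accepted debt can only shrink between runs."""
    seen = {f["fp"] for f in findings}
    new_blocking = [f for f in findings
                    if f["fp"] not in baseline and f["level"] in blocking_levels]
    new_other = [f for f in findings
                 if f["fp"] not in baseline and f["level"] not in blocking_levels]
    return {
        "passed": not new_blocking,
        "new_blocking": new_blocking,
        "new_other": new_other,
        "remaining_debt": sorted(baseline & seen),
        "fixed": sorted(baseline - seen),
    }


def run_gate(sarif_text, baseline):
    """Print a CI-style report and return the process exit code (0 = pass)."""
    report = gate(load_findings(sarif_text), baseline)
    for f in report["new_blocking"]:
        print(f"BLOCK  {f['rule']} {f['uri']}:{f['line']} ({f['fp']})")
    for f in report["new_other"]:
        print(f"WARN   {f['rule']} {f['uri']}:{f['line']} ({f['fp']})")
    print(f"debt remaining: {len(report['remaining_debt'])}, "
          f"fixed since baseline: {len(report['fixed'])}")
    return 0 if report["passed"] else 1


if __name__ == "__main__":
    # The baseline would normally be a committed file of accepted fingerprints.
    # Here the team has accepted only the sql-injection finding as tracked debt,
    # so the new path-traversal finding blocks the build.
    accepted = {fingerprint("sql-injection", "app/db.py",
                            "user input reaches a raw SQL string")}
    sys.exit(run_gate(SARIF_TEXT, accepted))
```

The baseline is the honest inventory of known debt: anything in it must have an owner and a deadline, and the gate never lets the list grow. Teams that instead suppress warnings in place, or widen the blocking level to make a build pass, are doing exactly what the surveys describe, shipping known-vulnerable code with the tooling in place.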
Conclusion: Urgent Need to Improve Security Maturity
The survey results show that companies are getting better at AppSec but still have a long way to go before they can claim to catch vulnerabilities effectively. Improved cultural factors such as developer behavior, collaboration between security and DevOps teams, and organizational learning programs are critical to improving application security. Organizations need to avoid complacency and focus on reaching a high level of security maturity by prioritizing AppSec.