Checkmarx report reveals 92% of companies faced a breach due to app vulnerabilities
Mon, 4th Mar 2024

A new global research report released by Checkmarx, titled the Future of AppSec, reveals that a staggering 92% of the surveyed companies suffered a breach in the previous year because of vulnerabilities in applications developed in-house.

The research surveyed over 1,500 AppSec leaders, CISOs, and developers around the globe and provides a comprehensive picture of the current state of application security within companies.

The research also found that 91% of companies have knowingly released vulnerable applications because of business pressure and deadlines. Releasing applications with known vulnerabilities significantly heightens the likelihood of a cyber breach.

Responsibility for application security has notably shifted from dedicated security teams to a shared responsibility between developers and AppSec managers. The study found that 49% of respondents have developers involved in important AppSec solution purchases, while AppSec managers' and CISOs' involvement is reported at 41% and 40% respectively.

When asked why vulnerable applications were released, business pressure to meet deadlines emerged as the predominant reason. A significant 29% of AppSec managers admitted to rushing the release of applications to meet "a business, feature, or security-related deadline". Additionally, 18% of CISOs said they hoped the vulnerability would not be exploitable, and 29% of developers felt the vulnerability would be fixed in a later release.

Amit Daniel, Chief Marketing Officer at Checkmarx, expressed that “The mitigation of AppSec risk is becoming a shared responsibility at a time when cloud-native applications are deployed multiple times each day." He further added, "Our goal is to provide them with that visibility as a way of building what we call ‘DevSecTrust,’ or trust between developers and security, which can help bring their AppSec maturity to a whole new level.”

Developers reported that their top three security concerns relate to the tension between time-to-delivery demands and the potential volume of vulnerabilities needing remediation. These are: security demands impeding the development process, difficulty in knowing which vulnerabilities to fix and how to prioritise them, and a lack of context for remediating vulnerabilities. Approximately 61% of developers consider it critical that security does not block or slow the development process or become a hindrance to business success.

The complexity of applications has increased exponentially; an application now includes source code, open source packages, infrastructure-as-code (IaC), containers and more. Consequently, the need for organisations to scan across the entire software development life cycle, from code to cloud, has become more pressing.

These findings underscore the urgent need for a comprehensive application security (AppSec) platform that effectively addresses these concerns. Such a platform must facilitate cooperation and trust between AppSec and developer teams (DevSecTrust), improve the developer experience by providing risk prioritisation within an integrated toolkit for developers' preferred IDEs, consolidate cloud-native AppSec, and secure the entire application footprint from code to cloud.

The study's methodology involved a survey commissioned by Checkmarx and conducted by Censuswide among 1,504 developers, CISOs, and AppSec managers at companies with 1,000 to 10,000+ employees across North America, Europe, and Asia-Pacific.