Bright is now integrated with GitHub Copilot

Check it out! →
Product
Product overview

See how dev-centric DAST for the enterprise secures your business.

Web attacks

Continuous security testing for web applications at high-scale.

API attacks

Safeguard your APIs no matter how often you deploy.

Business logic attacks

Future-proof your security testing with green-flow exploitation testing.

LLM attacks

Next-gen security testing for LLM & Gen AI powered applications and add-ons.

Interfaces & extensions

Security testing throughout the SDLC - in your team’s native stack.

Integrations

Connecting your security stack & resolution processes seamlessly.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Book a demo

We’ll show you how Bright’s DAST can secure your security posture.

Resources
Blog

Check out or insights & deep dives into the world of security testing.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Case studies

Dive into DAST success stories from Bright customers.

Research

Download whitepapers & research on hot topics in the security field.

Company
About us

Who we are, where we came from, and our Bright vision for the future.

News

Bright news hot off the press.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

We're hiring

Want to join the Bright team? See our open possitions.

Bug bounty

Found a security issue or vulnerability we should hear about? Let us know!

Contact us

Need some help getting started? Looking to collaborate? Talk to us.

Resources > Blog >
The 2023 State of Application Security Survey – Insights and Key Findings

The 2023 State of Application Security Survey – Insights and Key Findings

Nedim Marić

As the digital landscape continues to evolve, application security (AppSec) remains a critical focus for organizations worldwide. As 2023 ends, let’s review the new 2023 State of Application Security Report  from the Purple Book Community provides a comprehensive look into the current trends, challenges, and advancements in this field. This blog post delves into the key findings of this report, offering insights into how companies are navigating the complex world of AppSec.

The Maturing Landscape of AppSec

The report begins by acknowledging the gradual maturation of AppSec practices. However, it’s clear that many organizations still face significant hurdles. A staggering 53% of teams report unmanaged risks in their application portfolios, indicating a substantial gap in effective security coverage. This finding underscores the need for more robust and comprehensive security strategies.

A Shortage of AppSec Professionals

The report sheds light on a significant challenge in the realm of AppSec – the acute shortage of AppSec engineers. While nearly half (48%) of the respondents report their security team supports up to 50 developers, a concerning 42% have a minuscule team of just one to five AppSec engineers. Alarmingly, 24% of organizations admit to having no dedicated AppSec engineers at all.

This scarcity of specialized personnel severely hampers the teams’ ability to devote adequate time and effort to counteract threats and vulnerabilities effectively. More critically, it impedes the establishment and implementation of proactive security management strategies. AppSec engineers are not just technical experts; they are the vanguards who work alongside developers to establish, deploy, and maintain security measures. Their role is pivotal in identifying, remediating, and preventing vulnerabilities, thus safeguarding the critical data within the application ecosystem.

The imbalance between developers and security professionals is stark, often with the ratio exceeding 100 to 1. This disparity raises serious concerns about the consistent implementation of best security practices. Without a robust team of AppSec engineers, there’s an inherent risk that applications may be deployed without adequate safeguards against threats like unauthorized access and data modification.

The importance of a strong AppSec engineering team cannot be overstated. These professionals play a crucial role in intertwining security with the software development processes. By embedding security practices throughout the application lifecycle, AppSec engineers ensure the fortification of data against both internal and external threats. This integration is essential for securing applications at every stage – from development to deployment.

Prioritization: A Persistent Challenge

One of the most notable challenges highlighted in the report is the difficulty in prioritizing vulnerabilities. The phrase “too many vulnerabilities, not enough prioritization” resonates throughout the report, capturing a common sentiment among security teams. This challenge is further complicated by the fact that 86% of respondents agree that while security tools are interchangeable, it’s the process that’s most important, suggesting a need for better processes and strategies in vulnerability management.

The Evolution of Security Practices

Interestingly, the report reveals a shift towards more sophisticated security practices. For instance, 31% of industry leaders are using an Application Security Maturity Model, and a similar percentage are tracking the usage of security tools across teams. This indicates a move towards more structured and mature security frameworks, which could be key in addressing the prioritization challenges.

Investment in Security Amid Economic Downturn

Despite global economic challenges, over 50% of organizations are increasing their security spend. This is a telling indicator of the growing recognition of the importance of AppSec in safeguarding business interests. The report suggests that as threats become more sophisticated, so too must the defenses against them.

The Role of SBOM in Supply Chain Security

The Software Bill of Materials (SBOM) is highlighted as a crucial tool in understanding and mitigating supply chain risks. The report notes that over 20% of respondents have no SBOM usage, highlighting an area of potential improvement for many organizations. A comprehensive SBOM provides a clear view of an application’s components, which is essential in today’s complex software ecosystems.

Cloud Adoption and Its Implications for AppSec

A significant trend noted in the report is the increasing shift towards cloud deployments, with more than half of the respondents deploying 75% or more of their applications in the cloud. This transition brings its own set of security challenges and emphasizes the need for AppSec strategies that are tailored to cloud environments.

The Human Element in AppSec

The report also touches on the human aspects of AppSec. Challenges such as lack of funding, difficulty in hiring skilled personnel, broader AppSec awareness, and lack of leadership buy-in are cited as major obstacles. These findings highlight the importance of not only technological solutions but also the need for skilled professionals and organizational commitment to AppSec.

Day-to-Day Challenges for AppSec Teams

For teams on the ground, the daily reality involves grappling with an overwhelming number of vulnerabilities and a constant need to prioritize risks effectively. The report suggests that analyzing and triangulating results across various tools to highlight risk priorities remains a daunting task for many.

Conclusion

The 2023 State of Application Security Report sheds light on the complex and evolving nature of AppSec. While there is evidence of maturation and advancement in practices, significant challenges remain. The key takeaways from the report emphasize the need for better prioritization processes, investment in security despite economic challenges, embracing cloud transitions with robust security strategies, and focusing on the human elements of AppSec. As the digital world continues to evolve, so too must our approaches to securing it. This report serves as both a benchmark and a guide for organizations looking to navigate the intricate landscape of application security.

Resources

IASTless IAST – The SAST to DAST Bridge

Streamline appsec with IASTless IAST. Simplify deployment, enhance accuracy, and boost your security posture by combining SAST and Bright’s DAST.

Bringing DAST security to AI-generated code

AI-generated code is basically the holy grail of developer tools of this decade. Think back to just over two years ago; every third article discussed how there weren’t enough engineers to answer demand; some companies even offered coding training for candidates wanting to make a career change. The demand for software and hardware innovation was

5 Examples of Zero Day Vulnerabilities and How to Protect Your Organization

A zero day vulnerability refers to a software security flaw that is unknown to those who should be mitigating it, including the vendor of the target software.

Get our newsletter