AppSec is getting more attention from the C-suite, and with digital transformation taking place worldwide, organizations are continuously playing catch-up. As technology rapidly evolves and time to market demands become increasingly critical, there is a massive knowledge gap to be closed as well as a need for ongoing process change.
When it comes to who is responsible for building more secure applications, the "us vs. them" finger-pointing between AppSec and developers has held organizations back, and it is clear that this needs to change. Although "shift left" is a well-known term in the AppSec community, the shift is also about people, processes, and technology; tools alone won't resolve the existing contention. Education is key, and modern AppSec tooling should always be seen as an enabler of continuous improvement and better outcomes.
We wanted to understand more about what might be behind organizations' widening AppSec concerns in the midst of their transformations. The AppSec managers we surveyed admitted they were uncertain about their development teams' ability to build secure applications, with the top three reasons being:
- Lack of time to work with development teams in the context of security (40%)
- Unavailability of appropriate application security tooling (38%)
- Sophisticated nature of attacker methods (37%)
More About the Survey
This past summer, we commissioned an organization called Censuswide to conduct a survey on the current state of AppSec worldwide. 1,524 AppSec managers and software developers across the US, UK, France, APAC, and DACH responded to the survey, leading us to some rather interesting discoveries.
For modern organizations that have become reliant on the software they develop, AppSec is nothing new. They balance time-to-market demands against secure software initiatives daily. Business demands outweigh security in many cases, but all indicators in this survey suggest that things are moving in the right direction with respect to overall AppSec awareness.
Some notable points in the survey highlighted confidence issues between developers and security teams, with each side pointing a finger at the other when it comes to who is responsible for security. Respondents also shared their own breach statistics and negative outcomes, showing that a widening threat landscape is simply part of their daily grind.
Targeted attacks were high on their list, and growing concerns about cloud native, open source, and software supply chains were evident. Training, AppSec testing, closing security gaps, and what it would take to become more successful were all concerns respondents widely shared. It is clear they fully understand what is at stake. All in all, the survey results provide a detailed view into the current state of AppSec. To learn more, download your free copy of the survey report here.
Where Do We Go from Here?
One thing is certain: AppSec is a moving target amid the massive migration to newer software development and deployment approaches. These approaches include a near-total move to cloud native, large numbers of microservices, vast numbers of APIs, unprecedented consumption of open source, widespread use of containers, and infrastructure as code being used everywhere possible. Modern application development (often called MAD) isn't going anywhere but up. Developers love it, security professionals are getting used to it, and those in leadership positions are seeing its many benefits, even if they are also rightly concerned about its expanding risk landscape.
At Checkmarx, we're dedicated to helping those embarking on MAD initiatives safely navigate that landscape. If you're currently unsure about the MAD landscape, you can become better informed by following us and our mission to secure the world's software applications one line of code at a time.
For instance, on October 20, we launched our inaugural global customer conference, Checkmate, where we brought together the global AppSec, developer, and leadership communities for a one-day virtual event. It was jam-packed with keynotes from a host of industry thought leaders and top analysts, a CISO roundtable, a live Codebashing tournament, integration and automation labs, and a major reveal: the Checkmarx Application Security Platform. That’s just a sample of the various topics we covered. If you missed the event, no worries. You can watch all of the sessions on demand here.
To inform the software-driven community even further, we’re delivering a three-part e-book series all about MAD:
- The Many Facets of Modern Application Development
- The Many Risks of Modern Application Development
- AppSec Considerations of Modern Application Development (coming soon)
This e-book series should help clear up the cloudy waters, allowing you to approach modern application development with confidence, skill, and know-how from a leadership, AppSec, and developer perspective. You can begin your path to MAD knowledge here.