The state of application security: What the statistics tell us – CSO Online
The emergence of the DevOps culture over the past several years has fundamentally changed software development, allowing companies to push code faster and to automatically scale the infrastructure needed to support new features and innovations. The increased push toward DevSecOps, which bakes security into the development and operations pipelines, is now changing the state of application security, but gaps still remain according to data from new industry reports.
A new report by the Enterprise Strategy Group (ESG), which surveyed 378 application developers and application security professionals in North America, found that many organizations continue to push code with known vulnerabilities into production despite viewing their own application security programs as solid.
Releasing vulnerable code is never good but doing so knowingly is better than doing it without knowing, since the decision usually involves some risk assessment, a plan to fix, and maybe temporary mitigations. Half of respondents said their organizations do this regularly and a third said they do it occasionally. The most often cited reasons were meeting a critical deadline, the vulnerabilities being low risk or the issues being discovered too late in the release cycle (45%).
The findings highlight why integrating security testing as early in the development process as possible is important, but also that releasing vulnerable code is not necessarily a sign of not having a good security program because this can happen for different reasons and no single type of security testing will catch all bugs. However, the report also found that many organizations are still in the process of expanding their application security programs, with only a third saying their programs cover more than three quarters of their codebase and a third saying their programs cover less than half.
Who takes responsibility for the decision of pushing vulnerable code into production can vary from organization to organization, the survey found. In 28% of organizations the decision is taken by the development manager together with a security analyst, in 24% by the development manager alone and in 21% by a security analyst.
This could actually be a sign of application security programs maturing, because DevSecOps is about moving security testing as early as possible in the development pipeline, whereas in the past security testing fell solely in the sphere of security teams who used to perform it after the product was complete.
In organizations where the development team does the security testing as a result of integrations into their processes and also consumes the results, it's normal for the development manager to make decisions regarding which vulnerabilities are acceptable, either in collaboration with the security team or even inside their own organization if they have a security champion -- a developer with application security knowledge and training -- on their team. Such decisions, however, should still be taken based on policies put in place by the CISO organization, which is ultimately responsible for managing the entire company's information security risk and can, for example, decide which applications are more exposed to attacks or contain more sensitive information that hackers could target. Those applications might have stricter rules in place when it comes to patching.
If the risk is not evaluated correctly, shipping code with known vulnerabilities can have serious consequences. Sixty percent of respondents admitted that their production applications were exploited through vulnerabilities listed in the OWASP Top-10 over the past 12 months. The OWASP Top-10 contains the most critical security risks to web applications and include problems like SQL injection, broken authentication, sensitive data exposure, broken access controls, security misconfigurations, the use of third-party components with known vulnerabilities and more. These are issues that should not generally be allowed to exist in production code.
According to ESG's report, companies use a variety of application security testing tools: API security vulnerability (ASV) scanning (56%), infrastructure-as-code security tools to protect against misconfigurations (40%), static application security testing (SAST) tools (40%), software composition analysis (SCA) testing tools (38%), interactive application security testing (IAST) tools (38%), dynamic application security testing (DAST) tools (36%), plugins for integrated development environments (IDEs) that assist with security issue identification and resolution (29%), scanning tools for images used in containers, repositories and microservices (29%), fuzzing tools (16%) and container runtime configuration security tools (15%).
However, among the top challenges in using these tools, respondents listed developers lacking the knowledge to mitigate the identified issues (29%), developers not using tools the company invested in effectively (24%), security testing tools adding friction and slowing down development cycles (26%) and lack of integration between application security tools from different vendors (26%).
While almost 80% of organizations report that their security analysts are directly engaged with their developers by working directly to review features and code, by working with developers to do threat modelling or by participating in daily development scrum meetings, developers themselves don't seem to get a lot of security training. This is why in only 19% of organizations the application security testing task is formally owned by individual developers and in 26% by development managers. A third of organizations still have this task assigned to dedicated security analysts and in another 29% it's jointly owned by the development and security teams.
In a third of organizations less than half of developers are required to take formal security training and only 15% such training is required for all developers. Less than half of organizations require developers to engage in formal security training more than once a year, 16% expecting developers to self-educate and 20% only offering training when a developer joins the team.
Furthermore, even when training is provided or required, the effectiveness of such training is not properly tracked in most organizations. Only 40% of organizations track security issue introduction and continuous improvement metrics for development teams or individual developers.
Veracode, one of the application security vendors who sponsored the ESG research, recently launched the Veracode Security Labs Community Edition, an in-browser platform where developers can get free access to dozens of application security courses and containerized apps that they can exploit and patch for practice.
Any mature application security program should also cover any open-source components and frameworks because these make up a large percentage of modern application code bases and carry risks of inherited vulnerabilities and supply chain attacks. Almost half of respondents in ESG's survey said that open-source components make up over 50% of their code base and 8% said they account for two thirds of their code. Despite that, only 48% of organizations have invested in controls to deal with open-source vulnerabilities.
In its 2020 State of the Software Supply Chain report, open-source governance company Sonatype noted a 430% year-over-year growth in attacks targeting open-source software projects. These attacks are no longer passive where attackers exploit vulnerabilities after they've been publicly disclosed, but ones where attackers try to compromise and inject malware into upstream open-source projects whose code is then pulled by developers into their own applications.
In May, the GitHub security team issued a warning about a malware campaign dubbed Octopus Scanner that was backdooring NetBeans IDE projects. Malicious or compromised components have also been regularly distributed on package repositories like npm or PyPi.
The complex web of dependencies makes dealing with this issue difficult. In 2019, researchers from Darmstadt University analyzed the npm ecosystem, which is the primary source for JavaScript components. They found that any typical package loaded an average of 79 other third-party packages from 39 different maintainers. The top five packages on npm had a reach of between 134,774 and 166,086 other packages.
"When malicious code is deliberately and secretly injected upstream into open source projects, it is highly likely that no one knows the malware is there, except for the person that planted it," Sonatype said in its report. "This approach allows adversaries to surreptitiously set traps upstream, and then carry out attacks downstream once the vulnerability has moved through the supply chain and into the wild."
According to the company, between February 2015 and June 2019, 216 such "next-generation" supply chain attacks were reported, but from July 2019 to May 2020 an additional 929 attacks were documented, so this has become a very popular attack vector.
In terms of traditional attacks where hackers exploit known vulnerabilities in components, companies seem unprepared to respond quickly enough. In the case of the Apache Struts2 vulnerability that ultimately led to the Equifax breach in 2017, attackers started exploiting the vulnerability within 72 hours after it became known. More recently, a vulnerability reported in SaltStack was also exploited within three days after being announced, catching many companies unprepared.
A Sonatype survey of 679 software development professionals revealed that only 17% of organizations learn about open-source vulnerabilities within a day of public disclosure. A third learn within the first week and almost half after a week's time. Furthermore, around half of organizations required more than a week to respond to a vulnerability after learning about it and half of those took more than a month.
Both the availability and consumption of open-source components is increasing with every passing year. The JavaScript community introduced over 500,000 new component releases over the past year pushing the npm directory to 1.3 million packages. Until May developers downloaded packages 86 billion times from npm, Sonatype projecting that by the end of the year the figure will reach 1 trillion downloads. It's concerning that the University of Darmstadt research published last year revealed that nearly 40% of all npm packages contain or depend code with known vulnerabilities and that 66% vulnerabilities in npm packages remain unpatched.
In the Java ecosystem, developers downloaded 226 billion open-source software components from the Maven Central Repository in 2019, which was a 55% increase compared to 2018. Given the statistics seen in 2020, Sonatype estimates that Java components downloads will reach 376 billion this year. The company, which maintains the Central Repository and has deep insights into the data, reports that one in ten downloads was for a component with a known vulnerability.
A further analysis of 1,700 enterprise applications revealed that on average they contained 135 third-party software components, of which 90% were open source. Eleven percent of those open-source components had at least one vulnerability, but applications had on average 38 known vulnerabilities inherited from such components. It was also not uncommon to see applications assembled from 2,000 to 4,000 open-source components, highlighting the major role the open-source ecosystem plays in modern software development.
Similar component consumption trends were observed in the .NET ecosystem and the microservice ecosystem, with DockerHub receiving 2.2 container images over the past year and being on track to seeing 96 billion image pull requests by developers this year. Publicly reported supply chain attacks have involved malicious container images hosted on DockerHub and the possibility of having images with misconfigurations or vulnerabilities is also high.
The DevOps movement has fundamentally changed software development and made possible the new microservice architecture where traditional monolith applications are broken down into individually maintained services that run in their own containers. Applications no longer contain just the code necessary for their features, but also the configuration files that dictate and automate their deployment on cloud platforms, along with the resources they need. Under DevSecOps, development teams are not only responsible for writing secure code, but also deploying secure infrastructure.
In a new report, cloud security firm Accurics, which operates a platform that can detect vulnerable configurations in infrastructure-as-code templates and cloud deployments, 41% of organizations had hardcoded keys with privileges in their configurations that were used to provision computing resources, 89% deployments had resources provisioned and running with overly permissive identity and access management (IAM) policies and nearly all of them had misconfigured routing rules.
See more here:
The state of application security: What the statistics tell us - CSO Online
- ZML Takes On Nvidia Lock In With Free AI Software - Open Source For You - July 9th, 2026 [July 9th, 2026]
- LibreOffice 26.8 Beta Released For Improving This Free Software Office Suite - Phoronix - July 9th, 2026 [July 9th, 2026]
- Toybox Audio Thump One: hard-hitting free synth plugin gets a wild update 3.0 (beta) - synth anatomy - July 9th, 2026 [July 9th, 2026]
- Belm do Par lends its name to the new version of the free software QGIS - MundoGEO - July 9th, 2026 [July 9th, 2026]
- This free software aims to turn Sony headphones into a head tracker for '200+ PC games' - inkl - July 9th, 2026 [July 9th, 2026]
- Tilr TetraOP: a free 4OP FM and wavetable Synthesizer plugin (mac, linux, win) - synth anatomy - July 9th, 2026 [July 9th, 2026]
- If you have Sony headphones, you may be able to use them as a headtracker with this free software - PC Gamer - July 7th, 2026 [July 7th, 2026]
- IGV Investors: Watch Oracles Free Cash Flow as the Real Test of AI Capex Economics - 24/7 Wall St. - July 1st, 2026 [July 1st, 2026]
- 5 free and open-source software (FOSS) to replace Microsoft, Google, and big tech - How-To Geek - July 1st, 2026 [July 1st, 2026]
- Oxyfinz Unveils Free Software Initiative to Bridge the UAE Wealth Management Technology Gap - The Fintech Times - July 1st, 2026 [July 1st, 2026]
- FREE TO READ | Cracking the code to using enterprise software - TimesLIVE - July 1st, 2026 [July 1st, 2026]
- Ag View Solutions Offers Farm Profit Manager Software for Free - AG INFORMATION NETWORK OF THE WEST - June 24th, 2026 [June 24th, 2026]
- From free speech to software design: How experts are reading the Delhi HCs Telegram ruling - MediaNama - June 24th, 2026 [June 24th, 2026]
- Year of free HPE software a step in the correct direction in VMware rivalry - Ars Technica - June 22nd, 2026 [June 22nd, 2026]
- Free Software Foundation Europe pushes EU to force Google to allow AI uninstalls on Android - Neowin - June 22nd, 2026 [June 22nd, 2026]
- Smokeball Offers Free Software Access To Over 900,000 Attys - Law360 - June 16th, 2026 [June 16th, 2026]
- Foundation Software and Sax LLP to Host Free Webinar on Job Cost Reporting for Better Profit Management - ACCESS Newswire - June 16th, 2026 [June 16th, 2026]
- Palantir (PLTR): Debt-Free AI Growth Shows Why Its Software Story Still Has Financial Firepower - Yahoo Finance - June 16th, 2026 [June 16th, 2026]
- Foundation Software and Sax LLP to Host Free Webinar on Job Cost Reporting for Better Profit Management - Bluefield Daily Telegraph - June 16th, 2026 [June 16th, 2026]
- Massive's Pioneering 'Lord Of The Rings' Crowd Simulation Software Is Now Free To Use - Engadget - May 29th, 2026 [May 29th, 2026]
- Linux is Getting a Free Pass on Age Verification in California and Colorado - It's FOSS - May 29th, 2026 [May 29th, 2026]
- Claude Mythos AI Identified 10,000+ Software Vulnerabilities in One Month - Hackread - May 29th, 2026 [May 29th, 2026]
- BYD Shark 6 to gain free off-road software upgrade - EVs & Beyond - May 29th, 2026 [May 29th, 2026]
- Unique opportunity: a free technology program in SC offers professional training for young people with a focus on programming, software development,... - May 29th, 2026 [May 29th, 2026]
- Microsoft Says This Free App Can Fix Slow PCs in One Click. I Had to Try It - PCMag - May 29th, 2026 [May 29th, 2026]
- US and Allies Guarantee Tax-Free Streaming and Software Downloads - PYMNTS.com - May 11th, 2026 [May 11th, 2026]
- This free CAD software runs in your browser and puts expensive programs to shame - MakeUseOf - May 11th, 2026 [May 11th, 2026]
- Avast Free Antivirus: The Go-To Software for Millions of Users - Gizmodo - May 11th, 2026 [May 11th, 2026]
- The Best Budget Apps for 2026: Pros, Cons and What Users Say - NerdWallet - May 11th, 2026 [May 11th, 2026]
- Fluid-free dry braking is now in the sights of automakers: 100% electronic systems promise to reduce reliance on hydraulics, cut maintenance, and... - May 11th, 2026 [May 11th, 2026]
- I signed up to YouTube Premium exclusively for music videos, and its like MTV never left but theres one reason why I wont go beyond my free trial -... - April 21st, 2026 [April 21st, 2026]
- Microsoft College Offer doles out free software so that you forget that MacBook Neo is a better deal - Yahoo Tech - April 21st, 2026 [April 21st, 2026]
- The creative software industry has declared war on Adobe - The Verge - April 21st, 2026 [April 21st, 2026]
- Foundation Software and Hahn Loeser & Parks LLP to Host Free Webinar on Subcontractor Risk Management - Bluefield Daily Telegraph - April 21st, 2026 [April 21st, 2026]
- Top 7 Free Accounting Software for Clubs and Associations - Small Business Trends - April 10th, 2026 [April 10th, 2026]
- [un]prompted 2026 Code Is Free: Securing Software In The Agentic Future - Security Boulevard - April 7th, 2026 [April 7th, 2026]
- Best antivirus for Windows 11: Guide to choosing the right software - Acronis - April 7th, 2026 [April 7th, 2026]
- Work faster in Krita with these pro tips master the best free Photoshop alt - Creative Bloq - April 7th, 2026 [April 7th, 2026]
- JWM Guard Tour Patrol System - Battery Powered RFID Reader With LCD, Free Software For Security Monitoring - ruhrkanal.news - April 7th, 2026 [April 7th, 2026]
- Download the Free Guide: The 2026 Buyer's Guide to Hotel Management Software Released By Roommaster - Hotel News Resource - April 5th, 2026 [April 5th, 2026]
- Acer's Chromebook Plus Easter offer comes with free software worth more than the laptop itself, including GeForce Now - PC Guide - April 3rd, 2026 [April 3rd, 2026]
- Inside the German state trying to break free from Microsoft - Financial Times - April 3rd, 2026 [April 3rd, 2026]
- The Document Foundation Calls on Europe to Break Free from Proprietary Software - Linuxiac - April 3rd, 2026 [April 3rd, 2026]
- Fret Not, Some of These Apps are Free This Week! - nextpit.com - April 3rd, 2026 [April 3rd, 2026]
- Garmin smartwatch users may be green with envy over Coros latest free update - t3.com - April 3rd, 2026 [April 3rd, 2026]
- Get Your Free Apps of the Week Here! - nextpit.com - March 26th, 2026 [March 26th, 2026]
- Zeptive Software Update Boosts Vape Detection Performance - GlobeNewswire - March 22nd, 2026 [March 22nd, 2026]
- PRToolFinder Adds New Filters to Discover Free PR Tools and Free Software Trials Across its PR Tools Directory - Yahoo Finance - March 22nd, 2026 [March 22nd, 2026]
- Temecula DSP MDV-II: a free emulation of the Alesis MidiVerb II multi-FX processor - synth anatomy - March 22nd, 2026 [March 22nd, 2026]
- Garmins top smartwatches are getting a massive free software update here are the 2 best new features - MSN - March 22nd, 2026 [March 22nd, 2026]
- Sojus Records Ensoniq SD-1: an open-source emulation of the 1990 TransewaveTM synth - synth anatomy - March 22nd, 2026 [March 22nd, 2026]
- Chardet dispute shows how AI will kill software licensing, argues Bruce Perens - theregister.com - March 11th, 2026 [March 11th, 2026]
- Free income tax help and software are available in SC. Here's where and how. - Post and Courier - March 9th, 2026 [March 9th, 2026]
- 70% of taxpayers in the US can file taxes for free. Here's how - USA Today - March 9th, 2026 [March 9th, 2026]
- The complete guide to choosing the best free video editing software for high-quality content creation - AZ Big Media - March 9th, 2026 [March 9th, 2026]
- You can now use Elgato's mic and output mixing software with any device for free and I'm totally sold on it - PC Gamer - March 7th, 2026 [March 7th, 2026]
- Eligible N.Y. taxpayers can file their 2026 taxes for free: How to avoid hidden fees - SILive.com - March 7th, 2026 [March 7th, 2026]
- Volvo Puts Its Money Where Its Mouth Is, Sends UX-Upgrading Over-The-Air Software Update To 2.5 Million Cars - Jalopnik - March 7th, 2026 [March 7th, 2026]
- Best Pokies Software 2026 Real phoenix reborn slot free spins money Apps To have Pokies - Cutival Piura - March 7th, 2026 [March 7th, 2026]
- "Our vision for what creator audio should be" - Elgato launches Wave Next, a new generation of powerful audio hardware with software that's... - March 4th, 2026 [March 4th, 2026]
- Stop Paying for Tax Software Surprises: Know When to Use Paid or Free Versions - CNET - March 4th, 2026 [March 4th, 2026]
- Comparing Free Word Processing Software: Features and Compatibility - Techloy - March 4th, 2026 [March 4th, 2026]
- Winnipeg-based information technology consulting firm IDFusion Software Inc. celebrates 25 years of growth - Winnipeg Free Press - March 4th, 2026 [March 4th, 2026]
- The I.R.S. Shut Its Direct File, but Here Are Other Free Filing Options - The New York Times - February 27th, 2026 [February 27th, 2026]
- Tiagolr Rippler: free MPE physical modeling Synthesizer is the big brother of Ripplerx - synth anatomy - February 27th, 2026 [February 27th, 2026]
- Looking for Free Paid Apps on Your Phone? Check Out This Weeks Selection! - nextpit.com - February 26th, 2026 [February 26th, 2026]
- SpendHound Partners With Rooled to Give High-Growth Startups Free Visibility Into Software Spend - 01net - February 24th, 2026 [February 24th, 2026]
- Why PDFs are so hard to editand the one free app that actually works - How-To Geek - February 11th, 2026 [February 11th, 2026]
- People can't believe this retro cartoon was made in free 3D software - Creative Bloq - February 7th, 2026 [February 7th, 2026]
- Tech stocks go into free fall as it dawns on traders that AI has the ability to cut revenues across the board - Fortune - February 7th, 2026 [February 7th, 2026]
- These Premium Apps Are Now Free But Only for a Limited Time - nextpit.com - February 7th, 2026 [February 7th, 2026]
- Why UK Taxpayers Are Searching for the Best Free Tax Software in 2026 - openPR.com - February 7th, 2026 [February 7th, 2026]
- Aptitude Software Buys Back 23,000 Shares, Cuts Free-Float to 55.3 Million - TipRanks - February 7th, 2026 [February 7th, 2026]
- Dealers will update the batterys software and replace the battery if needed for free. - Facebook - February 4th, 2026 [February 4th, 2026]
- LibreOffice 26.2 Released With Many Refinements To This Open-Source Office Suite - Phoronix - February 4th, 2026 [February 4th, 2026]
- Use Your Library Card to Stream More Than 30,000 Movies for Free With This Streaming Service - CNET - February 4th, 2026 [February 4th, 2026]
- 7 open-source apps I'd happily pay for - because they're that good - ZDNET - February 1st, 2026 [February 1st, 2026]
- Fed up of subscriptions? Here's the free software every digital artist needs - Creative Bloq - January 24th, 2026 [January 24th, 2026]
- The Best Personal Finance and Budgeting Apps We've Tested for 2026 - PCMag - January 24th, 2026 [January 24th, 2026]
- Free download of software-defined automation application for manufacturing autonomy - Electropages - January 24th, 2026 [January 24th, 2026]