Invicti Security’s Fall 2021 AppSec Indicator report reveals where organizations make security trade-offs in the push to innovate; explores the promise of automation and integrationAustin, TX, October 26, 2021 at 9am EDT – Nearly all organizations are increasing their investment in application security this year, but they continue to struggle to fully embrace secure innovation. A new market study released today by Invicti Security™, Application Security and the Innovation Imperative, examines how companies are contending with the strategic need to innovate and the existential risk posed by cyber threats. Conducted in partnership with Wakefield Research, the report is based on a survey of 600 executives and hands-on-keyboard practitioners across security, development and DevOps. Respondents spanned more than 20 industries including manufacturing, technology, government, retail, and education. The findings reveal both encouraging trends and continued challenges:
- Tight timelines and innovation pressures for those on the front lines mean skipped security steps. And, integration is still a work in progress: 70% of respondents “frequently” or “always” complete projects without carrying out all security steps. Additionally, integration into the software development life cycle (SDLC) is lacking, with only 20% reporting they have fully shifted left and another third in the “messy middle.” The repercussions of this are clear, with one in three issues under remediation making it to production without being caught in the dev or test stages.
- Dev and sec are collectively stressed out, but the animosity between the two groups has been exaggerated: An eye-popping 78% of dev and sec respondents suffered increased stress levels this year and 73% actually considered quitting their job because of this stress. Despite the well-known reputation for friction between the two groups, 76% feel they have a shared passion for security and work as one team that often collaborates to address security issues. This compares with only 17% who classified the relationship as “frenemies” and 7% “strangers.”
- Underpowered tools and manual processes impede efficiency, but practitioners know what it will take to address the problem. It would take a whopping two weeks per team member on average to address their organization’s current backlog of security issues — and that’s if they don't work on anything else. Adding to this, 78% say they are forced to perform manual verification of vulnerabilities always or frequently. False positives no doubt play a role in this: 96% report they are problematic at their organization, and 39% say they increase friction between dev and sec. But these teams know what it will take to dig out of the mess: increased automation (60%) and more integrations (99%).