Invicti Research Finds Executive Overconfidence is a Security Risk

Existing web application security workflows are more fragile and less effective than the C-suite believes.

Invicti Research Finds Executive Overconfidence is a Security Risk
AUSTIN, Texas, Oct. 13, 2020 – Invicti, the leading enterprise dynamic application security testing (DAST) solution, teamed up with Dimensional Research to understand the maturity and effectiveness of web application security in organizations worldwide. Security professionals from 382 organizations across the globe responded to the survey, with roles spanning development, DevOps, and C-suite. Invicti analyzed the findings and today released a report, "New Vulnerability Found: Executive Overconfidence." The survey found numerous areas where executives believe their organizations are more secure or adhere to best practices at a higher rate than security professionals deeper in the organization. For example, 75% of executives believe their organization scans all web applications for security vulnerabilities, while nearly 50% of security staff say they don't. Even more concerning, over 60% of DevOps respondents indicate that new security vulnerabilities are being found faster than they can be fixed, indicating that web application security efforts are insufficient. However, only just over 40% of executives are aware of this situation, and thus most companies are unlikely to be making the required investments to remedy the situation. Despite this, respondents ranked web application security highest among areas they believe their company should focus. Over 66% of respondents named web application security as a priority – more than any other aspect of IT security, ahead of network security, endpoint security, and patch management. Additional highlights from the Invicti report include:
  • While just 20% of developers believe that development teams are resistant to incorporating security, close to half of security professionals say they encounter developer resistance.
  • Just under 40% of developers indicated that critical security issues get automatically escalated, showing that organizations still have a long way to go to fully integrate security into the software development process.
  • Just under 35% of developers report friction caused by security false positives, compared to over 54% of security staff. This suggests that security teams bear the bulk of extra work caused by false alarms.
The survey shows a worrying disconnect between the theory and practice of web application security. While most organizations appreciate the importance of web security, many still don't scan all their applications and an even greater number struggle to deal with vulnerabilities in a timely manner. This research shows that perceptions and expectations of web application security vary widely depending on the role. This misalignment between perception and reality creates dangerous threats to the security of organizations and their customers' data as well. About Invicti Security Invicti Security is changing the way web applications are secured. An AppSec leader for 15 years, Invicti delivers DAST, IAST, and SCA technologies that empower organizations in every industry to continuously scan and secure all of their web applications and APIs with a highly integrated, automated approach spanning the entire software development lifecycle. Invicti is headquartered in Austin, Texas, and serves more than 3,000 organizations of all sizes all over the world. Learn more at