A substantial 78% of CISOs have expressed concerns about the current unmanageability of application security (AppSec) attack surfaces, emphasizing the need for improvement.
The figure comes from Application Security Posture Management (ASPM) firm Cycode’s inaugural The State of ASPM 2024 report.
The research, drawn from a survey of 500 US CISOs, AppSec Directors and DevSecOps team members, underscores the existing challenges in AppSec.
The report revealed a significant issue concerning strained relationships between security and development teams, with 90% of respondents recognizing the need for improvement. Interestingly, 77% of CISOs perceive software supply chain security as a more substantial blind spot for AppSec than emerging technologies like generative AI or open source.
“Despite industry forecasts, our research reveals a much more condensed time frame to ASPM adoption,” said Cycode CEO, Lior Levy. “While all the hype right now is focused on AI, software supply chain security issues are just as or even more critical, and any ASPM solution needs to have best-in-class capabilities.”
Read more about AI security: AI to Create Demand for Digital Trust Professionals, ISACA Survey Finds
A notable challenge highlighted in the research is the prioritization of AppSec risks and activities. An alarming 85% of CISOs acknowledge that development teams grapple with vulnerability noise and alert fatigue, hindering collaboration.
This alert fatigue, recognized by 88% of respondents, also results in developers neglecting critical vulnerability remediation, posing a significant security risk.
Furthermore, the report emphasized the ambiguity surrounding application security responsibilities within organizations. A substantial 77% of respondents find it challenging to determine ownership of application security, indicating the need for greater clarity in this domain.
Addressing the multifaceted issues contributing to strained relationships, the report notes that managing multiple security tools poses a challenge for 75% of security professionals due to their inherent complexity.
“Much of the Cycode report findings align with what we’re seeing in the market, starting with the criticality of software supply chain security,” commented Katie Norton, senior research analyst at IDC.
“Our 2023 DevSecOps Adoption, Techniques and Tools Survey identified a vulnerable software supply chain as a top application security gap. Our IDC research also found that companies struggle with developer and security misalignment and have prioritized fostering coordination.”
More information about securing AI and the software supply chain is available in this analysis by Sonatype developer advocate Dan Conn.