Cycode announced the
inaugural State of ASPM 2024 report,
the industry's first. The research found that AppSec chaos reigns, with
78% of CISOs responding that today's AppSec attack surfaces are
unmanageable and 90% of respondents confirming that relationships between their
security and development teams need to improve. Surprisingly, 77% of
CISOs believe software supply chain security is a bigger blind spot for
AppSec than Gen AI or open source.
The State of ASPM 2024
report was compiled from a survey of 500 U.S. CISOs, AppSec Directors
and DevSecOps team members. Half of the sample came from companies with
5,000+ employees and half with 1,000 - 5,000 employees. The research
consolidates and correlates findings across more than thirty different
categories and data points across the industry.
Prioritization
of AppSec risks and activities is a significant problem for most
organizations, as highlighted in the State of ASPM research. The vast
majority (85%) of CISOs acknowledge dev teams suffer from vulnerability
noise and alert fatigue, which strains the relationship between security
and dev teams. Additionally, 88% acknowledge that, because of alert
fatigue, developers are not focused on remediating critical
vulnerabilities, which increases the potential for a security breach and
puts the business at risk.
Only 21% of respondents believe
that both security and development are equally responsible for
application security, confirming that many security professionals
question whether application security is a team sport. An overwhelming
77% majority said that understanding who owns application security is
challenging, indicating that more clarity is needed about who is
responsible for AppSec in most organizations.
The report also
shows that alert fatigue is not the only cause of the souring
relationship between security and development teams. Many of the
challenges stem from diverse vulnerability sources and the proliferation
of AppSec tools. A staggering 75% of security professionals struggle
with the complexity of managing multiple security tools.
According
to Gartner®, "By 2026, over 40% of organizations developing proprietary
applications will adopt ASPM to more rapidly identify and resolve
application security issues."
"Despite industry forecasts, our
research reveals a much more condensed time frame to ASPM adoption.
While all the hype right now is focused on AI, software supply chain
security issues are just as or even more critical, and any ASPM solution
needs to have best-in-class capabilities," said Lior Levy, co-founder
and CEO, Cycode.
"Much of the Cycode report findings align
with what we're seeing in the market, starting with the criticality of
software supply chain security," said Katie Norton, Senior Research
Analyst at IDC. "Our 2023 DevSecOps Adoption, Techniques and Tools
Survey identified a vulnerable software supply chain as a top
application security gap. Our IDC research also found that companies
struggle with developer and security misalignment and have prioritized
fostering coordination."
In addition, 92% of CISOs confirmed
they are looking to consolidate their AppSec tools into a single
platform in the next 12 months. This comes on the heels of
Cycode's announcement of an expanded, complete approach to ASPM that
enables security and development teams to manage the burden, cost and
inefficiencies of having too many siloed (and vendor-locked) security
tools from code to cloud, bringing order so they can better maintain a
strong application security posture.
The capstone on Cycode's complete ASPM solution was its recent ConnectorX announcement,
a click-and-connect third-party ASPM integration platform that provides
companies with the choice to use Cycode's native ASPM tools or maximize
their investments in their existing AppSec tools. Using ConnectorX,
companies can plug in any AppSec solution (e.g., SCA, SAST, Secrets)
and, within minutes, gain accurate, real-time visibility into their
security posture.
Combined with significant enhancements to
its Risk Intelligence Graph (RIG) for smarter, risk-based
prioritization, Cycode delivers the capabilities needed for a complete
approach to ASPM, enabling security and development teams to align,
build trust and collaborate on maintaining strong application security
posture.
The State of ASPM 2024 Report is available online.