The defensive tax, which is the time AppSec teams spend chasing vulnerabilities vs. driving scalable cloud-native AppSec policies, is real and is being felt across enterprises of all sizes. The “defensive tax” costs organizations dearly — conservative estimates put the average cost of employing AppSec engineers who end up chasing vulnerabilities rather than driving a comprehensive cloud-native app security program at $1.2 million annually. This cost was estimated based on the assumption that the average enterprise has 10 AppSec engineers, with each commanding an average salary of $125K annually.*
SAST and DAST — long considered the standard bearers of AppSec security — were the two least extensively used technologies, with just 32% of respondents saying they use each extensively.
Comprehensive visualization, automated correlation, and intelligent prioritization are the core tenets of cloud-native application security
When we asked AppSec professionals to assess the importance of these three key tenets of a modernized approach to AppSec, the response was overwhelming: 82% agree that automating threat model visualization will help AppSec Teams save time and manual labor analyzing cloud-native application risks. A full 91% see the ability to correlate application security risks with the application’s exposure to the outside world, such as via open APIs, as important. 91% also see the ability to differentiate between general code weaknesses and critical vulnerabilities as important.
There’s a close consensus on the new critical AppSec capabilities in cloud-native environments. We asked respondents to assess the criticality of a variety of different capabilities to enterprise AppSec teams’ ability to secure cloud-native applications.
“Meeting code compliance standards” and “Correlating security findings to the developer or dev team responsible for the fix” are both deemed significant by 78% of respondents. “Analyzing threat impact in the context of our production environment” and “Offering concrete evidence of code security findings for devs” are also widely viewed as “critical” or “important”, at 74% and 76%, respectively.
Cloud-native app development has given new meaning to the pace of innovation, with modern enterprises developing and deploying code at a feverish pace. At modern enterprises, code is being pushed to production a few times per week at a minimum; and many teams are moving even faster.
47% of respondents report pushing code into production at least once per day, with 29% reporting doing so multiple times per day. The remaining 53% report pushing out code a few times per week.
All these eye-opening findings and more are available in the New Cloud-Native AppSec Paradigm Survey Report.