As Log4j catapulted application security into the spotlight, this past year saw a steep rise in enterprise interest and efforts to prevent further application-related security events. With topics such as SBOM (Software Bill of Materials) and Software Supply Chain dominating cybersecurity dialogues and agendas, AppSec has grown into a major priority for security executives and team leaders.
Resolving to test this observation and its implications, the Enso team embarked on a major research initiative to gauge how decision-makers perceive and plan to approach AppSec in the upcoming year. Together with our survey partners YL Ventures, and with support from Merlin Cyber and the St.Louis Cyber Interest Group (STLCIG), we surveyed over 40 security executives and AppSec professionals across a wide variety of industry verticals. Here’s what we found.
Our sample consisted of CISOs, CIOs, CSOs, AppSec Directors, AppSec Engineers, VPs of Product Security, Heads of Product Security, Product Security Engineers and more. We ensured that respondents hailed from a fairly even distribution of industry types, with the top 5 verticals being Finance, Insurance, SaaS, Life Sciences and Media/Entertainment.
Intent on producing hard, data-driven insights, our questions primarily followed a quantitative approach. However, we asked a small number of qualitative and open-ended questions as well for important context. Respondents answered questions that would specifically help us better understand their production environment, scale, company size, AppSec program maturity and most pressing AppSec needs.
AppSec Among Top 3 Priorities for 2023
Data pulled from our survey responses clearly indicate AppSec’s importance for organizations of various sizes and varying levels of program maturity for 2023. Over 70% of organizations said that AppSec was one of their top three priorities for 2023, and almost 90% claimed that they plan on improving their organization's AppSec over the next year. This was even true among respondents who categorized AppSec as a medium priority in their organization: 68% of them stated that AppSec was still a top 3 priority, further demonstrating AppSec’s growing role among organizations that are not even “AppSec first”.
Risk Prioritization Tops Pain Points
When respondents were prompted to rank their organization’s three biggest AppSec pain points, prioritizing activities ranked number one, followed by coverage of tools. Compliance and executive buy-in ranked at the bottom of the list.
With additional context, we learned that many AppSec teams are already armed with the tools, budget and executive buy-in they need. What they now require most is a solid methodology to prioritize activities, to measure and understand security and tooling gaps, and to gain full visibility of their application environments.
These findings were underscored in another question asking respondents to describe what is missing from current AppSec solutions on the market. Prioritization once again ranked highest, especially prioritization of defects so that teams can better understand the real associated risk. This was closely followed by the need for a more systematic approach to flagging prioritized findings for developers.
The low rankings of compliance and executive buy-in paint an important picture of contemporary decision-making around resource allocation. It is evident that market demand for AppSec tools currently outpaces demand stemming from government regulation. The findings around executive buy-in also reinforce the earlier findings around prioritization and indicate that AppSec has already garnered executive attention. They also indicate that security executives are gaining an increasing level of independence over their budgets and teams.
AppSec Budgets to Increase in 2023
According to a 2022 Forrester report, 58% of global senior security decision-makers planned to increase their application security budgets for 2022. Our findings confirm that this trend is projected to continue into 2023: 69% of surveyed organizations indicated that they indeed plan on increasing their AppSec budget in the next 12 months. What we did not ask, and wish we had, is how organizations intend to spend their increased budgets.
A follow-up survey to track changes in responses and gain more detailed insight into budget allocations would be advised.
Get the full report here: https://www.enso.security/lp/annual-appsec-trends-2023-report. For any comments or questions, please contact us at Julia@enso.security
About Enso Security
Enso Security is the first Application Security Posture Management (ASPM) tool used daily by AppSec teams to enforce, manage and scale a robust AppSec program, all without interfering with development.