Aug 18, 2020

69% Say Their AppSec Is Effective but Don’t Have Tools to Measure It

By Hope Goslin

Veracode recently sponsored Enterprise Strategy Group’s (ESG) survey of 378 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams.

The first survey question for developers and security professionals asked them to rate the efficacy of their organization’s AppSec program on a scale of zero to 10, zero being “we continually have security issues,” and 10 being “we feel confident in the efficacy and efficiency of our program.” Two-thirds of the organizations surveyed rated their programs an eight or higher. And, even more surprisingly, one-third of that two-thirds rated their program a nine or 10.

ESG AppSec Effectiveness

Veracode’s Chris Wysopal, Chief Technology Officer and Co-Founder, and Chris Eng, Chief Research Officer, addressed this finding during an exclusive Black Hat session with ESG, New Data Reveals How AppSec Is Adapting to New Development Realities. During the session, Chris Eng pointed out that organizations are more likely to rank themselves favorably in an online survey – like the ESG survey – than in a face-to-face interaction. Chris Wysopal noted that respondents may have been answering based on their own experiences with AppSec, without knowing what a fully mature AppSec program should look like – and therefore overinflating their rating of their program’s effectiveness.

To further gauge the accuracy of the result, Eng and Wysopal reviewed the responses to the follow-up questions. The first follow-up question was, “What percentage of your organization’s overall application portfolio codebase is protected by application security tools?” The results showed that approximately 71 percent of organizations use AppSec tools on more than half their codebase. Since around 70 percent of organizations ranked their AppSec programs as effective, it makes sense that a similar number of respondents are actively testing the majority of their codebase.

But the next question confirmed Wysopal’s suspicion that the developers and security professionals may not be gauging their responses against fully mature AppSec programs. It asked, “Have any of your organization’s production applications been exploited by OWASP top-10 vulnerabilities in the past 12 months?” The responses showed that 81 percent of organizations are experiencing exploits. There are several factors that could be contributing to the continuation of exploits … and all of the factors point back to the fact that these organizations need to further mature their AppSec programs.

How can organizations make the case for AppSec budget?

From the ESG survey results, we’ve established that the respondents’ AppSec programs are likely making a positive impact on their organizations, but they still need to invest in maturing those programs. Showing the return on investment can help organizations gain additional AppSec budget from stakeholders. But many organizations don’t have the tools to quantify the results of their AppSec program.

With Veracode Analytics, organizations can see how their AppSec programs are performing through pre-built dashboards and visualizations. The dashboards can be shared with stakeholders to show metrics across all our offerings, displaying the value of different scan types, and how those scans impact security findings. With that data, teams can pinpoint where further investment is required to achieve business goals. And as a bonus, since Veracode is SaaS-based, our solution can benchmark the success of a program against similar organizations within the industry.

To learn more about the survey, download the full report, Modern Application Development Security.

By Hope Goslin

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.