Lack of visibility, gaps between teams and a need for future-proofing AI reinforces the need for “Best-of-Breed’ tooling with vendor independent governance
State of AppSec Teams
AppSec teams are overburdened and under-resourced, especially considering that for every AppSec engineer, there are often more than 100 developers. According to ESG, organizations are adopting DevSecOps at an increasing rate, from 38% today to 48% over the next 24 months. This tighter alignment between development and operations teams, and its subsequent pace and scale, is straining security teams. In fact, security teams admit they struggle to implement consistent security tools and processes across the organization in ways that support development rather than slow it down. Since security teams are spread so thin and limited on resources, 42% report that they have no visibility at all into what developers are doing to test and fix their code. As a result, the lack of security checks (guardrails) and visibility into software development are two of the top three challenges that teams report, in addition to prioritizing remediation efforts based on risk, rather than just severity.
“As organizations are investing in DevSecOps initiatives and modernizing their application security programs, ASPM solutions can provide a vendor independent governance layer needed by teams to improve visibility, manage risk, and gain the context and efficiency needed to focus remediation actions on what matters most,” said Melinda Marks, practice director, cybersecurity, Enterprise Strategy Group. “Any medium to large enterprise has multiple scanning tools using different programming languages, so a vendor-independent governance layer can better orchestrate application security testing within developer workflows, while providing security teams with the control and visibility they need to support scale.”
Future Proofing AI in DevSecOps
The tidal wave of generative AI, while important for modernization, is also increasing pressure on DevSecOps. The role of AI in AppSec and the responsibility for security teams in ensuring the safe usage of AI across the organization are top of mind for respondents. 97% of organizations are currently using, or have plans to use, generative AI in software development. However, security teams feel outnumbered and report to be “very concerned” around nearly every aspect of securing that AI usage. Identifying or flagging sensitive data shared with GenAI frameworks, the security of APIs related to usage of GenAI and governance and policies to manage usage were all top concerns. As such, these organizations need to future proof their security programs around AI with a focus on a new approach to modernizing their application security.
“Having spent the past 30 years in the trenches of cybersecurity, I’ve experienced firsthand how siloed approaches challenge the best run organizations, causing breakdown in teams working to deliver secure software and manage vulnerabilities. Throw in the complexity of AI, on top of challenges in securing legacy public and private clouds, and today’s cybersecurity teams are struggling mightily. ArmorCode is purpose-built to secure what exists today and speed the adoption of new technologies, to simplify security and drive the collaboration required to better manage risk – measurement, management and communication of risk is the new requirement for every security team today,” says Karthik Swarnam, CSTO of ArmorCode.
Independent Governance Enables Best-of-Breed Adoption
Faced with the complexities of modern application development and the rapid accelerant that AI represents, security teams report a need for flexibility, unified visibility, and a new approach to AppSec. Given the current state of AppSec, it’s no surprise that 98% of organizations are planning to invest in new security solutions to modernize their AppSec programs to keep up with AI, DevSecOps, and the needs of their business. There are several approaches to modernizing AppSec programs, but 56% of organizations prefer to take a best-of-breed tools approach and leverage a platform that enables them to customize tooling choices across their enterprise.
