Sick and Tired of Struggling With Application Security?

AppSec Risk Visibility

Publish Date

Jun 14, 2020


Tagged with

  • Continuous Security
  • Cybersecurity
  • Application Security
  • AppSec
  • Rapid AppSec

A recent report from analyst firm ESG highlighted the following statistic:

61% of organizations only secure half of their applications with some form of testing tool, which means many go unscanned altogether.

Not confidence-inducing. And given the severity of the cyber threat landscape, application security (AppSec) is critical. This statistic shows how organizations are struggling to ramp up their security programs and secure their applications. What it doesn’t show is how better vulnerability discovery lets organizations test more applications while also acting on the results.

ESG Infographic

Even the Best-Case Scenario is Pretty Bad

We did some simple math to determine how many applications are deployed into production without some form of application security testing. We started with the best-case scenario. We assumed the 61%, who scan no more than half, scan exactly half their applications. And we assumed the remaining 39% scan all their applications. Under this scenario, 61% × 50% = 30.5%, so roughly 31% of all applications lack security testing.

Let that sink in. In the absolute best case scenario—which is highly unlikely—1/3 of all applications go untested and are therefore potentially vulnerable. It’s worth noting that many programs stop at testing, which means found vulnerabilities are not necessarily addressed. This compounds an already dire situation.

Re-running the numbers with less optimistic assumptions provides a more realistic (and more disturbing) picture. Let’s assume the 61% scan 1/3 of their applications, and the 39% scan 75% of their applications. We’re now up to 52% of applications being released into production unscanned. Yikes.

Why It’s So Hard

These stats are not intended to cast blame or suggest organizations are willfully developing and releasing vulnerable software. There are several external and internal realities making AppSec so difficult. Companies must release new features often to compete in an increasingly software-driven market. And with the ongoing shortage of cybersecurity skills, it’s a challenge to keep security teams fully staffed. These two factors alone make it difficult to develop and deploy secure applications, but as the ESG report outlines, organizations are grappling with other issues as well.

Six Common Operational Challenges

  1. Gaining software risk visibility and assurance. You can’t prioritize, let alone manage, risk you’re not aware of. But most companies have a periodic, fragmented view into where their risks lie and how they might affect the business.
  2. Scaling an application risk management framework. Policies help your teams implement practices consistent with your desired security posture. Because each tool has its own policy model, it takes time and resources, both of which are in short supply, to keep them all aligned.
  3. Securing DevOps. Many companies adopted a DevOps model to accelerate time to market. But neither Dev nor Ops are security specialists, so those controls were never baked into the process. Bolting on security after the fact adds time and cost and defeats the purpose of DevOps in the first place.
  4. Integrating fragmented security scanning tools. Many companies have multiple development teams as well as third-party software supply chains. With agility and speed as the watchword, each group invests in tooling as needed. This may work for individual teams, but the organization ends up with a large and disparate collection of security tools. Not only is this inefficient, but it’s also nearly impossible to get a company-wide view.
  5. Automating application and infrastructure testing. You need different testing tools to secure various components across all stages of the software development lifecycle (SDLC). Each tool has its own integration requirements and data outputs. With the sheer number of tools in your portfolio, you simply don’t have the resources to manage it all manually.
  6. Ensuring PCI DSS compliance. To address key PCI DSS requirements, companies use tools to continuously monitor application security throughout the SDLC and the infrastructure. But even with these controls in place, they often lack a complete and actionable view of risk, resulting in compliance violations, not to mention exploitable gaps in security.

Vulnerability Orchestration Addresses These Challenges

The ZeroNorth platform improves vulnerability discovery by orchestrating security tools and automating control of testing. This delivers an aggregated view of risk across the entire application portfolio. It will also:

  • Enable comprehensive and consistent management of application vulnerabilities, from discovery to remediation
  • Make it possible to both scan and use actionable results to improve application quality
  • Eliminate noise to quickly find and remediate the critical application vulnerabilities
  • Make the most informed decisions on where to focus remediation efforts based on continuous, prioritized visibility of software vulnerabilities across the SDLC
  • Unleash the collective potential of your existing application security tools to deliver higher quality results, with more speed and less cost
  • Orchestrate application security, including tools and vulnerability data
  • Facilitate seamless collaboration with development by integrating security into DevOps processes and CI/CD pipeline tools
  • Quickly stand up application security programs with integrated open source scanning tools, built-in workflows, automation and management, without additional overhead

By addressing operational challenges, vulnerability orchestration helps organizations protect more of their applications. Because the more we can drive down that 61%, the better it is for everyone.

The ZeroNorth orchestration platform enables security teams to scale up their application security initiatives while increasing the effectiveness of their efforts. Please contact us for more information or to request a demo.
