No Security Scrutiny for Half of Major Code Changes: AppSec Survey

Only 54% of major code changes go through a full security review, a new CrowdStrike State of Application Security report reveals.

Costly code reviews, lack of thorough security scrutiny, and manual cataloging of applications and APIs are some of the key findings of a recent AppSec survey.

While most organizations push application updates at least once a week, only 54% of major code changes get a full security review, the CrowdStrike 2024 State of Application Security report (PDF) shows.

In fact, only 34% of organizations review over 75% of code changes, while 44% review less than half of the code changes, reveals the report, which is based on survey responses from 400 US security professionals.

The main reason for that is the long time these reviews take: 81% of respondents said their organizations need more than one business day to conduct the review, while 35% said they need more than three days for a review.

“Traditional security reviews are even more resource-depleting due to the number of people participating in them. Survey data shows that 10 is the median number of individuals involved in a security review,” the report shows.

According to CrowdStrike, the cost of these reviews is also high. In an average organization, an individual may spend a full business day on security reviews each week, while a large organization is estimated to pay for 62 business days’ worth of security reviews each week, at an annual cost of over $1 million.

Furthermore, survey respondents said they rely heavily on documentation and spreadsheets to create application and API catalogs and inventories. That makes these inventories prone to error, especially in organizations that deploy updates frequently, which also tend to use more programming languages.

According to the report, organizations that make daily deployments use more than five programming languages, while those that deploy at least once a week use four.

“Programming language sprawl complicates the job of application security professionals, as security teams must learn secure coding paradigms in multiple programming languages. Furthermore, they must find tools that support each coding language used internally,” CrowdStrike notes.

Adding to this complication is the use of multiple tools for vulnerability detection and prioritization. A vast majority of the survey respondents said they are using more than three such tools, making it difficult to correlate alerts between them.

Prioritizing what to fix is a top challenge for most respondents, followed by visibility. Furthermore, for 70% of the respondents, resolving a critical issue takes more than 12 hours.

“Organizations must rethink their approach to application security. Relying on manual processes slows down security and drives up cost. Traditional security reviews are time-consuming and costly. Security teams juggle multiple individual security tools — and even with those tools, many share the common challenge of prioritizing which issues to fix first,” CrowdStrike notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
