Costly code reviews, lack of thorough security scrutiny, and manual cataloging of applications and APIs are some of the key findings of a recent AppSec survey.
While most organizations push application updates at least once a week, only 54% of major code changes get a full security review, the CrowdStrike 2024 State of Application Security report (PDF) shows.
In fact, only 34% of organizations review over 75% of code changes, while 44% review less than half of the code changes, reveals the report, which is based on survey responses from 400 US security professionals.
The main reason for that is the long time these reviews take: 81% of respondents said their organizations need more than one business day to conduct the review, while 35% said they need more than three days for a review.
“Traditional security reviews are even more resource-depleting due to the number of people participating in them. Survey data shows that 10 is the median number of individuals involved in a security review,” the report shows.
According to CrowdStrike, the cost of these reviews is also high. In an average organization, an individual may spend a full business day on security reviews each week, while a large organization is estimated to spend the equivalent of 62 business days on security reviews each week, at an annual cost of over $1 million.
Furthermore, survey respondents said they rely heavily on documentation and spreadsheets to build application and API catalogs and inventories, which leaves those inventories prone to error. This is especially true in organizations that deploy updates frequently, which also tend to use more programming languages.
According to the report, organizations that make daily deployments use more than five programming languages, while those that deploy at least once a week use four.
“Programming language sprawl complicates the job of application security professionals, as security teams must learn secure coding paradigms in multiple programming languages. Furthermore, they must find tools that support each coding language used internally,” CrowdStrike notes.
Adding to this complication is the use of multiple tools for vulnerability detection and prioritization. A vast majority of the survey respondents said they are using more than three such tools, making it difficult to correlate alerts between them.
Prioritizing what to fix is a top challenge for most respondents, followed by visibility. Furthermore, for 70% of the respondents, resolving a critical issue takes more than 12 hours.
“Organizations must rethink their approach to application security. Relying on manual processes slows down security and drives up cost. Traditional security reviews are time-consuming and costly. Security teams juggle multiple individual security tools — and even with those tools, many share the common challenge of prioritizing which issues to fix first,” CrowdStrike notes.