What are AppSec leaders prioritizing in 2021? The survey results are in

Dayna Shoemaker | 18 February 2021 at 15:28 UTC

The events of 2020 created a catalyst for technology adoption at every level of business, from accelerating digital transformations and growing online web application estates to an increasing reliance on remote working technologies. As a result, there are a host of new security concerns to be reconciled.

Here at PortSwigger, our mission is to enable the world to secure the web. Even compared with six months ago, the scope and vast complexity of the web feels irrevocably different. This makes our purpose even more urgent, while also making it all the more important that we achieve it.

We took to our community, sending out surveys and asking questions, to understand where they are in their security maturity journey. More importantly, we wanted to find out where they saw themselves in the next 12 months.

While we may have our work cut out for us, our mission remains ever-present. We are here to help you to secure your growing web estates.

Here are the top three application security trends and how we can help:

1. DevSecOps is a journey, not a destination

We often hear DevSecOps referred to as the destination companies want to get to. Unfortunately, that can be counterproductive. DevSecOps is agile, incremental, and continually improves over time. DevSecOps is a journey, one that companies should be embarking on to find and replicate efficiencies and introduce automation in the software development pipeline. Approached in this way, it provides a framework for productivity that can accelerate a business forward, helping them to maneuver successfully around their competitors along the way.

It’s therefore unsurprising that 18% of respondents indicated they will be preparing to start DevSecOps within the next 12 months. An additional 28% reported that they already have a mature DevSecOps program in place. A further 50% of companies have early indicators of DevSecOps preparedness, and have already integrated security testing capabilities within their development pipelines.
Learn how to start your DevSecOps journey with automation in our blog 'Get started with DevSecOps: insights from Aleksandr Krasnov - Product Security Engineer'.

2. Automation is the map to your DevSecOps journey

You can’t know which way to go until you know where you currently stand. Scanning at scale is just one way that organizations can gain a view of their hundreds and even thousands of web applications. But scaling your scanning is not achievable without first introducing automation as an organized guidance system.

To grow application security capabilities, companies will be investing their budget in automation. Automation is key in allowing large enterprises to scale scanning across their large web estates.

By automating more manual activities, companies will also free up application security time and resources (58%) which can be deployed to serve development teams (44%) and save costs (42%), all while scaling scanning across a larger number of applications (56%).

Are you ready for automation? Trial Burp Suite Enterprise Edition to scan at scale and embark on your DevSecOps journey.

3. Who will succeed on the journey?

The efficiencies introduced by automated scan-at-scale activities, and subsequently DevSecOps, mean that application security engineers and managers can get more time back. Given the significant skills gap, time is a commodity that can’t be wasted. This means companies need to make the most efficient use of the people they have, by tasking them with the most valuable activities. This is where automation becomes your competitive advantage.

Over a third of companies surveyed reported that their AppSec team is responsible for more than 200 applications. By automating scans that were once a manual, and therefore time-consuming, activity, AppSec leaders have the time to focus their efforts on complex and harder-to-find vulnerabilities. By introducing automation in this way, those vulnerabilities that require lateral thinking and human-guided exploitation can become the key priority.

The big question then becomes, how are AppSec leaders keeping up with the latest vulnerabilities? Based on our survey results, nearly two-thirds are investing in training and upskilling their existing security team members. At PortSwigger, we are passionate about education and research so we were thrilled to see the investment companies are making to upskill the security community.

Preparing for application security in 2021

Will you be looking to grow your cybersecurity knowledge in 2021? The Web Security Academy is a free training resource covering the latest and greatest vulnerabilities, with expert-led interactive labs to hone your skills. Sign up today to get started.