Key Financial Findings from Ponemon Institute's “Application Security in the DevOps Environment” Study

IT Spending is Decreasing

As you know, 2020 has not been a typical year for any of us. Previously, I’ve written about the impact of the global pandemic on IT spending. In a July 2020 report, Gartner, Inc. predicted that worldwide IT spending will decline to $3.5 trillion this year, or 7.3% lower than in 2019.

Application Vulnerabilities are Increasing

While certain elements of the global economy- such as bars, restaurants and travel- have been slow to recover from the impact of the pandemic, malicious actors have not taken a break.

Here are recent statistics that bear it out:

• Earlier this year, a research study published in TechRepublic found that e-mail phishing attacks increased by 667% from the end of February 2020 to the end of March 2020.
• Specifically in the application security space, a separate analysis published in Security Boulevard found that more than 80% of applications experienced a SQL Injection attack in the May/June 2020 timeframe.
• According to the same report, at least one-third of applications were found to contain at least one serious vulnerability.

Developer Burnout is a “Thing”

Added to the mix is the sheer number of new applications and application updates that are required to power our hyper-digital world this year. In a 2019 study reported on by the Wall Street Journal, the average number of applications deployed by large companies is a staggering 129. Yes, that’s right- 129!

In addition to an increasing volume of applications to manage, the following factors have contributed to developer burnout:

• According to an Octoverse Spotlight blog, developers’ workdays have expanded by an hour per day in the COVID-19 era, during the traditional business week and on weekends.
• The same research found that nearly all developer activity metrics are up, including pull requests, pushes and issues created per active user.
• As a result of growing application volume, the number of open-source repositories created this year has grown accordingly, by nearly 28% from March 2019 to March 2020.

To recap, here’s what organizations like yours are facing: lower budgets, higher vulnerabilities and increased workloads. How can you address those issues, while continuing to combat cyber-security threats that your organization’s facing? As always, information, executive buy-in and budgetary funding are great places to start.

Share our Ponemon Institute Report Findings with Your Executive Team

Ponemon Institute released a study in October 2020 titled, “Application Security in the DevOps Environment.” Sponsored by HCL AppScan, the study includes a treasure trove of AppSec- and DevOps-related financial figures that you can use to make the case for application security testing with your executive team. You can access the comprehensive report here.

Here are the key financial findings from the report that you can leverage:

Average Total Economic Losses from Attacks Against Vulnerable Applications

In the past 12 months, organizations represented in Ponemon’s research incurred an average cost of $12 million as a result of attacks against their vulnerable applications. In other words, the cost is roughly $1 million a month, and is likely to run even higher for companies without effective application security testing programs.

Total Economic Losses: Worst-Case Scenario

Some of the organizations included in the study incurred unbelievable total economic losses that exceeded $100 million as a result of attacks against their vulnerable applications. To put the $100 million figure into perspective, it is the estimated cost to build 13 miles of interstate freeway, according to estimates provided to ToughNickel by the Florida Department of Transportation. If that figure doesn’t capture your executives’ attention, then nothing will!

Average IT, AppSec and DevOps Budgets

According to respondents, their average organizational IT budget totaled $99.6 million. On average, 25% of organizations’ current year IT budgets will go toward application security activities. Another 20% of organization’s current year IT budgets will go toward DevOps activities.

Security Budget and Investment Drivers

Fifty-one percent of respondents stated that Return on Investment (ROI) generation is an important driver for their organizations’ security budget and investment decisions. Only 29% stated that reducing Total Cost of Ownership (TCO) was a key driver.

Barriers to Success

Forty-one percent of respondents stated that insufficient budgets prevented their application security programs from being effective.

For additional strategic and financial trends in AppSec and DevOps, our comprehensive report can be accessed here.

To Learn More

Please listen to our webinar, where Larry Ponemon from Ponemon Institute and Eitan Worcel from HCL AppScan comprehensively analyze the study’s results.