Key Findings from Recent Application Security Testing Trends Report

The recently published 2022 Application Security Testing Trends Report has generated a lot of interest in the application security community. The report is based on the responses to a Fall 2022 survey that was sent out to over 44,000 professionals worldwide. On February 8, 2023, HCLSoftware hosted a webinar (Listen Here) to discuss the key findings from the report with HCLSoftware Solutions Architect Rob Cuddy.

Above are some of the report’s findings focused on the security challenges and barriers that companies face.

Rob took the audience through four key findings starting with the barriers that companies are experiencing when either adopting an application security testing program or increasing its size and scope. According to the report, an overall lack of resources is a clear challenge (82%), but Rob was surprised that only 24% of respondents expressed concerns over a lack of in-house security expertise. His own research suggests that this is a larger issue worldwide.

While this number seemed encouraging, when the webinar audience was polled on the same question, 44% listed security expertise as their leading challenge, more in line with Rob’s expectations.

Above are some of the report statistics related to technology use.

The data showed a clear lag between the interest in both IAST (Interactive Application Security Testing) and SCA (Software Composition Analysis) and the actual implementation of these testing tools in organizations today. Seventy-six percent of respondents are still not using these technologies.

Rob spent time explaining the way IAST works both as an independent monitoring tool and in conjunction with DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) tools to validate findings, correlate results and prioritize what to fix first.

Above are some of the security integration statistics from the report.

Rob was concerned about the 70% of respondents who have still not integrated application security testing into their CI/CD pipelines (Continuous Integration/Continuous Deployment). Even more concerning is the 26% that reported having no plan at all for this type of integration.

One encouraging statistic was the 62% of respondents who reported that developers at their organizations have been provided with clear secure coding guidelines. As the burden of securing code has shifted left to the developers, it is obviously critical that they have the guidance to write secure code, ideally without slowing down the development process.

Above are some of the key findings in the report dealing with stakeholder communication.

When it came to security roles and communication, Rob was not surprised if CISOs (Chief Information Security Officers) expressed dissatisfaction with remediation speeds. In some respects, it is their job to always be pushing their teams to deliver fast, better results. Developers on the other hand were mostly pleased with the time it takes to find and fix vulnerabilities. The statistics suggest that there is room for improved communication amongst all application security stakeholders.

Click Here to listen to a recording of the entire webinar. You can also download the full report for a more complete picture of application security testing today.

Visit  AppScan for more information on HCLSoftware application security testing solutions, or sign up for a free trial today.