IT security is a massive concern for many organizations of all shapes and sizes. The consequences of a security failure are often drastic, sometimes terminal. Over recent years, there has been a relentless upward trajectory in spending on IT security, and there are no signs of that trend abating.
Research from 451 Research revealed that 80 percent of enterprises planned to increase their security budgets, with an average rise of 17 percent. Broken down further, enterprises reported that 36 percent of the security budget was devoted to network security and 25 percent to endpoint security. But their share of the security budget has declined over the past three years. By contrast, the allocation for application security has grown by two-thirds in a year to take 15 percent of the IT security budget.
What does this mean? Enterprises are starting to grasp the significance of application security in their security landscape. According to the 2018 Verizon Data Breach Investigations Report, insecure software applications were the root cause for most data breaches. There are concerns that the state of application security is progressively deteriorating. No wonder that 451 Research found 20 percent of large organizations citing application security as one of their top three pain points. And little surprise that they are allocating more of their budget to application security tools (ASTs) within their businesses.
The research found 41 percent of large organizations already have ASTs in place, but 34 percent admitted that lack of staff expertise was inhibiting the full use of those tools, meaning that there is still a significant obstacle to ASTs being used effectively even when they are in place. Where ASTs are in use, 31 percent of teams said they were used for application development and 21 percent for quality assurance. The biggest proportion (42 percent) cited information security, but that usage has declined over time. In terms of the software development lifecycle (SDLC) phase, the biggest usage was in quality assurance testing (59 percent) and after new code was introduced (49 percent) with 23 percent only using AST for production applications.
In terms of the type of AST methodologies that enterprises have adopted, many use static (SAST) and dynamic (DAST) in tandem to find vulnerabilities in the early and late stages of the SDLC process. The increasing usage of open source components in software applications has also led to a significant proportion (40 percent) adopting software composition analysis (SCA). According to 451 Research, all enterprises are planning to deploy SCA within 24 months, and there has been an increase in spending on SCA by 42 percent of those surveyed.
ASTs are also being deployed for testing external applications, such as cloud hosted applications (45 percent), vendor products used by enterprises (33 percent) and SaaS applications (32 percent). The growing use of ASTs for cloud hosted applications may have a bearing on the rise in the number of enterprises (37 percent) willing to use hosted cloud for high-risk, mission-critical applications. ASTs are likely to be an important factor in helping to overcome the concerns of the 51 percent of enterprises who identify data and application security as major barriers for using the public cloud.
The role of ASTs could be significant because there is a movement towards cloud applications with 47 percent of enterprises expecting to decrease their percentage of on-premises applications and infrastructure to 50 percent or less within two years – compared to 27 percent today. The survey found that while 44 percent of enterprises plan to modernize their existing applications on premise, a similar percentage plans to move applications to the cloud or off premise.
When it comes to choosing an AST vendor, enterprises were very clear that the most important attribute was value for money (62 percent) by some distance. Understandably, technical expertise also scored highly (51 percent), along with systems development lifecycle integration (49 percent), as enterprises try to ensure that their deployment of ASTs is effective. The biggest potential inhibitor to adopting or fully utilizing a vendor’s technology was a lack of staff expertise (37 percent), company culture (28 percent) and complexity in setting it up (25 percent). This suggests that enterprises will look to vendor expertise as a key differentiator when choosing their AST supplier.
With the upward trend in enterprise spending on software and software security likely to continue into the future, effective implementation, deployment and application of ASTs will become increasingly significant for organizations in a hybrid world of on premise and cloud.