Key Findings from CrowdStrike’s 2024 State of Application Security Report

As organizations shift their applications and operations to the cloud and increasingly drive revenues through software, cloud-native applications and APIs have emerged among the greatest areas of modern security risk.

 

According to publicly available data, eight of the top 10 data breaches of 2023 were related to application attack surfaces [1]. These eight breaches alone exposed almost 1.7 billion records, illustrating the potential for tremendous data loss if applications are poorly configured and lack effective protection.

 

Application security has quickly become one of the most essential forms of security for the modern enterprise. That’s why we set out to understand how organizations are securing their applications today and the challenges they face in doing so. Our research team surveyed 400 application security professionals in the United States to learn how they are securing applications, the tools and processes they are using and how effective their work is.

 

Here are some of our key findings.

 

AppSec Tools Aren’t Helping Enough

You can’t protect what you can’t see. Organizations require visibility into their growing number of cloud applications and the data these applications hold in order to determine their areas of risk. They also must have the ability to prioritize and remediate application vulnerabilities and security alerts as they learn about them. Both of these are top challenges among survey respondents: 60% said prioritization is among their top three obstacles in securing applications, while 57% said they struggle to gain full visibility into their applications and APIs to see what’s at risk.

 

These challenges could be caused by an onslaught of security tools. Nearly 90% of respondents reported using at least three tools to detect and prioritize application vulnerabilities and threats. Despite using multiple tools, organizations struggle most with prioritizing application vulnerabilities and threats and gaining visibility into their applications — the same challenges for which they are seeking solutions.

 

Traditional Security Reviews Don’t Scale

As organizations develop and deploy more applications, they increase the chance of producing vulnerable code that could be exploited in an attack. Mitigating the risk of application vulnerabilities requires oversight not only when code is first deployed but as it’s updated over time. It is standard best practice to conduct a comprehensive security review before code is pushed to production.

 

However, many application security teams aren’t taking this critical step. Our survey respondents estimated that, on average, only 54% of major code changes undergo a full security review before they’re deployed to production. This means almost half of major application code changes don’t undergo full security reviews. If major code changes aren’t vetted thoroughly, organizations run the risk of exposing their software to vulnerabilities that adversaries can exploit.

 

It’s difficult to scale the traditional review process to meet modern application security needs. Our data shows that traditional security reviews are time-consuming and expensive. Most respondents (81%) said a security review takes more than one business day, and 35% said it takes more than three.

Below is an overview of the additional information you can find in the CrowdStrike 2024 State of Application Security Report.

 

Rethinking Your Approach to Application Security

Custom applications are complex and changing. Security must keep up. In this report, you’ll learn about eight critical areas of application security and gain insight into the issues challenging application security teams today. With this knowledge, you will be able to develop a more effective and comprehensive approach to securing your applications.

 

Download the full report for more valuable insight including:

 

  • The average number of programming languages organizations use
  • How organizations inventory and catalog application microservices and APIs
  • The estimated mean time to remediation for critical application security issues
  • The individual(s) and/or team(s) considered responsible for application security — and how this varies across organizations of different sizes


Our findings confirm: The current state of application security isn’t effective enough to stop today’s threats. Today’s application security lacks the automation and efficiency needed to support modern applications and the teams that protect them.

 

CrowdStrike is committed to helping our customers stop breaches by securing cloud-native applications. Our acquisition of application security posture management (ASPM) pioneer Bionic is one critical step toward revolutionizing a cloud-native application protection platform (CNAPP). With the addition of ASPM, CrowdStrike Falcon® Cloud Security is now the only CNAPP to protect everything from code to cloud.

 

Additional Resources

 

  1. IT Governance, “List of Data Breaches and Cyber Attacks in 2023,” https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-2023