Bugcrowd Blog

Top 2017 AppSec Challenges and Investment Areas

Posted by Payton O'Neal on Jan 11, 2017 12:37:37 PM

At the close of 2016, we surveyed 100 CISOs and decision makers to get a sense of their 2017 security priorities. The full report will be released at a later date. In the meantime, you can learn more about a few of the top application security focus areas and challenges in this post.

Top Areas of Application Security Investment

We’ve certainly witnessed a transformation in attack surfaces over the past decade with the increased adoption of “the cloud,” diversification of available platforms and languages, invention of “The Internet of Things” and more. Not only are attack surfaces becoming more complex, but the overall surface area has also ballooned significantly.

We asked participants where they will be investing time and resources to secure their business over the next twelve months. Overall, the top two areas of focus and investment are applications hosted in the public cloud and public-facing web applications.

[Image: top areas of investment]

Focus areas varied by company size. Larger organizations were concerned about more areas; they have more assets to protect over a longer period than smaller organizations.

Mobile applications showed the greatest difference between the two groups: 50% of larger organizations were focusing resources and investment on mobile applications, compared to less than 20% of smaller organizations.

What does this mean?

Organizations face the defender’s dilemma. The current state of the internet’s attack surface presents hackers with more opportunity than ever to find exploitable flaws; they need to find only one, while defenders must search for and fix ALL of them.


Top Application Security Challenges

Thus, as attack surfaces become more complex, breaches are on the rise. Hacking is overwhelmingly the leading cause. According to the Identity Theft Resource Center, 296 data breach incidents occurred as a result of hacking, phishing or scamming in 2015, compared to 63 in 2007.

Cybersecurity at the application level has evidently become more complicated, and organizations are struggling to keep up. Overall, the biggest challenge facing security teams is staffing or resourcing; over 54% of respondents experienced this problem. Budget constraints were also a challenge, cited by 47% of respondents. Our research found that the least challenging issue was getting management or executive buy-in on security initiatives (17%).

[Image: top challenges]

Although there is not significant variance in challenges by company size, we did notice that larger organizations faced more challenges getting internal buy-in on security initiatives than smaller companies did. On the other hand, smaller companies experienced more challenges with budgeting.

How can application security teams combat these challenges?

We know that organizations are at an unfair disadvantage, with their environments fundamentally preventing them from getting ahead of modern-day attackers. What is more, ‘traditional’ application security tools and solutions just aren’t cutting it.

So what can organizations do to get ahead? Watch out for our post on this topic next week and the full report at the end of the month.
