
AppSec Inefficiencies Take a Costly Toll on Enterprises

A recent security report from the software industry shows a noticeable increase in tension between application security (AppSec) staff and application developers over cloud-native needs. In this context, the retention of developer talent is also a growing concern.

The fundamental problem is the lack of appropriate AppSec tooling for cloud environments. AppSec teams are constantly dealing with the consequences of not having cloud-native tooling. This situation leads to team friction, problems with talent retention, revenue concerns and reputational disputes. On top of that, they spend more than half their time hunting for vulnerabilities.

The good news is that AppSec teams are clear about what they want, and AppSec experts are unanimous on how a modern cloud-native AppSec model should look. Only a small number of teams, however, are able to meet these needs effectively, even though they understand what is required.

A Study Reveals the Effects of Cloud-Native Tools That Are Inadequate

In May, cloud-native AppSec solutions provider Backslash Security released a report titled “Breaking up the Catch-up Cycle: The Cloud-Native AppSec Survey Report.” The study explores how the application security landscape has changed since the arrival of cloud-native development.

The study examines the practices, tools and needs of CISOs and AppSec managers at enterprises with 1,000 or more employees that have mature cloud-native application development environments. According to the results, 85% of AppSec experts said that being able to distinguish between real risks and noise was critical. Today, only 38% of AppSec pros can make that distinction.

The researchers report that mature DevOps companies cite widespread impacts from the absence of cloud-native tooling. AppSec is stuck in a cycle of catching up, unable to keep pace with agile development, and playing security defense via an unproductive and endless vulnerability hunt.

Inadequate cloud-native tooling is the root cause of the friction between AppSec and developers. Shahar Man, co-founder and CEO of Backslash Security, told TechNewsWorld that the tools do not give developers enough evidence to act on alerts.

AppSec Playing Defense

The report notes that 58% of respondents spend over 50% of their day chasing vulnerabilities, and 89% spend at least 25% of their day in defensive mode. This costly “defensive tax” is a problem for enterprises everywhere.

The “tax,” estimated at over $1.2 million annually, is the cost of hiring AppSec engineers who chase vulnerabilities instead of driving a comprehensive cloud-native AppSec program. Man said that application security teams are struggling to keep pace with fast-moving development teams that rapidly deploy code into the cloud.

He said that the tools they use are out of date. AppSec teams lack the cloud context needed to perform their tasks successfully. The issue is further aggravated by the fact that current application security tools generate an excessive number of low-value alerts.

Man suggested that AppSec teams need modernized cloud-native tools. It is not surprising that AppSec professionals have the most complaints about their current tools: they say their traditional tools are noisy and make it difficult to prioritize findings.


“That being said, we found that AppSec specialists are in agreement on the cloud native capabilities that they find most useful for their daily work.” Man explained: “The core of modern AppSec consists of the automatic correlation of AppSec threat to app exposure in the outside world.”

Ninety-one percent of respondents said that this was important. AppSec teams are in growing conflict with developers over which vulnerabilities are critical and which are general. Eighty-two percent also emphasized the importance of end-to-end visualization of cloud-native application threat models.

Lack of Action Is Fueling the Rift

AppSec teams lose credibility when developers see the sheer number of false positives they report. When surveyed about the impact of the lack of cloud-native tools, respondents listed growing AppSec/dev tension as the most important issue, followed by the retention of developer and AppSec talent.

Man challenged: “AppSec teams are aware of what they require, but is the industry ready to provide it?”

AppSec pros, for instance, overwhelmingly (85%) want the ability to separate real code risks from low-risk issues, making this the most critical cloud-native capability. However, only 38% can do so with their existing toolset.

He noted that “These massive gaps in cloud native capabilities extend across all core capabilities.”

Pining for a Relaxing Environment

Man added that one of the things AppSec teams want most is to work well with their dev counterparts — a core concern that came up throughout the survey. Each group has its own view on how the lack of cloud-native tools affects the friction between AppSec and developers.

AppSec engineers, for instance, spend a lot of time in the trenches, and most of their worries are about retaining developers. Their managers are most concerned with retaining AppSec talent. CISOs, who have a top-level perspective on both sides, worry about the friction itself.

Man also pointed out that the cloud-native features that would enable AppSec to collaborate with developers are missing; the survey confirmed they are lacking.

Seventy-eight percent of respondents stated that it is important to communicate security findings to the team responsible for fixing the bug. Only 43% of respondents are able to do this fully.


The study also reported figures for efficient triage between DevSec and AppSec of 73% and 42%.

Costly Consequences

Man said he was surprised by the amount of AppSec work wasted because of insufficient tools. This inefficiency costs businesses a fortune.

The defensive tax is a major cost: conservative estimates put the cost of wasted AppSec hours at more than $1 million a year for an average enterprise, he said.

The estimate is based on average AppSec salaries and team size. Man said that this calculation does not take into account the costs of inadequately securing an enterprise’s applications.

The Key Takeaways from the Conference Show a New Market Direction

Approximately half of respondents stated that their organizations push code at least once a day, and the pace of development is constantly increasing.

“Teams have lost faith in traditional AppSec tools, because they are unable to keep up with the latest technologies and are trapped in a never-ending game of catching up. The impact is widespread, as the majority of organizations are seeing the widespread impacts of inadequate cloud-native AppSec tools,” said Man.

He said that the impact on people was particularly important. The AppSec sector is ready for major change and needs tools specifically designed to understand cloud computing.

Man believes that application security posture management (ASPM) — a new security approach — gives AppSec teams more control and improves the security posture of their applications.

“Finally, there is a new mindset, one that provides a holistic view of the application security posture, allowing AppSec to strike a balance between a ‘shift left’ mentality and being empowered to identify and mitigate vulnerabilities before they can be exploited,” concluded Man.