Our Information Security, Application Security 2022 study examines which application security solutions are implemented in enterprises, and which characteristics of application security testing are seen as most important by stakeholders. It also looks at where AST tools are used within the developer pipeline and by whom.
Two-fifths (41%) of respondents report having some manner of API security in place. However, the definition of what constitutes API security has a large remit, from vulnerability scanning to implementation of protective controls, such as authentication. API usage is growing exponentially with the growth of microservices architectures for applications, and this growth has led to the development of a pure-play API security market separate from prior shift-right approaches such as via a web application firewall (WAF) or API gateway.
Respondents demand a variety of security functions from this emerging market, including inventory controls, real-time traffic analysis and vulnerability scanning. More than two-fifths (45%) of respondents note detecting anomalous API behavior as a key feature. Meanwhile, 39% want a real-time inventory of which APIs are handling sensitive data to prioritize controls and monitoring, and 36% require the ability to inventory APIs, including undocumented ones, based on observed traffic. A similar portion (38%) want the ability to test for vulnerabilities.
Summary of Findings
Over half (55%) of respondents see integration of application security testing tools into integrated development environments and DevOps toolchains as “very important” when selecting an AST vendor. This enablement of shift-left, or correcting application vulnerabilities earlier in the development life cycle, is reflected in tool usage, as well. About half (53%) of AST users run the tools as new code is introduced, while 61% run AST as part of their quality-assurance activities. Just 10% are scanning only in production. Respondents note that information security teams (55%) are using AST tools most, followed by application development teams (45%). This means AST tool suites need to address the needs of both user constituencies: information security, which must identify the overall risk posture of each application, and application development, which seeks to perform security tests on incremental code changes for specific projects with as little friction as possible.
Managing open-source vulnerabilities (31%) is the most cited pain point in application security. The commotion around the Log4J vulnerability at the end of 2021 highlighted enterprise dependence on open-source libraries. Software composition analysis tools, designed to identify known vulnerabilities in open-source libraries and code being leveraged by an enterprise, are in use at 22% of respondent organizations, with an additional 16% implementing SCA in the next 12 months.
Trends in Application Security Testing
Use of AST tools remains most prevalent among organizations with in-house application developers writing code (43%). However, the AST user base increasingly includes enterprises with in-house developers writing scripts to run IT infrastructure (22%). This reflects the increasing abstraction of infrastructure away from physical hardware configuration, and it helps explain why “support for infrastructure as code (IaC)” is cited as a key differentiator leading to recommendation and repurchase among buyers of AST tools. About one-fifth (21%) of respondents plan to integrate IaC scanning in the next 12 months.
Want insights on information security delivered to your inbox? Join the 451 Alliance.