
A study conducted by S&P Global Market Intelligence 451 Research examines the tools in place to enable enterprise application security programs both before and after applications reach production, tools planned for implementation in the next year, common pain points cited by application security professionals, features driving application security testing and API security tool selection, how application security testing activities break down between application development and information security resources, and where testing is applied.
The Take
Software supply chain security (SSCS) is one of the most in-plan information security technologies to be implemented this year, according to a recent study conducted by S&P Global Market Intelligence 451 Research that focused on organizations’ technology road maps. SSCS addresses multiple concerns: identification and remediation of vulnerabilities in open-source code, the integrity and provenance of code artifacts in the development pipeline, and the security of developer tools. Recent attacks highlight this issue’s relevance. In August, the open-source Nx build system, used to manage codebases, was compromised in the “s1ngularity” attack, in which malicious versions of Nx packages exploited a GitHub Actions injection vulnerability to steal the node package manager (npm) publishing token. The attack used a novel approach, leveraging local AI tools such as Claude and Gemini to execute malicious instructions after installation, in addition to exfiltrating sensitive data. In September, 18 popular npm packages were compromised by the inclusion of malicious code after maintainers were phished. A new worm-like attack on the npm ecosystem is ongoing at the time of writing; it includes a self-propagating payload and has compromised over 180 npm packages. The malicious script uses the security tool TruffleHog to steal identity tokens and cloud credentials, and exfiltrates sensitive data. Managing open-source vulnerabilities (26% of respondents) is the second most cited application security pain point in this survey.
Summary of findings
The complexity of application security tools, cited by 28% of respondents, is the top pain point in application security. While the cure is not necessarily worse than the disease, key aspects of application security are commonly viewed as problematic. The third most cited pain point is a lack of coordination between different application security testing (AST) tools (25%), which may in part explain why 15% of respondents report implementation plans for application security posture management (ASPM) in the next year. ASPM has in its foundation the components of application security orchestration and correlation (ASOC) or, more simply, the coordination of a variety of AST tools, including static and dynamic AST (SAST/DAST), software composition analysis (SCA or testing for open-source vulnerabilities), and frequently other tooling such as infrastructure-as-code (IaC) scanning and secrets detection. Because of its central role in managing the variety of tools used in an application security program, ASPM may be a key integration point for agentic AI capabilities to not only coordinate results from application security tools but also gather information from asset inventories, the runtime environment and relevant security policies to prioritize corrections or even model potential threats from proposed application changes.
Nearly half of respondents (47%) identify support for API testing as a very important attribute when selecting an application security vendor. Use of APIs continues to grow rapidly and will be further driven by the rise in agentic AI. More than a third of organizations (36%) have implemented API-specific security tools, and an additional 14% plan to in the next 12 months. The requirements of these tools have become more complex as both the use of and reliance on APIs increases, and as the API threat landscape diversifies. Developing an automated API inventory, for example, has become table stakes — it falls 10th in the list of most important API security tool features.
The ability to identify (38%) and block (37%) active attacks against APIs are the two most cited important features of API security tools, followed by the ability to test APIs for vulnerabilities (36%). More complex inventorying of APIs, such as identifying and prioritizing APIs that contain sensitive data (34%), also rates highly in respondents’ list of key features.
Three-fourths (76%) of respondents express some confidence in applying AI-generated code fixes to address identified vulnerabilities. One-third (33%) are very confident in those fixes, indicating that automated code remediation already has a willing and ready contingent in application security. This is not entirely surprising: resolving security-related technical debt is typically a repetitive task that may be well suited to a GenAI use case. The remainder who express some confidence would still prefer to have a human in the loop reviewing suggestions prior to implementation. Meanwhile, 16% indicate they are not very confident in AI-generated fixes, and 8% are not at all confident. Part of the willingness to accept AI-generated fixes may be related to the increased velocity of code creation, which is also being enabled by AI and which is likely also contributing to the increasing number of introduced vulnerabilities.