Five takeaways from Forrester’s 2024 state of application security

Application security often gets sacrificed for speed and to meet ever-tightening time-to-market windows for new apps needed to fuel new revenue growth.

Increasing the urgency to get apps out early are compensation plans for CIOs, DevOps leaders and their teams that offer financial incentives for delivering apps ahead of schedule. With bonuses riding on getting a new app released quickly, security gets pushed to the final phase of a project and is rushed out fast.

The greater the push for speed, the more cracks and weaknesses in application security begin to emerge, however. Forrester’s recently published 2024 report on the state of application security reflects the growing threats of these growing cracks or gaps in application security, starting with software supply chains and progressing through DevOps.

Gen AI chatbots deliver the need for more DevOps speed

Forrester is seeing generative AI chatbots and tools delivering developer productivity boosts of between 20 to 50%. “In 2024, many development teams will go from experimentation to embedding TuringBots in their software development lifecycle,” predicts Chris Gardner, VP, Research Director at Forrester. Gardner also predicted that this year, “testers will also gain 15–20% productivity, and all members of product teams will gain above 10% efficiency from their assistive TuringBots in planning and delivery. Gen AI will make low-code and high-coding much more productive everywhere, and this will exponentially grow going forward.”

BairesDev’s recent survey of more than 500 software engineers finds that 72% of them are leveraging gen AI as part of the software development process today, and nearly half, or 48%, are using it every day. Eighty-one percent are using gen AI-based tools to write code they used to write manually. Nearly one in four developers, 23%, using gen AI, are seeing a productivity increase of 50 percent or more. OpenAI’s ChatGPT, GitHub’s Copilot, Microsoft Copilot and Google Gemini are the four most popular chatbots with the software engineers interviewed.

The pressure is on every software-based business to find new ways to increase DevOps accuracy, efficiency and speed. Boston Consulting Group (BCG) says that the more software-intensive any business is, the faster and more effective it needs to be in delivering new features and apps. Getting apps out faster than competitors has proven to be a market advantage and core to long-term survival. With high-performing DevOps teams deploying code on average 208 times more often than low performers, the growing adoption of gen AI-based DevOps tools is growing the performance gap.  

Speed exposes growing gaps in governance, risk, and security

The productivity and speed gains that gen AI-based chatbots and apps deliver are exposing growing gaps in the areas of governance, risk and security. CISOs, DevOps leaders, I.T., and security leaders are finding it challenging to adopt a more agile/DevOps development and delivery model that will help close gaps in each area.

Forrester observes in their report, “When we asked global I.T. and digital professionals about their biggest challenges when moving to just such a model in 2023, 26% said security, risk and governance. Unfortunately, an iterative and incremental approach like agile/DevOps leaves limited time for lengthy software validation.”

Five insights from Forrester’s 2024 AppSec report

One reason application security gaps are getting wider is that DevOps teams are racing to beat deadlines without having security core to the SDLC process and integrated into CI/CD frameworks. That challenge is exacerbated by gen AI chatbots and tools proliferating, forcing the need for new governance, risk and security frameworks for agile/DevOps to deliver safe, secure, and trusted code and apps.

Forrester’s five key takeaways are aimed at that challenge, and they are the following:

Application security budgets increase despite economic headwinds: Despite ongoing economic headwinds and turbulence, cybersecurity spending continues to show resilience and strength. Forrester found that 64% of security decision-makers reported an increase in their application security budget, with 32% reporting an increase of 5% or more; only 8% reported a decrease.

Fifty percent of security leaders whose organizations hadn’t been hit by a breach are predicting their budgets will increase. The number of organizations getting cybersecurity funding jumps to 77% for those organizations that reported six or more breaches in the previous year. Forrester writes that security decision-makers who reported six or more breaches disclosed that their total breach costs averaged around $5.3 million. These costs didn’t include brand damage or opportunity costs, highlighting the importance of preventative and protective application security measures.

Commit to Secure-by-Design principles. A series of new standards and regulations have been passed and are on the way that will hold software suppliers and manufacturers accountable for the quality, reliability and security of the products they sell. Forrester notes that the National Cybersecurity Strategy is an indication of the future of legislation aimed at offloading the liability of poor cybersecurity product quality from customers to software makers.

Cybersecurity and Infrastructure Agency (CISA) has joined forces with 17 other U.S. and international agencies to create the Secure by Design principles that recommend that software manufacturers only ship secure-by-design and -default products. At last count, 183 companies have signed the pledge, led by Ivanti one of the first to sign. Jeff Abbott, Ivanti’s CEO, writes, “With the threat landscape rapidly evolving and tactics becoming increasingly aggressive and sophisticated, the imperative to put security first has never been greater.” Abbott continued, “By signing the Secure by Design pledge, we are committing to a set of principles, standards, and actions that will help us further elevate the security of our products and better protect our customers. This includes implementing multi-factor authentication, reducing the use of default passwords, mitigating entire classes of vulnerabilities, increasing the adoption of security patches, establishing a vulnerability disclosure policy, and improving our customers’ ability to gather evidence of cybersecurity intrusions.”

More than 40 cybersecurity companies have signed the pledge, including Amazon Web Services (AWS), BlackBerry, Cisco, Cloudflare, CrowdStrike, Deep Instinct, Dragos, ESET, Fortinet, Google, HackerOne, IBM, Microsoft, Netwrix, Okta, Palo Alto Networks, RSA, SentinelOne, Sophos, Trellix, Trend Micro, Trustwave, Veracode, Zscaler and others. These companies are recognized leaders in cybersecurity, and their commitment to Secure-by-Design principles signifies a collective effort to enhance digital security and reduce vulnerabilities, starting with software development.

Web app exploits are driving IT and security to prioritize API security. Forrester finds that while 14% of all security decision-makers said they plan to adopt API security, the number jumps to 30% for organizations who’ve experienced an external attack that started as a web application exploit. API exploits often happen with attackers use techniques to compromise APIs and exfiltrate data.  

Compounding the risk is that there are so many APIs that many DevOps teams lose track of them, leaving many open, which become potential attack vectors in the future. Forty-one percent of organizations are managing just as many APIs as applications.

What’s needed is a more collaborative approach to bringing together DevOps, IT, and security to harden API security as part of the CI/CD process and broader SDLC. It’s clear that during the early stages of any new product definition, security needs to thoroughly know the API strategy for the product or project.

The goal needs to be for DevOps, IT, and security to work together on controls and a broader policy to reduce and eliminate the risk of rogue or unmanaged APIs being opened to the outside world.

Integrate security into the development lifecycle (DevSecOps):  DevSecOps stands for development, security, and operations. It’s an approach to combining automation and platform design that integrates security as a shared responsibility throughout the entire IT and CI/CD lifecycles. The goal is to increase the speed of application cycles or releases while making sure every phase of the development lifecycle is secure. As an increasing number of organizations adopt DevSecOps, they are looking for ways to ensure cloud-native application security, protect business-critical workloads, and streamline operations.

Define and continue hardening software supply chain security:  A staggering 91% of enterprises have fallen victim to software supply chain incidents in just a year, underscoring the need for better safeguards for continuous integration/continuous deployment (CI/CD) pipelines. Forrester advises their clients to reduce risk in the software supply chain by adopting practices including infrastructure-as-code (IaC) security and secrets-scanning solutions. These measures help identify and mitigate risks early in the development process, preventing downstream attacks that can have widespread impact​.

Security needs to be core to SDLC to work

Organizations need to take a forward-looking view and choose to adopt security across every phase of the system development lifecycle (SDLC), which is a key point of the Forrester report. “To successfully secure applications and their data, collaboration between security, development, and operations is essential,” notes the report.

GenAI chatbots and tools will continue to help accelerate the pace DevOps teams produce code. Getting governance, risk, and security right requires CIOs, CISOs, and their teams to define an approach to integrating security into the core of how programs are being produced. As coding accelerates, so does the need for better approaches to managing systemic risk, governance and security challenges