Cycode Releases State of ASPM Report: Shows 77% of CISOs Believe Software Supply Chain Security Is a Bigger Blind Spot Than Generative AI


  • Industry’s first research survey on Application Security Posture Management (ASPM) reveals AppSec chaos reigns
  • 90% said relationships between their security and development teams need to improve, 85% acknowledge dev teams suffer from alert fatigue

SAN FRANCISCO, Dec. 06, 2023 (GLOBE NEWSWIRE) -- Cycode, the leader in Application Security Posture Management (ASPM), today announced the inaugural State of ASPM 2024 report, the industry's first. The research found that AppSec chaos reigns: 78% of CISOs responded that today's AppSec attack surfaces are unmanageable, and 90% of respondents confirmed that relationships between their security and development teams need to improve. Surprisingly, 77% of CISOs believe software supply chain security is a bigger blind spot for AppSec than Gen AI or open source.

The State of ASPM 2024 report was compiled from a survey of 500 U.S. CISOs, AppSec directors and DevSecOps team members. Half of the sample came from companies with 5,000+ employees and half from companies with 1,000-5,000 employees. The research consolidates and correlates findings across more than thirty categories and data points from across the industry.

Prioritization of AppSec risks and activities is a significant problem for most organizations, as highlighted in the State of ASPM research. The vast majority (85%) of CISOs acknowledge that dev teams suffer from vulnerability noise and alert fatigue, which strains the relationship between security and dev teams. Additionally, 88% acknowledge that, because of alert fatigue, developers are not focused on remediating critical vulnerabilities, which increases the potential for a security breach and puts the business at risk.

Only 21% of respondents believe that security and development are equally responsible for application security, confirming that many security professionals question whether application security is a team sport. An overwhelming 77% majority said that understanding who owns application security is challenging, indicating that most organizations need more clarity about who is responsible for AppSec.

The report also shows that alert fatigue is not the only cause of the souring relationship between security and development teams. Many of the challenges stem from diverse vulnerability sources and the proliferation of AppSec tools. A staggering 75% of security professionals struggle with the complexity of managing multiple security tools.

According to Gartner®, "By 2026, over 40% of organizations developing proprietary applications will adopt ASPM to more rapidly identify and resolve application security issues." [1]

"Despite industry forecasts, our research reveals a much more condensed time frame to ASPM adoption. While all the hype right now is focused on AI, software supply chain security issues are just as or even more critical, and any ASPM solution needs to have best-in-class capabilities," said Lior Levy, co-founder and CEO, Cycode.

"Much of the Cycode report findings align with what we're seeing in the market, starting with the criticality of software supply chain security," said Katie Norton, Senior Research Analyst at IDC. "Our 2023 DevSecOps Adoption, Techniques and Tools Survey identified a vulnerable software supply chain as a top application security gap. Our IDC research also found that companies struggle with developer and security misalignment and have prioritized fostering coordination."

In addition, 92% of CISOs confirmed they are looking to consolidate their AppSec tools into a single platform in the next 12 months. This comes on the heels of Cycode's announcement of an expanded, complete approach to ASPM that enables security and development teams to manage the burden, cost and inefficiencies of having too many siloed (and vendor-locked) security tools from code to cloud, bringing the order needed to maintain a strong application security posture.

The capstone of Cycode's complete ASPM solution was its recent ConnectorX announcement, a click-and-connect third-party ASPM integration platform that gives companies the choice to use Cycode's native ASPM tools or to maximize their investments in their existing AppSec tools. Using ConnectorX, companies can plug in any AppSec solution (e.g., SCA, SAST, secrets detection) and, within minutes, gain accurate, real-time visibility into their security posture.

Combined with significant enhancements to its Risk Intelligence Graph (RIG) for smarter, risk-based prioritization, Cycode delivers the capabilities needed for a complete approach to ASPM, enabling security and development teams to align, build trust and collaborate on maintaining a strong application security posture.

The State of ASPM 2024 Report is available online.

Information on Cycode’s complete approach to Application Security Posture Management is available online, or book a demo of Cycode’s ASPM platform.

About Cycode
Cycode is the leading Application Security Posture Management (ASPM) platform, providing peace of mind. Its complete ASPM platform scales and standardizes developer security without slowing down the business. With Cycode's complete ASPM, security teams can eliminate context switching, amplify visibility, and prioritize and eliminate risk to ensure end-to-end code-to-cloud coverage, leaving no room for attacks to go unnoticed. Cycode's Risk Intelligence Graph (RIG) provides unmatched visualization and risk scoring, along with code-to-cloud traceability across the entire SDLC. Backed by tier-one investors Insight Partners and YL Ventures, the series-B company has raised $80 million and counts a number of top Fortune 100 companies among its customers, all of which are gaining immediate value. Book an online demo of Cycode's ASPM platform.

Media Contact:
Liz Safran
Montner Tech PR
lsafran@montner.com

[1] Gartner, Innovation Insight for Application Security Posture Management, by Dale Gardner, Dionisio Zumerle, Manjunath Bhat, 04 May 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.