2022 Application Security in the Mid-Market

Introduction

The scale and intensity of cybersecurity threats increased again this past year, and threats have become ubiquitous across enterprises of all sizes. As the 2021 Data Breach Investigations Report makes clear, SMEs and large enterprises suffer similar exposure to threat actors and similar compromise of their data. No enterprise is immune; even small non-profits come under sustained attack. What can and often does differ substantially is the capacity of small and mid-sized companies, in both resources and skills, to prevent and withstand these attacks.

Organizational sophistication and maturity tend to grow with size. Because the threats themselves do not differ by enterprise size, the security posture and decision-making approach of small and mid-sized companies leave them particularly susceptible. This vulnerability plays out in particular in “Industry 4.0” manufacturing enterprises. Of the many reasons for the gap between company size and the ability to prevent and mitigate attacks, previous research has pointed to budget constraints as the biggest culprit.

The findings presented here provide a comprehensive view of the current state of application security in mid-market companies that develop software. They reveal and quantify the challenges and opportunities growing companies face in scaling their secure development efforts, with “deep dives” into security maturity, the speed of software development, application security requirements, training, overall challenges, and the desire for automation.

Current State

This chart shows the distribution of where security functions sit within organizations. The majority (69%) are part of IT, followed by Development (24%), Risk (6%), and Operations (1%).

For over two-thirds of mid-market companies that develop custom software, security sits within the IT department. Creating software that is secure by design and shifting security left are top priorities, especially for the larger mid-sized companies.

Speed of Software Development

Over 80% of mid-market organizations indicate speed is a high priority in their development of software applications.

This chart indicates the prioritization of speed in application development. Overall, 41% of organizations consider it a top priority, 41% rank it as a top 3 priority, 17% as a top 10 priority, and 1% as a very low priority.

Less than half of mid-market companies use focused metrics or tools to measure the speed of their software development; most rely on qualitative measures.

This chart displays methods for measuring software development speed. 39% use focused metrics or tools, 61% rely on qualitative measures, while 0% do not measure, and 1% are unsure.

This chart illustrates the time organizations take to deploy new software to production. 9% take up to a day, 47% take more than a day up to a week, 37% take more than a week up to a month, and 7% take more than a month up to three months.

Use of Documented Application Security Requirements

Almost all (98%) of mid-market organizations that develop custom software document their application security requirements, and most do so for half or more of their applications.

This chart shows the percentage of applications covered by documented security requirements. Overall, 29% cover 100% of applications, 51% cover 75-99%, 12% cover 50-75%, 5% cover 25-50%, and 1% cover less than 25%.

Software development typically involves five or more tools, and a sizable share of organizations use ten or more.

This chart indicates the number of tools used in software development. 23% use 10 or more tools, 66% use 5 to 9 tools, 11% use less than 5 tools, and 1% are unsure.

This chart displays the reliance on consultants for software development. 91% rely on internal resources, while 9% use external consultants. It also shows the annual cost of external consultants among those who use them: 38% spend $100k to $249k, 54% spend $250k to $499k, and 8% spend $500k or more.

Training

Almost three-quarters (71%) of mid-market companies spend three or more days annually training their developers on security issues. Not surprisingly, the large majority of respondents favored “Just-in-Time Training” (JITT), with content and specific answers to security questions embedded directly in their development tools.

This chart shows the annual training time for developers. 1% spend less than a day, 28% spend 1-2 days, 45% spend 3-4 days, and 26% spend 5 days or more on training.

This chart illustrates the interest in Just-In-Time Training (JITT). 52.48% are very likely to adopt JITT, 42.57% are likely, 4.95% are neutral, and 0% are unlikely or very unlikely.

Defining Security Requirements

Very few companies are able to define security for new software in less than a day, and almost all still track implemented controls manually in spreadsheets.

Bar chart showing the “Time to Define Security for New Software” with a breakdown of overall and by revenue ranges ($100M to $499M, $500M to less than $1B). Overall: 5% less than 1 day, 59% 1 to 6 days, 27% 7 to 13 days, 9% 14 days or more.

Pie chart showing the methods for tracking implemented controls: 91% use spreadsheets, 6% use a toolset, and 3% don’t know or are unsure. Bar chart shows the need for tracking inherited security from third parties with responses: 38% a great deal faster, 48% faster, 12% moderately faster, 2% slightly faster, and 0% not at all faster.

The time spent is almost certainly tied to manual processes rather than purpose-built software: over nine in ten organizations track implemented controls in spreadsheets. Most (86% overall) believe that being able to track security inherited from third parties would make software delivery faster or a great deal faster.

Challenges and Solutions

The top challenges companies encounter when implementing DevSecOps are budget constraints and managing legal, regulatory and compliance controls. These challenges, together with the time it takes to build applications while documenting the appsec process along the way, have produced very high interest in automating proactive security and compliance processes.

Bar chart showing challenges in implementing DevSecOps for different company sizes: budget constraints (50%), managing legal, regulatory, and compliance controls (49%), lack of organizational agility (45%), inadequate skillsets (43%), and securing DevSecOps (37%). A semi-circle chart shows interest in automation: 47% strongly agree, 49% agree, 4% neither agree nor disagree, 1% disagree, and 0% strongly disagree.

Conclusion

The need to build software that is secure by design, and in so doing to shift security left, is broadly accepted as a top priority among mid-market companies that produce software. Nonetheless, these companies struggle to define security for new software proactively and to document and track implemented controls within reasonable time frames. The result is a dilemma: slower release of new software, or in many cases software released with insufficient coverage of documented controls.

Our research uncovered the burden of manual controls and the difficulty of tracking security inherited from third parties. To overcome these deficits, a minority of mid-market companies turn to external consultants; the findings show this approach is often costly. Given that our research validates prior findings identifying budget constraints as the largest obstacle to implementing DevSecOps, better software solutions are needed to implement more comprehensive and proactive cybersecurity processes. It was not surprising to learn that over 90% of this market is interested in solutions that automate proactive security and compliance processes.

Companies looking to accelerate their software development in tandem with stronger cybersecurity compliance measures are looking to just-in-time training (JITT) for their software developers and automated built-to-purpose cybersecurity software for accomplishing these goals.