At the close of 2016, we surveyed 100 CISOs and decision makers to get a sense of their 2017 security priorities. The full report will be released next week. In the meantime, you can learn more about a few of the top application security focus areas and challenges in our previous post. This post will build on those trends, diving into specific tools and best practices appsec organizations are using.

Top Utilization of Application Security Tools

It should come as no surprise to readers that the application security space has seriously ballooned over the past several years. Today there are hundreds of application security vendors and firms that make up a market that is estimated to grow to $7.6B in 2021.
With so many tools and practices available, what are CISOs utilizing the most?
  • Penetration testing is, across the board, the most utilized application security practice; over 80% of respondents utilize penetration testing in their current application security program.
  • The next most utilized tools and practices are incident response teams and processes (79%) and application vulnerability scanning (71%).
  • The least used methods are static analysis (39%) and threat modeling (50%).
Utilization of these activities also varies by organization size, as shown above. Across the board, smaller companies are doing fewer of the listed activities, and the deltas are highest in the utilization of incident response processes, threat modeling, and use of an SDLC.

While there is saturation across many application security methods, products and services, breaches still occur, and hacking is the overwhelming cause.

How do Bug Bounties fit into AppSec?

As application security programs become more robust to keep up with modern attackers, bug bounties have offered a unique solution. By leveraging the volume of top security researchers, bug bounty programs augment automation solutions and find results that go beyond penetration testing.
This report will provide the first layer of insight into:
  • How CISOs and appsec leaders perceive bug bounty programs
  • What challenges bug bounties are alleviating, and why they are becoming more and more crucial to security organizations
  • Whether a bug bounty is right for your organization

Sign up to get the full report when it is released January 31st: