Five takeaways from Forrester’s 2024 state of application security

Application security often gets sacrificed for speed and to meet ever-tightening time-to-market windows for new apps needed to fuel new revenue growth.

Increasing the urgency to get apps out early are compensation plans for CIOs, DevOps leaders and their teams that offer financial incentives for delivering apps ahead of schedule. With bonuses riding on getting a new app released quickly, security gets pushed to the final phase of a project and is rushed out fast.

The greater the push for speed, however, the more cracks and weaknesses in application security begin to emerge. Forrester’s recently published 2024 report on the state of application security reflects the growing threat posed by these widening gaps in application security, starting with software supply chains and progressing through DevOps.

Gen AI chatbots deliver the need for more DevOps speed

Forrester is seeing generative AI chatbots and tools delivering developer productivity boosts of between 20% and 50%. “In 2024, many development teams will go from experimentation to embedding TuringBots in their software development lifecycle,” predicts Chris Gardner, VP, Research Director at Forrester. Gardner also predicted that this year, “testers will also gain 15–20% productivity, and all members of product teams will gain above 10% efficiency from their assistive TuringBots in planning and delivery. Gen AI will make low-code and high-coding much more productive everywhere, and this will exponentially grow going forward.”

BairesDev’s recent survey of more than 500 software engineers finds that 72% of them are leveraging gen AI as part of the software development process today, and nearly half (48%) are using it every day. Eighty-one percent are using gen AI-based tools to write code they used to write manually. Nearly one in four developers using gen AI (23%) are seeing a productivity increase of 50% or more. OpenAI’s ChatGPT, GitHub’s Copilot, Microsoft Copilot and Google Gemini are the four most popular chatbots among the software engineers interviewed.

The pressure is on every software-based business to find new ways to increase DevOps accuracy, efficiency and speed. Boston Consulting Group (BCG) says that the more software-intensive a business is, the faster and more effective it needs to be in delivering new features and apps. Getting apps out faster than competitors has proven to be a market advantage and core to long-term survival. With high-performing DevOps teams deploying code on average 208 times more often than low performers, the growing adoption of gen AI-based DevOps tools is widening the performance gap.

Speed exposes growing gaps in governance, risk, and security

The productivity and speed gains that gen AI-based chatbots and apps deliver are exposing growing gaps in the areas of governance, risk and security. CISOs, DevOps leaders, I.T., and security leaders are finding it challenging to adopt a more agile/DevOps development and delivery model that will help close gaps in each area.

Forrester observes in their report, “When we asked global I.T. and digital professionals about their biggest challenges when moving to just such a model in 2023, 26% said security, risk and governance. Unfortunately, an iterative and incremental approach like agile/DevOps leaves limited time for lengthy software validation.”

Five insights from Forrester’s 2024 AppSec report

One reason application security gaps are getting wider is that DevOps teams are racing to beat deadlines without making security core to the SDLC process and integrating it into CI/CD frameworks. That challenge is exacerbated by the proliferation of gen AI chatbots and tools, which creates the need for new governance, risk and security frameworks so that agile/DevOps can deliver safe, secure and trusted code and apps.

Forrester’s five key takeaways address that challenge. They are the following:

Application security budgets increase despite economic headwinds: Despite ongoing economic headwinds and turbulence, cybersecurity spending continues to show resilience and strength. Forrester found that 64% of security decision-makers reported an increase in their application security budget, with 32% reporting an increase of 5% or more; only 8% reported a decrease.

Fifty percent of security leaders whose organizations hadn’t been hit by a breach are predicting their budgets will increase. The number of organizations getting cybersecurity funding jumps to 77% for those organizations that reported six or more breaches in the previous year. Forrester writes that security decision-makers who reported six or more breaches disclosed that their total breach costs averaged around $5.3 million. These costs didn’t include brand damage or opportunity costs, highlighting the importance of preventative and protective application security measures…

By Louis Columbus