If you are a security practitioner or leader, we recommend using this complimentary report to benchmark your AppSec program and stay on top of emerging trends, so that you don't get caught unaware in 2022 and beyond.
Below are some highlights from the report, with our comments.
It’s all about the application
Of course, this is The State of Application Security report. But when the team at Forrester asked 500+ security experts "How was the external attack carried out?", software vulnerabilities, supply chain breaches, and web app exploits ranked above vectors like phishing, malware spam, and others.
Why do applications have such a big target on their back? The software factory now runs on open-source libraries, APIs, containerized and serverless workloads, and more. As the work of creating and delivering software grows more complex, so does the underlying attack surface.
Is Shift Left (already) behind us?
Larry Smith coined the term in 2001, and it is important to remember the context in which it was introduced. The 1990s were the decade when teams realized that the Waterfall model was not working out, and that is when the principles behind Shift Left became popular. Since then, DevOps has blurred the lines between the sequential stages of the SDLC and turned it into a continuous, uninterrupted loop.
According to Forrester, in 2022 organizations are not only adopting prerelease tools (used in development or testing). They are also investing in security scanning throughout the full lifecycle, to cover new technology stacks and give development teams more confidence in each deployment. It's time to embrace the secure everywhere movement.
Also worth noting is the growing influence of engineering teams over how this movement is unfolding. Vendor vetting, approval, and budget spending are under their ownership in 40% of the organizations polled. In hindsight, it makes sense to have development teams, who are now expected to strengthen their security practices throughout the SDLC, choose the tools they deem fit for the mission. But this was not a given until recently.
Planned AppSec adoption is uneven
AppSec tooling is like every other technology: it has its early adopters, its fast followers, and those arriving a little late to the party. With dozens of tool categories to choose from (SAST, DAST, IAST, RASP, bot management, WAFs, fuzz testing…), uneven adoption comes as no surprise.
Companies in different industries face different challenges and need to prioritize according to the biggest threats they face. The report explores the differences in planned AppSec adoption over the next 12 months across industries such as manufacturing, retail and wholesale, financial services, utilities and telecom, and media.
That's it for now; we don't want to spoil any more of it. There's a lot more to learn in the 20-page complimentary report from Forrester!