A survey of 250 senior IT and security leaders based in North America, published today, finds that 62% work for organizations that knowingly release insecure code to meet delivery deadlines.
Conducted by Cypress Data Defense, a provider of application and network security services, and TechStudio, a provider of managed IT services, the survey also finds that nearly 90% of respondents work for organizations that allocate only 11–20% of their security budgets to application security. Just 1% invest more than 20% of their total security budget in application security, the survey finds.
Despite recent advances in the adoption of best DevSecOps practices, only 36% said their organization involves security at the planning stages of application development, with well over half (57%) waiting until just before deployment.
Aaron Cure, director of cybersecurity for Cypress Data Defense, said this lack of coordination persists even though 60% of respondents acknowledge that security issues are more likely than feature bugs to delay product launches, and that cyberattacks aimed at the application layer account for 43% of all breaches.
Overall, the survey finds that just over half of respondents (51%) work on teams that have fully addressed the top 10 application security threats defined by OWASP. One of the primary reasons more progress has not been made is the volume of false positives still generated by application security tools, Cure noted. In fact, the survey finds that 58% report frequent false positives from security scanners, with 11% saying they occur constantly.
Stress levels among application developers as a result of these issues are high, with 62% fearing termination. As a consequence, a full 80% said they are open to outside help because of limited staffing, talent shortages and constant development cycles, and 83% are considering outsourcing application security functions.
On the plus side, a recent survey of security leaders conducted by The Futurum Group finds that all respondents work for organizations investing in software supply chain security, with application security posture management (ASPM) and DevSecOps automation and orchestration topping the priority list, followed closely by software composition analysis (SCA) tools, application programming interface (API) security and dynamic application security testing (DAST) tools.
In addition, 30% of respondents expect to be piloting a software bill of materials (SBOM) initiative in the next 24 months, the survey finds.
However, the source of the funding for these initiatives is becoming more of a shared responsibility, with only 21% of respondents reporting that security budgets are the sole source. In fact, half of the respondents (50%) said application development teams now own responsibility for application security.
Regardless of the level of investment in application security being made today, it is only a matter of time before securing software supply chains becomes a much higher priority as regulations become more stringent. The challenge, and the opportunity, is to put the resources in place now to address these issues ahead of a deadline that will otherwise cause disruption and, like it or not, inevitably slow the current pace of application development.