Managing Application Security

Managing Application Security at Scale: Insights from Industry Leaders

Application security programs are increasingly driven by risk management, not just compliance — and scaling these efforts requires a systematic, metrics-driven approach.

Why This Study Was Conducted

Security Compass conducted a targeted study of large enterprises to understand which AppSec practices scale effectively.

  • 28 large enterprises participated, 18 with revenues over $1B

  • Majority from financial services, but findings apply broadly

  • Aim: Identify which security activities are effective across large portfolios of applications

What’s Driving Application Security Today?

The key drivers for application security programs have shifted from compliance to proactive risk management.

Three Pressures Shaping AppSec:

| Pressure | Description |
|---|---|
| Speed of Development | Agile and DevOps demand faster releases without slowing down the business |
| Sophisticated Risk Management | Board-level scrutiny and enterprise-wide risk frameworks increase pressure |
| Cost Control | Especially in competitive industries like finance and manufacturing |

Top Motivators for AppSec Programs:

| Driver | Prevalence among respondents |
|---|---|
| General Risk Management | 79% |
| Compliance | 2nd most common |
| Customer Demand | Especially among product/software vendors |

What Metrics Are Organizations Using?

Most companies still rely on the number of vulnerabilities found, despite its limitations.

| Metric | Adoption Rate |
|---|---|
| Number of vulnerabilities found | 75% |
| Compliance with policy/standards | 58% |
| Remediation time | 39% |
| Tool/training adoption | 32% |
| Financial metrics (ROI, cost impact) | Very rare |

Key Takeaway: Over-reliance on vulnerability count biases programs toward what scanners can detect, missing deeper threats.

Which AppSec Activities Scale Best?

Only a few secure development activities scale well across large organizations.

Most Scalable Activities:

| Activity | Avg. Adoption Score (1–5) | Notes |
|---|---|---|
| Application risk classification | 4.6 (Finance) | Broadly adopted across sectors |
| Threat/risk assessments | High | Often outside security-specific processes |
| Static analysis | ~3.5–4 | Scales better than manual reviews |
| Dynamic analysis | ~3 | Heavily used but slower than static analysis |
| Penetration testing | ~3 | Limited by time and cost |
| Secure coding guidelines | ~2.5 | Easier to scale once a standard is in place |

Least Scalable (but critical) Activities:

| Activity | Adoption Challenges |
|---|---|
| Threat modeling | Requires expertise, often inconsistent or incomplete |
| Manual code review | Time-intensive and lacks scalability |
| Secure QA testing | Depends on technical depth of QA team |
| RASP & IAST | Low adoption, but expected to grow |
| Fuzz testing | Niche use cases, mainly non-web protocols |

Common Gaps in Third-Party Risk Management

Most organizations apply shallow checks on third-party software security.

| Practice | Adoption |
|---|---|
| General security questionnaires (non-AppSec) | 92% |
| Requiring secure SDLC policy | 46% |
| Requiring SSAE 16 / SOC 2 / ISO 27001 | Common |
| Actual testing or code review of vendor software | 38% |
| Threat modeling or requirement validation | Rare |

Recommendation: Push vendors to adopt deeper standards like ISO/IEC 27034 or Microsoft SDL — not just ISO 27001.

Why “Shift Left” Still Has Gaps

Despite years of industry focus, shift-left activities like secure requirements and threat modeling are inconsistently applied.

  • Few companies align security requirements with test coverage

  • Traceability from threat modeling → requirements → test → validation is missing

  • Most rely solely on testing outcomes, not design-level controls

The 70/30 Problem in AppSec Testing

Even with advanced tools, 70% of potential risks go unaddressed due to limitations in detection and remediation.

| Risk Funnel Stage | Insight |
|---|---|
| Static/Dynamic tools coverage | ~54% of known vulnerabilities |
| Fix rate | ~46–54% of findings get fixed |
| Time to fix (critical) | Avg. 316 days (WhiteHat data) |

Conclusion: Relying solely on SAST/DAST and pen testing leaves major gaps in application security posture.

Three Key Takeaways for Security Leaders

To effectively manage application security at scale, focus on these strategic imperatives:

  1. Adopt Better Metrics

    • Move beyond “vulnerabilities found”

    • Track remediation time, requirements coverage, and financial impact

  2. Link Requirements to Testing

    • Use platforms like SD Elements or threat modeling tools

    • Ensure traceability from controls to validations

  3. Hold Vendors to Higher Standards

    • Demand ISO/IEC 27034, Microsoft SDL, or equivalent

    • Don’t rely solely on general security certifications
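The first two takeaways (better metrics, requirements linked to testing) are the ones a program can check mechanically. The following Python is an added example, not code from Security Compass, SD Elements, or the study; it computes per-severity fix rate and median days-to-fix from a constructed set of findings, and walks a constructed threat → requirement → test → result chain to report exactly where traceability breaks. All identifiers (F-1, T-1, REQ-1, TC-1) and dates are hypothetical sample data.

```python
"""Program-level AppSec metrics: remediation time and requirement traceability.

Added example with constructed sample data; identifiers are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass
class Finding:
    finding_id: str
    severity: str                 # "critical", "high", "medium", "low"
    found: date
    fixed: Optional[date] = None  # None means the finding is still open


@dataclass
class Requirement:
    req_id: str
    threat_ids: List[str]  # threats this control is meant to mitigate
    test_ids: List[str]    # tests that validate the control


@dataclass
class TestResult:
    test_id: str
    passed: bool


def remediation_metrics(findings, as_of):
    """Per-severity fix rate, median days-to-fix (fixed findings only) and age of the oldest open item."""
    out = {}
    for sev in sorted({f.severity for f in findings}):
        group = [f for f in findings if f.severity == sev]
        fixed = [f for f in group if f.fixed is not None]
        days = [(f.fixed - f.found).days for f in fixed]
        open_ages = [(as_of - f.found).days for f in group if f.fixed is None]
        out[sev] = {
            "total": len(group),
            "fix_rate": round(len(fixed) / len(group), 2),
            "median_days_to_fix": median(days) if days else None,
            "oldest_open_days": max(open_ages, default=0),
        }
    return out


def traceability_gaps(threat_ids, requirements, results):
    """Walk threat -> requirement -> test -> result and report where the chain breaks."""
    passed = {r.test_id for r in results if r.passed}
    known_tests = {r.test_id for r in results}
    covered_threats = {t for r in requirements for t in r.threat_ids}
    unmitigated = sorted(set(threat_ids) - covered_threats)
    untested = sorted(r.req_id for r in requirements if not r.test_ids)
    # A requirement counts as validated only if every linked test exists and passed.
    unvalidated = sorted(
        r.req_id for r in requirements
        if r.test_ids and not all(t in passed for t in r.test_ids)
    )
    dangling = sorted({t for r in requirements for t in r.test_ids} - known_tests)
    validated = len(requirements) - len(untested) - len(unvalidated)
    return {
        "threats_without_requirement": unmitigated,
        "requirements_without_test": untested,
        "requirements_with_failing_or_missing_test": unvalidated,
        "tests_never_run": dangling,
        "requirements_coverage": round(validated / len(requirements), 2) if requirements else 0.0,
    }


# Constructed sample data (hypothetical identifiers and dates).
FINDINGS = [
    Finding("F-1", "critical", date(2024, 1, 10), date(2024, 1, 20)),
    Finding("F-2", "critical", date(2024, 2, 1), date(2024, 3, 2)),
    Finding("F-3", "critical", date(2024, 3, 1)),
    Finding("F-4", "high", date(2024, 1, 5), date(2024, 2, 4)),
    Finding("F-5", "high", date(2024, 1, 15)),
    Finding("F-6", "high", date(2024, 2, 1)),
]
AS_OF = date(2024, 6, 30)

THREATS = ["T-1", "T-2", "T-3"]
REQUIREMENTS = [
    Requirement("REQ-1", ["T-1"], ["TC-1", "TC-2"]),
    Requirement("REQ-2", ["T-2"], ["TC-3"]),
    Requirement("REQ-3", ["T-2"], []),        # control with no validating test
    Requirement("REQ-4", ["T-1"], ["TC-9"]),  # linked test was never executed
]
RESULTS = [TestResult("TC-1", True), TestResult("TC-2", True), TestResult("TC-3", False)]

if __name__ == "__main__":
    for sev, m in remediation_metrics(FINDINGS, AS_OF).items():
        print(sev, m)
    for key, value in traceability_gaps(THREATS, REQUIREMENTS, RESULTS).items():
        print(key, value)
```

Reporting both a fix rate and the age of the oldest open item per severity keeps the metric from being gamed by closing easy findings, and the traceability report distinguishes a requirement with no test from one whose test failed or was never run, since each needs a different owner to act.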

Final Thoughts

Security Compass’s study makes it clear: scalable application security requires more than testing. It demands risk-driven strategy, measurable outcomes, and rigorous vendor expectations. By focusing on what actually scales — and improving what doesn’t — organizations can build stronger defenses into every layer of the SDLC.