CISOs take the back seat as dev teams claim responsibility for application security
Development and engineering teams are steering security and budget strategies


Application security is becoming an increasingly important factor in the purchasing decisions of software companies, with responsibility shifting towards development teams.
According to findings from Checkmarx' annual report, 49% of chief information security officers (CISOs) from a range of industries and regions said buyers regularly factor it in, with a quarter saying that application security is always a factor in those decisions.
This is predominantly the case in Europe, where regulatory frameworks like DORA led 58% of respondents to say that security is always a factor, compared with a third in the Asia Pacific region and only 8% in North America.
In nearly half of software-based product companies, security oversight has moved outside the CISO’s office entirely, the study found.
Engineering teams are increasingly responsible for ensuring secure, scalable delivery, while development teams are taking over AppSec decisions and budgets to embed security earlier and more efficiently in the development process.
"We’re witnessing a pivotal change: AppSec is now a competitive differentiator, a budget priority and a boardroom issue," said Checkmarx chief product officer Jonathan Rende.
"As development teams take greater ownership, CISOs must focus on governance, strategy and collaboration to keep security outcomes on track."
However, the report warned this shift in responsibility is leading to gaps in security coverage, with uneven protection across applications and fragmented tooling leading to blind spots.
Only four-in-ten business operations run on secured applications, and seven-in-ten organizations said that at least half of their applications lack robust security measures.
The good news is that AppSec budgets are growing, with 78% of respondents saying their budget rose last year, and four-in-ten saying the increase was ‘significant’. More than seven-in-ten reckoned their budget would increase this year, with a quarter saying the increase would be significant.
Budget increases were most frequently seen in Europe, where 56% of respondents reported significant growth, compared with roughly a third in both North America and the Asia Pacific region.
Communication barriers are causing problems
Despite positive signs with regard to budget growth and responsibility, the study did uncover problems with the way security is communicated at the executive level.
While 62% of CISOs report AppSec metrics to their board, most said they focus entirely on vulnerability counts, with only a quarter linking those risks to business outcomes like brand reputation or regulatory exposure.
Nearly one-in-five said they don't report on application security risks at all.
As a result, the report said CISOs need to redefine their role through governance rather than direct control, and foster a culture of shared responsibility by incorporating developer feedback when redesigning processes.
"As security responsibility migrates toward development teams, so does the funding," said Rende. "That’s why CISOs today need to lead with influence, creating guardrails, not roadblocks."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.