Sponsored Content

Step 1 of 8

12%

Do you develop your own software in your organization?(Required)

Yes

Not sure

What portion of your cyber risk is Application Security (AppSec)? (Select one)(Required)

We over-focus on AppSec

We focus on AppSec to match the risk

We under-focus on AppSec

What are the biggest challenges you face implementing a robust AppSec strategy? (Select all that apply)

Lack of budget

Insufficient skilled personnel

Complexity of integrating security into the development lifecycle

Resistance from development teams

Keeping up with evolving security threats

Lack of executive buy-in

Other (please specify)

Other

Which DevSecOps practices are widely used for actively developed projects (not legacy) (Select all that apply):(Required)

Automated unit and functional tests for quality run in the pipeline with merge blocking

Automated application security testing (AST) in development and (SAST/IAST) runs in the pipeline

Automated AST tools to find vulnerabilities in the code you import (SCA) run in the pipeline

Merge blocking at current policy level for AST checks

Secrets management so no secrets stored in source code repositories

How do you assess and mitigate risk of For NON actively developed products (legacy) (Select all that apply):

In-production scans using DAST products like Qualys, Nessus, etc.

Periodic penetration testing

Periodic running of AST tools

Manual code reviews by security specialists

Use of third-party security assessment services

No assessment or mitigation effort is happening

How do you resolve the security issues found? (Select all that apply):(Required)

In-production scans using DAST products like Qualys, Nessus, etc.

Periodic penetration testing

Periodic running of AST tools

Manual code reviews by security specialists

Use of third-party security assessment services

No assessment or mitigation effort is happening

Which best describes security training for your developers? (Select all that apply)(Required)

Monthly

Quarterly

Annually

As part of onboarding

Just-in-time via integration with AST tools when a vulnerability is found

No formal training provided

How do you determine your level of investment in AppSec? (Select all that apply)(Required)

Perceived risk and threat landscape

Industry benchmarks and standards

Historical spending patterns / budget constraints

Recommendations from third-parties

We do not have a formal process