Alert Fatigue and Talent Gaps Fuel AppSec Weaknesses
This article describes several challenges facing application security: 62% of enterprises have knowingly released vulnerable applications under delivery pressure; talent shortages make it hard for small and medium-sized businesses to attract and retain specialists; the share of cyberattacks targeting web applications has risen significantly; and although enterprises are spending more on application security, they struggle to manage risk effectively because security checks come late in the development process and tools generate frequent false positives. 2025-7-29 13:0:30 Author: securityboulevard.com

A flood of security tool false positives, talent shortages among cybersecurity teams, and vulnerabilities detected long after they’ve been deployed into production all contribute to an environment in which DevSecOps teams can’t seem to ever get ahead of their application security challenges. 

These are the findings from a survey released today in the 2025 State of Application Security report from Cypress Data Defense. One of the more concerning findings in the survey is the widespread acceptance of teams shipping insecure code into production to meet delivery deadlines. The survey, based on responses from 250 IT and security leaders at organizations with 250 to 1,000 employees across the United States and Canada, found that 62% of respondents said they had knowingly released vulnerable applications to meet deadlines.

That is largely a result of the enormous pressure to release software on schedule, yet the human cost of the potential security fallout remains high. The Cypress Data Defense survey found nearly 80% of security professionals expressed worry about losing their jobs over an application security incident. This anxiety reflects not just personal concerns but a fundamental misalignment between organizational expectations and the resources provided to security teams. When 60% of respondents say that security issues are more likely to delay product launches than feature bugs, it becomes clear that security has become a critical path item.


Appsec Talent Remains Scarce, Application Attacks on the Rise 

A significant part of the reason application security remains so challenging is the lack of talent. Jeremy Nelson, CISO North America at cybersecurity services provider Insight, says organizations simply can’t find the application security and general security talent they need. “There is tremendous demand for cybersecurity professionals right now. And when you think about that, especially for small and medium-sized companies, when you try to attract talent, you are competing with some of the biggest firms in the country for the same talent, and it’s tough for them to attract and retain that talent,” Nelson said in an interview with DevOps.com. “The result is we see a lot more organizations relying on outsourcing to get the cybersecurity talent they need,” Nelson said. 

Other recent surveys have found that attacks on web applications are on the rise, and what was once a relatively rare attack vector has become one of the top attack vectors. According to Cyentia Institute’s IRIS 2025 report, attacks on web applications now account for up to 38% of observed intrusions. That’s a sixfold increase over the past ten years, according to Cyentia. Application security weaknesses now rank among the top three initial access vectors, alongside credential compromise and phishing. 

The flaws being successfully exploited aren’t rare or unknown. According to Cypress Data Defense’s survey, only 51% of organizations report that OWASP (Open Worldwide Application Security Project) Top 10 threats are fully addressed and actively monitored, while 46% describe themselves as still in the “improvement” phase when it comes to addressing web application attacks. In other words, nearly half of the surveyed organizations have not fully closed off attack vectors that have been well documented and well understood for a long time.

Still, the increase in application-level attacks isn’t due to a lack of spending on improving application security, with 90% of organizations reporting that they spend between 11% and 20% of their entire security budgets on application security alone. 

False positives from security scanning tools are exacerbating these challenges by creating noise that drowns out legitimate threats. Fifty-eight percent of respondents report frequently encountering false positives, with 11% stating that it happens constantly. This flood of inaccurate alerts not only wastes precious time but also undermines trust in security tools, potentially leading to alert fatigue that causes teams to miss real threats. 

Conducting application security checks late in the development process remains a persistent problem. According to the survey, only 36% of teams involve security during the planning stage of the software development lifecycle, while 57% wait until just before deployment. “When application security checks happen so late in development it’s a sign of bad processes, and can be more disruptive and cost more to fix than when issues are caught earlier. It can also put security teams in a tougher spot when they have to try to stop or slow deployment closer to deadlines,” said Wim Remes, founder at security consultancy Wire Security.

Still, such bad processes are commonplace. Half of the Cypress Data Defense survey respondents said that their teams lack the time or resources for any secure code reviews. At the same time, other critical activities, such as security unit testing and threat modeling, are similarly deprioritized due to bandwidth limitations. 

Where Can Application Security Laggards Get Started? 

For DevSecOps teams seeking to improve their software quality and security outcomes, the research identifies several key steps. First, application security checks must shift from being spot checks late in the development lifecycle to being an integral part of the process. That means involving security teams in the development planning stages and starting to test early in the development process.

Steve Kosten, director of application security at Cypress Data Defense, advised teams that don’t have much in the way of security budgets or tools to start with open source scanners and software composition analysis (SCA) scanners that can identify vulnerabilities. There are also low-cost dynamic scanners that teams can consider. “I’d suggest moving forward with open-source or free versions of scanners, and then get the lower-cost scanners before investing in full commercial static application security testing and dynamic application security testing scanners,” Kosten advised. “However, the problem with all scanners is that they require some technical skills to install, configure and operate,” he said. Kosten added that if the team doesn’t have the resources necessary to run the program internally, then outsourcing is a viable option.

Successfully addressing the challenges around false positives requires a focus on better tool tuning and human oversight. Organizations should favor tools and processes that raise the share of true positives among reported findings, potentially including managed services that offer expert validation of security findings.

Kosten advises organizations to initially use only a subset of the rules within any given tool, especially those rules known to generate fewer false positives. They should then further customize their rulesets to their code to reduce false positives even further. As their comfort level with the tools increases, teams can expand to include more rules and even consider outsourcing scanning and tool tuning to a managed service provider over time. “The security team can then focus on secure architecture and design to limit the attack surface,” he said. 
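The shift-left and rule-tuning advice in the two passages above can be put into practice as a small triage step between an open-source scanner and the build gate. The following is an added example, not code from the article, from Cypress Data Defense or from any scanner: it reads SARIF-style scanner output, keeps only an allowlist of high-precision rules, drops findings in paths that never ship, removes duplicates, honours a baseline of findings a reviewer has already marked as false positives (the per-repository customization step), and fails the pipeline only on what remains. The rule IDs, file paths and findings are constructed for illustration and are not any tool's real identifiers.

```python
"""Triage an open-source scanner's SARIF output before it gates a build.

Added example, not code from the article, Cypress Data Defense or any
scanner vendor. Rule IDs, paths and findings below are constructed.
"""
import fnmatch
import json
from collections import Counter

# Assumed starter allowlist. Real rule IDs depend on the scanner you run;
# these names are illustrative, not any tool's actual identifiers.
HIGH_PRECISION_RULES = frozenset({
    "sql-injection-string-concat",
    "hardcoded-credential",
    "command-injection-shell-true",
})

# Assumed: code in these paths is not deployed, so findings there are noise.
EXCLUDED_PATHS = ("tests/*", "*/tests/*", "vendor/*", "docs/*")


def _result(rule, level, path, line):
    """Build one SARIF 2.1.0 result object (only the fields used below)."""
    return {
        "ruleId": rule,
        "level": level,
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": path},
            "region": {"startLine": line},
        }}],
    }


# Constructed sample output: one SARIF run with six results, including a
# test-file hit, a vendored hit, an exact duplicate and a low-value rule.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    _result("sql-injection-string-concat", "error", "app/db.py", 42),
    _result("sql-injection-string-concat", "error", "tests/test_db.py", 10),
    _result("hardcoded-credential", "warning", "app/config.py", 7),
    _result("hardcoded-credential", "warning", "app/config.py", 7),
    _result("useless-assignment", "note", "app/views.py", 99),
    _result("command-injection-shell-true", "error", "vendor/lib/run.py", 3),
]}]})


def parse_results(sarif_text):
    """Flatten SARIF results into dicts with rule, level, path and line."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            findings.append({
                "rule": r["ruleId"],
                "level": r.get("level", "warning"),
                "path": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
            })
    return findings


def is_excluded(path, patterns=EXCLUDED_PATHS):
    """True if the path matches a non-shipping pattern (fnmatch '*' spans '/')."""
    return any(fnmatch.fnmatch(path, p) for p in patterns)


def triage(findings, rules=HIGH_PRECISION_RULES, excluded=EXCLUDED_PATHS,
           baseline=frozenset()):
    """Keep findings from trusted rules in shipped code, minus dupes and baseline.

    `baseline` holds (rule, path, line) keys a human has already reviewed and
    marked as false positives; that is the per-repository customization step.
    """
    kept, seen = [], set()
    for f in findings:
        key = (f["rule"], f["path"], f["line"])
        if f["rule"] not in rules or is_excluded(f["path"], excluded):
            continue
        if key in seen or key in baseline:
            continue
        seen.add(key)
        kept.append(f)
    return kept


def gate(findings, fail_levels=("error",)):
    """Return (passed, per-rule counts); fail only on kept findings at fail_levels."""
    blocking = [f for f in findings if f["level"] in fail_levels]
    return len(blocking) == 0, dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    raw = parse_results(SAMPLE_SARIF)
    kept = triage(raw)
    passed, counts = gate(kept)
    print(f"{len(raw)} raw findings -> {len(kept)} after triage; "
          f"gate {'passed' if passed else 'FAILED'}; {counts}")
```

On the constructed sample, six raw findings shrink to two after triage, and the build fails only on the error-level SQL injection hit in shipped code; adding that one key to the baseline lets the build pass while the warning is still reported. Expanding `HIGH_PRECISION_RULES` over time is the "turn on more rules as comfort grows" step Kosten describes.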

The current state of appsec, as highlighted in this survey, shows how far many organizations still have to go in improving their application security. Organizations that continue to treat application security as something to be done at the end of the development process will likely find their security issues compounding over time, raising their risk of a data breach, and fixing those flaws once they have shipped into production is likely to cost more over time. Those that build a comprehensive application security program will be better positioned to defend their organizations. “Waiting until the end to do a security assessment can be significantly more costly when it comes to fixing those vulnerabilities,” said Kosten.



Source: https://securityboulevard.com/2025/07/alert-fatigue-and-talent-gaps-fuel-appsec-weaknesses/?utm_source=rss&utm_medium=rss&utm_campaign=alert-fatigue-and-talent-gaps-fuel-appsec-weaknesses