Software Integrity Blog
Software security trends from experts at Infosec Europe 2019
Top software security trends for 2019, based on our annual survey at Infosec Europe, include growing concerns for data protection and regulatory compliance.
At Infosecurity Europe this year, we conducted our annual survey of attendees to uncover the latest software security trends, including what they’re concerned about and what they’re doing about it. Read on for our analysis, or download the PDF version.
Software Security Experts Speak Out at Infosec
Who’s talking
We surveyed security and software engineers from the tech, finance, and security industries at Infosecurity Europe 2018 and 2019.
What they’re saying
Critical security concerns
Protecting customer data and maintaining business operations remain top of mind in 2019. But regulatory compliance is of growing concern. Overall, the 2019 respondents considered each of the four issues as more important than did the 2018 respondents. There’s a clear trend regarding software security concerns: Organizations are more worried about everything.
| 2018 | 2019 | |
| Protecting customer data | 60% | 69% |
| Maintaining business operations | 57% | 68% |
| Regulatory compliance | 51% | 64% |
| Protecting internal IP | 43% | 55% |
GDPR compliance
GDPR legislation has had an obvious impact over the past year. The growing number of organizations who maintain compliance with this privacy regulation is one of the more positive software security trends we discovered.
| 2018 | 2019 | |
| My organization is GDPR compliant | 44% | 88% |
Security program challenges
Respondents pointed to the same three main roadblocks to implementing application security programs in both 2018 and 2019. It seems that while these challenges aren’t getting worse, organizations aren’t making much headway in resolving them either.
| 2018 | 2019 | |
| Perceived impact on speed of development/deployment | 33% | 31% |
| Lack of skilled professionals | 30% | 31% |
| Budget constraints | 29% | 31% |
Security and awareness training
Another positive software security trend revealed in our survey relates to training. Some organizations offer only application security training for developers. Others offer only cyber security awareness training for all employees. But many more organizations now see the value of both types of programs. It’s a trend we hope continues in the same direction.
| 2018 | 2019 | |
| We have both types of programs | 35% | 48% |
Riskiest applications
Respondents in 2019 again told us that customer-facing web applications pose the highest security risk to their organizations. This statistic has hardly changed since our survey in 2017, when it was 48%. A number of reports in recent years have confirmed that web apps are the No. 1 attack surface, so it’s no surprise that organizations are worried about protecting web apps from hackers.
| 2018 | 2019 | |
| Customer-facing web applications | 44% | 45% |
| Internal/business applications | 29% | 28% |
Riskiest vulnerabilities
Our survey suggests a possible trend in what software security professionals consider the riskiest vulnerabilities. In 2019, more respondents thought that either cloud and container misconfigurations or vulnerabilities in open source components pose the most risk. The upward trend in both these areas is backed up by recent reports showing that cloud security is a growing concern, and organizations are using more open source components than ever.
| 2018 | 2019 | |
| Misconfiguration vulnerabilities in cloud/containerized apps | 25% | 27% |
| Vulnerabilities in OSS components | 22% | 24% |
| Vulnerabilities in in-house proprietary code | 20% | 20% |
What to learn from these software security trends
Many development organizations believe that security testing is too slow—leading them to take on increasing risk in their quest to decrease time to market. But modern AppSec platforms integrate multiple tools and services to build security in throughout the SDLC, from developer to deployment, without slowing you down. With the right tools, you can manage risk across your application portfolio with minimal impact to your release dates.
