Forrester Report: The State of Application Security, 2020

Applications continue to be the leading attack vector in security breaches. As applications become more complex, rely on internal and third-party components, and evolve to support new frameworks, security teams must keep up—attackers certainly are.

In this invaluable report, composed from a survey of nearly 4,000 security professionals, Forrester identifies three important factors that make applications the weakest link in organizations’ overall security strategy:

  • Open source continues to be vulnerable
  • Attackers are adapting as applications take new forms
  • Developers aren’t slowing down—security can’t either

Clearly, now is not the time to ease up on security efforts. Instead, pushing security testing earlier in the software development life cycle, implementing autoremediation, and shoring up production protections are more important than ever. 

Download the complimentary report

To meet developer needs, security pros must integrate application security testing tools into the CI/CD pipeline and enable scans to run automatically on check-in, build, and integration while also enabling autoremediation to make mitigating security flaws quick and painless."




Jonathan Knudsen

Jonathan Knudsen
Senior Security Strategist, Synopsys


Synopsys Point of View

As the report points out, applications are becoming more complex: they include more code, in more languages, on more platforms, and with more deployment options. This complexity means more security risk. There are more places and more things to go wrong. And more velocity means less time to get things right.

As I wrote in a recent blog post, the big question that organizations need to answer is, “What’s the best way to approach security holistically, from a boots-on-the-ground perspective on risk reduction?”

The clear answer is automation.

The report identifies how organizations are moving software composition analysis (SCA) and container security, as well as static application security testing (SAST) and even interactive application security testing (IAST), into the development phase of the software development life cycle (SDLC). Using automation in this way helps address risks with lower friction, to better meet release timelines and objectives.

Additionally, instead of running full scans every time a piece of code is changed, organizations can use intelligent test execution based on context, to decide what to run, when to run it, and how to run it.

This approach frees teams to handle each application the best way, with limited configuration by the toolchain team, and with the flexibility to easily adjust policy in one place.