Survey Surfaces Extent of Web Application Security Crisis – Notice Global Web

A survey of 349 U.S. and UK cybersecurity professionals finds that while 60% work for organizations that update web applications at least once a week, nearly three-quarters (75%) test their web applications monthly or less often.

Conducted by CyCognito, a provider of for discovering web application security, the survey found that respondents said the number of web applications in their environment was too large for adequate testing, with nearly 75% leaving more than 40% of the attack surface untested.

More than one-third (35%) said their organization experiences a significant security event involving a web application at least once a week. More than a quarter (26%) said they experience a major incident involving a web application once a week.

In addition, more than half of respondents (53%) indicated difficulties remediating vulnerabilities uncovered by web application testing. More than half (54%) of respondents struggle to remediate the vulnerabilities their web application security tests reveal. Nearly one-third (28%) strongly agree that they are not able to readily operationalize vulnerability test findings.

The survey identifies the top-ranked inhibitors to adequate web application testing, including the volume of APIs in production environments (67%) and the time required to test and monitor changes (66%).

On the plus side, nearly two-thirds (65%) said they are planning to increase automation within their web application security testing workflows.

CyCognito CEO Rob Gurzeev said the lack of testing across the web application portfolio is essentially a numbers game. Organizations have more applications being built and deployed than they can reasonably expect to test unless they invest more in automation, he added.

No Formal Process for Testing Production Web Applications

More challenging still, it’s not always clear in many organizations who is responsible for ensuring web applications are secure, Gurzeev noted. More than a quarter of survey participants (26%) work for organizations with no formal process for testing production web applications. Nearly one quarter (24%) reported that their organization lacked a formal handoff process when web apps were delivered into production and security teams became responsible for testing, monitoring, and protecting them. An even larger percentage (27%) said that individual business units didn’t have a process for involving the security team in web app deployment. A similar number (27%) had no process for testing the security of web applications once in production.

For all types of testing, roughly 60-70% of organizations are testing monthly or less often. Approximately 30-40% of all testing is conducted quarterly or less frequently. More than three-quarters of respondents (77%) expect their cloud provider to do at least some security testing and remediation.

There’s little doubt that there’s plenty of room to improve DevSecOps workflows within most organizations. In fact, governments around the world are starting to put regulations in place that will hold organizations that deploy software much more accountable for application security.

More challenging still, thanks to advances in artificial intelligence, the number of web applications that will be deployed in the years ahead is only going to increase exponentially. If it hasn’t already, it’s clear the overall size of the application portfolio that needs to be secured is growing well beyond the ability of organizations to effectively secure and manage it.

Source Link: https://devops.com/survey-surfaces-extent-of-web-application-security-crisis/amp/

Author: BLOGGER