AppSec Budgets Lag Amid $9.48M Breach Costs
Cypress Data Defense, a leading provider of application security and network security solutions, in partnership with TechStudio, released the 2025 State of Application Security Report, revealing a growing crisis in software security. The report highlights a concerning trend: 62% of organizations knowingly release insecure code to meet delivery deadlines. As cyber threats intensify, security teams face burnout, resource constraints, and a troubling misalignment between application security (AppSec) investment and actual risk.
The survey, conducted in collaboration with TechStudio, gathered insights from 250 senior IT and security leaders across North America. The findings underscore a widening gap between AppSec funding and the escalating cost of breaches—which now average $9.48 million per incident in the U.S. Despite this, nearly 90% of organizations allocate just 11–20% of their security budgets to application security.
“False positives, talent shortages, and late-stage vulnerability detection are creating a perfect storm for application security teams,” said Aaron Cure, Co-Founder and Director of Cyber Security at Cypress Data Defense. “Organizations urgently need proactive AppSec strategies and managed services to keep pace with modern threats.”
Key Findings:
Security Delays Threaten Software Releases
- 60% say security issues are more likely to delay product launches than feature bugs
- Only 36% involve security at the planning stage; 57% wait until just before deployment
Security Teams Under Intense Pressure
- 62% admit to pushing insecure code to production under deadline pressure
- 58% report frequent false positives from security scanners; 11% say it happens constantly
- 51% of teams have fully addressed OWASP Top 10 threats—leaving nearly half exposed to foundational risks
AppSec Budgets Misaligned with Rising Risk
- Application-layer attacks account for 43% of breaches
- 36% of companies spend more on network security than AppSec
- Nearly 90% allocate only 11–20% of their security budgets to application security
- Just 1% invest more than 20% of their total security budget into AppSec
Outsourcing Emerges as a Key Trend
- 83% are considering outsourcing AppSec functions
- 8 in 10 AppSec professionals are open to outside help due to limited staffing, talent shortages, and constant development cycles
The report reveals a broader crisis of capacity and morale. Burnout is rampant, and 62% of security professionals fear being fired following a breach. 17% believe termination is likely.
“Automated scanners generate alerts—but real security comes from expert validation and prioritization,” said Steve Kosten, Co-Founder and Director of Application Security at Cypress Data Defense. “Our State of Application Security report shows why managed AppSec services are becoming essential for modern development teams.”
Cypress’s hybrid AppSec model—including its EASy managed service—helps teams shift security left without slowing development. Its expert-led services include secure code reviews, validation, and scalable remediation support.


