The State of Web Application Security Testing 2024
July 08, 2024

"In the modern IT ecosystem, each SaaS instance, DevOps service, and hardware device has a web interface. Generative AI is also now creating many more of these interfaces, resulting in thousands of exposed web applications for large enterprises. Despite this fact, most security teams only test monthly at best," said Rob Gurzeev, CEO and co-founder, CyCognito. "And when they do test, coverage is severely limited, ranging from 5% to 13%, due to outdated testing methods. This result is that many applications are left vulnerable. Our research clearly underscores that automating testing processes are absolutely critical to ensuring robust protection against evolving cyber threats."

The 2024 State of Web Application Security Testing report from CyCognito, based on a survey of 349 US and UK cybersecurity professionals, found the following:

Web application attack surfaces are large and growing

Organizations maintain dozens, often hundreds of custom web apps, developed in-house and by third-party partners.

Web applications change frequently

Over 60% update web applications weekly or more often.

Web application security incidents and breaches are common

More than one-third of respondents (35%) experience a significant security event involving a web app at least once a week, while more than one-quarter (26%) experience a major incident that often.

Web application security testing is conducted infrequently and coverage is lacking

Nearly 75% test their web applications monthly or less often, leaving more than 40% of the attack surface untested.

Large web application environment is difficult to test

70% said the number of web applications in their environment was too large for adequate testing. Other top-ranked inhibitors to adequate web application testing include the volume of APIs in production environments (cited as a large or very large blocker by 67%) and the time required to test and monitor changes (66%).

Remediation is a struggle

More than half of respondents (53%) indicated difficulties remediating vulnerabilities uncovered by web application testing.

Leaders feel urgency to improve testing

65% are planning to increase automation within their web application security testing workflows. Looking to the future, they are interested in creating efficiencies. They are also interested in building out continuous testing capabilities.

Share this

Industry News

March 27, 2025

webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.

March 27, 2025

Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.

March 27, 2025

Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.

March 26, 2025

Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.

March 26, 2025

CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.

March 26, 2025

BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.

March 25, 2025

Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.

March 25, 2025

Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.

March 25, 2025

Platform9 formally launched the Platform9 Partner Program.

March 24, 2025

Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.

March 20, 2025

Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).

March 20, 2025

Perforce Software announced its acquisition of Snowtrack.

March 19, 2025

Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.

March 19, 2025

Amplitude announced the rollout of Session Replay Everywhere.

March 18, 2025

Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...