Cyber security workers only review major updates to software applications only 54 percent of the time, according to a poll of tech managers.

That figure comes from CrowdStrike, which recently published [PDF] its 2024 State of Application Security Report. It's based on interviews with admittedly just 400 US security managers, so take it all with a suitable pinch of salt.

The likelihood that major code updates undergo a security review resembles a bell curve, according to the survey. Twenty-two percent of respondents confessed they did a security review under half of the time, and the same percentage claim to have reviewed code 50 to 74 percent of the time.

At the lower end of the spectrum, over a fifth of those surveyed responded that they only reviewed major code changes in less than a quarter of instances. On the other side, a third said they did so at least 75 percent of the time.

Skipping the review process isn't simply down to neglect and laziness. Reviews take time, and time is often money. Only 19 percent said a security review took less than a day, while 46 percent estimated one to three days were needed. A further 29 percent claim reviews could take three to five days to complete.

On average, employees said they had ten code reviews per week, with each one requiring 16 or 17 team members. Based on this, CrowdStrike calculated the average yearly cost of security reviews at nearly $1.2 million. Even when doing the same math, but with median number of reviews per week and employees per review, the annual expenditure for code reviews was $188k.

Keep in mind, that's when teams are only doing reviews for every other major update.

There doesn't seem to be a single root cause as to why security reviews are so time and money-consuming - it comes down to a variety of factors.

Respondents work with about three to five different coding languages. In addition 89 percent use at least two tools for threat detection - 60 percent using at least five tools - and about 71 percent of firms are using manual management methods like documentation and spreadsheets.

Indeed, 52 percent of the security managers placed "misaligned tools/technology" among their top three challenges. And 61 percent lamented that merely "prioritizing what to fix first" was also in the top three.

"The data is clear: Applications and APIs are not secure enough," CrowdStrike concluded. "As adversaries evolve their techniques and operate with greater speed, it is imperative that organizations strengthen their application security posture." ®

https://www.theregister.com//2024/07/18/security_review_failure/