
Double Whammy: When Insecure Code Meets Burned-Out Cybersecurity Teams

‘They’re pushing code that they know has vulnerabilities.’



When deadlines close in, security often slips through the cracks. 

A recent survey of 250 IT leaders across industries by application security firm Cypress Data Defense found that 62% of organizations are knowingly releasing insecure code to meet delivery deadlines. While enterprises neglect security to meet financial goals, security teams are finding themselves burned out and under-resourced, said Aaron Cure, co-founder and director of cybersecurity at Cypress.

“They’re pushing code that they know has vulnerabilities,” Cure said. “They’re releasing because they have a deadline, because they have money goals to reach and they have sales goals to reach. So they prioritize those goals over security.” 

The report found that only 36% of enterprises involve security in the planning phase of development:

  • Often, the security focus of a business is on network security, or the protection of physical infrastructure like servers and routers, rather than application-layer security, or protection of software – despite the fact that application-layer attacks drive 43% of security breaches, according to the report. 
  • That’s because network security is “tangible,” said Cure. “It’s something that takes a lot of trust. As soon as I put that money into training (staff), that money walks out the door when they go to the next job. If I buy a piece of hardware, that hardware stays here.”

AI is only exacerbating the problem, Cure said. Amid the growing trend of rapid code development with the help of AI tools, security teams are forced to identify bugs in larger and larger code bases. 

“Because AI is generating twice as much for them, they’re getting twice as much done. So now, you’ve got twice as much to do,” said Cure. 

This leads to security teams spending all of their time “fighting the same fight,” said Cure. While they attempt to keep up with security vulnerabilities and weed through thousands of false positives picked up by code security scanners, they’re often fighting against leadership’s demand for output, said Cure. 

But in the face of competition, slowing down development isn’t always possible, said Cure. The only solution is investing the time, resources and cash to bolster application-layer security, whether that means hiring more talent internally or outsourcing. 

“What they need to do is to be able to iterate security as quickly as they can iterate features,” he said.
