Organizations maintain dozens, often hundreds, of custom web apps, developed in-house and by third-party partners. Over 60 percent update web applications weekly or more often, yet testing is being neglected: almost 75 percent only test their web applications monthly or less often, leaving more than 40 percent of the attack surface untested. 70 percent say the number of web applications in their environment is too large for adequate testing. Other barriers to adequate web application testing include the volume of APIs in production environments, cited as a large or very large blocker by 67 percent, and the time required to test and monitor changes, with 66 percent mentioning it as a challenge.
In addition, 53 percent of respondents say they face difficulties remediating vulnerabilities uncovered by web application testing. 65 percent are planning to increase automation within their web application security testing workflows, and there is also interest in building out continuous testing capabilities. According to Rob Gurzeev, CEO and co-founder of CyCognito, “In the modern IT ecosystem, each SaaS instance, DevOps service, and hardware device has a web interface. Generative AI is also now creating many more of these interfaces, resulting in thousands of exposed web applications for large enterprises.
Despite this fact, most security teams only test monthly at best.” Gurzeev notes that when testing is conducted, coverage is severely limited, ranging from five percent to 13 percent, due to outdated testing methods. As a result, many applications are left vulnerable.