Despite knowing the risks, most organizations are still shipping insecure software. That’s one of the stark findings from Cypress Data Defense’s 2025 State of Application Security report, which reveals a worsening crisis in software security. According to the report, 62% of organizations knowingly deploy vulnerable code to meet delivery deadlines.
As cyber threats intensify, security teams are struggling with burnout, resource shortages, and a widening disconnect between where budgets go and where the real risks lie. Based on insights from 250 senior IT and security leaders across North America, the report reveals a trend: while the average cost of a U.S. data breach has soared to $9.48 million, nearly 90% of organizations allocate just 11-20% of their security budgets to application security.
“False positives, talent shortages, and late-stage vulnerability detection are creating a perfect storm for application security teams,” said Aaron Cure, Director of Cyber Security at Cypress Data Defense. “Organizations urgently need proactive AppSec strategies and managed services.”
Security delays threaten software releases
- 60% say security issues are more likely to delay product launches than feature bugs.
- Only 36% involve security at the planning stage. 57% wait until just before deployment.
Security teams under intense pressure
- 62% admit to pushing insecure code to production under deadline pressure.
- 58% report frequent false positives from security scanners; 11% say they occur constantly.
- 51% of teams have addressed OWASP Top 10 threats—leaving nearly half exposed to foundational risks.
AppSec budgets misaligned with rising risk
- Despite application layer attacks accounting for 43% of breaches, 36% of companies spend more on network security than AppSec.
- Nearly 90% allocate only 11-20% of their security budgets to application security.
- Just 1% invest more than 20% of their total security budget into AppSec.
Outsourcing emerges as a key trend
- 83% are considering outsourcing AppSec functions.
- 8 in 10 AppSec professionals are open to outside help due to limited staffing, and constant development cycles.
The report highlights a serious breakdown in morale and capacity across security teams. Burnout is widespread, and anxiety is high. Sixty-two percent of security professionals worry they will be fired if a breach occurs, and nearly one in five believe termination is likely.
