An Inside Look into ASPM: Five Findings from New Industry Research

Feb 09, 2026

It’s no secret that AppSec teams are under more pressure than ever. Development velocity continues to accelerate, application architectures are increasingly distributed and attackers are targeting everything from proprietary code to open-source dependencies and cloud infrastructure.

To better understand how organizations are managing this reality, new research from Omdia examines the emerging application security posture management (ASPM) market. The study aims to define ASPM, evaluate whether current solutions are delivering on their promise to unify full-lifecycle visibility and risk-based prioritization and explain how ASPM is being used in modern AppSec programs.

Let’s break down five findings from the research that expose the reality of application security today.

54% of Organizations Experienced a Cybersecurity Incident Related to Internally Developed Applications.

Internally developed applications are often the core of digital businesses and a primary attack surface, given that modern applications change continuously. New code deploys daily, architectures evolve rapidly, and security teams need to keep pace without slowing development. Even small visibility gaps can quickly turn into real incidents.

66% of Organizations Have Moderate to Extensive AI Development Occurring in Their Environment.

Keeping up with the volume of generated code is the most significant challenge teams face. AI-assisted development has fundamentally changed the scale of software creation, with teams shipping more code faster than ever. Security capacity, however, hasn’t scaled at the same pace.

Security teams are underwater chasing findings, while developers are flooded with alerts that lack context and clear prioritization. Traditional scanner-centric approaches begin to break down under this volume.

50% of Organizations Report It Taking 1–7 Days to Remediate Critical Application Issues at the Root Level.

Remediation continues to move too slowly for modern threat timelines. The math is simple and concerning. When remediation takes days and new issues are continuously introduced, risk accumulates. Backlogs outpace team capacity, widening the gap between exposure and remediation and increasing the likelihood of exploitation.

Only 17% of Organizations Can Deploy a Compensating Control in Less Than One Day.

When immediate remediation isn’t possible, compensating controls, such as runtime protections or policy enforcement, are critical for reducing exposure. But the research shows that most organizations struggle to act quickly. The gap leaves applications exposed for longer than necessary, especially in production environments where fixing code may take time.

Only 31% of Organizations Have a Complete Security Posture Assessment of Their Development Environment.

Most organizations lack full visibility into their development posture. Modern software supply chains are complex by default. Open-source dependencies, third-party services, CI/CD pipelines and cloud infrastructure all contribute to application risk. Without a complete view of the development environment, organizations are left with blind spots, which puts them in a risky position, given the ongoing rise in supply chain attacks.

What Does This Mean for AppSec?

Omdia’s research points to a clear shift in how organizations are thinking about application security. Fragmented toolchains, alert overload and slow remediation are creating material risk while trust in automation and AI remains uneven.

Organizations that make progress will be the ones that improve visibility across development environments, reduce friction between security and engineering teams, and move faster when risk is identified.

Download the Research

These five findings only scratch the surface. Omdia’s full report delves into organizational dynamics, the convergence of ASPM with ADR and CDR, and the evolving role of AI in application security.

Download the full report to explore the data and implications shaping the future of AppSec.

 

