New Research from ESG and Mend.io Reveals Key Best Practices for Application Security Effectiveness

Eighty-five percent of respondents agree application security is a board-level priority, yet barely half are capable of effectively remediating a critical vulnerability 

TEL AVIV, Israel and BOSTON, October 17, 2023 – New research sponsored by Mend.io and conducted by TechTarget’s Enterprise Strategy Group (ESG) found application security programs struggle to scale to meet the demand brought about by rapid development. The report, “Optimizing Application Security Effectiveness,” found just 52 percent of companies surveyed say they can effectively remediate critical vulnerabilities and only 41 percent are confident they can manage the security and compliance risks associated with open-source components. 

“Barely half of organizations can effectively remediate critical vulnerabilities. That’s concerning,” notes Melinda Marks, Practice Director, Cybersecurity, Enterprise Strategy Group. “This means the other 48 percent are at serious risk from malicious attacks, including malware, ransomware, and data loss.” 

Crucially, effective remediation pays off when it comes to the most important KPI: application safety. Companies that report the ability to efficiently remediate vulnerabilities were nearly twice as likely to say they have not experienced any serious security incidents tied to a software vulnerability/web application exploit in internally developed applications over the last 12 months.

The research also revealed important trends and best practices among companies that can effectively remediate vulnerabilities. “We wanted to know what companies could learn from the 52 percent who can effectively remediate a vulnerability,” Marks says, “so we did the analysis and identified several best practices.”

Application Security is a Priority…and Business Risk

These findings are particularly concerning given heightened board-level attention to security and business risk. In fact, 85 percent of survey respondents say application security is a board-level priority, with good reason. Surveyed organizations have experienced an average of ~3 serious security incidents resulting from a software vulnerability, and nearly 70 percent of organizations have directly encountered at least one serious security incident from a software vulnerability in the last 12 months.

For those who’ve experienced a security incident in the past 12 months, consequences included application downtime (46 percent), unauthorized access to applications or data (38 percent), malware (34 percent) and data loss (34 percent). 

Best Practices Enabling Efficient Remediation of Critical Vulnerabilities

Survey findings indicate key patterns among the organizations that could efficiently remediate critical vulnerabilities compared to those who could not. The research shows that effective programs:

  • Have more fully embraced DevOps. Organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to report they have extensively embraced DevOps (46 percent vs. 20 percent).
  • Have more extensive DevSecOps adoption and automation of security workflows. These organizations have more often automated the identification and remediation of configuration and software vulnerabilities before deployment to production (78 percent vs. 61 percent).
  • Prioritize open source vulnerabilities. Organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to report that they treat all open source vulnerabilities in their apps as “must fix” (60 percent vs. 28 percent).
  • Know what’s in their code. Organizations able to efficiently remediate vulnerabilities were also more likely to say they view being able to answer questions about their code, such as where it came from, as critical (49 percent vs. 31 percent).

“As businesses modernize their development processes to increase productivity, security must keep pace,” said Rami Sass, co-founder and CEO, Mend.io. “This research has revealed important insights that show progress is being made when it comes to best practices. Those organizations that embrace DevOps, utilize modern tools to automate security workflows, prioritize open source vulnerabilities, and understand what’s in their code demonstrate a stronger ability to effectively manage application risk and security.” 

The full report is available here.

To gain insight into how well security is keeping up with software development, TechTarget’s Enterprise Strategy Group (ESG) surveyed 350 application developers (27%) and senior security decision makers (73%) with oversight and visibility into application security programs and their associated business outcomes.

About Mend.io

Mend.io, formerly known as WhiteSource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development – using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks. With a proven track record of successfully meeting complex and large-scale application security needs, Mend.io is the go-to technology for the world’s most demanding development and security teams. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open source automated dependency update project. For more information, visit www.mend.io, the Mend.io blog, and Mend.io on LinkedIn and Twitter.

Meet The Author

Mend.io Communications

Mend.io offers an enterprise suite of application security tools designed to help leading organizations build and manage mature AppSec programs, enabling them to stop chasing vulnerabilities and start proactively managing application risk.