https://cypressdefense.com/resources/state-of-application-security-report

A new report from Cypress Data Defense has revealed a troubling state of application security, with 62% of organisations knowingly deploying vulnerable code to production environments to meet delivery deadlines. The 2025 State of Application Security report, based on insights from 250 senior IT and security leaders across North America, exposes a widening crisis where security teams are overwhelmed by burnout, resource shortages, and a critical misalignment between cybersecurity budgets and actual risk exposure in software development.

The research highlights a dangerous disconnect between security investment and threat reality, with nearly 90% of organisations allocating only 11-20% of their security budgets to application security despite application layer attacks accounting for 43% of data breaches. This budget misalignment becomes more concerning when considering that 36% of companies spend more on network security than application security, while the average cost of a U.S. data breach has soared to $9.48 million. The report also reveals that 60% of respondents believe security issues are more likely to delay product launches than feature bugs, yet only 36% involve security teams at the planning stage, with 57% waiting until just before deployment to address security concerns.

The crisis extends beyond budget allocation to fundamental workforce challenges that are compromising security effectiveness across the industry. Security teams are experiencing intense pressure, with 58% reporting frequent false positives from security scanners and 11% saying they occur constantly, contributing to decision fatigue and reduced threat detection accuracy. Perhaps most alarming, 62% of security professionals worry they will be fired if a breach occurs, with nearly one in five believing termination is likely, creating a culture of fear that may discourage transparent reporting of security issues. In response to these mounting challenges, 83% of organisations are considering outsourcing application security functions, with eight in ten professionals expressing openness to external assistance due to limited staffing and relentless development cycles.