Application security – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations
Feed last updated: Tue, 17 Jun 2025 23:18:18 +0000

2025 Cyber Survey: Application security at a breaking point – commissioned by Radware
https://ostermanresearch.com/portfolio/radware-application-security-2025/
Tue, 17 Jun 2025 23:00:00 +0000

Commissioned by Radware

Published June 2025

Executive summary

The rising menace of AI weaponized by threat actors has stormed onto the scene, dampening confidence in application security protections and threatening a renewed onslaught of attacks against applications. Indispensable application design constructs developed internally and across the supply chain remain ill-protected, even as usage relentlessly increases and threats multiply. Visibility into threats and security weaknesses is too low, and many organizations lack sufficient protections against new AI threats and business logic attacks, among others.

Key takeaways:

  • AI-powered cyberthreats spark high concern, rapid response
  • Applications are under attack from all directions
  • New attacks against APIs exploit logic vulnerabilities
  • Use of third-party service APIs is widespread, but not fully understood
  • Application DDoS attacks are disruptive and costly

CISO and CIO Investment Priorities for Cybersecurity in 2025 – multi-client white paper
https://ostermanresearch.com/portfolio/orwp_0366-cybersecurity-investment-priorities-2025/
Mon, 03 Mar 2025 18:00:00 +0000

Sponsored by BIO-key International, OpenText, and Salt Security

Published March 2025

Executive summary

CISOs and CIOs are prioritizing cloud infrastructure security, internal cybersecurity talent, and the ethical control of data in 2025. The threat environment continues to change, with AI-driven cyberthreats escalating the potential damages on the offensive side in parallel with tightening cybersecurity insurance requirements forcing a recalibration of the defensive side.

More organizations are experiencing a higher number of cybersecurity incidents each year, which drives the need to re-assess the efficacy of current posture against the organization’s desired standard of performance. Having done so, the CISOs and CIOs in this research are investing in protections to shore up the critical areas above. In addition to the overall prioritization of cybersecurity areas, we offer a more nuanced analysis of CISO and CIO priorities within the areas of applications, cloud platforms and services, identities, and data.

Application Security in a Multi-Cloud World 2023 – commissioned by Radware
https://ostermanresearch.com/portfolio/radware-multi-cloud-2023/
Thu, 16 Nov 2023 23:00:00 +0000

Commissioned by Radware

Published November 2023

Executive summary

The “great cloud migration” is looking different from how it was originally touted, with few organizations hosting all their applications exclusively on public cloud platforms. Almost all operate a hybrid infrastructure mixing public cloud, private cloud, and on-premises environments. While that mix continues to change and morph—a dynamic that raises security concerns in itself—security threats against applications are increasing in frequency and severity. Compounding these threats are alarmingly low organizational preparedness for multi-cloud security, poor visibility into the security weaknesses of organizations' own APIs (as well as third-party APIs and code), and insufficient protections against application DDoS attacks.

Application Security in a Multi-Cloud World 2022 – commissioned by Radware
https://ostermanresearch.com/portfolio/radware-multi-cloud-application-security/
Thu, 22 Sep 2022 00:00:00 +0000

Commissioned by Radware

Published September 2022

Executive summary

Organizations are no longer moving to the cloud; they are already there. The research shows that only a negligible percentage of organizations, less than 0.5%, do not deploy applications in the public cloud at all. However, organizations are increasingly shifting into the next iteration of the cloud movement: the multi-cloud. The research shows that 95% of the organizations use at least two types of infrastructure, and nearly half of the organizations deploy applications on four or more different platforms. As a result, deploying applications across multi-cloud and hybrid cloud environments has become the new normal.

The growing number and diversity of environments for hosting applications raises the bar on what is required from security tools, with consistency in security policy and cross-environment visibility as key requirements. Many organizations are struggling to achieve high-quality protection and centralized, cross-cloud visibility, and 69% of organizations can trace data breaches or data exposures to inconsistent application security configurations across the different public cloud platforms that they currently use. Trust in native public cloud security capabilities is declining, and more than half of organizations cannot trust their security staff to configure and maintain a strong application security posture across the public cloud platforms that they currently use for hosting applications.

The State of Mobile App Security 2022 – commissioned by Approov
https://ostermanresearch.com/portfolio/approov-mobile-security-2022/
Fri, 15 Jul 2022 00:00:00 +0000

Published July 2022

Commissioned by Approov

Executive summary

Mobile apps have become key tools for businesses to serve customers, earn revenue, and enable remote work by employees. Over the last two years, mobile apps have become critical to success for the majority of businesses.

In this report, we present the findings of a survey into the state of mobile app security in 2022, encompassing survey respondents from across the United States and the United Kingdom. The survey and white paper were commissioned by Approov.

Key takeaways:

  • Three out of four respondents report that mobile apps are now “essential” or “absolutely core” to their success.
  • Secure development practices are essential but offer only partial protection: They do not eliminate the threat of runtime attacks against mobile apps and APIs.
  • Run-time attacks against APIs that render mobile apps non-functional prove costly to 75 percent of organizations: Attacks include data theft and service interruption via API abuse, fake account creation, and credit fraud, among others.
  • Most lack visibility into runtime threats against mobile apps and APIs: Sixty percent of organizations report that they do not have visibility to runtime threats against mobile apps and APIs.
  • Reducing threats resulting from hardcoded API keys is a priority.
  • Accelerating time-to-market for new features is prioritized over security.

Why Zero Trust is Important – multi-client white paper
https://ostermanresearch.com/portfolio/orwp_0348-zerotrust2021/
Tue, 09 Nov 2021 23:00:00 +0000

Sponsored by Archive360, BIO-key International, Progress MOVEit, SonicWall, and Symmetry Systems

Published November 2021

Executive summary

Zero trust offers a modern approach for security to meet modern work designs and tackle the cybersecurity challenges facing organizations. The rise in remote work, the relentless waves of ransomware and other cybersecurity attacks, and the need to redress fundamental weaknesses in perimeter-based security have coalesced to drive interest and uptake in zero trust architectures. Zero trust was first touted in 2004, and organizations are now progressing with zero trust designs to increase the efficacy of cybersecurity protections and build a stronger foundation to address the new challenges of hybrid work, data protection, and security. Organizations view strengthening identity and access management as the key design modification for zero trust initiatives, and confidential files as the most important data source to protect. Most organizations expect to be fully deployed with a zero trust architecture within two years.

This white paper reports on how organizations are deploying and planning to deploy a zero trust architecture. It offers direction to decision-makers and influencers on best practices and solutions to support the move to zero trust.

Shadow Code: The Hidden Risk to Your Website – commissioned by PerimeterX
https://ostermanresearch.com/portfolio/perimeterix-shadow-code-2021/
Wed, 22 Sep 2021 00:00:00 +0000

Commissioned by PerimeterX

Published September 2021

Executive summary

More than 99% of websites use third-party scripts, but only one in three can detect potential problems that could lead to digital skimming and Magecart attacks.

Osterman Research conducted a large survey to uncover the extent and impact of third-party scripts and open-source libraries that are used in web applications in organizations across industries. These scripts and libraries—often added without approvals or security validation—can introduce hidden risks into the organization and make it challenging to ensure data privacy and comply with various privacy regulations. Collectively referred to as “Shadow Code,” these scripts and libraries are used for tasks like ad tracking, payments, customer reviews, chatbots, tag management, social media integration, or other helper libraries that simplify common functions. The goal of this survey was to understand the hidden risks that organizations face from the unmanaged use of Shadow Code.

This is the third annual survey conducted by Osterman Research for PerimeterX on the use of Shadow Code in web applications.

Uncovering the Presence of Vulnerable Open-Source Components in Commercial Software – commissioned by GrammaTech
https://ostermanresearch.com/portfolio/grammatech-open-source-vulnerable/
Tue, 10 Aug 2021 00:00:00 +0000

Commissioned by GrammaTech

Published August 2021

Executive summary

Commercial off-the-shelf software often includes open-source software components, but vendors frequently do not disclose details of the presence of such components. Many open-source components contain a range of known vulnerabilities that can be exploited as avenues for cyberattack. This lack of awareness of the open-source components used in commercial off-the-shelf software increases an organization’s security risk, attack surface, and potential for compromise by cybercriminals.

In this white paper, we present the findings of an investigation into the use of open-source components in commercial off-the-shelf software—many of which have a list of known vulnerabilities—across five common software categories. The base data was generated by GrammaTech using its CodeSentry software supply chain security product. CodeSentry uses multiple methods of identifying open-source components used in commercial off-the-shelf software that is delivered in binary form. CodeSentry does not need access to the vendor’s source code to complete its analysis of included open-source components.
