AppSec Budgets Lag Amid $9.48M Breach Costs

GOLDEN, Colo., July 29, 2025 /PRNewswire/ -- Cypress Data Defense, a leading provider of application security and network security solutions, in partnership with TechStudio, today released the 2025 State of Application Security Report, revealing a growing crisis in software security. The findings reveal a concerning trend: 62% of organizations knowingly release insecure code to meet delivery deadlines. As cyber threats intensify, security teams face burnout, resource constraints, and a troubling misalignment between application security (AppSec) investment and actual risk.

The survey, conducted in collaboration with TechStudio, gathered insights from 250 senior IT and security leaders across North America. The findings underscore a widening gap between AppSec funding and the escalating cost of breaches—which now average $9.48 million per incident in the U.S. Despite this, nearly 90% of organizations allocate just 11–20% of their security budgets to application security.

"False positives, talent shortages, and late-stage vulnerability detection are creating a perfect storm for application security teams," said Aaron Cure, Co-Founder and Director of Cyber Security at Cypress Data Defense. "Organizations urgently need proactive AppSec strategies and managed services to keep pace with modern threats."

Key Findings:

Security Delays Threaten Software Releases

• 60% say security issues are more likely to delay product launches than feature bugs
• Only 36% involve security at the planning stage; 57% wait until just before deployment

Security Teams Under Intense Pressure

• 62% admit to pushing insecure code to production under deadline pressure
• 58% report frequent false positives from security scanners; 11% say it happens constantly
• 51% of teams have fully addressed OWASP Top 10 threats—leaving nearly half exposed to foundational risks

AppSec Budgets Misaligned with Rising Risk

• Application-layer attacks account for 43% of breaches
• 36% of companies spend more on network security than AppSec
• Nearly 90% allocate only 11–20% of their security budgets to application security
• Just 1% invest more than 20% of their total security budget into AppSec

Outsourcing Emerges as a Key Trend

• 83% are considering outsourcing AppSec functions
• 8 in 10 AppSec professionals are open to outside help due to limited staffing, talent shortages, and constant development cycles

The report reveals a broader crisis of capacity and morale. Burnout is rampant, and 62% of security professionals fear being fired following a breach. 17% believe termination is likely.

"Automated scanners generate alerts—but real security comes from expert validation and prioritization," said Steve Kosten, Co-Founder and Director of Application Security at Cypress Data Defense. "Our State of Application Security report shows why managed AppSec services are becoming essential for modern development teams."

Cypress's hybrid AppSec model—including its EASy managed service—helps teams shift security left without slowing development. Its expert-led services include secure code reviews, validation, and scalable remediation support.

For full survey results and analysis, download the 2025 State of Application Security Report at: www.cypressdefense.com

About Cypress Data Defense
Cypress Data Defense helps organizations secure applications across the software development lifecycle. With expertise in vulnerability management, secure code review, and managed AppSec services, Cypress enables development teams to shift security left and deliver secure software faster. Learn more at www.cypressdefense.com.

Media Contact:
Alexandra Pony
250.858.0656
398748@email4pr.com

View original content to download multimedia:https://www.prnewswire.com/news-releases/62-of-companies-admit-to-shipping-insecure-code-cypress-data-defense-unveils-2025-state-of-application-security-report-302515549.html

SOURCE Cypress Data Defense