By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
World of SoftwareWorld of SoftwareWorld of Software
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Search
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
Reading: New Research Reveals: 95% of AppSec Fixes Don’t Reduce Risk
Share
Sign In
Notification Show More
Font ResizerAa
World of SoftwareWorld of Software
Font ResizerAa
  • Software
  • Mobile
  • Computing
  • Gadget
  • Gaming
  • Videos
Search
  • News
  • Software
  • Mobile
  • Computing
  • Gaming
  • Videos
  • More
    • Gadget
    • Web Stories
    • Trending
    • Press Release
Have an existing account? Sign In
Follow US
  • Privacy
  • Terms
  • Advertise
  • Contact
Copyright © All Rights Reserved. World of Software.
World of Software > Computing > New Research Reveals: 95% of AppSec Fixes Don’t Reduce Risk
Computing

New Research Reveals: 95% of AppSec Fixes Don’t Reduce Risk

News Room
Last updated: 2025/05/01 at 6:40 AM
News Room Published 1 May 2025
Share
SHARE

For over a decade, application security teams have faced a brutal irony: the more advanced the detection tools became, the less useful their results proved to be. As alerts from static analysis tools, scanners, and CVE databases surged, the promise of better security grew more distant. In its place, a new reality took hold—one defined by alert fatigue and overwhelmed teams.

According to OX Security’s 2025 Application Security Benchmark Report, a staggering 95–98% of AppSec alerts do not require action – and may, in fact, be harming organizations more than helping.

Our research, spanning over 101 million security findings across 178 organizations, shines a spotlight on a fundamental inefficiency in modern AppSec operations. Of nearly 570,000 average alerts per organization, just 202 represented true, critical issues.

It’s a startling conclusion that’s hard to ignore: security teams are chasing shadows, wasting time, burning through budgets, and straining relations with developers over vulnerabilities that pose no real threat. The worst part of it – is that security gets in the way of actual innovation. As Chris Hughes puts it in Resilient Cyber: “We do all this while masquerading as business enablers, actively burying our peers in toil, delaying development velocity, and ultimately impeding business outcomes.

How We Got Here: Mountains of Issues, Zero Context

Back in 2015, the application security challenge was simpler. That year, just 6,494 CVEs were publicly disclosed. Detection was king. Tools were measured by how many issues they found – not whether they mattered.

Fast forward to 2025: Applications went cloud-native, development cycles accelerated, and attack surfaces ballooned. In just the past year, over 40,000 new CVEs were published, bringing the global total to over 200,000. Yet, despite these major changes, many AppSec tools have failed to evolve: they’ve doubled down on detection, flooding dashboards with unfiltered, context-free alerts.

OX’s benchmark confirms what practitioners have long suspected:

  • 32% of reported issues have a low probability of exploitation
  • 25% have no known public exploit
  • 25% stem from unused or development-only dependencies

This flood of irrelevant findings doesn’t just slow security down – it actively impairs it.

While most alerts can be disregarded, it is essential to accurately identify the 2-5% that require immediate attention. The report shows these rare alerts usually involve KEV issues, secrets management problems, and in some cases, posture management issues.

The Need for A Holistic Prioritization Approach

To combat this doom-spiral, organizations must adopt a more sophisticated approach to application security, based on evidence-driven prioritization. This requires a shift from generic alert handling to a comprehensive model that covers code from design stages to runtime, and includes multiple elements:

  1. Reachability: Is the vulnerable code used, and is it reachable?
  2. Exploitability: Are the conditions for exploitation present in this environment?
  3. Business Impact: Would a breach here cause real damage?
  4. Cloud-to-Code Mapping: Where in the SDLC did this issue originate?

By implementing such a framework, organizations can effectively filter out the noise and focus their efforts on the small percentage of alerts that pose a genuine threat. This improves security effectiveness, frees up valuable resources, and enables more confident development practices.

OX Security is addressing this challenge with Code Projection, an evidence-based security technology that maps cloud and runtime elements back to code origin, enabling contextual understanding and dynamic risk prioritization.

Real-World Impact

The data tells a powerful story: By using evidence-based prioritization, the alarming average of 569,354 total alerts per organization can be reduced to 11,836, of which only 202 require immediate action.

Industry benchmarks reveal several key insights:

  • Consistent Noise Thresholds: Baseline noise levels remain remarkably similar across different environments, whether enterprise or commercial, regardless of industry.
  • Enterprise Security Complexity: Enterprise environments face significantly greater challenges due to their broader tool ecosystem, larger application footprint, higher volume of security events, more frequent incidents, and elevated overall risk exposure.
  • Financial Sector Vulnerability: Financial institutions experience distinctively higher alert volumes. Their processing of financial transactions and sensitive data makes them high-value targets. As the Verizon Data Breach Investigations Report indicates, 95% of attackers are motivated primarily by financial gain rather than espionage or other reasons. Financial institutions’ proximity to monetary assets creates direct profit opportunities for attackers.

The findings have far-reaching implications. If less than 95% of application security fixes are critical to the organization, then all organizations invest enormous resources in triage, programming, and cybersecurity hours in vain. This waste extends to payments for bug-bounty programs, where white-hat hackers find vulnerabilities to fix, as well as the costs of complicated fixes for vulnerabilities that were not discovered early and reached production. The final significant cost is the tension created within organizations between development teams and security teams, who demand fixes for vulnerabilities that aren’t relevant.

Detection failed, Prioritization is the Way Forward

As organizations face a projected 50,000 new vulnerabilities in 2025 alone, the stakes for effective security triage have never been higher. The old model of “detect everything, fix later” is not just outdated – it’s dangerous.

OX Security’s Report makes a compelling case: The future of application security lies not in addressing every possible vulnerability but in intelligently identifying and focusing on the issues that pose real risk.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Sign Up For Daily Newsletter

Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
Share This Article
Facebook Twitter Email Print
Share
What do you think?
Love0
Sad0
Happy0
Sleepy0
Angry0
Dead0
Wink0
Previous Article Asus Vivobook Go 15 Review: This Bargain Laptop Is No Big Deal
Next Article Age assurance has become a non-negotiable – UKTN
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected

248.1k Like
69.1k Follow
134k Pin
54.3k Follow

Latest News

Transforming Audio Product Verification: Aparna Mohan’s Framework Revolution | HackerNoon
Computing
Take Control of Your Privacy: Get 55% Off Incogni with Code IPHONELIFE
News
Regulators urged to speed up tech trials with £5.5m funding pot – UKTN
News
Kesha Wants to ‘Smash’ the Music Industry With a New LinkedIn-Style App
Gadget

You Might also Like

Computing

Transforming Audio Product Verification: Aparna Mohan’s Framework Revolution | HackerNoon

5 Min Read
Computing

Bitcoin’s Quiet Rally: The Real Reasons Behind its Record Push | HackerNoon

5 Min Read
Computing

How to Run a Productive Consulting Meeting: Agenda, Tools & Tips

26 Min Read
Computing

Noise, Numbers, and the New Normal for U.S. Census Data | HackerNoon

6 Min Read
//

World of Software is your one-stop website for the latest tech news and updates, follow us now to get the news that matters to you.

Quick Link

  • Privacy Policy
  • Terms of use
  • Advertise
  • Contact

Topics

  • Computing
  • Software
  • Press Release
  • Trending

Sign Up for Our Newsletter

Subscribe to our newsletter to get our newest articles instantly!

World of SoftwareWorld of Software
Follow US
Copyright © All Rights Reserved. World of Software.
Welcome Back!

Sign in to your account

Lost your password?