New research shows security tooling is at a tipping point

Brendon Macaraeg

Senior Director of Product Marketing, Fastly

As consumers have grown more internet savvy, their expectations have evolved in step, and the digital transformation that COVID-19 ushered in further accelerated the demand for secure, performant online experiences. Companies are answering in a big way, innovating how and what they build to better meet consumer expectations. But the security offerings that protect these new digital experiences haven’t kept pace, and we’re not the only ones who see it.

In partnership with Enterprise Strategy Group (ESG) Research, we released a new report today that reveals some fascinating insights into the challenges organizations face securing their web apps and APIs. In short: tooling fatigue and false positives are impeding companies’ ability to maintain adequate security across new and existing application architectures, a problem compounded by the fact that half of all respondents report plans to shift to API-centric applications over the next two years.

Validation for your experience

This might not feel like news to some of you; we hear from engineering and security professionals all the time about how frustrated they are with traditional security tools. For anyone feeling the pain points that arise with a patchwork of traditional tools, this research validates that yes, security is getting harder, and no, you’re not alone.

The report, “Reaching the Tipping Point of Web Application and API Security,” is the result of a global survey we conducted with ESG Research that collected input from engineering, security, IT, and DevOps leaders across 500 organizations in North America, Europe, and Asia-Pacific and Japan. The report reveals an urgent need for modern security solutions amid the rapid transition to API- and cloud-centric applications. Here are a few of the key takeaways: 

  • On average, respondents say they use 11 web application and API security tools and spend close to $3 million annually. Security is becoming more complex and costly as companies continue to protect traditional architectures, while adding new architectures and cloud environments.

  • Traditional security tools are ineffective and impede business growth. They block harmless business traffic, waste money and resources, and cause 91% of respondents to run tools in log or monitoring mode, or to shut them off entirely.

  • Nearly half of all security alerts are false positives. The majority of respondents spend as much or more time on false positives as they do on actual attacks, suggesting current security tools are causing more problems than they solve. 

  • More than half of respondents say most or all of their applications will use APIs in the next two years. Respondents said web application and API security is more difficult today than it was two years ago, in part because of shifts to public cloud and API-centric applications without a modern security solution to support those innovations.

A path forward

With these kinds of revelations, it’s no surprise that companies say they’re ready for a new way of doing things. In fact, 93% of respondents say they are interested in or planning to deploy a consolidated web application and API security solution to improve security efficacy, provide consistent protection across disparate application architectures and environments, and reduce costs.

In coming blog posts, we’ll dig into how and why the market got to this point (hint: outdated offerings, false positives, and decentralized security functions), and where we go from here, including steps any company can take to move toward a more consolidated security function.

In the meantime, download the report, and check out the findings for yourself.