New survey results shed light on the state of AppSec in 2025.
We recently partnered with Gatepoint Research to survey 100 security leaders across finance, technology, healthcare, and manufacturing to understand their application security pains and priorities in 2025. The results highlight that the scale of modern software development, the rise of generative AI, and the urgent need for automation are rewriting the rules of Application Security Posture Management (ASPM).
The scale challenge
For many organizations, the size of their development footprint is staggering:
- 77% have more than 100 in-house developers building externally facing applications.
- 57% manage over 50 such applications every year, and 21% manage more than 500.
This level of scale isn’t just a capacity issue; it’s a visibility and control problem. The bigger the portfolio, the harder it becomes to maintain consistent security guardrails, remediate issues quickly, and prevent risk from compounding.
Security priorities are shifting
When asked about their top application security priorities for the next 12 months, security leaders zeroed in on three areas:
- Reducing vulnerabilities in production (46%)
- Improving remediation efficiency and automation (42%)
- Ensuring generative AI is used securely in development (39%)
The emphasis on AI isn’t surprising; it’s rapidly moving from experimental to mainstream in development pipelines, and with it comes both productivity gains and new classes of vulnerabilities. It also introduces new visibility challenges as security teams attempt to discover where and how developers are using GenAI. In another recent Legit Security survey of security professionals, specifically around GenAI use and security, 95% of respondents felt there should be better methods in place to manage GenAI in development environments.
Persistent challenges
The most common pain points identified in the survey:
- Inefficient vulnerability management (32%)
- Secure GenAI usage (30%)
- Unprioritized vulnerabilities (26%)
- Secrets proliferation (22%)
These aren’t isolated issues — they’re symptoms of a broader problem: too much noise, too little actionable insight, and not enough automation to close the gap.
These stats align with the conversations we have with security teams, who all share struggles with too many findings from too many tools and no way to quickly identify where the real risk lies.
With different tools scanning code in different ways across the development lifecycle, most AppSec scanners generate a lot of results without a lot of context. Security teams often hand developers every critical vulnerability to fix, but that can mean thousands of findings, not all of which necessarily impact the business or reduce the risk to the environment. In the end, most security teams have more things to do than people and time to do them.
Secrets proliferation is another significant challenge. It is one of the most common risks we unearth when we first partner with a company. In fact, our platform data last year revealed that 100% of organizations had high or critical exposed secrets in at least one repo. 53% had exposed secrets in public assets.
Secrets exposure is large, growing, and exploitable, and it is also a very hard problem to solve. Most secrets scanners look for secrets in source code, but secrets are emerging well beyond source code, such as in ticketing and ITSM systems, artifact registries, shared workspaces such as Confluence, Jira, and Slack, or your developers’ personal GitHub accounts. In addition, most secrets scanners today return an overwhelming number of false positives, making remediation challenging, if not impossible.
These struggles led to the recent development of Legit Context, Legit Root Cause Remediation, and the 2.0 version of our Secrets Detection and Prevention – all of which are saving our enterprise customers significant time and money.
What the market wants
It’s not surprising, therefore, that when evaluating ASPM solutions, leaders prioritize:
- Complete visibility of the application attack surface (31%)
- Vulnerability deduplication, correlation, and prioritization (27%)
- Seamless integration with existing DevOps workflows (22%)
Ease of integration (66%), cost (56%), and accuracy in prioritization (50%) are the top decision drivers.
The path forward
The survey’s most telling finding may not be in the numbers themselves but in what they imply:
Application security is moving from a reactive to a proactive discipline.
Security leaders are recognizing that they need AppSec solutions that move beyond simply finding security issues, and that can keep up with the pace of software development today. They are looking to embed prevention, guardrails, and visibility into the fabric of the SDLC. That means:
- Leveraging automation for vulnerability triage and remediation.
- Gaining context on AI-generated code usage.
- Centralizing oversight across code, cloud, and supply chain.
Get full survey results and analysis in the Survey Report: Application Security Posture Management Strategies.