
Living on a knife edge - why securing your software development processes has to be at the top of your to-do list.

Every organisation today is trying to ramp up its digital delivery speed against a precarious background of exponentially escalating cyber threats. The implications of getting this balance wrong are severe – look at Equifax, T-Mobile etc. More software vulnerabilities are being found than ever before (a 38% increase in 2024 vs 2023 (1)), and attackers are moving faster to make exploits available for them, with the average time before an exploit becomes available dropping from 32 days to just 5 days between 2022 and 2023 (2).

Probing and scanning by attackers is largely automated and ubiquitous, looking for anyone with an internet presence who shows any trace of exploitable vulnerabilities – over 96% of organisations reported every one of their production applications being probed over 5,000 times per month in 2024, with 37% reporting a whopping 15,000 probes per month (3). You don’t escape because you’re low key – the bot farm scanning everything doesn’t care. You escape because there’s nothing there to find. This is now big business, with dedicated ‘access broker’ hacking groups hunting specifically for access into organisations and selling compromised entry points on the dark web for other criminal gangs to exploit, often through ransomware. Everyone understands the impact ransomware can have – just look at M&S losing £3.5m per day.

Whilst organisations are also moving faster to fix vulnerabilities when they emerge, it’s nothing like the same rate – on average it took 45 days to remediate the highest-severity vulnerabilities in 2024 (4), versus less than 5 days for attackers to develop and start sharing exploits. Despite this threat window widening all the time, organisations are still taking shortcuts in their security regimes, with 50% knowingly sacrificing security testing in the face of delivery pressures (5). And whilst fixing new vulnerabilities is a problem, remediating known, exploitable-in-the-wild vulnerabilities is equally problematic – a massive 55% of vulnerabilities with a CVSS* score >7.0 discovered in software in 2024 were between 1 and 4 years old (4).

But it’s not just the software you write – most applications pull in large numbers of open-source libraries and call third-party software at runtime, and many of these present an easy access point for attackers.

Auditing 1,000 applications in 2025, the OSSRA report found 86% of them using vulnerable open-source components, with 81% of the total containing critical or high vulnerabilities (7). Despite this, a huge 50% of organisations have either limited scanning or no scanning at all of open-source and third-party dependencies (8), despite a 1,300% increase in malicious open-source packages being discovered between 2020 and 2023 (9).

Trading off security for speed is the wrong model – it might achieve a short-term goal, but that’s irrelevant if you invite a breach that puts your business at risk. SAST, DAST, secret scanning, dependency scanning, IaC scanning, software composition analysis and the like aren’t the domain of the ‘leading edge’ any more – they’re table stakes in a threat-rich world.

And whilst this is undoubtedly true, many organisations lack the skills, know-how or expertise to build these checks seamlessly into their pipelines without impacting precious delivery speed.

Others are simply unaware of the risk they’re facing. If this is you (or you just don’t know whether this is you), get in touch for our free DevSecOps healthcheck and we’ll help you plot a course through all this complexity.

* CVSS = Common Vulnerability Scoring System, the technical standard for assessing the severity of vulnerabilities in computing systems. Scores range from 0-10, with 10 being the most severe. A CVSS of 7 or above is classed as ‘high severity’, whereas greater than 9 is ‘critical’.
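The two numbers that matter most above (median days to fix high-severity findings, and the share of high-severity findings that were publicly known for years before being found) are worth measuring on your own scanner output rather than taking from industry surveys. The script below is an added example, not code from the article or its author: it assumes a hypothetical JSON export with `id`, `cvss`, `published`, `found` and `fixed` fields (real scanners each have their own schema, so `load_findings()` is the part to adapt), uses the CVSS v3.x qualitative rating scale published by FIRST for the severity buckets, and runs on a small constructed sample with placeholder `VULN-nnnn` ids.

```python
"""Age and remediation metrics over a vulnerability scanner export.

Added example, not from the article. The export format is an assumption:
a JSON list of findings with id, cvss, published (public disclosure date),
found (date our scan first reported it) and fixed (date or null).
"""
from __future__ import annotations

import json
from datetime import date
from statistics import median

# Constructed sample export. Ids are placeholders, not real CVE numbers.
SAMPLE_EXPORT = json.dumps([
    {"id": "VULN-0001", "cvss": 9.8, "published": "2023-03-10", "found": "2025-05-01", "fixed": "2025-05-20"},
    {"id": "VULN-0002", "cvss": 7.5, "published": "2025-04-15", "found": "2025-05-01", "fixed": None},
    {"id": "VULN-0003", "cvss": 8.1, "published": "2021-01-20", "found": "2025-04-01", "fixed": "2025-05-30"},
    {"id": "VULN-0004", "cvss": 5.3, "published": "2022-06-01", "found": "2025-05-01", "fixed": None},
    {"id": "VULN-0005", "cvss": 7.2, "published": "2024-02-01", "found": "2025-05-28", "fixed": None},
    {"id": "VULN-0006", "cvss": 9.1, "published": "2022-09-05", "found": "2025-03-01", "fixed": "2025-04-15"},
])
AS_OF = date(2025, 6, 1)  # constructed "report date" for the sample


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (FIRST scale)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def load_findings(raw: str) -> list[dict]:
    """Parse the (assumed) export format; ISO dates become date objects, 'fixed' may be null."""
    findings = []
    for item in json.loads(raw):
        score = float(item["cvss"])
        findings.append({
            "id": item["id"],
            "cvss": score,
            "severity": cvss_severity(score),
            "published": date.fromisoformat(item["published"]),
            "found": date.fromisoformat(item["found"]),
            "fixed": date.fromisoformat(item["fixed"]) if item.get("fixed") else None,
        })
    return findings


def stale_high_share(findings: list[dict], as_of: date, min_years: int = 1, max_years: int = 4) -> float:
    """Fraction of findings scored >= 7.0 whose public disclosure is between min_years and max_years old.

    This is the article's "known for years, still present" measure applied to your own data.
    """
    high = [f for f in findings if f["cvss"] >= 7.0]
    if not high:
        return 0.0
    stale = [f for f in high
             if 365 * min_years <= (as_of - f["published"]).days <= 365 * max_years]
    return len(stale) / len(high)


def median_days_to_fix(findings: list[dict], min_cvss: float = 7.0) -> float | None:
    """Median days from detection to fix for remediated findings scored >= min_cvss."""
    days = [(f["fixed"] - f["found"]).days for f in findings
            if f["fixed"] is not None and f["cvss"] >= min_cvss]
    return median(days) if days else None


def open_beyond_window(findings: list[dict], as_of: date, window_days: int, min_cvss: float = 7.0) -> list[str]:
    """Ids of unfixed findings scored >= min_cvss that have been open longer than window_days."""
    return sorted(f["id"] for f in findings
                  if f["fixed"] is None and f["cvss"] >= min_cvss
                  and (as_of - f["found"]).days > window_days)


def main() -> None:
    findings = load_findings(SAMPLE_EXPORT)
    print(f"high/critical findings 1-4 years old: {stale_high_share(findings, AS_OF):.0%}")
    print(f"median days to fix (CVSS >= 7.0): {median_days_to_fix(findings)}")
    # A 5-day window mirrors the article's time-to-exploit figure; pick your own target.
    print(f"open > 5 days (CVSS >= 7.0): {open_beyond_window(findings, AS_OF, window_days=5)}")


if __name__ == "__main__":
    main()
```

On the sample, 3 of the 5 high-or-critical findings were disclosed between one and four years before the report date, the median fix time for remediated high-severity findings is 45 days, and one high-severity finding has been open longer than the 5-day window. The point of `open_beyond_window()` is that it is the metric to wire into a pipeline gate or dashboard: it turns the "attackers exploit in days, we fix in weeks" gap into a concrete list of items a team can act on.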


References:

(1) CVE.ICU

(2) Google Threat Intelligence: How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends

(3), (5) Contrast Security: State of DevSecOps report

(4) Edgescan: Vulnerability Statistics Report

(6) CyberMindr

(7) Black Duck: 2025 “Open Source Security and Risk Analysis” (OSSRA) report

(8) ActiveState: 2025 State of Vulnerability Management & Remediation Report

(9) ReversingLabs: Software Supply Chain Security Report 2025

(10) Sonatype: State of the Software Supply Chain 2023
