
Introduction
Web applications are the backbone of modern organizations, enabling digital transformation, customer engagement, and business operations. However, rapid development cycles, complex cloud environments, and increasingly sophisticated threats expose critical security gaps. Weak access controls, insufficient visibility, and delayed threat detection leave applications vulnerable to attacks, leading to data breaches, compliance failures, and operational disruptions.
Compounding the challenge, attackers now leverage AI, automated bots, and API vulnerabilities to exploit these weaknesses, underscoring the urgent need for more robust application security measures.
The 2025 Web Application Security Report is based on a comprehensive survey of over 600 IT and cybersecurity professionals. The survey explores organizations’ biggest challenges, strategies for responding to them, and the evolving role of automation, AI, and consolidated platforms to provide a nuanced understanding of the application security landscape.
Key findings from this report include:
• 60% struggle with application visibility – Blind spots in workloads, APIs, and cloud environments make it difficult for security teams to detect threats before they escalate.
• 58% cite API security as a major concern – API-driven services require robust anomaly detection, strong authentication, and real-time monitoring to prevent data theft.
• 49% rank DDoS as the top bot-driven attack – Advanced bots pose severe operational risks, as a prolonged outage can cost organizations thousands of dollars per minute of downtime. Yet 62% remain uncertain about their readiness to defend against human-like bot activity, underscoring a significant gap in organizational preparedness.
• 30% of organizations have experienced a breach tied to stolen credentials – Weak identity protections expose organizations to account takeover attacks such as credential stuffing, reinforcing the need for multi-factor authentication and strong access controls.
• 61% are using AI for threat detection – Organizations increasingly rely on AI-powered security tools to identify anomalies and respond to attacks more effectively. Many organizations report that AI-driven threat detection has improved speed and accuracy in identifying malicious activity.
• 43% plan to consolidate security tools – With rising complexity and tool sprawl, nearly half of organizations aim to streamline their security stack to improve efficiency and integration.
We extend our sincere gratitude to Fortinet for their valuable insights and contributions to this report. We hope the findings and recommendations presented in the report will provide actionable insights to help security teams strengthen their application security defenses, close security gaps, and protect applications from evolving threats. With the right tools—those capable of discovering and enhancing visibility of digital assets while employing sophisticated measures like machine learning and threat analytics—businesses are better equipped to safeguard applications and APIs against advanced threats.
We trust that our readers will find this report helpful in their journey towards improved application security and in navigating the complexities of modern digital landscapes with confidence.
Thank you,
Holger Schulze, Founder, Cybersecurity Insiders
Confidence in Application Security: A Mixed Picture
Confidence in an organization’s application security posture is a critical indicator of its readiness to defend against emerging threats.
The responses show that only 42% of respondents are confident in their application security measures. The majority, 58%, do not feel confident, marking a continued decline in confidence from last year (53%).
The increase in respondents reporting a lack of confidence could be driven by persistent uncertainty. This highlights ongoing challenges in addressing vulnerabilities, scaling protections, and navigating increasingly complex security landscapes.
Organizations that integrate advanced security tools and DevSecOps practices tend to report higher confidence, while those struggling with legacy systems and staffing shortages remain vulnerable. This variation in confidence underscores the disparity in maturity levels across organizations.
Shifting Concerns in Application Security
Protecting applications and the data they handle is critical as organizations increasingly rely on digital ecosystems to deliver value to customers while safeguarding sensitive assets.
Protecting data remains a top concern for 63% of respondents, a significant rise from 43% last year, highlighting growing awareness of data security amidst a surge in breaches and regulatory mandates. Securing cloud applications, now at 54%, has also gained prominence compared to last year’s 40%, reflecting the increasing reliance on cloud infrastructure and the growing sophistication of cloud-native threats. Threat and breach detection, consistently critical, is cited by 50%, holding steady as organizations prioritize rapid threat identification and response capabilities. Notably, while regulatory and compliance concerns remain significant at 46%, effective vulnerability management at 34% underscores ongoing struggles with prioritizing risks as application environments grow more complex.
The rising focus on cloud applications illustrates a broader shift toward securing cloud-native architectures. For instance, an organization migrating legacy workloads to the cloud might grapple with challenges like securing APIs and monitoring dynamic environments. This trend underscores the importance of advanced threat detection and the ability to adapt to increasingly decentralized and cloud-driven infrastructures.
Overcoming Challenges in Securing Cloud Applications
As organizations span their applications across hybrid and multi-cloud environments, they encounter a range of security challenges that must be addressed to protect sensitive data and maintain operational integrity.
The survey reveals that misconfigurations of cloud infrastructure are the most significant application security challenge, cited by 63% of respondents. This aligns with findings from last year’s report, emphasizing the critical nature of proper configuration management in preventing security breaches. Limited visibility into workloads follows closely, with 60% of participants highlighting this issue, underscoring the necessity for comprehensive monitoring tools to oversee dynamic cloud environments. Securing APIs concerns 58% of respondents, reflecting the growing reliance on interconnected services and the need to safeguard these communication channels.
Compliance complexities (51%) and lack of staff expertise (45%) further illustrate the multifaceted difficulties organizations face in maintaining robust cloud security postures.
These challenges manifest in various ways. For instance, a company might experience a data breach due to a misconfigured Microsoft Azure storage bucket, exposing sensitive customer information. Similarly, limited visibility into cloud workloads can hinder the rapid detection and mitigation of malicious activities, allowing threats to persist undetected.