Despite the proliferation of application security testing (AST) tools in use today, most organizations knowingly or unknowingly push vulnerable code to production. Nearly 70% of respondents in a recent survey reported using 11 or more AST tools on more than half their codebase, and 69% of them rated the effectiveness of their security program as an 8 or higher on a scale of 1 to 10. And yet nearly 80% of the same organizations admitted to pushing code with known vulnerabilities to production at least occasionally (with nearly 50% admitting to doing it regularly).

It’s no secret that software complexity and development speed are the main culprits here. Security teams simply can’t keep up. Manual security testing is incredibly complicated, and managing the remediation cycles for every vulnerability those tests uncover multiplies the task. At the same time, malicious hackers are constantly homing in on vulnerabilities in live web applications. According to Forrester, applications are the most common attack vector, and web application exploits are the third-most-common type of attack.

Ideally, organizations would have an ever-increasing number of full-time security professionals whose only job is orchestrating scans and remediating vulnerabilities. But even if that were fiscally possible, the people qualified for that job are few and far between, and they are always overloaded.

So what’s an organization to do when the need to produce more applications more quickly collides with the need to secure them?