New Kusari Research Finds Security Teams Stuck in Reactive AppSec as Software Supply Chain Accountability Tightens

The "Application Security in Practice" report highlights critical gaps in transitive dependency visibility, developer workflow integration, and security ownership that prevent organizations from scaling AppSec and software supply chain security.

February 18, 2026 11:56 AM EDT (EZ Newswire)
Source: Kusari (EZ Newswire)

Kusari, a leading innovator in software supply chain security and SBOM management, today released "Application Security in Practice," a new research report based on a survey of software developers and security professionals. The report examines how organizations manage application security and software supply chain risk as regulatory pressure increases, AI-driven development expands, and dependency complexity grows.

The findings reveal a widening gap between how software is built and how security is enforced. As compliance frameworks tighten, most teams remain trapped in reactive security models that surface risk too late and fail to integrate into developer workflows.

"Most teams are not failing because they lack effort or tools," said Tim Miller, co-founder and CEO of Kusari. "They are failing because visibility, ownership, and integration have not kept pace with modern software development. Organizations that succeed treat security as a continuous, workflow-native capability rather than a periodic compliance exercise."

Key Findings

  • Transitive dependency blind spots persist. Only 28% of respondents have strong visibility into transitive dependencies, leaving organizations exposed to hidden risk from inherited code.
  • Legacy systems drive the most exposure. 59% cite legacy systems as their top software supply chain risk, rising to 84% in healthcare.
  • Reactive security consumes developer time. Nearly half spend five or more hours weekly on security incidents, pulling capacity from development.
  • Frequent checks reduce vulnerabilities. Teams assessing security on every pull request report 40% fewer monthly vulnerabilities than those checking only at release.
  • AI adoption outpaces AI security trust. 85% use AI coding assistants, but just 9% consider AI-driven security analysis essential.
  • Tooling integration remains a barrier. 38% cite difficulty integrating security tools into developer workflows.
  • Fragmented ownership weakens accountability. Split ownership between security and development teams creates longer review cycles and higher risk.

High-performing teams consolidate tools, embed security checks into CI/CD pipelines, and adopt shared ownership models. The full report is available at www.kusari.dev/report.

About Kusari

Kusari delivers end-to-end software supply chain security, helping organizations understand and secure what they build. Founded by cybersecurity experts with deep experience in regulated industries, Kusari delivers actionable insights that help teams build secure software without friction. Powered by comprehensive SBOM analysis, Kusari provides a unified, highly accurate view of direct and transitive dependencies, vulnerabilities, and license risks across open source, AI-generated, and third-party code, enabling teams to pinpoint issues, prioritize fixes, and stay compliant, all with automated, developer-friendly workflows. Backed by J2 Ventures, Glasswing Ventures, and Unusual Ventures, Kusari is active in the open source security ecosystem, including several CNCF and OpenSSF initiatives. For more information, visit www.kusari.dev.

Media Contact

Jennifer Pospishek
pr_hotline@kusari.dev
+1 408-839-2054
