Back to blog

Follow and Subscribe

IDC Study Reveals 3X Gains from Modern AppSec Programs

Natalie Griffeth

Senior Content Marketing Manager

SecurityIndustry insightsDevOps

Organizations with modern AppSec Programs are 3X as likely to yield better developer productivity, user experience, and application availability outcomes, and almost 2X less likely to experience a data breach.

This week, IDC released a new paper From Code to Production: How Modern AppSec Programs Yield 3X Better Business Outcomes, sponsored by Fastly. The research takes a deep look at what defines a modern application security (AppSec) program and the impact AppSec maturity has on business performance. The findings are clear: organizations with modern AppSec programs are nearly four times more likely to achieve better outcomes in developer productivity, user experience, and application availability – and are almost twice as likely to avoid a data breach.

This new study gives security and technology leaders a benchmark to understand how their own programs compare, and importantly, what steps they can take to move toward a truly modern AppSec function.

Inside the IDC AppSec Benchmark Study 

The research evaluated application security programs across industry verticals, regions, revenue, and organizational size for key capability markers and essential practices associated with modern AppSec programs.

Nearly 1,000 global security and technology leaders across 9 countries and 10 industries participated. Respondents were grouped into four maturity categories using a forced distribution method to create a standard bell curve:

  • Emerging

  • Evolving

  • Established

  • Exceptional

The four categories were assessed not only for their security practices, tooling, and activities, but also for their security and business outcomes. Readers can use the report as a data-driven tool to assess and mature their organization's software security programs relative to their peers.

The study provides insight into:

  • What ‘exceptional’ application security programs look like

  • Positive outcomes associated with modern AppSec (and how to achieve them) 

  • Actionable insights for improving your AppSec program, across numerous key activities

Key Findings: Modern AppSec Correlates to Better Business Outcomes

Once respondents were sorted into their maturity categories, one theme became impossible to ignore: the more modern the AppSec program, the better the business outcome.

Organizations in the Exceptional category saw:

  • Improved Developer Productivity: Exceptional organizations are nearly four times (356%) more likely to achieve a 20% or greater improvement in developer productivity compared to those in the Emerging category

  • Better User Experience: Exceptional programs are nearly four times (367%) more likely than Emerging programs to reduce negative user experiences by more than 20%

  • Increased Application Availability: Exceptional organizations are nearly four times (364%) more likely to report a 20% or greater improvement in application availability compared to Emerging peers

  • Fewer Data Breaches: Exceptional programs are almost twice (190%) as likely to avoid a data breach as Emerging programs

Across all measures, modern AppSec is tightly linked to stronger performance, not only from a security perspective, but from the standpoint of customer experience and engineering efficiency.

The Benchmark: A Practical Tool for AppSec Leaders

Beyond assessing the benefits of a modern AppSec program, the report also provides a benchmark that organizations can use to evaluate their current level of maturity and map out next steps. The four maturity categories, Emerging, Evolving, Established, and Exceptional, act as a guide for understanding where the program stands today.

Organizations can use the benchmark to:

  • Assess their maturity level. Orgs can compare security needs and capabilities against other software security programs.

  • Understand security program strengths and weaknesses. Orgs can identify their starting point to determine what to prioritize as efforts are made to evolve software security programs.

  • Take action. Actionable guidance and insights into peers’ activity help readers identify immediate steps they can take

What does ‘Exceptional’ Look Like? 

The most modern or mature ranking in the report, ‘Exceptional’, represents AppSec programs that are continuous, adaptive, and deeply integrated into how organizations build and ship software. Security is part of organizational DNA - automated, intelligent, and developer-driven. Culture, tooling, and governance work in concert to anticipate and mitigate risk at scale. 

Notable Insights from Exceptional Programs

We found many expected activities across exceptional programs - think strong security advocacy and training, structured checkpoints, secure-by-design decisions, and a strategic suite of modern AppSec tools. We also found some interesting stats worth highlighting:

  • A strong shift toward integrated platforms: Exceptional programs primarily or completely (81%) address application security needs via integrated, multi-function security platforms. The need for a ‘platform’ play has never been clearer; To move toward exceptional, orgs should “lean into powerful security and integration platforms and invest in security tooling that can address gaps”. 

  • A surprisingly effective approach to backlogs: Bigger backlogs and slower averages can actually signal a more effective, risk-led program. Counter to what we’ve traditionally thought about backlogs (bigger is bad), the report showed a “Two-speed reality”, where exceptional orgs moved “fast for what matters [and used] governed deferral for the rest”.

Why this AppSec Research Matters

Organizations need clarity on what modern AppSec looks like and which investments deliver real impact.

This study provides:

  • A standardized AppSec maturity benchmark

  • Clear evidence showing how modern AppSec drives better business outcomes

  • Actionable guidance for strengthening application security programs

Whether you’re aiming to enhance developer velocity, improve application resilience, or reduce breach risk, this research offers a roadmap for progressing towards an Exceptional AppSec program.

Download the full study to get the full data, recommendations, and maturity models in From Code to Production: Benchmarking the Performance of AppSec Programs.

IDC InfoBrief, sponsored by Fastly, From Code to Production: How Modern AppSec Programs Yield 3x Better Business Outcomes, #US53892325, December 2025

© Fastly 2025