New Kusari Research Finds Security Teams Stuck in Reactive AppSec as Software Supply Chain Accountability Tightens

Kusari's Application Security in Practice report finds most organizations remain stuck in reactive AppSec as regulatory pressure, AI-driven development, and dependency complexity grow. Limited visibility into transitive dependencies, fragmented ownership, and poor workflow integration leave teams exposed. High-performing teams reduce vulnerabilities by embedding continuous, workflow-native security into CI/CD and consolidating tools. www.kusari.dev.
RIDGEFIELD, Conn. - February 18, 2026 - Kusari [https://www.kusari.dev/], a leading innovator in software supply chain security and SBOM management, today released Application Security in Practice , a new research report based on a survey of software developers and security professionals. The report examines how organizations manage application security and software supply chain risk as regulatory pressure increases, AI-driven development expands, and dependency complexity grows.

The findings reveal a widening gap between how software is built and how security is enforced. As compliance frameworks tighten, most teams remain trapped in reactive security models that surface risk too late and fail to integrate into developer workflows.

"Most teams are not failing because they lack effort or tools. They are failing because visibility, ownership, and integration have not kept pace with modern software development. Organizations that succeed treat security as a continuous, workflow-native capability rather than a periodic compliance exercise." - Tim Miller, Co-Founder and CEO of Kusari

Key Findings

*
Transitive dependency blind spots persist. Only 28 percent of respondents have strong visibility into transitive dependencies, leaving organizations exposed to hidden risk from inherited code.

*
Legacy systems drive the most exposure. 59 percent cite legacy systems as their top software supply chain risk, rising to 84 percent in healthcare.

*
Reactive security consumes developer time. Nearly half spend five or more hours weekly on security incidents, pulling capacity from development.

*
Frequent checks reduce vulnerabilities. Teams assessing security on every pull request report 40 percent fewer monthly vulnerabilities than those checking only at release.

*
AI adoption outpaces AI security trust. 85 percent use AI coding assistants, but just 9 percent consider AI-driven security analysis essential.

*
Tooling integration remains a barrier. 38 percent cite difficulty integrating security tools into developer workflows.

*
Fragmented ownership weakens accountability. Split ownership between security and development teams creates longer review cycles and higher risk.

High-performing teams consolidate tools, embed security checks into CI/CD pipelines, and adopt shared ownership models. The full report is available at https://www.kusari.dev/report.

About Kusari

Kusari delivers end-to-end software supply chain security, helping organizations understand and secure what they build. Founded by cybersecurity experts with deep experience in regulated industries, Kusari delivers actionable insights that help teams build secure software without friction. Powered by comprehensive SBOM analysis, Kusari provides a unified, highly accurate view of direct and transitive dependencies, vulnerabilities, and license risks across open source, AI-generated, and third-party code, enabling teams to pinpoint issues, prioritize fixes, and stay compliant, all with automated, developer-friendly workflows. Backed by J2 Ventures, Glasswing Ventures, and Unusual Ventures, Kusari is active in the open source security ecosystem, including several CNCF and OpenSSF initiatives.

Media Contact
Company Name: Kusari
Contact Person: Jennifer Pospishek
Email:Send Email [https://www.abnewswire.com/email_contact_us.php?pr=new-kusari-research-finds-security-teams-stuck-in-reactive-appsec-as-software-supply-chain-accountability-tightens]
Phone: 408.839.2054
Country: United States
Website: http://www.kusari.dev

Legal Disclaimer: Information contained on this page is provided by an independent third-party content provider. ABNewswire makes no warranties or responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you are affiliated with this article or have any complaints or copyright issues related to this article and would like it to be removed, please contact retract@swscontact.com



This release was published on openPR.