New Kusari Research Finds Security Teams Stuck in Reactive AppSec as Software Supply Chain Accountability Tightens

Wednesday at 2:03pm AST · February 18, 2026

Application Security in Practice report highlights critical gaps in transitive dependency visibility, developer workflow integration, and security ownership that prevent organizations from scaling AppSec and software supply chain security

Ridgefield, Connecticut–(Newsfile Corp. – February 18, 2026) – Kusari, a leading innovator in software supply chain security and SBOM management, today released Application Security in Practice, a new research report based on a survey of software developers and security professionals. The report examines how organizations manage application security and software supply chain risk as regulatory pressure increases, AI-driven development expands, and dependency complexity grows.

The findings reveal a widening gap between how software is built and how security is enforced. As compliance frameworks tighten, most teams remain trapped in reactive security models that surface risk too late and fail to integrate into developer workflows.

“Most teams are not failing because they lack effort or tools. They are failing because visibility, ownership, and integration have not kept pace with modern software development. Organizations that succeed treat security as a continuous, workflow-native capability rather than a periodic compliance exercise.”

Tim Miller, Co-Founder and CEO of Kusari

Key Findings

  1. Transitive dependency blind spots persist. Only 28 percent of respondents have strong visibility into transitive dependencies, leaving organizations exposed to hidden risk from inherited code.

  2. Legacy systems drive the most exposure. 59 percent cite legacy systems as their top software supply chain risk, rising to 84 percent in healthcare.

  3. Reactive security consumes developer time. Nearly half spend five or more hours weekly on security incidents, pulling capacity from development.

  4. Frequent checks reduce vulnerabilities. Teams assessing security on every pull request report 40 percent fewer monthly vulnerabilities than those checking only at release.

  5. AI adoption outpaces AI security trust. 85 percent use AI coding assistants, but just 9 percent consider AI-driven security analysis essential.

  6. Tooling integration remains a barrier. 38 percent cite difficulty integrating security tools into developer workflows.

  7. Fragmented ownership weakens accountability. Split ownership between security and development teams creates longer review cycles and higher risk.

High-performing teams consolidate tools, embed security checks into CI/CD pipelines, and adopt shared ownership models. The full report is available at www.kusari.dev/report.

About Kusari

Kusari delivers end-to-end software supply chain security, helping organizations understand and secure what they build. Founded by cybersecurity experts with deep experience in regulated industries, Kusari delivers actionable insights that help teams build secure software without friction. Powered by comprehensive SBOM analysis, Kusari provides a unified, highly accurate view of direct and transitive dependencies, vulnerabilities, and license risks across open source, AI-generated, and third-party code, enabling teams to pinpoint issues, prioritize fixes, and stay compliant, all with automated, developer-friendly workflows. Backed by J2 Ventures, Glasswing Ventures, and Unusual Ventures, Kusari is active in the open source security ecosystem, including several CNCF and OpenSSF initiatives.

Media Contact

Jennifer Pospishek
pr_hotline@kusari.dev
408.839.2054

To view the source version of this press release, please visit https://www.newsfilecorp.com/release/284027