Devs fix only 6 vulnerabilities monthly while facing 17 new ones - production attack data essential.

Posted by BackerLeader

Software Under Siege: Why Production Data is the Key to Secure Code

The numbers are staggering and sobering: applications face attacks every three minutes, with defenders taking 84 days to patch critical vulnerabilities while attackers exploit them in just five days. According to Contrast Security's new "Software Under Siege 2025" research report, based on 1.6 trillion daily security observations from real production applications, the mathematics of modern application security simply don't add up in defenders' favor.

But buried within this seemingly dire data lies a counterintuitive insight that could fundamentally change how organizations approach application security: the answer isn't necessarily writing more secure code upfront, but rather using production attack intelligence to guide development efforts with surgical precision.

The False Positive Problem

"Most AppSec technologies see possible attacks, so they report huge numbers like thousands or tens of thousands of attacks per month," explains Jeff Williams, CTO and founder of Contrast Security, who has spent three decades in application security. "But when you actually watch the way that the application handles that request, you can differentiate. You can say, 'Hey, that's not an attack.'"

The research reveals a stark reality: while applications face over 14,000 attack attempts monthly, only 81 of those are "viable attacks" that actually reach exploitable vulnerabilities. The rest? Ambient internet noise—what Williams calls "mosquitoes" that defenders don't need to react to every time one flies by.

This distinction matters enormously for development teams drowning in vulnerability backlogs. The average organization now carries 1.1 million application vulnerabilities in its backlog, according to recent analyst research. With developers fixing only six vulnerabilities per application per month while discovering 17 new ones, the mathematical trajectory is unsustainable.

The Speed Asymmetry Crisis

The speed differential between attackers and defenders has reached crisis proportions. While attackers can exploit new vulnerabilities in five days and achieve lateral movement in just 48 minutes, defenders require an average of 194 days to identify breaches and 64 additional days to contain them.

"Large organizations have hundreds or thousands of applications, so you're adding net 11 new vulnerabilities per month per app," Williams notes. "If you do that for a few years across thousands of applications, you end up with massive backlogs."

Traditional security tools aren't equipped for this reality. Web Application Firewalls (WAFs) operate as "best effort" technology at the perimeter, unable to understand the applications they're protecting. Endpoint Detection and Response (EDR) tools miss application-layer attacks entirely due to what Williams calls "attack laundering"—when malicious activity originates through the application rather than directly targeting the operating system.

"Many application attacks stay in the application layer, and EDR can never see them," Williams explains. "Things like unsafe deserialization, SQL injection, and expression language injection—none of those touch the operating system."

The AI Amplification Effect

Artificial intelligence is simultaneously making the problem worse and pointing toward solutions. On the attack side, AI dramatically lowers barriers for novice attackers, enabling them to create sophisticated exploits like unsafe deserialization attacks without deep technical expertise.

For development teams using AI coding assistants, the news isn't encouraging. "AI doesn't generate code that's any more secure than humans generate," Williams cautions. "It's trained on code built by humans in the last generation, so that's the kind of code it produces." Multiple studies confirm AI-generated code carries similar security risks to human-written code.

However, AI also offers unprecedented opportunities for defenders when applied to high-quality production data.

The Production Data Advantage

Here's where Williams' research reveals something counterintuitive: the key to writing secure code isn't necessarily shifting further left in the development process, but rather gathering intelligence from production applications under real attack.

"My epiphany over the last 10 years is that in order to build code securely, you have to have context from production," Williams explains. "You have to know where you're being attacked, what attack types are being used against you, and which things in production are really exploitable."

This approach flips conventional wisdom. Rather than trying to anticipate every possible vulnerability during development (often resulting in false positive overload), teams can use actual attack intelligence to prioritize their security efforts with laser focus.

The data supports this approach: 99% of the 1.6 trillion security-relevant transactions Contrast observes daily are executed correctly. "Developers are getting almost everything right relative to the code they're writing," Williams notes. "It's in that 1% where we see the serious vulnerabilities and mistakes."

Practical Implementation Strategies

For CISOs and development leaders, this research suggests several strategic shifts:

1. Deploy Application Detection and Response (ADR) in production environments to gain real-time visibility into which vulnerabilities are actually being targeted. Unlike traditional tools that generate mountains of theoretical vulnerabilities, ADR identifies only those being actively exploited.

2. Use production attack data to prioritize remediation efforts. When development teams know which vulnerabilities attackers are actually targeting, they can focus their limited time on issues that matter rather than chasing theoretical risks.

3. Implement runtime protection for vulnerabilities that can't be immediately patched. Williams notes that ADR can completely eliminate entire categories of attacks, including expression language injection, SQL injection, and unsafe deserialization.

4. Focus on signal versus noise. By filtering vulnerability reports through production attack intelligence, teams can dramatically reduce their effective backlog while maintaining security posture.

Success Stories

The approach yields measurable results. Williams cites BMW as an example of a large organization that has "effectively eliminated their backlog and reduced their mean time to remediate vulnerabilities to one day" by implementing production-informed security practices.

"When you contextualize things and give developers real vulnerabilities, they can tighten the feedback loop," Williams explains. "Across hundreds or thousands of applications, they can get excellent AppSec programs going."

The Path Forward

The research reveals that method tampering is the most universal attack across all programming languages, not because it is particularly sophisticated but because it is easy to attempt: attackers simply send different HTTP verbs to every endpoint, looking for one the access control layer forgot to cover.
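One way to surface this pattern on the defender's side, as an added example that is not Contrast Security's code: a small detector over web access logs that flags a client sending several verbs a route is not declared to accept. The route allowlist and the log lines are constructed sample data.

```python
"""Added example (not Contrast Security's code): flag HTTP method-tampering
probes, where one client tries several unexpected verbs on one endpoint.
The route allowlist and log lines below are constructed sample data."""
import re
from collections import defaultdict

# Constructed allowlist: the only verbs each route legitimately accepts.
ROUTE_METHODS = {"/api/users": {"GET", "POST"},
                 "/api/admin/export": {"POST"},
                 "/login": {"GET", "POST"}}

# Minimal Common Log Format parser: client IP, method, path, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["method"], m["path"], int(m["status"])

def find_tampering(lines, min_unexpected=2):
    """Map (ip, path) -> {verb: status} for clients that sent at least
    `min_unexpected` distinct disallowed verbs to one route.  One stray verb is
    ambient noise; a spread of verbs is a probe, and a 2xx on a disallowed verb
    means the application answered instead of refusing."""
    seen = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # unparseable line: skip, do not crash
        ip, method, path, status = rec
        allowed = ROUTE_METHODS.get(path)  # routes outside the allowlist are ignored
        if allowed is not None and method not in allowed:
            seen[(ip, path)][method] = status
    return {k: v for k, v in seen.items() if len(v) >= min_unexpected}

# Constructed log lines: one client sweeps verbs on the admin route, another
# sends a single stray OPTIONS, and one line is deliberately malformed.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2025:10:00:01 +0000] "GET /api/users HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2025:10:00:02 +0000] "PUT /api/admin/export HTTP/1.1" 405 0',
    '203.0.113.7 - - [01/May/2025:10:00:03 +0000] "DELETE /api/admin/export HTTP/1.1" 405 0',
    '203.0.113.7 - - [01/May/2025:10:00:04 +0000] "HEAD /api/admin/export HTTP/1.1" 200 0',
    '198.51.100.4 - - [01/May/2025:10:00:05 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/May/2025:10:00:06 +0000] "OPTIONS /login HTTP/1.1" 204 0',
    'garbled line that does not parse',
]
```

Running `find_tampering(SAMPLE_LOG)` reports only the first client, whose HEAD on the admin route got a 200 rather than a refusal, which is the case worth routing to the owning team.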

This pattern reflects a broader trend: attackers are increasingly automated and opportunistic, scanning for the easiest targets rather than developing highly sophisticated, targeted exploits. Defenders can leverage this by focusing protection efforts on the vulnerabilities actually being exploited, rather than trying to eliminate every theoretical risk.

As Williams puts it, referencing the movie Cars: "You have to turn right to go left. People think they have to put more effort farther left to prevent vulnerabilities from getting into production. But there's no context over there, so you just get overwhelmed with false positives. The answer, counterintuitively, is in production."

For development teams and security leaders struggling with ever-growing vulnerability backlogs and accelerating attack timelines, this insight offers a path forward: use production intelligence to guide development priorities, deploy runtime protection for immediate risk reduction, and focus precious development resources on the vulnerabilities that truly matter.

The mathematics of modern application security may seem impossible, but with the right data and approach, defenders can finally start winning the race.
