New Kusari Research Finds Security Teams Stuck in Reactive AppSec as Software Supply Chain Accountability Tightens

RIDGEFIELD, Conn. (February 18, 2026) — Kusari, a leading innovator in software supply chain security and SBOM management, today released Application Security in Practice, a new research report based on a survey of software developers and security professionals. The report examines how organizations manage application security and software supply chain risk as regulatory pressure increases, AI-driven development expands, and dependency complexity grows.

The findings reveal a widening gap between how software is built and how security is enforced—leaving many organizations unable to demonstrate control, respond quickly to risk, or scale AppSec alongside modern development. As compliance frameworks tighten, most teams remain trapped in reactive security models that surface risk too late and fail to integrate into developer workflows.

“AppSec is evolving into software supply chain security. Accountability is real and expectations are clearer," said Tim Miller, Co-Founder and CEO of Kusari. "The research shows that most teams aren’t failing because they lack effort or tools—they’re failing because visibility, ownership, and integration haven’t kept pace with modern software development. Security practices can no longer live outside the development process. Organizations that succeed treat security as a continuous workflow-native capability rather than a periodic compliance exercise.”

Key Findings

1. Transitive dependency blind spots persist. Only 28 percent of respondents have strong visibility into transitive dependencies, leaving organizations exposed to hidden risk from inherited code—including open source, AI-generated, and third-party components.
2. Legacy systems drive the most exposure. 59 percent cite legacy systems as their top software supply chain risk, rising to 84 percent in healthcare.
3. Reactive security consumes developer time. Nearly half of respondents spend five or more hours weekly on security incidents, pulling capacity from development.
4. Frequent checks reduce vulnerabilities. Teams assessing security on every pull request report 40 percent fewer monthly vulnerabilities than those checking only at release.
5. AI adoption outpaces AI security trust. 85 percent use AI coding assistants, but just 9 percent consider AI-driven security analysis essential, highlighting a growing gap between AI-enabled speed and AI-enabled governance.
6. Tooling integration remains a barrier. 38 percent cite difficulty integrating security tools into developer workflows, reinforcing that tools outside CI pipelines, pull requests, and IDEs slow remediation.
7. Fragmented ownership weakens accountability. Split ownership between security and development teams creates longer review cycles and higher risk.

High-performing teams consolidate tools, embed security checks into CI/CD pipelines, and adopt shared ownership models. The full report is available as a free download at www.kusari.dev/report.

About Kusari

Kusari delivers end-to-end software supply chain security, helping organizations understand and secure what they build. Founded by cybersecurity experts with deep experience in regulated industries, Kusari delivers actionable insights that help teams build secure software without friction. Powered by comprehensive SBOM analysis, Kusari provides a unified, highly accurate view of direct and transitive dependencies, vulnerabilities, and license risks across open source, AI-generated, and third-party code, enabling teams to pinpoint issues, prioritize fixes, and stay compliant, all with automated, developer-friendly workflows. Backed by J2 Ventures, Glasswing Ventures, and Unusual Ventures, Kusari is active in the open source security ecosystem, including several CNCF and OpenSSF initiatives.