The Door You Forgot to Lock: Why Application Security Testing Is the Cheapest Insurance You're Skipping

One in five breaches now starts with a software flaw. Why application security testing is the cheapest insurance most businesses are still skipping.

Garrett Grimmett

Picture a bank that spent twenty years building thicker walls. Higher fences, deeper moats, guards at every gate. Then one morning the money is gone, and the vault was never touched. The thieves walked in through a side door that nobody thought to lock, because nobody thought of it as a door at all.

That side door is your software. The apps your business runs on, the tools you bought, the open-source code humming quietly underneath all of it. For two decades companies got very good at guarding the network and very casual about the code. Attackers noticed. So they stopped climbing walls and started trying doors.

Application security testing is how you find the unlocked door before someone else does.

Everything that follows is the case for taking that seriously, told through what is actually happening right now. No jargon you need a glossary for. Just the pattern, the price, and the fix.

Start here, if you read nothing else

Attacks that break in through a software flaw are climbing fast. The average breach still costs millions. Most of the flaws being exploited are old, boring, well-documented mistakes that testing tools are built to catch. Finding one early costs pennies on the dollar. And AI is now writing code faster than anyone can read it, which means more doors, not fewer.

Testing is the cheap part. The breach is the expensive part.

The numbers are not subtle

Every year, Verizon publishes the closest thing this industry has to a scoreboard, built from tens of thousands of real incidents. Its latest edition delivered a number that should stop a boardroom cold: breaking in by exploiting a software vulnerability jumped 34 percent in a single year. That route now opens one in five breaches, almost tying stolen passwords for first place.

Then it got worse. Breaches that started somewhere else, in a partner’s software or a vendor’s service you happen to depend on, doubled to 30 percent of all cases. Nearly a third of breaches now arrive through code a company never wrote, never reviewed, and often never thought about. You can do everything right and still get robbed through a door you did not know you had.

And the bill keeps coming. IBM’s annual study pegged the global average breach at 4.44 million dollars. In the United States, a record 10.22 million. In healthcare, 7.42 million per incident. Those are not abstract figures. They are the kind of losses that end careers and land a company in the headlines.

Three doors that swung open this year

Statistics are easy to shrug off. Recent events are not. Here are three from the last few months, each a different door, each left unlocked.

One. Even the AI giants got hit through borrowed code.

In May 2026, attackers poisoned a wildly popular set of open-source coding libraries called TanStack, slipping 84 booby-trapped versions onto the public registry inside a six-minute window. The malware spread on its own, lifting credentials off any developer’s machine that installed it. It was one front of a sprawling campaign nicknamed Mini Shai-Hulud that tainted more than 170 software packages with over half a billion downloads between them. Two OpenAI employees installed the bad code. The attackers reached internal source code and exposed the certificates OpenAI uses to sign its own apps, forcing the company to re-sign and re-release its Mac, Windows, Android, and iOS software as a precaution. Mistral AI got caught in the same net.

The lesson is hard to miss. Some of the most sophisticated AI companies on earth were compromised through the ordinary open-source code their own software depends on.

Two. The campus that went dark during finals.

Around the same time, the company behind Canvas, the learning platform thousands of schools run on, was breached twice in two weeks. The way in was almost embarrassing: a sign-up feature that let anyone create an account without verification. In May 2026 the attackers defaced login pages at roughly 330 institutions, including Harvard and Princeton, and pulled the platform offline mid-exam. It is now the largest education-sector breach on record. No genius exploit. Just a door propped open and never checked.

Three. The quiet one that cost the most.

Not every break-in trends online. Through late 2025 and into 2026, the Cl0p extortion crew worked a critical flaw in Oracle’s business software, the system large companies use to run finance and payroll. The Washington Post confirmed attackers lived inside its Oracle environment for weeks, walking out with names, Social Security numbers, and bank details for nearly 10,000 people. Ransom demands across the campaign reportedly touched 50 million dollars. Same script as always: one flaw, no test that caught it in time, a great deal of stolen data.

Here is the maddening part: these are old mistakes

You would hope the attacks landing today were dazzling and new. Mostly, they are not. The security nonprofit OWASP keeps a famous list of the ten most critical web application risks, drawn from data on more than 500,000 apps. The 2025 edition is the first update in four years, and the story it tells is how stubbornly little has changed.

Sitting at number one, exactly where it sat in 2021, is broken access control. It turns up in 94 percent of applications tested. In plain terms: people seeing or changing things they should not, often by editing a single value in a web request. Right behind it sit basic misconfiguration and supply-chain weakness, the very gaps those three breaches slipped through.

There is quiet good news buried here, too. The classic injection attack, sneaking commands into an input box, slid down the rankings, because modern coding frameworks now block it by default. That is what winning looks like: a whole category of problem fades once the tools handle it automatically. Problems do not vanish on their own. The right defaults and the right testing make them vanish.
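As an added illustration of the broken access control entry above (example code written for this page, not from the article or from OWASP), the first handler trusts an object id taken from the request, which is the "editing a single value in a web request" flaw; the second checks the record's owner against the authenticated session. The invoice table, the `Invoice` type and the handler names are constructed for the example.

```python
# Added example: broken access control (IDOR) shown as a vulnerable handler
# next to its fixed form. Data and names are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample rows standing in for a database table.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=120.0),
    102: Invoice(102, owner_id=2, amount=9800.0),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_invoice_vulnerable(session_user_id: int, requested_id: int) -> Invoice:
    """Looks up the record by the id from the URL alone. A logged-in user who
    changes ?id=101 to ?id=102 reads someone else's invoice."""
    return INVOICES[requested_id]


def get_invoice_fixed(session_user_id: int, requested_id: int) -> Invoice:
    """Same lookup, but ownership is compared to the server-side session
    identity, never to anything the client sent."""
    invoice = INVOICES.get(requested_id)
    if invoice is None or invoice.owner_id != session_user_id:
        # One error for both missing and foreign ids, so the response
        # does not reveal which ids exist.
        raise Forbidden(f"user {session_user_id} may not read invoice {requested_id}")
    return invoice


def check_access(handler, session_user_id: int, requested_id: int) -> str:
    """Run a handler and report 'allowed' or 'denied' for comparison."""
    try:
        handler(session_user_id, requested_id)
        return "allowed"
    except (Forbidden, KeyError):
        return "denied"


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable), ("fixed", get_invoice_fixed)):
        print(f"{name}: user 1 requests invoice 102 -> {check_access(handler, 1, 102)}")
```

A unit test asserting that user 1 is denied invoice 102 is the kind of check that catches this class of flaw in code review rather than in production.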

The cheapest move you will ever make

Now the part for whoever signs the checks. The cost of a flaw is not fixed. The longer it goes unfound, the more expensive it is to fix.

There is an old rule of thumb that captures it, the 1-10-100 rule. A flaw costs roughly a dollar to fix while you are designing, ten dollars once it is built, a hundred dollars once it is live. For security flaws, the gap runs even wider. The reason is simple:

  • Caught in a code review, a flaw is a two-minute edit by the person who just wrote it.
  • Caught in production, that same flaw means an emergency patch, frantic re-testing, a rushed deploy, customer notifications, lawyers, regulators, and weeks of brand repair, all while attackers may already be inside.

This is why smart teams now bake security checks into how software gets built instead of bolting them on at the end. IBM found this approach, often called DevSecOps, was the single biggest factor in lowering breach costs, trimming about 227,000 dollars off the average breach. Teams that leaned hard on AI and automation in their defenses saved close to 1.9 million, mostly by catching trouble sooner.

Test early and you edit a line. Test never and you write a press release.

The AI twist that cuts both ways

AI is bending this story in two directions at once.

On defense, it earns its keep. Faster, automated detection is the main reason global breach costs actually dipped this year.

On offense, it is murkier. Attackers used AI in roughly one in six breaches to write sharper phishing and cleaner fakes. But the deeper shift is in the code itself. AI assistants now write a huge and growing share of what companies ship, and they learned from years of older code written before today’s security habits took hold. So they reproduce the same classic flaws at machine speed. More code, written faster, with uncertain safety baked in. That is an argument for more testing, not less.

The bottom line

Application security testing is not a box to tick or the first line to cut when budgets tighten. It is the difference between catching a flaw with a tool and catching it in a ransom note.

The pattern barely changes from year to year. The costly breaches start in the software. The flaws are mostly known and named. Catching them early costs a sliver of catching them late. And AI is widening the gap between how fast code gets written and how carefully anyone checks it.

Go back to that bank with the thick walls and the open side door. The lesson was never about building taller fences. It was about walking the building and trying every handle before someone less friendly does. The companies that test their software as they build it are doing exactly that. Everyone else is one unlocked door away from next year’s list of names.

Sources

  1. Verizon, “2025 Data Breach Investigations Report” (vulnerability exploitation, third-party breaches). verizon.com
  2. Infosecurity Magazine, “Verizon’s DBIR Reveals 34% Jump in Vulnerability Exploitation.” infosecurity-magazine.com
  3. ColorTokens, “Verizon 2025 DBIR Insights for Cyber Resilience in 2026.” colortokens.com
  4. IBM, “Cost of a Data Breach Report 2025.” ibm.com
  5. IBM, “2025 Cost of a Data Breach Report: Navigating the AI rush without sidelining security.” ibm.com
  6. OpenAI, “Our response to the TanStack npm supply chain attack” (May 2026). openai.com
  7. BleepingComputer, “OpenAI confirms security breach in TanStack supply chain attack.” bleepingcomputer.com
  8. Palo Alto Unit 42, “The npm Threat Landscape: Attack Surface and Mitigations” (June 2026). unit42.paloaltonetworks.com
  9. PKWARE, “2026 Data Breaches: Cybersecurity Incidents” (Instructure / Canvas). pkware.com
  10. TechCrunch, “The worst hacks and breaches of 2026 (so far)” (June 3, 2026). techcrunch.com
  11. Bright Defense, “List of Recent Data Breaches in 2026” (Oracle E-Business Suite / Washington Post). brightdefense.com
  12. Infosecurity Magazine, “Top 10 Cyber-Attacks of 2025” (Oracle E-Business Suite, CVE-2025-61882). infosecurity-magazine.com
  13. OWASP, “OWASP Top 10:2025 Introduction.” owasp.org
  14. The Register, “OWASP Top 10: broken access control still tops app security list” (Nov 11, 2025). theregister.com
  15. IBM / BetterQA, cost-of-fixing-bugs by SDLC stage (the 1-10-100 rule). betterqa.co
  16. SentinelOne, “Data Breach Statistics for 2026.” sentinelone.com

Next step

Want this kind of detail on your environment?

A 30-minute scoping call. You talk to the senior operator who would run the engagement. No slide deck.

  • No high-pressure follow-up
  • Scoping notes delivered within 24 hours
  • NDA available before the call