State of AppSec Report
When Development Velocity Exceeds Security Maturity
© 2026 ORCA SECURITY. ALL RIGHTS RESERVED.

“Application security has fundamentally changed, but many programs still operate as if it hasn’t. Software is built on open-source dependencies, automated pipelines, and infrastructure as code, while AI is increasing both scale and risk. Yet security teams are expected to manage this complexity with outdated approaches.

Across real production environments, risk is visible but rarely actionable without context. AI is accelerating development and expanding the attack surface, from generated code to model dependencies, making prioritization essential. This report helps organizations understand where traditional approaches fall short and how to focus on the changes that materially reduce risk.”

Inside This Report

Foreword ... 01
About the Orca Research Pod ... 02
Executive Summary ... 03
Key Findings ... 04
1. The Rise of Supply Chain Attacks ... 05
  1.1 Major Supply Chain Attacks ... 07
2. Vulnerabilities in AI Packages ... 08
  2.1 Critical Remote Code Execution Vulnerabilities ... 10
  2.2 Malicious Packages: Still Lurking in Production ... 11
3. Container Vulnerability Landscape ... 12
  3.1 High/Critical Vulnerability Patching Velocity ... 14
4. Secrets Management ... 15
  4.1 The AI/ML Secrets Crisis ... 17
6. Infrastructure as Code Security ... 22
  6.1 IaC Platform Adoption ... 24
  6.2 Storage and Data Protection ... 25
  6.3 Identity and Access Management ... 26
  6.4 Network Security ... 27
  6.5 Container Security in IaC ... 28
7. Repository and SCM Security ... 29
  7.1 Code Review and Approval Gaps ... 31
  7.2 Branch Protection Weakness ... 32
  7.3 Access Control and Hygiene ... 33
8. Key Recommendations ... 34
  8.1 Immediate Actions (0-30 Days) ... 35
  8.2 Short-term Initiatives (30-90 Days) ... 36
  8.3 Strategic Improvements (90+ Days) ... 37
9. Conclusion ... 38

2026 STATE OF APPLICATION SECURITY REPORT

Foreword

As organizations accelerate software delivery through cloud-native architectures, open-source dependencies, and automated pipelines, application attack surfaces are expanding faster than security practices can keep up.
AI-assisted development is further increasing this velocity, generating code, dependencies, and configurations at a pace that traditional security processes were not designed to govern.

Modern applications are built from thousands of third-party components and deployed at machine speed. This velocity enables scale and innovation, but it also makes it impossible to fix everything once code reaches production. Vulnerable dependencies, exposed secrets, and insecure configurations are no longer edge cases; they are structural realities of how software is built today. At the same time, AI systems introduce new risks and enable the rapid propagation of insecure code patterns and model dependencies across environments.

These challenges are compounded by the rise of software supply chain attacks, which have proven to be one of the most effective paths to large-scale compromise. A single poisoned dependency or workflow can cascade across thousands of organizations, turning application security failures into operational risk.

This State of Application Security Report is designed to help teams understand where these risks are introduced and how to address them effectively. Grounded in real-world findings from the Orca Research Pod, it provides a clear view into the current Application Security landscape and practical guidance for securing modern applications at the speed today’s businesses demand.

Gil Geron
CEO and Co-Founder of Orca Security

About the Orca Research Pod

The Orca Research Pod is a group of security researchers that discovers and analyzes security risks and vulnerabilities to strengthen the Orca Security Platform and promote CNAPP security best practices.

Research Methodology

This report is based on aggregated, anonymized security telemetry from more than 1,000 production organizations leveraging Orca Security’s cloud security platform.
All metrics presented represent the percentage of organizations exhibiting each finding, calculated as a weighted average across the organizations. Data was collected between Q3 2025 and Q1 2026, focusing exclusively on production environments to ensure findings reflect real-world security postures rather than test or development configurations.

Security findings span multiple domains: CI/CD pipeline security, secrets management, repository configuration, software composition analysis (SCA), static application security testing (SAST), infrastructure as code (IaC), and container security.

Report Data Set:
● Cloud workload and configuration data
● Billions of real-world production cloud assets
● Data referenced in this report was collected from Q3 2025 to Q1 2026
● AWS, Azure, Google Cloud, Oracle Cloud, and Alibaba Cloud environments

Executive Summary

Leveraging real-world telemetry from more than 1,000 production organizations, this report examines the current state of application security across the modern software delivery lifecycle. The findings reveal a growing disconnect