Vulnerable application code a case for concern

Research revealed at RSA Conference also finds a startling 86% of software developers and AppSec managers have knowingly deployed vulnerable code.

Checkmarx has released its Global Pulse on Application Security study at the 2023 RSA Conference in San Francisco. Developed with Censuswide, the research uncovered global trends around the security challenges faced by Chief Information Security Officers (CISOs), application security (AppSec) leaders and software developers as migration to the cloud and digital transformation have become enterprise imperatives.

At a time when IBM has reported that the average cost of a data breach is $9.44 million in the United States and $4.35 million globally, the Checkmarx survey of over 1,500 CISOs, AppSec managers, and software developers around the world uncovered some troubling statistics. The research showed that 88% of AppSec managers surveyed had experienced at least one breach in the prior year as a direct result of vulnerable application code. The shift toward modern development practices that incorporate microservices and serverless technologies, container security and infrastructure as code (IaC) is multiplying the potential attack surface, which in turn creates critical new priorities for application security.

The Global Pulse of AppSec report also included these key findings:

• 86% of software developers and AppSec managers surveyed have, or know someone who has, knowingly deployed vulnerable code

• An average of 60% of vulnerabilities are detected during the code, build, or test phase, according to AppSec managers surveyed

• CISOs surveyed see the highest-priority security risks at their organizations as being:

  o Increased use and exposure of APIs (37%)

  o Open source software supply chain risks (i.e., malicious code) (37%)

  o Application containerization risks (37%)

  o Open source software risks (36%)

  o Infrastructure-as-code risks (36%)

• Surveyed AppSec managers who have experienced breaches say that the top three causes include:

  o Open source software supply chain attacks (41%)

  o Stolen credentials, secrets or weak authentication/authorization (40%)

  o Known and/or unknown vulnerabilities in code released to production (39%)

• Only 34% of developers surveyed report that their AppSec scans are completely integrated and automated into their software configuration management (SCM) systems, integrated development environments (IDEs) and continuous integration (CI) / continuous delivery (CD) tooling

• Only 22% of surveyed CISOs believe that their developers are highly proficient in AppSec best practices

“Our research underscores how the complexity of cloud-native applications has ushered in a bevy of new risks at a time when digital transformation is a key enterprise goal,” said Sandeep Johri, CEO at Checkmarx. “A comprehensive ‘shift everywhere’ approach to AppSec ensures that vulnerabilities can be addressed at any point during the software development lifecycle. This can become both an enabler of transformation and a strong differentiator for the enterprise that can prove its advanced AppSec posture, ultimately priming the business for success.”

Checkmarx Makes Shift Happen

RSA attendees can see the industry’s most complete solution for shifting everywhere and reducing risk in AppSec at booth #1335 in the South Hall. Checkmarx will be giving demonstrations of its industry-leading Checkmarx One™ Application Security Platform in the RSA Conference Expo Hall, featuring all-new capabilities available in its latest release:

• Dart and Flutter Support: The industry’s first incorporation of Dart and Flutter, supporting one of the most popular mobile technologies in the market today

• Private-package Scanning: Allows for scanning of second-party code in any project within Software Composition Analysis (SCA) and delivers information on potential risks

• 2MS for Supply Chain Security: A new secret detection engine, 2MS, which is an open source project that protects sensitive information like passwords, credentials, and API keys from appearing in public websites and communication services

• DAST: Dynamic application security testing, including testing of internal (over-the-firewall) applications

• Exploitable Path for C#: Powered by Checkmarx Fusion and available within SCA

• VS Code Plugin: Helps developers easily understand the risks of their open source packages
