There are many software security solutions available today designed to provide insight into important security issues found during software development. As organizations move forward with DevOps initiatives, are their current Application Security Testing (AST) solutions doing the work that is needed of them? If you haven't integrated AST automatically into your vulnerability detection, triage, and remediation processes across all stages of DevOps, your organization is suffering from what we at Checkmarx call adoption exposure.
AST solutions manage and measure your overall Software Exposure, which helps you accurately understand and significantly reduce your organization’s business risk. Software exposure results from mistakes made in the design, coding, testing, and maintenance of software. Exploiting these vulnerabilities can make the software unavailable or unreliable to users, or allow attackers to execute unauthorized code, read or modify data, change a user’s privileges, hide activities, or bypass security controls.
One component of software exposure is the concept of adoption exposure, as shown in the graphic below. This concept raises the question, "Does our application scanning cover all stages of DevOps, and has it been automated?"
Organizations today generate vast amounts of software. Without proper integration and automation of AST solutions directly into the stages of DevOps, you simply won’t be able to scale or systematically cover all of the code you produce and deliver. Although it’s critical to integrate AST solutions automatically into DevOps, you also need to incorporate them into your Integrated Development Environments (IDEs) through plugins and APIs.
Every organization has unique needs, but in all of them it's essential to automate not only the process of finding security issues but also the remediation process that follows those discoveries. With the right policies in place, you can mark a build as unstable, or block it from completing, when a scan reports a critical policy violation. The ability to block completion of a build is essential if you want security issues to be taken seriously.
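What such a policy gate looks like in a CI stage, as an added example that is not Checkmarx code or the page's own: the gate counts scan findings by severity, compares the counts against a policy with separate "block" and "unstable" thresholds, and returns the verdict plus a process exit code the pipeline can act on. The findings layout, the policy shape, the `evaluate` function and the exit-code convention (1 blocks the build, 2 means "unstable", 0 passes) are all assumptions chosen for illustration; a real gate would parse the scanner's own report format.

```python
"""CI policy gate: pass, mark unstable, or block a build from scan results.

Added example, not Checkmarx code. The finding layout, the policy shape and
the exit-code convention below are assumptions made for illustration.
"""
import sys
from collections import Counter

# Assumed severity ranking, highest first.
SEVERITIES = ("Critical", "High", "Medium", "Low")

# Constructed sample findings in a generic scanner-report shape. Each one
# carries the file and line so a developer can go straight to the code.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "Critical", "rule": "SQL Injection",    "file": "app/db.py",       "line": 42},
    {"id": "F-2", "severity": "High",     "rule": "Reflected XSS",    "file": "app/views.py",    "line": 17},
    {"id": "F-3", "severity": "High",     "rule": "Hardcoded Secret", "file": "app/config.py",   "line": 3},
    {"id": "F-4", "severity": "Medium",   "rule": "Weak Hash",        "file": "app/auth.py",     "line": 88},
    {"id": "F-5", "severity": "Low",      "rule": "Debug Enabled",    "file": "app/settings.py", "line": 5},
]

# Assumed policy: each threshold is the maximum count allowed per severity.
# "block" thresholds fail the build; "unstable" thresholds only mark it.
DEFAULT_POLICY = {
    "block":    {"Critical": 0},
    "unstable": {"High": 1, "Medium": 5},
}

# Assumed exit-code convention for the CI stage that runs this gate.
EXIT_PASS, EXIT_BLOCK, EXIT_UNSTABLE = 0, 1, 2


def count_by_severity(findings):
    """Count findings per severity; reject severities the policy cannot rank."""
    counts = Counter(f["severity"] for f in findings)
    unknown = set(counts) - set(SEVERITIES)
    if unknown:
        # Failing loudly is safer than silently letting an unranked finding through.
        raise ValueError(f"unknown severity levels in report: {sorted(unknown)}")
    return {s: counts.get(s, 0) for s in SEVERITIES}


def violations(counts, thresholds):
    """Return (severity, count, limit) for every threshold that is exceeded."""
    return [(s, counts[s], limit) for s, limit in thresholds.items() if counts[s] > limit]


def evaluate(findings, policy=DEFAULT_POLICY):
    """Apply the policy: blocking violations win over unstable ones."""
    counts = count_by_severity(findings)
    blocking = violations(counts, policy["block"])
    if blocking:
        return {"status": "blocked", "exit_code": EXIT_BLOCK, "violations": blocking, "counts": counts}
    unstable = violations(counts, policy["unstable"])
    if unstable:
        return {"status": "unstable", "exit_code": EXIT_UNSTABLE, "violations": unstable, "counts": counts}
    return {"status": "passed", "exit_code": EXIT_PASS, "violations": [], "counts": counts}


def format_report(findings, verdict):
    """Human-readable summary for the build log, with file:line per finding."""
    lines = [f"scan verdict: {verdict['status']}"]
    for sev, count, limit in verdict["violations"]:
        lines.append(f"  policy violation: {count} {sev} finding(s), limit {limit}")
    for f in sorted(findings, key=lambda f: SEVERITIES.index(f["severity"])):
        lines.append(f"  [{f['severity']}] {f['rule']} at {f['file']}:{f['line']} ({f['id']})")
    return "\n".join(lines)


if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS)
    print(format_report(SAMPLE_FINDINGS, result))
    sys.exit(result["exit_code"])
```

The pipeline step that wraps this script maps the exit code onto the CI system's own build states: a non-zero blocking code fails the stage outright, while the "unstable" code is caught and translated into the build system's warning-level status so the build completes but is flagged. Keeping the thresholds in a policy object rather than hard-coded lets the security team tune the gate without touching the pipeline definition.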
Adoption exposure occurs when AST solutions are treated as standalone solutions that are only operated by security teams. Without integrating and automating AST into your overall DevOps environments, your organization will experience unintended consequences—including delayed results, poor feedback loops, incomplete testing, wasted testing, and partial or limited results.

Deliver Secure Software, Faster
Traditional security models send code to separate security teams for testing in sequential processes that simply don't work in DevOps environments. Dynamic application security testing (DAST) tools test an application in its running state, which means they can't be used on source code or on uncompiled code. Relying on DAST delays security testing until the later stages of development, doesn't necessarily show where a vulnerability lives in the source code itself, and increases the time and effort required to resolve code defects. To deliver secure software faster, organizations need a combination of static application security testing (SAST), interactive application security testing (IAST), and open source analysis (OSA), commonly called software composition analysis. These solutions should be integrated as a platform directly into your developers' IDEs and CI pipeline. In addition, integrating Secure Coding Education (SCE) training modules directly into the IDE has tremendous benefits for developers, because the guidance arrives while they're writing the code. To overcome adoption exposure, organizations need a complete solution as shown below.
How Does the Platform Integrate?
When organizations begin software security programs, many treat security as a discrete activity performed after the software is built. In these cases, organizations establish penetration testing processes to reveal vulnerabilities and enforce policies that prevent the release of software with severe security flaws. Discovering vulnerabilities this late in DevOps costs organizations time and money. To address security throughout DevOps, give your developers the testing tools they need to identify vulnerabilities as they write code, along with the educational tools that help them avoid the same coding issues in future. This near-instant feedback greatly reduces the time required to fix vulnerabilities, resulting in more secure software and predictable delivery schedules. The following highlights how, where, and when to integrate the Checkmarx solutions that address software exposure within the stages of DevOps.