Case Study Highlights Pcl Construction

Case Study Highlights

PCL Construction Simplifies Its Cloud Transition
With the Checkmarx One AppSec Platform

“Build” takes on a new meaning for the well-known construction company
as it constructs a security-first culture and an end-to-end AppSec program

PCL Construction is a leading North American contractor relying heavily on 100+ apps developed in-house. PCL needed a unified AppSec solution to simplify security for business-critical applications.


Construction and Engineering


Edmonton, Canada

Checkmarx Solutions & Services

4 hours

to onboard
Checkmarx One

4.4 million

lines of code
scanned weekly

21+ applications

scanned every

The Need

Shift security throughout application development

With cloud-based applications, PCL needed application security solutions designed for modern development, delivered from the cloud. Ideally, PCL also wanted AppSec solutions that were easy to integrate and automate and could help it shift security into every phase of the software development life cycle (SDLC).

With more than 100 applications, the price was also a consideration. “I wanted a tool that would work well for the developers and had a licensing model that wasn’t going to break the bank,” explained Joel Godbout, Cybersecurity and Networking Manager, PCL Construction.

The Solution

A comprehensive, cloud-based AppSec platform

After thoroughly evaluating several solutions, the team selected the Checkmarx One™ Application Security Platform, with Static Application Security Testing (SAST) and Software Composition Analysis (SCA).

Checkmarx One, a cloud-based solution, is the most comprehensive AppSec platform on the market. The platform was specifically designed for cloud development and today’s technology stack, processes, vulnerabilities, and risks. It’s easy to use and can be seamlessly integrated into the developer’s existing tools and processes.

Checkmarx’s pricing model, which licenses users for unlimited apps, was also appealing. PCL is a growing enterprise and having an AppSec solution that will scale as PCL adds more applications is invaluable.

The Results

PCL first deployed Checkmarx One several months ago, and the process was fast and seamless. The PCL development team had the first scan running from an automated build in about four hours and the platform has been up and running ever since.

The company’s onshore development team, which includes approximately 50 developers, uses the solution daily, and the company hopes to roll out the platform to its offshore developers soon. The platform is easy to learn and integrates well into existing developer workflows—optimizing adoption.
Checkmarx Codebashing is also helping to drive developer adoption. “It becomes part of everybody’s workday, identifying potential problems before they start — and how to avoid them,” said Blaine Stearns, Lead Solution Architect, PCL Construction.

Today, PCL uses Checkmarx SAST to rapidly detect and remediate security risks in its applications. It also enables the team to prioritize risks so it can focus on the most important issues first. PCL automates its SAST scans—spanning millions of lines of proprietary and open-source code—for nearly a dozen applications, and it continues to add applications to the platform.

PCL leverages significant open source code in its applications, and Checkmarx SCA saves the team significant time as it reduces the risk associated with open source threats. “We’re in a stronger position today when it comes to open source supply chain or package threats because of Checkmarx One,” explained Godbout.

“Checkmarx One definitely checks all my boxes from a security standpoint
and has a great interface that’s engaging and easy to use. Some of the
solutions we considered were more complicated. With Checkmarx One, it’s
easy to get right to the problem with little to no learning curve.”

Joel Godbout

Cybersecurity and Networking Manager | PCL Construction

Skip to content