Research revealed at RSA Conference also finds a startling 86% of software developers and AppSec managers have knowingly deployed vulnerable code
SAN FRANCISCO, CA AND RAMAT GAN – April 25, 2023 – Checkmarx, the global leader in application security solutions, today released its Global Pulse on Application Security study at the 2023 RSA Conference in San Francisco. Developed with Censuswide, the research uncovered global trends around the security challenges faced by Chief Information Security Officers (CISOs), application security (AppSec) leaders and software developers as migration to the cloud and digital transformation have become enterprise imperatives.
At a time when IBM has reported that the average cost of a data breach is $9.44 million in the United States and $4.35 million globally, the Checkmarx survey of over 1,500 CISOs, AppSec managers, and software developers around the world uncovered some troubling statistics. The research showed that 88% of AppSec managers surveyed have experienced at least one breach in the prior year as a direct result of vulnerable application code. The shift toward modern development practices that incorporate microservices and serverless technologies, container security and infrastructure as code (IaC) are multiplying the potential attack surface, thereby identifying critical new priorities for application security.
The Global Pulse of AppSec report also included these key findings:
- 86% of software developers and AppSec managers surveyed have or know someone who has knowingly deployed vulnerable code
- An average 60% of vulnerabilities are detected during the code, build, or test phase, according to AppSec managers surveyed
- CISOs surveyed see the highest-priority security risks at their organizations as being:
- Increased use and exposure of APIs (37%)
- Open source software supply chain risks (i.e., malicious code) (37%)
- Application containerization risks (37%)
- Open source software risks (36%)
- Infrastructure-as-code risks (36%)
- Surveyed AppSec managers who have experienced breaches say that the top three causes include:
-
- Open source software supply chain attacks (41%)
- Stolen credentials, secrets or weak authentication/authorization (40%)
- Known and/or unknown vulnerabilities in code released to production (39%)
- Only 34% of developers surveyed report that their AppSec scans are completely integrated and automated into their software configuration management (SCM) systems, integrated development environments (IDEs) and continuous integration (CI) / continuous delivery (CD) tooling
- Only 22% of surveyed CISOs believe that their developers are highly proficient in AppSec best practices
“Our research underscores how the complexity of cloud-native applications has ushered in a bevy of new risks at a time when digital transformation is a key enterprise goal,” said Sandeep Johri, CEO at Checkmarx. “A comprehensive ‘shift everywhere’ approach to AppSec ensures that vulnerabilities can be addressed at any point during the software development lifecycle. This can become both an enabler of transformation and a strong differentiator for the enterprise that can prove its advanced AppSec posture, ultimately priming the business for success.”
Checkmarx Makes Shift Happen
RSA attendees can see the industry’s most complete solution for shifting everywhere and reducing risk in AppSec at booth #1335 in the South Hall. Checkmarx will be giving demonstrations of its industry-leading Checkmarx One™ Application Security Platform in the RSA Conference Expo Hall, featuring all-new capabilities available in its latest release:
- Dart and Flutter Support: The industry’s first incorporation of Dart and Flutter, supporting one of the most popular mobile technologies in the market today
- Private-package Scanning: Allows for scanning of second-party code in any project within Software Composition Analysis (SCA) and delivers information on potential risks
- 2MS for Supply Chain Security: A new secret detection engine, 2MS, which is an open source project that protects sensitive information like passwords, credentials, and API keys from appearing in public websites and communication services
- DAST: Dynamic application security testing, including testing of internal (over-the-firewall) applications
- Exploitable Path for C#: Powered by Checkmarx Fusion and available within SCA
- VS Code Plugin: Helps developers easily understand the risks of their open source packages
For more information on the Checkmarx One Application Security Platform, visit this page or stop by booth #1335 in the South Hall at RSA.
About Checkmarx
Checkmarx is the leading application security provider, offering the industry’s most comprehensive and innovative cloud-native platform, Checkmarx One™. Fueled by intelligence from our industry-leading AppSec security research team, our products and services enable enterprises to shift everywhere in order to secure every phase of development for every application while simultaneously balancing the dynamic needs of CISOs, security teams, and development teams. We are honored to serve more than 1,800 customers, including 60 percent of Fortune 100 organizations, and are committed to moving forward with an unwavering dedication to the safety and security of our customers and the applications that power our day-to-day lives. Checkmarx. Make Shift Happen.
About the Research
The research was conducted by Censuswide, with 1,567 Software Developers (517), AppSec Managers (534) & CISOs (516) were surveyed between 06.09.2022 – 26.09.2022.
All respondents work within a company of 1,000+ employees. All companies must have an Inhouse software development. Min. 100 respondents per the following verticals: Banking or Finance and insurance, Retail and ecommerce, Healthcare, High Tech (Software and Tech) or Manufacturing, Public sector: any other industry per sample group and guaranteeing a minimum per the following markets for each sample group: USA (200), UK (100), DACH (66), Aus/NZ (33), France (33), Singapore (33) and Brazil (33). Censuswide abide by and employ members of the Market Research Society which is based on the ESOMAR principles.
Media Contact
Katie Brookes
Merritt Group for Checkmarx