Getting a High-Value Return: How a Financial Giant Maximized Its AppSec ROI
A leading European asset manager operating in highly regulated environments needed a scalable, modern approach to application security. With hundreds of developers and strict governance requirements, fragmented tools and limited visibility made it difficult to keep pace with growth. The organization unified its AppSec program, strengthened data isolation, and gained the control and consistency needed to securely scale development.
The Security Journey
The multinational asset management company began its application security journey with a traditional on-premises SAST solution. Over time, however, this approach proved restrictive. Static analysis remained siloed, the company required stronger data segregation than shared environments could offer, and evolving governance requirements made even minor updates more complex.
As the company expanded its application footprint, the shortcomings became even clearer: different engines operated in isolation, developers lacked a cohesive workflow, and the AppSec team struggled to maintain visibility across multiple tools. They needed a modern, scalable solution, one capable of supporting strict IP restrictions, retaining years of triage history, and unifying their AppSec program without disrupting critical financial systems.
The Solution
The company’s evolution unfolded in phases. They first transitioned from an on-premises installation to a Checkmarx-managed SAST environment to reduce operational overhead. From there, they made a strategic decision to migrate to Checkmarx One Single Tenant, becoming one of the earliest adopters of this hosting model.
The migration was complex. Leaders described it as “very difficult” because it required carefully preserving historic triage decisions and scanning data to ensure developers and compliance teams didn’t lose continuity. But the payoff was substantial: the organization gained fully isolated infrastructure, strict IP-restricted access, and complete confidence in data segregation. Today, they operate with two environments—staging and production—allowing safe testing, controlled rollouts, and consistent governance.
With the migration complete, the organization expanded beyond static analysis to unify their AppSec program under one platform. SAST, SCA, KICS for IaC, and API Security, with DAST and Container Security to follow soon, all became part of a larger strategy to bring multi-engine AppSec into a single, controlled system.
A major part of their success came from moving to the Enterprise Developer Productivity (EDPP) service model. Instead of a traditional “black box” vendor relationship, the company now works with three dedicated Checkmarx experts who embed directly into weekly engineering and AppSec meetings, tune queries, refine presets, and function as a true extension of their internal team.
- Active: SAST, SCA, KICS (IaC), API Security
- Preparing for rollout: DAST, Container Security
- In evaluation: Developer Assist (AI)
- Service model: EDPP with three dedicated embedded experts
Outcomes and Next Steps
Checkmarx provided a secure platform for rapid delivery of high-quality software, unifying AppSec tools in a single environment, and significantly improving visibility, consistency, and developer experience. Developers retained full triage history and integrated workflows, allowing them to continue scanning without disruption. Weekly collaboration with Checkmarx experts has accelerated tuning, onboarding, and configuration work, turning the partnership into a core part of the organization’s AppSec operations.
Responsiveness and Product Engagement
Throughout the engagement, Checkmarx responded effectively to feature requests and implementation needs, with prompt action, clear communication, and smooth delivery of enhancements. The Early Access Program further increased the value of their investment by giving the company access to new capabilities and a chance to test features and provide feedback before full release. Most importantly, the company now has a scalable, future-ready security foundation that meets regulatory expectations, supports a high volume of applications, and gives leadership confidence that AppSec has evolved from a fragmented toolset into a cohesive strategic capability.
Checkmarx provides a secure platform for rapidly delivering high-quality software.