Stocking Up on Speed: A “Huge Success” in European Retailer’s AppSec Transformation
When you’re serving millions of customers across nearly 1,500 stores, trust isn’t optional; it’s everything. For a leading European retailer operating at this scale, that trust begins long before a customer shops: it starts with the security of its digital applications.
Growing Faster Than Security Could Follow
As the retailer rapidly expanded its e-commerce operations, payment systems, and internal applications, the complexity of its software ecosystem surged. Thousands of repositories and billions of lines of code accelerated through CI/CD pipelines, stretching development and security teams and exposing vulnerabilities as the digital footprint grew.
When software issues surfaced late in the development cycle, they derailed release schedules, discouraged developers, and became far more costly to fix.
Even worse, some problems weren’t found until they were already exposed, magnifying both risk and impact. AppSec teams were stuck in a reactive loop, trying to manage escalating threats without slowing delivery, with no sustainable path forward.
An Enterprise-Grade, Unified AppSec Platform
By 2023, the retailer realized it needed to move beyond its legacy on-premises SAST solution and the fragmented mix of tools surrounding it. As more of its workloads shifted to the cloud, legacy tools could not deliver the modern application security it needed. The team conducted a thorough evaluation over several months that included testing multiple vendors, including Snyk and Veracode.
After the evaluation, the retailer chose Checkmarx One, a cloud-native DevSecOps platform that centralizes application security testing across the Software Development Life Cycle (SDLC), automates code scanning, and enables developers to move faster with confidence. By bringing security into the development workflow, Checkmarx One helps developers both code faster and code smarter with real-time remediation capabilities and trusted security tools built for velocity. These benefits are powered by tightly integrated AppSec capabilities including:
- Static Application Security Testing (SAST) for early detection of code-level vulnerabilities;
- Software Composition Analysis (SCA) to manage open-source and third-party risks;
- Container Security for modern deployment environments.
Four weeks and 10,000 repositories later…
Checkmarx One was deployed and fully operational within a month, backed by close, ongoing collaboration from the Checkmarx team. A Professional Services team of four Checkmarx application security engineers acted as an extension of the AppSecOps team, guiding best practices, fine-tuning configurations, and accelerating onboarding.
Automated scans ran through CI/CD pipelines to assess 10,000 repositories, with results flowing directly into JIRA for streamlined remediation. Nearly 800,000 vulnerabilities surfaced, but with structured triage that prioritized the biggest issues, developers quickly gained visibility into their code and fixed issues on the fly.
For the AppSec teams of this major retailer, moving to Checkmarx One delivered real-time visibility, centralized reporting, and clear audit trails for compliance across privacy, payment, and data-protection regulations. The head of product assurance likened Checkmarx to a Formula One car—engineered for peak performance and built for speed to keep the team running at maximum efficiency.
Full buy-in from the developer community
“Our developers were not repeating the same mistakes they used to make, and fixing vulnerabilities earlier,” he noted. “The immediate positive outcomes were clear in our pen-testing, with no ‘high’ or ‘critical’ findings.” That result is a clear example of how Checkmarx fixes issues before they make it to testing.
Checkmarx One achieved 100% adoption across 2,500 developers in just six months, driven by a deliberate, gradual rollout of a developer-first platform that’s easy to use, intuitive to learn, and seamlessly embedded into daily workflows. Leaders gave developers the time they needed to learn how to leverage the tool; rather than imposing “draconian” mandates through dedicated policies, they gave developers the freedom to try the experience, with room to fail and grow. The goal was to let the tool, not company policy, drive adoption.
“If you introduce policies that break pipelines, you can disrupt the very heartbeat of the business,” the head of product assurance said. “In the worst case, you can stop the business from operating altogether.”
Reduced rework, real ROI: £2M in savings at scale
It worked. Early analysis showed that roughly 75% of vulnerabilities were recurring patterns, often introduced when developers reused one another’s code. By surfacing these issues consistently, the team immediately reduced repeat mistakes.
Other key metrics highlight how this approach helped developers identify and fix vulnerabilities earlier in the lifecycle rather than chase false positives or low-priority alerts:
- Average remediation time dropped 70%, significantly shrinking exposure windows.
- Vulnerability density improved 32% year over year, reflecting stronger code hygiene at scale.
- Actionable findings fell 45% for SAST and 39% for SCA, reducing triage effort and keeping attention on high-impact issues.
These efficiencies led to an estimated £2M in cost savings for the business.
Security is now embedded throughout the software development lifecycle, from the birth of code to its retirement. The organization now scans more than 10,000 repositories each month across both internal systems and customer-facing applications. To date, it has scanned over 35 billion lines of code and remediated more than 400,000 vulnerabilities.