Vulnerable application code a case for concern

Research revealed at RSA Conference also finds a startling 86% of software developers and AppSec managers have knowingly deployed vulnerable code.

  • 1 year ago Posted in

Checkmarx has released its Global Pulse on Application Security study at the 2023 RSA Conference in San Francisco. Developed with Censuswide, the research uncovered global trends around the security challenges faced by Chief Information Security Officers (CISOs), application security (AppSec) leaders and software developers as migration to the cloud and digital transformation have become enterprise imperatives.

 

At a time when IBM has reported that the average cost of a data breach is $9.44 million in the United States and $4.35 million globally, the Checkmarx survey of over 1,500 CISOs, AppSec managers, and software developers around the world uncovered some troubling statistics. The research showed that 88% of AppSec managers surveyed have experienced at least one breach in the prior year as a direct result of vulnerable application code. The shift toward modern development practices that incorporate microservices and serverless technologies, container security and infrastructure as code (IaC) are multiplying the potential attack surface, thereby identifying critical new priorities for application security.

 

The Global Pulse of AppSec report also included these key findings:

86% of software developers and AppSec managers surveyed have or know someone who has knowingly deployed vulnerable code

An average 60% of vulnerabilities are detected during the code, build, or test phase, according to AppSec managers surveyed

CISOs surveyed see the highest-priority security risks at their organizations as being:

o Increased use and exposure of APIs (37%)

o Open source software supply chain risks (i.e., malicious code) (37%)

o Application containerization risks (37%)

o Open source software risks (36%)

o Infrastructure-as-code risks (36%)

•       Surveyed AppSec managers who have experienced breaches say that the top three causes include:

o Open source software supply chain attacks (41%)

o Stolen credentials, secrets or weak authentication/authorization (40%)

o Known and/or unknown vulnerabilities in code released to production (39%)

Only 34% of developers surveyed report that their AppSec scans are completely integrated and automated into their software configuration management (SCM) systems, integrated development environments (IDEs) and continuous integration (CI) / continuous delivery (CD) tooling

●        Only 22% of surveyed CISOs believe that their developers are highly proficient in AppSec best practices

 

“Our research underscores how the complexity of cloud-native applications has ushered in a bevy of new risks at a time when digital transformation is a key enterprise goal,” said Sandeep Johri, CEO at Checkmarx. “A comprehensive ‘shift everywhere’ approach to AppSec ensures that vulnerabilities can be addressed at any point during the software development lifecycle. This can become both an enabler of transformation and a strong differentiator for the enterprise that can prove its advanced AppSec posture, ultimately priming the business for success.”

 

Checkmarx Makes Shift Happen

RSA attendees can see the industry’s most complete solution for shifting everywhere and reducing risk in AppSec at booth #1335 in the South Hall. Checkmarx will be giving demonstrations of its industry-leading Checkmarx One™ Application Security Platform in the RSA Conference Expo Hall, featuring all-new capabilities available in its latest release:

●     Dart and Flutter Support: The industry’s first incorporation of Dart and Flutter, supporting one of the most popular mobile technologies in the market today

●     Private-package Scanning:  Allows for scanning of second-party code in any project within Software Composition Analysis (SCA) and delivers information on potential risks

●     2MS for Supply Chain Security: A new secret detection engine, 2MS, which is an open source project that protects sensitive information like passwords, credentials, and API keys from appearing in public websites and communication services

●     DAST: Dynamic application security testing, including testing of internal (over-the-firewall) applications

●     Exploitable Path for C#: Powered by Checkmarx Fusion and available within SCA

●     VS Code Plugin: Helps developers easily understand the risks of their open source packages


Talent and training partner, mthree, which supports major global tech, banking, and business...
On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
Humans may do a lot less of the testing themselves in the future, but they will still have to peer...
JFrog has released the findings of an IDC survey indicating developers are spending significantly...
New research from Mendix finds that low-code tools are no longer simply a tactical solution for...
Global study of over 1,300 tech professionals uncovers opportunities for enhanced security training...
Global IT Business-to-Business (B2B) revenues, coming from data centers, IT services and devices,...
Confluent adds Table API support for Apache Flink® making it even easier for developers to use...