Jonathan Singer, Author at Checkmarx
https://checkmarx.com/author/jonathansinger/
The world runs on code. We secure it.
Mon, 11 Nov 2024 13:45:21 +0000

Getting to DevSecOps: How to Change Culture
https://checkmarx.com/blog/getting-to-devsecops-how-to-change-culture/
Thu, 31 Oct 2024 09:40:45 +0000

“According to Gartner® survey data, there is a 27% improvement to security outcomes when there is a high-level of collaboration between developers and security. However, only 29% of those surveyed say the two groups strongly agree with each other.” – Gartner, DevSecOps Maturity Model for Secure Software Development, 29 August 2024

In my last blog post on DevSecOps, I discussed an informal, internally developed maturity model for DevSecOps and posited that “DevSecOps represents the reality that DevOps must grow to encompass security.” The quote above by Gartner highlights the importance of making this shift. We know that better security outcomes are possible, but security and development teams are often on completely different pages. But the question is – how do we get there from here? 

If we agree DevSecOps is the necessary evolution of DevOps, then we need to look back at DevOps. What was DevOps? It was a massive change in the culture of application development. Therefore, DevSecOps is the continued merging of organizational cultures that began with DevOps.

So again – why is this so difficult, and how do we get there from here? 

AppSec is From Mars – Developers Are From… Mercury? 

The proposed culture merger between security and DevOps is particularly thorny because of the environments that these groups of people generally come from. Again, we emphasize groups of people because moving to DevSecOps is fundamentally a human issue.

Developers and DevOps teams live in the IDE. They (should) have big chunks of uninterrupted “maker time” (to borrow from Paul Graham’s 2009 essay). Their job is to “move fast and break things.” Get to minimum viable product. Get feedback. Iterate. Produce!

Security comes from a different place. Whereas DevOps teams are told to move fast and break things, the goal of security is to never ever let anything break! They are bombarded by alerts that interrupt work.

So, when Gartner says “only 29% of those surveyed say the two groups strongly agree with each other” – this, I believe, comes down to culture and measurement.

The key to changing culture is in understanding the fundamental mindset of these teams and getting them aligned, and we’ve come up with five requirements to keep in mind when pushing internal change.

If you’re familiar with DevOps, you’ve likely heard of Jez Humble’s (co-author of The DevOps Handbook) CALMS framework. CALMS refers to the five proposed pillars of DevOps:

  • Collaboration/Culture 
  • Automation 
  • Lean  
  • Measurement 
  • Sharing 

We have come up with five requirements, aligned to CALMS, that will help move the needle on culture from DevOps to DevSecOps: 

  • Integrations 
  • Shared measurements  
  • Security education 
  • Security velocity that matches DevOps 
  • Automating security processes 

We’ll be covering each of these five requirements in an upcoming series of short blog posts; but you’ll notice that the goal of each requirement is to start aligning teams with the needs of the others: 

  • Integrations get security teams thinking about how developers work, and how to keep them productive. 
  • Building shared measurements gets teams aligned on their goals so that they begin to have a shared language and outcomes they can agree on. 
  • Security education helps developers understand security, while also building their own skillsets; helping build careers and making security tasks faster and more efficient. 
  • Matching security velocity to DevOps helps developers feel like security is part of the process rather than a roadblock to it. 
  • Automations are the core of DevOps and make everyone happier and work more efficiently! 

So again – Step 1 to getting on the road to DevSecOps is building commonality between your teams. Without common goals, and without demonstrating that each group is starting to care about the others’ needs, you’ll never properly address the human issues at the core of DevSecOps.  

Our next blog will dive deeper into integrations, and how you can use them to build DevSecOps culture. But if you can’t wait for our next blog – we’ve got a special treat for you! In this blog we quoted a fantastic report from Gartner that includes their own formal, highly detailed maturity model, complete with five dimensions, each addressing what they consider to be a separate domain of DevSecOps. We like the Gartner report so much, that we’d like to offer our readers complimentary access. Please access the report, on us

There are two sections in particular that I’d like to highlight here to help you change your organization’s culture – and they aren’t the maturity model. They are the fully detailed descriptions of a DevSecOps Community of Practice and DevSecOps enabling teams. Below we’ll discuss each of these recommendations and give examples of how Checkmarx has seen these to be highly effective in our customer organizations. 

DevSecOps Communities of Practice 

“While software engineering leaders can pursue many of the maturity improvements in this model alone, reaching a desired maturity state requires collaboration with the rest of the technology organization. A CoP can cooperatively drive an implementation strategy between departments.” – Gartner, DevSecOps Maturity Model for Secure Software Development, 29 August 2024 

Based on our real-world experience working with customers, Checkmarx can readily validate this finding. We have worked with hundreds of organizations at different levels of maturity, including some excellent AppSec practitioners and organizations. However, time and again we have seen that no matter the quality of the AppSec team, it cannot truly succeed in meeting the needs of a DevOps organization without the buy-in of, and collaboration with, other functions within the organization.


Going back to our own maturity model, we have seen many excellent AppSec teams stuck at the bottom of this model. Gartner recommends building a Community of Practice out of five key domains: 

  1. Cybersecurity 
  2. Software Engineering 
  3. Infrastructure and Operations 
  4. Platform Engineering 
  5. Business Units 

Gartner gives excellent advice in the report on how to create and operate a Community of Practice within these teams. We recommend reading the details and urge you to remember what we have already covered – these teams must build common goals. Getting representatives from five different organizations in the room does not guarantee success. Remember that DevSecOps is about taking the needs and outcomes of security – risk management and mitigation – and integrating them into the process and culture of DevOps. If that is not the shared goal of everyone in your Community of Practice, the effort will fail. 

DevSecOps Enabling Teams 

“An enabling team’s purpose is to help trailing teams upskill and onboard to new tools and knowledge.” – Gartner, DevSecOps Maturity Model for Secure Software Development, 29 August 2024 

This is fantastic advice and goes along with the industry’s push towards Security Champions. We’ve seen this put into practice at some of our more advanced customers. The goal is to create a small group of security experts and have them work with other development teams as coaches and mentors with regard to security. This pairs well with ASPM, where your security team is able to analyze vulnerability data to identify which development teams are most in need of support from security experts. Enabling teams can then be sent to mentor and support those teams, helping them uplevel their skills and write secure code more consistently. We highly recommend finding senior developers with an interest in (or prior knowledge of) security to take on this role. Checkmarx worked with a major Western European broadcast customer where the security champion program was actually started by a developer (vs. AppSec). They went on to build a small, successful program that partnered closely with the AppSec teams to raise security awareness across the organization.

If they can do it, so can you! 

Thanks again for taking time here today! This blog is the second in our series on DevSecOps. Our next blog will focus on using integrations to build DevSecOps culture. In the meantime, please don’t forget to read the Gartner report: DevSecOps Maturity Model for Secure Software Development

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

DevSecOps: What DevOps NEEDS to Be When It Grows Up
https://checkmarx.com/blog/devsecops-what-devops-needs-to-be-when-it-grows-up/
Tue, 08 Oct 2024 07:48:32 +0000

DevOps Security: Where Are We Now?

DevOps represents the fundamental cultural shift in software engineering towards performance: high performing teams, and high performance code.

In DevOps, security was never a primary consideration.

DevSecOps represents the reality that DevOps must grow to encompass security. Eventually, performant code will mean secure code by default – but we’re not there yet. How do we get there?

Let’s start with where we are now. Earlier this year, Checkmarx ran a survey asking CISOs about their current AppSec programs. One of our questions specifically asked: “Where are you on your DevSecOps journey?” You can see the answers below:

[Figure: DevOps security maturity survey results]


On the surface, this doesn’t look too bad… until you consider the details. Based on our scaling, “medium” only represents the “definition and strategy” phase. The actual process of integration and automation is where companies actually start “doing” DevSecOps, and only 1 in 5 companies surveyed have reached that stage in some form.

And let’s be clear – integration and automation are the goals of DevSecOps. DevSecOps is about taking the needs and outcomes of application security and integrating them with the processes and culture of DevOps. In 10 years, there should be no difference between “DevOps” and “DevSecOps.” DevSecOps is just what DevOps needs to be when it grows up.

DevSecOps: The Path to Maturity

OK – how do we get there? If I were to create a rough sketch of DevSecOps maturity, it would look like this:

[Figure: DevSecOps maturity progress diagram]


Let’s start on the bottom. This is traditionally where AppSec finds vulnerabilities, and essentially throws them over the wall to developers and says “here, fix these.” I have some bad news for you: this is actually “Shift Left” in action. Maybe that’s flippant and a bit unfair, but it is the base level of maturity that puts organizations on the road to DevSecOps.

The next level focuses on the developer experience. Here, AppSec teams and developers alike realize that “Shift Left” isn’t really working. Not because anyone is bad, uncaring, or unintelligent, but because it is only intended to be the first step. In that stage, AppSec got tools to find and triage vulnerabilities. Now developers need tools to manage those vulnerabilities themselves without breaking their workflow. The “developer experience” stage of maturity focuses on IDE-integrations, remediation guidance, and other ways to keep developers focused without greatly disrupting their flow.

But like “Shift Left”, focusing on the developer experience eventually hits diminishing returns. Organizations will get stuck, and then they will need to begin to move towards the third step of maturity. This is where you take the foundational understandings of the first two steps, and work to define a DevSecOps culture.

DevSecOps: Worth the Effort

Culture is hard to change, but luckily, DevOps people have done it before. If you go back to the early days of Agile and Scrum, teams would hold daily standups, and then go back to working exactly the way they had before. But, as modern DevOps organizations can confirm, it’s worth the effort. For DevSecOps, it’s also worth the effort. Here is an example of a Checkmarx customer’s journey, and you can see them go through the stages and the results:

[Figure: mature DevOps security remediation results]


This is a chart showing the number of vulnerabilities remediated by a Fortune 100 company, and it’s a powerful representation of what things look like when teams integrate.

If you’re curious about the types of things this customer did to get from the left to right side of the graph above, here we’ve got some examples ready based on where you are from a maturity standpoint:

Shift Left: If you just need to get something in place to start getting vulnerabilities over to developers, the easiest way is to integrate your AppSec tools with your feedback tool (be careful here: you don’t want to suddenly shunt 10,000 JIRA tickets over to the devs, so set some policies around it). Click here to see a video showing how easy the integration is to do with Checkmarx.
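To make the “set some policies around it” advice concrete, here is an added example of a policy gate that sits between a scanner and a ticketing system. It is illustrative code written for this page, not Checkmarx One’s integration or API: the findings are constructed sample data, and the policy values, field names and ticket shape are assumptions to adapt to your own scanner output and tracker. The point is that the hand-off filters by severity, drops recurrent and out-of-scope findings, dedupes by fingerprint, and caps the number of tickets per run, while still counting everything it suppressed so the AppSec team can tune the policy deliberately rather than silently.

```python
"""Policy gate between a SAST scanner and an issue tracker.

Added example, not Checkmarx code. Findings are constructed sample data and
the policy values are illustrative assumptions; adapt both to your own
scanner output and ticketing fields.
"""
from collections import Counter
from dataclasses import dataclass

# Rank severities so a threshold like "high" can be compared numerically.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    fingerprint: str  # stable hash of (rule, file, sink); lets re-scans dedupe
    rule: str
    severity: str
    file: str
    state: str        # "new" or "recurrent" relative to the previous scan


# Constructed scan output: one critical, several highs, a medium, a duplicate,
# a recurrent finding and one in test code.
SAMPLE_FINDINGS = [
    Finding("f1", "SQL_Injection", "critical", "src/orders/repo.py", "new"),
    Finding("f2", "Reflected_XSS", "high", "src/web/views.py", "new"),
    Finding("f2", "Reflected_XSS", "high", "src/web/views.py", "new"),  # duplicate
    Finding("f3", "Hardcoded_Secret", "medium", "src/config.py", "new"),
    Finding("f4", "Path_Traversal", "high", "src/files.py", "recurrent"),
    Finding("f5", "SQL_Injection", "high", "tests/fixtures.py", "new"),
    Finding("f6", "Command_Injection", "high", "src/ops/run.py", "new"),
    Finding("f7", "Reflected_XSS", "high", "src/web/admin.py", "new"),
]

# Illustrative policy (assumption): only new, high-or-worse findings in
# production code, and never more than three tickets from one scan.
DEFAULT_POLICY = {
    "min_severity": "high",
    "new_only": True,
    "exclude_path_prefixes": ("tests/", "vendor/"),
    "max_tickets_per_run": 3,
}


def select_for_ticketing(findings, policy=DEFAULT_POLICY):
    """Return (findings_to_ticket, suppressed_counts_by_reason).

    Everything suppressed is counted so the AppSec team can see what the
    policy is hiding from developers and tune it on purpose.
    """
    threshold = SEVERITY_RANK[policy["min_severity"]]
    seen = set()
    kept = []
    suppressed = Counter()
    for f in findings:
        if f.fingerprint in seen:
            suppressed["duplicate"] += 1
            continue
        seen.add(f.fingerprint)
        if SEVERITY_RANK.get(f.severity.lower(), 0) < threshold:
            suppressed["below_threshold"] += 1
            continue
        if policy["new_only"] and f.state != "new":
            suppressed["not_new"] += 1
            continue
        if f.file.startswith(policy["exclude_path_prefixes"]):
            suppressed["excluded_path"] += 1
            continue
        kept.append(f)
    # Worst first, so the per-run cap trims the least urgent tickets.
    kept.sort(key=lambda f: SEVERITY_RANK.get(f.severity.lower(), 0), reverse=True)
    cap = policy["max_tickets_per_run"]
    if len(kept) > cap:
        suppressed["over_cap"] += len(kept) - cap
        kept = kept[:cap]
    return kept, suppressed


def ticket_payload(f):
    """Shape one finding into a tracker-agnostic ticket body (assumed fields)."""
    return {
        "title": f"[{f.severity.upper()}] {f.rule} in {f.file}",
        "body": f"Finding {f.fingerprint}: {f.rule} ({f.severity}) in {f.file}.",
        "labels": ["appsec", f.severity.lower()],
        "dedupe_key": f.fingerprint,
    }


if __name__ == "__main__":
    tickets, dropped = select_for_ticketing(SAMPLE_FINDINGS)
    for t in tickets:
        print(ticket_payload(t)["title"])
    print("suppressed:", dict(dropped))
```

Run against the constructed findings, the gate opens three tickets (the critical SQL injection and two of the four eligible highs) and reports one duplicate, one medium below threshold, one recurrent finding, one test-path finding and one high trimmed by the cap. The `dedupe_key` is what lets the next scan update an existing ticket instead of opening a second one for the same finding; that, more than the severity filter, is what stops the ticket flood the paragraph warns about.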

Developer Experience: The easiest way to start improving your developer experience is by integrating with their IDE of choice. This is also simple to do with Checkmarx, and here is a video showing how: Watch Now!

DevSecOps: We’ll explore the keys to DevSecOps in detail in the next blog, particularly culture, automation, and speed, but we mentioned the importance of policy management in our first bullet point. While designing policy is difficult – it relies on great communication between development teams and security teams – creating and implementing policy with Checkmarx is easy. Here’s a video showing how it’s done: Watch Now!

This blog is just the first in our series on DevSecOps. Our next blog will focus on how to change culture, the need for automation, and the true meaning of “speed” within the context of DevSecOps. In the meantime, the videos I just listed are only a few of those you can check out over on YouTube showing how easy it is for platform engineers and developers to integrate and work with Checkmarx One. Check them out here!

Make Better Decisions with Checkmarx One
https://checkmarx.com/blog/make-better-decisions-with-checkmarx-one/
Mon, 10 Jun 2024 08:52:35 +0000

We are excited to announce the General Availability of our newly updated and expanded analytics and reporting capabilities. With this release, we aim to improve the actionable insights we have already delivered and enable you and your teams to make better informed decisions and have a clearer understanding of your security posture. With Checkmarx One Analytics, you can track and measure your most important AppSec KPIs in one dedicated location.

Checkmarx One customers can access these capabilities.

Visibility for Better Decision-Making

If you’ve looked at the results from most vulnerability scanning tools, then you probably know this feeling: there is a ton of data in front of you, and it’s time to make decisions. Who should work on what next? What is actually important? How can I make the biggest impact? Is our AppSec program working, and are we making progress as a team? Security is about making decisions. To make good decisions, you need reliable data, and strong analytics capabilities. At Checkmarx, we spend a lot of time and effort building our products to help AppSec practitioners make better decisions – easier.

What’s New From Checkmarx?

Checkmarx One consolidates multiple market leading AppSec solutions into a single, unified platform. We know that many of our customers may be managing hundreds of apps and thousands of individual projects. That is a lot of data to analyze, correlate, and prioritize. It also means that your developers need to have bought into your AppSec program. Checkmarx’ updated analytics and reporting provides your team the data necessary to influence stakeholders, build trust, and make your organization more secure.

In this release, Checkmarx is improving your ability to do the following, in a single location:

  • Access & Analyze Security Data
  • Track Program Adoption and Success
  • Measure AppSec Trends and Security Posture

Let’s dive into each of these categories.

Access and Analyze Security Data: Enhanced Intuitive User Experience with Advanced Filtering Options

Checkmarx One Analytics simplifies the complex landscape of your security data through customization. Our new approach allows you to adapt Checkmarx One to the unique structural and strategic needs of your own organization. This personalized approach, coupled with powerful filtering and drill-down capabilities, transforms how security data is accessed, analyzed, and utilized for strategic decision-making. This is done through new unified security dashboards and advanced filtering.

  • Unified Security Dashboards: Checkmarx One Analytics offers a sophisticated, user-friendly platform that consolidates various security metrics into a single, intuitive dashboard. This unified approach provides a comprehensive overview, crucial for making informed decisions quickly and effectively. By presenting a holistic security landscape, these dashboards cater to the diverse needs of different organizational roles, from security analysts to top management.
  • Tailored Organizational Views Through Advanced Filtering: Recognizing that each organization has unique structures, projects, and priorities, Checkmarx One Analytics introduces advanced filtering capabilities. This feature empowers users to customize views according to their specific organizational hierarchy and business-critical areas. Whether it’s filtering by department, application, project, or any other relevant criterion, these dynamic filters allow users to hone in on the data they need for a tailored analytical experience. This granularity ensures that users can easily access and analyze the information that is most pertinent to their specific security concerns and questions, enhancing the overall efficiency and effectiveness of security strategies.

Tracking Adoption and Success: Comprehensive Insights for Optimized Platform Engagement

Checkmarx One Analytics acts as a strategic ally for organizations, providing deep insights into user engagement and technology utilization. By enabling easy identification of trends and anomalies, and empowering platform administrators with actionable data, it plays a pivotal role in optimizing the security and efficiency of the Checkmarx One platform.

Below are key features of this update:

  • In-Depth User Engagement Analytics: Checkmarx One Analytics significantly elevates the monitoring and tracking of user engagement within the platform. It offers an extensive array of metrics that comprehensively capture various aspects of user interaction. This includes tracking the progression of user onboarding, measuring the depth of project engagement, monitoring scan operations, and analyzing project-specific analytics. Such detailed insights are instrumental in understanding how users interact with the platform, which features are most utilized, and where there might be room for enhanced engagement or training.
  • Technology Utilization Patterns and Project Coverage: Another key area of focus within Checkmarx One Analytics is the analysis of technology utilization patterns. By observing and reporting on how different technologies and tools are being used within the platform, the analytics module provides valuable insights into technology adoption and effectiveness. This also extends to tracking the coverage of project scans compared to the actual number of projects open. Such metrics are crucial for platform administrators to ensure that all projects are adequately scanned and secured, thereby maintaining a robust security posture.
  • Easy Identification of Anomalies and Trends: One of the standout features of Checkmarx One Analytics is its ability to surface anomalies in the data easily. Whether it’s a noticeable decrease in scans over time, unequal distribution of workload across different engines, or discrepancies in project scan coverage, the platform quickly flags these anomalies. This capability enables platform administrators to swiftly identify and address potential issues, such as lapses in security practices or underutilization of platform capabilities.
  • Empowering Platform Administrators: The comprehensive insights provided by Checkmarx One Analytics are especially valuable for platform administrators. They are equipped with a powerful tool to oversee all platform activities, ensuring optimal utilization and efficiency. Administrators can make data-driven decisions to enhance platform adoption, streamline operations, and ensure that the full potential of Checkmarx One is realized across the organization.

Organizational Security Trends and Overall Posture: Measuring Success through Data-Driven Insights

Checkmarx One Analytics allows you greater insight into the effectiveness, current and historical, of your AppSec program. With key usage data at your fingertips, you can troubleshoot potential hitches in your AppSec process, and justify the time and resources your team invests in AppSec.

  • Visualized Application Security Evolution: Checkmarx One Analytics offers dynamic visualizations of an organization’s security trends over time. This includes comprehensive graphs depicting the emergence of new vulnerabilities alongside the progress made in addressing existing ones. Such visual tools are pivotal for understanding how the security landscape evolves within the organization, offering clear insights into both vulnerabilities and remediation efforts.
  • Enhancing Security Maturity with Data-Driven Insights: The platform’s ability to track and measure key security metrics provides an invaluable perspective on the organization’s overall security posture. This data-rich environment is instrumental in assessing the effectiveness of security strategies, enabling continuous refinement and improvement. By highlighting trends in vulnerability detection and resolution, Checkmarx One Analytics underscores the progress in an organization’s security maturity, guiding teams towards more informed and impactful security decisions.

Make Better Decisions with Checkmarx One

Building an effective AppSec program is hard. Investments in time and resources must be justified to the Board and C-suite, which is itself a challenge because it’s hard to connect the dots between the risk of a vulnerability and the likelihood of a data breach. In parallel, you must be able to make similar justifications to both the heads of operations and engineering to enlist the support of the developers, since you will need them to make any AppSec program viable. To make these justifications on an ongoing basis, you must be able to clearly articulate key metrics surrounding your AppSec program. Checkmarx One’s new analytics are another step on that road, making it easier to justify your investments, and build trust across your organization.

The new analytics features illustrated above are available immediately to all Checkmarx One customers. To start using them, simply click on the tabs in your UI, and get started.

If you’re not a Checkmarx One customer yet, and would like to learn more, follow the link below to schedule a demo. We can’t wait to speak with you!

Just Launched: Checkmarx AI Security
https://checkmarx.com/blog/just-launched-checkmarx-ai-security/
Sun, 05 May 2024 22:00:00 +0000

Why AI Security? Because you deserve a better answer than “because everyone’s talking about it.”

There are two key challenges around AI that make this an essential area for AppSec platforms to address. 

The first is that AI is disrupting the developer workflow that AppSec teams have worked hard to integrate with. We know that AI Large Language Models (LLMs) do not understand secure coding practices; however, developers are increasingly relying on them to maximize their coding output. This results in a flood of insecure code being directed at already resource-constrained AppSec teams. AppSec teams are finding themselves in an increasingly untenable situation, especially since many developers don’t understand or practice secure coding, nor prioritize AppSec.

This brings us to the second challenge: AppSec is already hard! AppSec teams are generally under-resourced; they rely on working with cross-functional teams with often opposing incentives; and they face an increasingly complex code environment. Analysis and prioritization of vulnerabilities has already been difficult, and they have long given up on the idea of getting their vulnerability count to zero. 

AppSec teams require cutting edge tools to keep pace – and Checkmarx delivers. Last year Checkmarx pioneered a strategic approach to help AppSec organizations get the most out of AI.  Today, we are excited to announce the second wave of AI Security features from Checkmarx!  

Checkmarx’ AI Vision

Checkmarx has a clear vision for the future of AI in supporting AppSec, and sees 3 key opportunities where we can provide meaningful assistance to our customers:

  1. The Developer Workflow: Developers are, and will continue to use, AI for code generation. By plugging AppSec tools directly into the AI tools, Checkmarx aims to help secure code from the first line written, while also securing the software supply chain.
  2. Accelerate AppSec Teams: AppSec teams want to use GenAI as a productivity tool in the same way that everyone else does. Checkmarx is creating tools and platform features to simplify AppSec management and increase daily efficiency for AppSec teams.
  3. AI-Based Attacks: The use of new technology always brings new risks, and AI tools are no different. Checkmarx will help customers protect against risks targeting AI tools in the new developer workflow.

Building towards this vision, Checkmarx has already supplied developers with core features to help support the changing developer workflow experience that AI has created.  These include our AI Security Champion for Infrastructure as Code (IaC), our AI Query Builder for reducing false positives, and our Checkmarx GPT integration that helps developers understand the open source risks of generated code.  

Our newly launched features build on that momentum with more ways that allow developers to embrace AI in a way that is both comfortable to their workflow, and is mindful of the business’s responsibility to their (and their customers’) data.

Auto Remediation for SAST

Resolving security vulnerabilities is a necessary evil for developers. It is often time consuming and involves significant research and context-switching.  Each vulnerability has its own background that needs to be understood before a meaningful solution can be drawn up and implemented. 

Our new auto remediation for SAST functionality, part of our AI Security Champion plugin, aims to significantly shorten the time and effort needed for developers to remediate vulnerabilities. Now developers can get meaningful recommendations presented to them, directly in their IDE, on how to resolve specific SAST vulnerabilities, making (not just finding but) resolving vulnerabilities much more practical and reasonable. 

Want to learn more? Read about it here.

Checkmarx GPT

Code is code, regardless of whether it is written by a developer, copied and pasted from OSS, or generated by AI. It all needs to be scanned, and if you want to scan AI-generated code successfully then you need to do it in real time. Checkmarx demonstrated how to do this with our initial Checkmarx GPT integration for ChatGPT, which allowed Checkmarx to analyze the generated code for malicious packages, hallucinations, and potential versioning and licensing challenges. We have further extended the Checkmarx GPT functionality by including the ability to perform a SAST scan as part of the process. Now, developers using ChatGPT can leverage a full security check of the generated code in real time and get remediation advice for specific vulnerabilities.

GitHub Copilot Integration

In the spirit of our Checkmarx GPT plugin, we know that many developers are using Copilot to drive their code generation needs. Many developers have Copilot integrated directly into their IDE, and just as we did with ChatGPT, we knew we needed to provide a real-time scan for Copilot-generated code.  Our VS Code Plugin for Checkmarx now supports real-time IDE scanning for all types of code, including Copilot generated code, which allows developers to get a super fast SAST scan of the code, as it’s being created. 

Read this blog post to get more details.

Prompt Security

Checkmarx cares about your data. We understand that for many organizations considering leveraging Generative AI, the risk of your data being accidentally leaked is tough to weigh. Checkmarx is partnering with Prompt Security to help secure all uses of Generative AI in an organization: from tools used by your employees to customer-facing applications. Checkmarx and Prompt are working together to help AppSec understand what is being passed to a Large Language Model, and providing ways to sanitize and block unwanted data from being shared.
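To show what “sanitize and block unwanted data” looks like at the simplest level, here is an added example of a pre-LLM prompt inspector. It is illustrative code written for this page, not Checkmarx or Prompt Security code, and the rule set and sample prompts are constructed assumptions (a real deployment needs far broader rules plus a logging path so AppSec can see what was sent and what was stopped). The design choice worth noticing is that the two classes of data get different treatment: a credential is blocked outright, because a redacted key is still a leaked key sitting in a developer’s clipboard and needs rotating, whereas personal data is masked so the developer’s actual question can still go through.

```python
"""Pre-LLM prompt inspection: block credentials, redact personal data.

Added example, not Checkmarx or Prompt Security code. The rules and sample
prompts are constructed assumptions; real deployments need broader rule
sets and a logging path so AppSec can see what was sent and what was stopped.
"""
import re

# (rule name, pattern, action). Credentials are blocked outright: a redacted
# key is still a leaked key in the developer's clipboard and must be rotated.
# Personal data is redacted so the underlying question still gets answered.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "block"),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "block"),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"), "block"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "redact"),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "redact"),
]


def inspect_prompt(text):
    """Return every rule hit as (rule, action, start, end), in text order."""
    hits = []
    for name, pattern, action in RULES:
        for m in pattern.finditer(text):
            hits.append((name, action, m.start(), m.end()))
    return sorted(hits, key=lambda h: h[2])


def sanitize_prompt(text):
    """Return (decision, text_to_send, triggered_rules).

    decision is "block" (nothing leaves the organization), "redact" (a masked
    copy leaves) or "allow" (the prompt is sent unchanged).
    """
    hits = inspect_prompt(text)
    triggered = sorted({h[0] for h in hits})
    if any(h[1] == "block" for h in hits):
        return "block", None, triggered
    if not hits:
        return "allow", text, triggered
    out = text
    # Replace from the end of the string so earlier offsets stay valid.
    for name, _, start, end in reversed(hits):
        out = out[:start] + f"<{name.upper()}>" + out[end:]
    return "redact", out, triggered


# Constructed sample prompts (the AWS key is the documented example value).
SAMPLE_PROMPTS = [
    "Refactor this function to use async IO",
    "Why does login fail for alice@example.com from 10.1.2.3?",
    "Here is my config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
]

if __name__ == "__main__":
    for p in SAMPLE_PROMPTS:
        print(sanitize_prompt(p))
```

On the constructed prompts the first is allowed unchanged, the second is forwarded as “Why does login fail for <EMAIL> from <IPV4>?”, and the third is blocked entirely. Returning the list of triggered rules alongside the decision is deliberate: that is the signal AppSec needs to see which teams are pasting what into which tools, which is the visibility the paragraph above is describing.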

AI in Your AppSec Program

It can get overwhelming trying to keep track of all the developments around AI. We are convinced they need to be integrated into your existing AppSec program purposefully, with a defined strategy and plan. So, we incorporated AI into our AppSec Maturity Model – APMA. When we discuss and assess your AppSec program with you, we will also consider your organization’s AI strategy. We will then work with you to build a way to leverage AI opportunities, while protecting against AI-related risks, using our AppSec AI solutions and best practices.

Learn More

As the adoption of generative AI in software development continues to grow, Checkmarx remains dedicated to guiding organizations through their AppSec journeys. By focusing on enhancing the developer experience, reducing false positives, and addressing the unique threats posed by AI, Checkmarx is paving the way for a more secure digital future. Our investment in advanced solutions reflects our commitment to not just identifying problems but also providing the solutions that empower developers to build safer, more secure software in the age of AI.

We’re at RSA this week and we encourage you to stop by our booth to see and participate in live demos of our most recent announcements, and check out the additional blogs linked within this blog post for more details! 

Get the most out of consolidation
https://checkmarx.com/blog/get-the-most-out-of-consolidation/
Tue, 07 Nov 2023 12:00:00 +0000

Does it feel like consolidation suddenly went from a low-priority item on your to-do list to something your enterprise needs now?

If you feel that way, you’re not alone. A recent global Checkmarx survey asked CISOs, AppSec managers and developers which risks they wanted to prioritize most. In roughly equal amounts of about 36%, leaders named APIs, open source and supply chain, containers, and infrastructure as code all as high priority.

Digital transformation means that enterprises have more business running on more applications, and these new architectures and infrastructure are creating a multifaceted attack surface. It’s also partially responsible for the increasing complexity that has become synonymous with running an effective application security program at an enterprise level. And it’s a key reason many are now prioritizing consolidation of their AppSec solutions.

Here’s why you should too, along with some points to consider before you do.

Enterprise AppSec should provide visibility into the entire application landscape

The high-velocity production of modern DevOps pushed application security teams to rapidly implement various AppSec scanning tools. Now they’re facing the consequences of a quickly built, patchwork AppSec program that was never designed to work seamlessly. The pieces aren’t integrated, the testing results aren’t always correlated, and the total cost of ownership isn’t quite what they’d hoped. 

Security teams must also maintain trust with the large, and often dispersed, development teams they depend on to fix vulnerabilities. But developers, faced with divergent point solutions cranking out AppSec alerts by the thousands, are often unsure which alerts are credible. When your developers can’t easily separate false positives and low-priority alerts from the high-risk findings that need attention first, the ensuing lack of trust can cripple your AppSec program.

For enterprise AppSec programs, the challenge is exponentially more complex due to sheer volume and scale. Their large development teams, billions of lines of code, hundreds of applications to release and support, and competing priorities make team alignment and trust that much more essential.

With so much at stake for enterprises, a consensus is forming around a solution: to consolidate into a fully integrated enterprise AppSec platform. 

Defining a true enterprise AppSec platform

Your enterprise deserves a purpose-built platform that works toward securing all your applications, starting from when your developers write their first line of code, through production and runtime. An enterprise AppSec platform should check a lot of boxes, including these:

  • AppSec scalability: Can it scale to handle your growing application footprint, with the speed to scan hundreds of apps, including their open source code, APIs, containers etc.?
  • Results you can trust: Can it be tuned to fit the needs of your enterprise, prioritizing alerts so developers can focus on the riskiest vulnerabilities? 
  • Holistic view of risk: Can it help your team understand risk across your entire application footprint? A platform must continually build its AppSec tools to work together and communicate seamlessly.
  • Developer experience: Can it easily integrate into your developer experience to allow devs to perform their AppSec duties right in their IDE? Can it motivate them to upskill with relevant, engaging training tailored to your organization’s needs?
  • Embracing the power of AI: Does your platform allow developers to use AI to write secure code? Can you use AI for query tuning to minimize alert fatigue?

An enterprise AppSec platform that shows you the whole picture of your risk

At Checkmarx, we have taken these criteria to heart. We built a full suite of AppSec tools that let you “shift everywhere” to secure application development throughout the SDLC. Our cloud-native Checkmarx One platform brings those tools together to give you the speed and ease of use that are crucial to a rapidly scaling enterprise.

We know that a full array of scanning tools isn’t enough, because few teams have the staffing and resources to deploy and manage them effectively. It’s why we built the technologies that make up Checkmarx One to talk to each other in smarter, and more insightful, ways. 

Checkmarx Fusion correlates Checkmarx One results across all its individual AppSec tools so you can easily prioritize remediation of your riskiest vulnerabilities. Fusion is key functionality in Checkmarx One, helping you manage your resources effectively and gain better control over your enterprise’s application security posture.

Here are a few Fusion use cases to consider:

Identify your riskiest apps – Fusion allows you to view the security posture of your entire application portfolio and footprint. It aggregates data from multiple AppSec tools and provides a comprehensive risk score for each scanned application, so you can quickly see what to prioritize.

Discover shadow APIs – Undocumented APIs, or shadow APIs, are easy access points for attackers. With Checkmarx, SAST and DAST work together to discover your applications’ shadow APIs.

Focus on what’s exploitable – Exploitable Path evaluates vulnerabilities in open source libraries and analyzes whether they are actually called by your application’s code. If not, they aren’t exploitable. By weeding these out, Fusion can reduce AST noise by 40%.
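The reachability idea behind this use case can be shown in a few lines of code. The following is an added illustration written for this post, not Checkmarx’s Exploitable Path implementation: it takes a constructed advisory list (hypothetical package and function names) that records the vulnerable function of each library, parses a constructed application source with Python’s `ast` module, and checks whether the application ever calls that function through any import alias. Findings whose vulnerable function is never reached are marked unreachable rather than deleted, because static call analysis cannot see dynamic dispatch such as `getattr` or plugin loading, and those findings should stay visible for review.

```python
"""Added example: reachability-based triage of open source vulnerability findings.

Illustrative code, not Checkmarx's Exploitable Path. Package names, advisory
ids and the application source below are all constructed for the example.
"""
import ast
from dataclasses import dataclass

# Constructed advisories: which function in which package is vulnerable.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "yamlkit", "function": "unsafe_load"},
    {"id": "ADV-EXAMPLE-2", "package": "imgtool", "function": "resize"},
    {"id": "ADV-EXAMPLE-3", "package": "yamlkit", "function": "safe_load"},
]

# Constructed application source. Note the alias "tn" for imgtool.thumbnail:
# tn.resize is imgtool.thumbnail.resize, not the advisory's imgtool.resize.
APP_SOURCE = '''
import yamlkit
from imgtool import thumbnail as tn
import imgtool

def load_config(path):
    with open(path) as fh:
        return yamlkit.unsafe_load(fh.read())

def make_thumb(img):
    return tn.resize(img, 64)
'''


@dataclass
class Finding:
    advisory_id: str
    package: str
    function: str
    reachable: bool
    call_sites: list  # source line numbers where the vulnerable function is called


class CallCollector(ast.NodeVisitor):
    """Record calls to imported names, resolving local aliases to module paths."""

    def __init__(self):
        self.aliases = {}  # local name -> fully qualified imported path
        self.calls = []    # (module_path, function_name, line_number)

    def visit_Import(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name.split(".")[0]] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        base = node.module or ""
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = f"{base}.{alias.name}"
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            # <alias>.<func>(...) where <alias> was imported
            module = self.aliases.get(func.value.id)
            if module is not None:
                self.calls.append((module, func.attr, node.lineno))
        elif isinstance(func, ast.Name) and func.id in self.aliases:
            # from <pkg> import <func>; <func>(...)
            module, _, name = self.aliases[func.id].rpartition(".")
            self.calls.append((module, name, node.lineno))
        self.generic_visit(node)


def triage(source, advisories):
    """Return one Finding per advisory, flagged reachable if the app calls the function."""
    collector = CallCollector()
    collector.visit(ast.parse(source))
    findings = []
    for adv in advisories:
        sites = sorted(line for module, name, line in collector.calls
                       if module == adv["package"] and name == adv["function"])
        findings.append(Finding(adv["id"], adv["package"], adv["function"],
                                bool(sites), sites))
    return findings


def reachable_ids(findings):
    """Advisory ids a team should fix first; the rest remain queued for review."""
    return [f.advisory_id for f in findings if f.reachable]


if __name__ == "__main__":
    for f in triage(APP_SOURCE, ADVISORIES):
        status = "REACHABLE" if f.reachable else "not reached"
        print(f"{f.advisory_id}: {f.package}.{f.function} {status} {f.call_sites}")
```

Running it shows only the first advisory as reachable: the application calls `yamlkit.unsafe_load`, never calls `yamlkit.safe_load`, and its `tn.resize` call resolves to `imgtool.thumbnail.resize` rather than the advisory’s `imgtool.resize`. That alias resolution is the part naive text search gets wrong in both directions, and it is why this kind of analysis works on the parsed program rather than on the source text.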

Visualize your vulnerabilities – The average cloud-native application can have hundreds, or even thousands, of different components. The Fusion Insights Dashboard provides a visual and textual representation of threats in an intuitive chart containing all software elements, consumed cloud resources, and the relationships among them. 

Correlate runtime protection – Runtime Insights gives you the full picture of your container once an application is in use, identifying what is and isn’t being called by your application. This connects the dots between pre-production and deployment, giving your team clear visibility into workloads that are running in production. This can help reduce vulnerability noise by up to 95%.

This just touches on the power of consolidating your AppSec tools into Checkmarx One. To learn more about how our platform delivers a holistic view of your AppSec risk, builds #DevSecTrust between your AppSec and development teams, and lowers your total cost of ownership, join our deep dive webinar on the topic.
