Hope Goslin, Author at Checkmarx
https://checkmarx.com/author/hopegoslin/

It’s Here: The Global Pulse on Application Security Report
https://checkmarx.com/blog/its-here-the-global-pulse-on-application-security-report/
Tue, 25 Apr 2023 16:13:37 +0000

The application security landscape is in a state of constant flux. Tools that were once sufficient for securing your applications may no longer be enough.

To better understand the state of application security, including present and future development trends, we conducted a survey of more than 1,500 CISOs, AppSec managers, and developers worldwide with an independent research agency, Censuswide, and reviewed internal data from Checkmarx One™ — our cloud-based application security platform.

After evaluating the internal and external findings, we were able to identify common tendencies amongst roles and draw conclusions around topics such as AppSec scan use, secure code training practices, development practices, budget constraints, and digital transformation efforts.

We hope that you take the time to comb through our second annual ‘Global Pulse on Application Security‘ report, but in the meantime, here’s a small sampling of the findings.

Modern development practices bring modern risks

There’s been an ongoing trend in application security over the past few years: the need for speed. As we saw in this year’s Global Pulse on Application Security report, technological advances and increased connectivity have heightened reliance on software, especially applications. To keep up with consumer demands and remain competitive in the software space, enterprises are prioritizing speed to market through digital transformations and modern development tactics such as increased use of open source libraries, APIs, microservices, and containers.

But new approaches to hosting, building, and deploying applications bring new risks and attack surfaces. In fact, 88% of organizations experienced at least one breach in the past 12 months — most of which were the direct result of modern development practices [shown below in Figure 1 from the report].

Vulnerabilities are found throughout the software development life cycle

A few years ago, “shift left” was the mantra that every development and security team lived by. But is that still the right approach?

Our report uncovered that vulnerabilities are found throughout the software development life cycle (SDLC), not only in the beginning phases.

“60% of vulnerabilities are detected during the code, build, or test phases, and 40% are found during the production phase.”

What does this finding mean? By shifting AppSec testing to the left and only testing at the beginning of the SDLC, you could miss vulnerabilities further down the line, like in production.

Organizations are not satisfied with their current AppSec testing tools and plan to make changes

The secret is out: 98% of software developers are not satisfied with their security testing tools. The survey revealed that the most common complaints around testing tools include “way too many false positives,” and “no correlation of scan results,” among others.

It also doesn’t help that most AppSec testing tools do not easily integrate and automate into developers’ existing tools and processes.

“Only 34% of developers responded that their AppSec scans are completely integrated and automated into their SCMs, IDEs, and CI/CD tooling.”

With discontent around testing tools from developers, it comes as no surprise that 99% of AppSec managers plan to add new testing solutions or strategies over the next 12 months.

Responses show a need for an AppSec platform in order to ‘shift everywhere’

From the findings, it’s safe to surmise that organizations developing modern software need to take a step back and look holistically at their application security. For starters, application security needs to be embedded into every phase of the SDLC, not just at the beginning. In other words, organizations should not only shift left but also shift right, a concept referred to as “shifting everywhere.”

By shifting AppSec everywhere, organizations can find and fix vulnerabilities faster, significantly reducing time to market and lowering costly rework to remediate vulnerabilities. This helps ensure that new technologies and architectures are secure.

The findings in this year’s ‘Global Pulse on Application Security’ report also point to the importance of a cloud-based platform approach. By having all of your AppSec testing tools with one vendor on a unified platform, development teams can seamlessly integrate scans into their CI/CD pipelines and defect-tracking systems, creating better automation and a more efficient feedback loop. Empowering developers to be in the driver’s seat with AppSec initiatives not only helps foster a stronger relationship between development and security teams but also frees up the security team to concentrate on product security.

One unified AppSec platform, like Checkmarx One™, can also help organizations to prioritize vulnerabilities. Checkmarx One offers unique scan correlation capabilities that provide actionable insights into vulnerabilities across scan types and applications so you know what fixes will make the greatest impact in the shortest period of time. And given that Checkmarx One offers testing tools to reduce risk across all components of modern software — including proprietary code, open source, APIs, and Infrastructure as Code — there’s no need to juggle multiple AppSec vendors.

Ready to dig deeper?

We hope you’ll explore the ‘Global Pulse on Application Security’ report to learn additional insights from your industry peers and to inform the decisions you make about your own AppSec program.

Get the full report.

Customer Spotlight: Pismo Builds Strong Security Culture
https://checkmarx.com/blog/customer-spotlight-pismo-builds-strong-security-culture/
Mon, 06 Feb 2023 14:32:10 +0000

Since its founding in 2016, Pismo has rapidly gained global recognition for continuing to drive innovation and empowering some of the largest banks, financial institutions, and marketplaces—all while keeping high security and availability standards at the forefront for their digital banking and payment solutions.

The Brazil-based technology company, which has offices in the United States and the United Kingdom, provides an all-in-one, cloud-native platform for banking and payments processing on AWS. It provides APIs for customers’ web or mobile applications so they can leverage Pismo’s infrastructure as their back end. Using Pismo, banks and financial technology companies are able to quickly launch secure payment solutions.

Since payment applications host a wealth of personally identifiable information, they need to be verifiably secure. Customers repeatedly choose Pismo because it takes security very seriously.

In a recent effort to further ensure the security of its software, Pismo brought onboard Ubirajara Aguiar Jr. to build and lead the DevSecOps team. Aguiar immediately stepped up to the plate, assessing the state of application security (AppSec) and identifying areas for improvement.

His recommendations included moving security further left—earlier in the software development lifecycle (SDLC)—and leveraging an AppSec vendor with a more comprehensive and scalable suite of testing types.

“We evaluated AppSec vendors with high ratings from Gartner. As a leader in the Gartner Magic Quadrant, Checkmarx was a strong contender,” said Aguiar.

To narrow down the list of potential vendors, Pismo’s DevSecOps team came up with a list of “must-have” capabilities. For starters, the chosen solution needed to support multiple development languages, offer bi-directional integration with bug tracking tools, create and close tickets automatically, and identify reoccurring false positives. The solution also needed to be developer friendly, with the ability to integrate and automate into developers’ existing tools and processes.

“We always kept our developers in mind when thinking about the new tools,” Aguiar explained. “We wanted the transition to be smooth and transparent and didn’t want them worrying about dealing with tickets or keeping track of cards. We specifically looked for tools that would make our developers’ work easier and more productive.”

Last, but just as important, the tool needed to allow for flexible policies to break the build if high- or medium-risk vulnerabilities were identified.

Checkmarx met the list of requirements and then some, making it the clear winner. The first Checkmarx solution that Pismo invested in was Static Application Security Testing (SAST).

SAST is an enterprise-grade application security testing solution that provides high-speed, fully automated, flexible, and accurate source code analysis to identify security errors that could lead to vulnerabilities in custom code. With the flexibility to run full and incremental scans whenever needed, Checkmarx SAST provides Pismo with comprehensive, highly accurate reports that prioritize vulnerabilities according to their severity, guiding developers on what they need to remediate first. Checkmarx SAST also supports a full list of programming languages and frameworks.

Pismo also invested in Checkmarx Software Composition Analysis (SCA), which integrates with SAST.

Pismo uses SCA in the cloud to provide extensive security coverage for custom and open-source code. With Checkmarx SCA, Pismo is able to uncover vulnerabilities not only in the third-party code that their developers directly use but also vulnerabilities in any dependencies that the third-party code calls on.

Since onboarding the tools, there has been a major shift in Pismo’s security culture. “Developers have been actively using Checkmarx SAST and SCA,” Aguiar stated, and it certainly helps that “the tools are so well integrated into our processes.”

Pismo already has policies in place for Checkmarx SAST. “The teams fix only low-risk issues, and Checkmarx blocks the merge of any new high or medium-risk issues. That’s a great feeling.”

The team is also working hard on the Checkmarx Software Composition Analysis strategy. “We’re now focused on assessing vulnerabilities and giving them one of four ratings: one being most critical and vulnerable; two being potentially vulnerable but not enough information; three being using packages with reported vulnerabilities, but not under vulnerable conditions, and four being using outdated packages with no vulnerabilities,” said Aguiar.

The risk reduction has been so impressive that Aguiar and his DevSecOps team have been able to show Pismo’s Head of Information Security/CISO Leonardo Carmona and business executives the critical metrics and KPIs that show progress since deploying Checkmarx.

“We created a chart plotting risks and vulnerabilities and, at first, there were a high number of issues with high risk. Now, every single one of them is at the zero mark, since they’ve all been fixed,” Aguiar concluded. All in all, “the money we invested in Checkmarx was well spent.”

Pismo is excited to continue working with Checkmarx to keep its applications and customers safe.

Learn more

To learn more about the challenges and solutions that led to Pismo’s success, download the full case study.

A Developer’s View: What Kind of AST Event Correlation Is Needed in MAD?
https://checkmarx.com/blog/a-developers-view-what-kind-of-ast-event-correlation-is-needed-in-mad/
Thu, 15 Sep 2022 22:25:14 +0000

Having AST capabilities built into the tooling that we use in our day-to-day tasks as developers provides a lot of value when we’re trying to deliver reliable and secure products, even though it can feel like an excessive requirement that’s just there to meet corporate standards. There are IDE plugins for performing local checks before you commit to Git, and it seems like there are countless scanners throughout the CI/CD pipeline, from pull requests to production. Each one has a reason to be there, and each one is significant for maintaining a secure application profile.

These scans do provide valuable data. For example, they can find places that reference old libraries, which could lead to defects and after-hours calls from panicked operations folks. In addition to reducing avoidable defects, scans can identify unused variables and dependencies that cause application bloat. They can even make sure that the code is styled in the same way (so you can finally pick a winning side in the tabs vs. spaces flame war).

So Many Places, So Little Time

The larger and older your organization is, the more likely it is that you’re using scanning technology that’s been mixed and matched. There are a few reasons for this. For one, the organization’s suite of tools was likely assembled over time, which probably involved finding solutions to new requirements in a vacuum. The chosen tool might have been best-of-breed or the absolute cheapest available, depending on who was running the procurement cycle at the time. In addition, the organization might lack a centralized approach, either because they just allowed different development groups to do their own thing, or because they experienced many different mergers and left acquisitions semi-autonomous.

In an environment where there are multiple tools from multiple vendors, each with its own method of retrieving data, it can be a daunting task for a developer just to remember all of the scans that he or she needs to perform, not to mention keep track of where to get the results of each one. In situations like this, aggregation can be a huge help.

There are several different levels of aggregation, and achieving any one of them is a step in the right direction. For example, you can aggregate the process of kicking off all of your scans using hooks in your favorite version control software at a certain gateway step (like a merge request). This approach allows developers to find all of the results for any scans that the organization requires. You can even have them block requests until any issues are resolved.

For example, you might see something like this if you’ve integrated scans into GitHub pull requests:

[Figure: scan results shown on a GitHub pull request; image not reproduced here (source: https://github.com)]
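The first level of aggregation described above (kick off every required scan from a version-control hook at a gateway step and block the merge request until the issues are resolved) comes down to three pieces of logic: normalise each scanner's report into one shape, collapse findings that several scanners report for the same thing, and apply a policy such as the one Pismo describes (block the merge on high- or medium-risk issues, leave low-risk ones to the team). The following is an added example written for this page, not code from Checkmarx or from any scanner; the two scanner reports, their field names, and the package and rule names are constructed sample data, and the only standard assumed is the CVSS v3 qualitative severity bands used to turn a score into a label.

```python
"""Merge gate over aggregated scanner output (added illustration, not vendor code).
Two scanners with different report shapes are normalised into one finding list,
duplicates are collapsed, and a severity policy decides whether to block."""
from dataclasses import dataclass
from typing import Iterable

# Constructed sample: a SAST-style report keyed by file/line with a named severity.
SAST_REPORT = {
    "tool": "sast-example",
    "results": [
        {"rule": "sql-injection", "file": "app/db.py", "line": 42, "severity": "High"},
        {"rule": "weak-hash", "file": "app/auth.py", "line": 17, "severity": "Medium"},
        {"rule": "unused-import", "file": "app/util.py", "line": 1, "severity": "Info"},
    ],
}

# Constructed sample: an SCA-style report that carries a CVSS score instead of a label.
SCA_REPORT = {
    "tool": "sca-example",
    "vulnerabilities": [
        {"package": "examplelib", "version": "1.2.0", "id": "EXAMPLE-0001", "cvss": 9.1},
        {"package": "otherlib", "version": "0.9.3", "id": "EXAMPLE-0002", "cvss": 3.2},
    ],
}

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]  # ascending


@dataclass(frozen=True)
class Finding:
    source: str    # which scanner produced it
    key: str       # stable identity used to correlate the same issue across scanners
    severity: str  # normalised to one of SEVERITY_ORDER
    detail: str


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3 base score onto the label scale using the standard qualitative bands."""
    for limit, label in ((0.0, "info"), (3.9, "low"), (6.9, "medium"), (8.9, "high")):
        if score <= limit:
            return label
    return "critical"


def normalise_sast(report: dict) -> list[Finding]:
    return [
        Finding(report["tool"], f"{r['file']}:{r['line']}:{r['rule']}",
                r["severity"].lower(), r["rule"])
        for r in report["results"]
    ]


def normalise_sca(report: dict) -> list[Finding]:
    return [
        Finding(report["tool"], f"{v['package']}@{v['version']}:{v['id']}",
                cvss_to_severity(v["cvss"]), v["id"])
        for v in report["vulnerabilities"]
    ]


def correlate(findings: Iterable[Finding]) -> dict[str, Finding]:
    """Collapse findings that share a key, keeping the highest severity any scanner reported."""
    merged: dict[str, Finding] = {}
    for f in findings:
        prev = merged.get(f.key)
        if prev is None or SEVERITY_ORDER.index(f.severity) > SEVERITY_ORDER.index(prev.severity):
            merged[f.key] = f
    return merged


def evaluate_gate(findings: dict[str, Finding], block_at: str = "medium") -> tuple[bool, list[str]]:
    """Block when any finding is at or above block_at; return (blocked, human-readable reasons)."""
    threshold = SEVERITY_ORDER.index(block_at)
    reasons = [
        f"{f.source}: {f.detail} ({f.severity}) at {f.key}"
        for f in findings.values()
        if SEVERITY_ORDER.index(f.severity) >= threshold
    ]
    return bool(reasons), sorted(reasons)


def run_gate(reports: list[dict], block_at: str = "medium") -> tuple[bool, list[str]]:
    """Normalise every report by its shape, correlate, and apply the policy."""
    findings: list[Finding] = []
    for rep in reports:
        findings.extend(normalise_sast(rep) if "results" in rep else normalise_sca(rep))
    return evaluate_gate(correlate(findings), block_at)


if __name__ == "__main__":
    # A hook or CI job would exit non-zero to block the merge request.
    blocked, reasons = run_gate([SAST_REPORT, SCA_REPORT])
    print("BLOCKED" if blocked else "OK", *reasons, sep="\n - ")
    raise SystemExit(1 if blocked else 0)
```

With the sample data the gate blocks on three findings (the SQL injection and weak hash from the SAST report, the critical package from the SCA report) and ignores the info- and low-level ones, which matches a "fix low yourself, block on medium and above" policy; raising `block_at` to `"critical"` leaves only the package finding. The `key` is what makes correlation possible: two scanners that identify the same file, line and rule, or the same package version and advisory, collapse into one entry instead of two tickets.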

Another example of aggregation is a dashboard that combines all of the results into a single, easy-to-access view. This approach doesn’t seem to be as common, since some of the tools involved may not have an API or an easy point of integration. Some organizations, however, have the luxury of standardizing their security testing with a single vendor that provides end-to-end integrations and a convenient console. This usually comes about when the organization finally gets serious about its investment in security.

One View to Rule Them All

Single-vendor consoles come closest to what a developer might consider the peak of ease-of-use, which would be the correlation of all results from all scans against any application code base in context.

Bits and pieces of this ideal do exist – like the ability to show a list of dependencies that are out of date, or the ability to show static code results in an IDE by highlighting lines that are not up to the required standards. But it isn’t all shown in context, and it’s missing other things – like the results of IAST scans that can pinpoint a dependency or line of code that’s causing an error.

Once these bits and pieces have been brought together in a single console, vendors could take it even further by integrating runtime data generated by CWPP, CASM, CWPS, or CNAPP tooling (which watches the live environment and constantly looks for ways to improve and areas that need attention). Vendors could also extend beyond security data to include APM suites that developers use to gather usage data that allows them to fine-tune and enhance their applications.

Conclusion

Aggregating the results of all the various security scans that an application undergoes from keyboard to production in a single place is a great first step. It would be even better if you had a few entry points to get to the results. But having a centralized view where you could see all of the relevant issues while viewing the code would be best. Vendors are getting there, and developers are just waiting for them to take that next step so that all of that consolidated data can be brought into their safe place: the code. Instead of merely achieving an operations-friendly environment, this last step would create a utopia for developers.

If you’re looking to leverage a single vendor for all of your AppSec needs, consider the Checkmarx One™ Application Security Platform. Checkmarx One is built from our industry-leading AppSec solutions—SAST, SCA, IaC, API Security, Container Security, and Supply Chain Security (SCS)—and delivered from the cloud. It provides rapid, correlated, and accurate results to speed remediation all on a single, unified report.

Bio

Vince Power is an Enterprise Architect with a focus on digital transformation built with cloud-enabled technologies. He has extensive experience working with Agile development organizations delivering their applications and services using DevOps principles including security controls, identity management, and test automation. You can find @vincepower on Twitter.