86 percent of developers knowingly deploy vulnerable code
According to a new study, 86 percent of software developers and AppSec managers surveyed have or know someone who has knowingly deployed vulnerable code.
What's more, the study from Checkmarx shows that 88 percent of AppSec managers surveyed have experienced at least one breach in the last year as a direct result of vulnerable application code.
An average of 60 percent of vulnerabilities are detected during the code, build, or test phase, according to the survey of over 1,500 CISOs, AppSec managers, and software developers around the world.
Only 34 percent of developers surveyed report that their AppSec scans are fully integrated into and automated within their software configuration management (SCM) systems, integrated development environments (IDEs) and continuous integration (CI) / continuous delivery (CD) tooling.
The CISOs surveyed rank the increased use and exposure of APIs (37 percent) as the highest-priority security risk at their organizations. Other priority risks include the open source software supply chain, i.e., malicious code (37 percent), application containerization (37 percent), open source software (36 percent) and infrastructure-as-code risks (36 percent).
AppSec managers who have experienced breaches say the top three causes are open source software supply chain attacks (41 percent); stolen credentials, secrets or weak authentication/authorization (40 percent); and known and/or unknown vulnerabilities in code released to production (39 percent).
"Our research underscores how the complexity of cloud-native applications has ushered in a bevy of new risks at a time when digital transformation is a key enterprise goal," says Sandeep Johri, CEO of Checkmarx. "A comprehensive 'shift everywhere' approach to AppSec ensures that vulnerabilities can be addressed at any point during the software development lifecycle. This can become both an enabler of transformation and a strong differentiator for the enterprise that can prove its advanced AppSec posture, ultimately priming the business for success."
You can get the full report from the Checkmarx site.