A survey of 1,519 application security stakeholders finds nearly all (98%) work for organizations that have experienced a security breach attributable to vulnerable code, with 81% acknowledging their organization has shipped code with known vulnerabilities into production environments.
Conducted by Censuswide on behalf of Checkmarx, the survey also finds more than a quarter of organizations (27%) experienced four or more breaches due to these vulnerabilities, with 38% reporting that vulnerable code is being shipped to meet a business, feature or deadline requirement.
Roughly a third of respondents are resigned to additional incidents occurring in the next 18 months, with software supply chain compromise (35%) topping the list, followed by a third-party vendor/partner security incident (35%), cloud infrastructure misconfiguration (34%), insider threat or privileged access misuse (33%) and application programming interface (API) security breach or business logic attack (32%).
Fewer than 15% also feel prepared for threats that have become mainstream in the last two years, including attacks targeting continuous integration/continuous delivery (CI/CD) pipelines or development environments (14%), emerging technologies (14%), supply chain compromises and upstream dependency attacks (14%), advanced API security threats and business logic exploits (13%) and the security implications of generative artificial intelligence (AI) in development workflows (12%).
More troubling still, less than half of respondents, excluding heads of software development teams, are actively using application security tools such as infrastructure-as-code (IaC) scanning (48%) or dynamic application security testing (DAST) tools (47%).
Eran Kinsbruner, vice president of portfolio marketing for Checkmarx, said the survey shows many organizations continue to feel pressure to deploy code even though they know there are most likely security issues. The core issue is that not only do developers lack the time needed to proactively resolve these issues, they are overwhelmed by alerts that lack any meaningful context about the actual level of risk a vulnerability represents to the organization, he added.
Checkmarx, in the meantime, has been making a case for applying AI to application security, most recently in the form of a Checkmarx One Developer Assist tool that is now generally available. Integrated into the Checkmarx One application security platform, the Checkmarx One Developer Assist tool is an AI agent designed to run inside the integrated development environment (IDE) being used to build applications. Later this year, Checkmarx also plans to add Policy Assist and Insights Assist agents to further improve software supply chain security.
Those issues will only be further exacerbated by the rise of AI coding tools. For example, a third of the 504 application developers who participated in the survey said more than 60% of their code is AI-generated, even though only 18% say their organization has approved the use of those tools. Much of that code contains vulnerabilities simply because many of the code examples used to train the large language models (LLMs) relied on by AI coding tools are, from a security perspective, deeply flawed, noted Kinsbruner.
Additionally, more than two-thirds of all respondents (67%) say half or more of their organization’s application code is made up of open-source software, which may contain vulnerabilities that their organization will need the maintainer of an open-source project to remediate.
While a lot of progress has been made in adopting DevSecOps best practices, there is, by any measure, a long way yet to go before software supply chains can be considered secure.