Market Overview

Checkmarx Survey Finds Only Eight Percent of Organizations Have Effective DevSecOps Practices


Developer Trends Create Software Exposure Risks that are Reaching
Boardroom-level Discussion

92 percent of organizations struggle to implement security into the
entire DevOps process despite most saying they want to do so -- a
staggering capability gap exposed in the new, global data report from
FreeForm Dynamics in collaboration with The Register called "Managing
Software Exposure: Time to Fully Embed Security into Your Application
." Commissioned by Checkmarx,
the study spotlights the biggest barriers to securing software today
depending on where organizations sit on the DevOps maturity curve.

Report findings are based on online survey input from 183 respondents
worldwide, the majority of whom hold software development, IT and
security professional titles ranging in seniority from management to
specialists and in-between, and coming from a wide range of industry

"Today, software is everywhere and the majority of respondents agree
that it is integral to most business initiatives, yet there are still
many gaps when it comes to securing that software," said Maty Siman,
Checkmarx founder and CTO. "Increased software complexity and the need
to move at the speed of DevOps is creating a new type of risk in the
form of software exposure, and as the results of this report attest,
software security also needs to change."

Other key findings include:

Gaps exist between theory and practice when it comes to security's
place in DevOps

96 percent of respondents report it is "desirable" or "highly desirable"
for developers to be properly trained on how to produce secure code. As
developers take responsibility for the security of their software, more
respondents believe it is more important to educate developers and
empower them than it is to educate other stakeholders in the
organization like ops specialists and security specialists. But 41
percent agree that defining clear ownership and responsibility in
relation to software security remains a big challenge, and just 11
percent say they have adequately addressed the need for developer

"More respondents say they believe it is more important to educate
developers and empower them than put proper processes in place," Siman
said. "This is interesting, as most organizations today are actually
doing the opposite. They focus more on processes like break build as
well as one-off activities such as pen testing, rather than investing in
securing their entire DevOps processes."

Software security is a boardroom-level discussion, and it needs to be
treated as such

57 percent of respondents strongly agree or agree with the statement
that software security is now a boardroom issue. It's a matter of
business risk. In order to ensure better software security, developers
and security teams need support from their executive teams, but 45
percent find it challenging to get senior management to approve funding
for security training. 44 percent say executives don't care about how
quickly, frequently and safely developers deliver software, they just
want them to do it.

Developers, testers, security specialists and ops staff need to work

Although more than half of respondents do not have adequate code
scanning solutions to flag potential security exposure early on,
solutions are not the only thing needed to drive improvement. The
majority say the way we fundamentally approach software security
requires a rethink based on modern architectures and delivery
approaches. The human factor poses both an opportunity and a challenge.
Nearly 100 percent agree that developers, testers, security specialists
and ops staff need to work together. Yet, 72 percent of respondents
agree that different teams and disciplines within IT are still too often
reluctant to trust each other.

Checkmarx executives will be onsite at Black Hat 2018 Booth #1202 to
discuss key findings from the report (full text is available at this
) and demo the company's software exposure platform. Contact
to arrange an interview and/or check out their presentations at BSidesLV
and DEF CON 2018 listed here.
You can also read more about the Checkmarx perspective on today's era of
software exposure in this
blog post


Insights presented in the "Managing Software Exposure: Time to Fully
Embed Security into Your Application Lifecycle" Report are derived from
an online study completed in the Summer of 2018, during which views were
gathered from 183 respondents via an online survey. Participants were
predominantly from North America and the UK, and drawn from a range of
industry sectors and company sizes. The work was sponsored by Checkmarx,
and conducted in collaboration with The Register news site.

About Freeform Dynamics

Freeform Dynamics is an IT industry analyst firm. Through our research
and insights, we aim to help busy IT and business professionals get up
to speed on the latest technology developments, and make better-informed
investment decisions. For more information, and access to our library of
free research, please visit
or follow us on Twitter @FreeformCentral.

About The Register

The Register (
started life as a daily news operation on the web in May 1998. On the
first day, 300 readers visited; today over 10 million unique readers
visited the site every month. The Register's blend of breaking news,
strong personalities, and its accessible online execution, has made it
one of the most popular authorities on the IT industry. With an
international team of journalists and columnists, The Register reports
on the IT industry from the inside out – covering everything from
enterprise software to chip developments.

About Checkmarx

Checkmarx is the Software Exposure Platform for the enterprise. Over
1,400 organizations around the globe rely on Checkmarx to measure and
manage software risk at the speed of DevOps. Checkmarx serves five of
the world's top 10 software vendors, four of the top American banks, and
many government organizations and Fortune 500 enterprises, including
SAP, Samsung, and Learn more at

View Comments and Join the Discussion!