Checkmarx

Fewer than half of the CISOs, AppSec managers and developers report deploying foundational security tools like dynamic application security testing (DAST) or infrastructure-as-code scanning.

Just 51% of North American organisations report adopting DevSecOps

Only half of organisations surveyed actively use core DevSecOps tools.

34% of CISOs, AppSec managers and developers admit that more than 60% of their code is AI-generated.

98% of organisations experienced a breach stemming from vulnerable code in the past year.

Within the next 12 to 18 months, nearly a third (32%) of CISOs, AppSec managers and developers expect Application Programming Interface (API) breaches via shadow APIs or business logic attacks.

Only 18% of organisations have policies governing AI use.

Up to 60% of code is being generated by organisations using AI coding assistants.

20% of organisations still forbid the use of AI coding assistants.

81% of organisations knowingly ship vulnerable code.

Half of CISOs, AppSec managers and developers already use AI security code assistants.

81% of organisations knowingly ship vulnerable code.

In North America, only 8% of respondents report security is “always” a factor in purchasing decisions.

In the Asia Pacific region, 33% of respondents report security is “always” a factor in purchasing decisions.

Only 39% of business operations run on secured applications, according to CISOs.

In nearly half of software-based product companies, security oversight has moved outside the CISO’s office entirely.

49% of CISOs say that buyers now factor application security (AppSec) into purchasing decisions.

24% of respondents indicated that application security is “always” a factor in purchasing decisions.

In Europe, 58% of respondents report that security is “always” a factor in purchasing decisions.

In organisations developing software-based products, responsibility is split: 50% of organisations assign security responsibility to CISOs, while 43% move security oversight to development teams.

56% of organisations say that most of their development teams are fully integrated with AppSec programmes.

62% of CISOs report AppSec metrics to their board.

72% of developers spend more than 17 hours each week on security-related tasks.

45% of organisations are measuring code security.

41.53% of responding developers reported that they understand the vulnerability tickets they receive, as well as how the vulnerability manifests during runtime, from 41-60% of the time.

28.3% of organisations are tracking mean time to remediate as a metric.

99.6% of developers have access to security training.

One in four developers spends more than 25 hours each week on security-related tasks.

21% of developers surveyed say that security is their top priority when coding.

46.27% of organisations are tracking ability to meet deadlines

90% of developers rank the effectiveness of the training they receive as medium or high.