cheap nfl jerseys china cheap nfl jerseys free shipping wholesale nfl jerseys china wholesale jerseys from china cheap nfl jerseys free shipping cheap nfl jerseys for sale cheap jerseys free shipping wholesale nfl jerseys from china cheap nfl jerseys sale cheap nike nfl jerseys china wholesale jerseys free shipping cheap nfl jerseys wholesale wholesale nfl jerseys online cheap nfl jerseys wholesale china jerseys wholesale cheap coach handbags outlet authentic designer handbags cheap coach handbags outlet cheap coach purses outlet discount coach bags coach bags sale coach purse outlet cheap real coach purses coach handbags sale online coach purse outlet michael kors outlet online store cheap michael kors bags cheap michael kors purse michael kors factory outlet online cheap michael kors handbags cheap michael kors purses michael kors bags outlet online cheap michael kors purse michael kors handbags discount

Trio of reports highlights need for more resources to secure JavaScript code across both in-house and open source codebase

Tel Aviv, Israel – May 18th 2016 – Checkmarx, a global leader in application security today announced that three recent reports highlight the challenge faced by developers in securing code as attacks against web applications increase, while security budgets for developers remain low.

As highlighted by the influential Data Breach Investigation Report 2016, attacks against web applications have seen a dramatic rise in the last year.  Attacks against every business sector rose significantly with financial particularly hard hit with a 51% increase in the number of reported incidents. The report also suggests that Common Vulnerabilities and Exposures (CVE’s) are not being addressed quickly enough by developers with the top 10 vulnerabilities accounting for 85% of successful exploited traffic.

“Many of the vulnerabilities that are still regularly exploited are years old which suggests that organisations need to spend more effort actively testing existing code bases and not just assuming that it is just new applications that are at risk,”  says Amit Ashbel, Cyber Security Evangelist and Director of Product Marketing for Checkmarx, “This goes for both your in-house developed code and for open source modules and third party apps that are incorporated into applications, often without full vulnerability scanning which creates vulnerabilities, but little accountability to a specific developer.”

With huge demand, especially for mobile web applications, many developers are gravitating to development in Java based languages and scripts. As highlighted by the annual Stack Overflow survey, confirming that 85% of developers working on full stack applications are using JavaScript with Java in the top two choices for frontend, backend and mobile applications.

However, collating data from the recent ‘SANS institute 2016 State of Application Security: Skills, Configurations and Components’ report highlights that developer awareness regarding security controls is increasing. Although, the report suggests the development community is not getting enough support with a lack of application security skills, tools and methods ranked as being in the top three challenges to implementing AppSec by 38% of respondents, followed by lack of funding or management buy-in (37%).

The SANS report also shows that security testing schedules are diverse but heading towards a more continual approach with 60% indicating that they test applications continuously, with 27% using continuous assessment in their Agile development processes. However, 53% of respondents still test applications when they are initially launched into production.

This test cycle is showing benefits. The largest group (57%) said they find one to 25 vulnerabilities per month and the survey found the largest number (24%) said that over half of critical vulnerabilities they found were related to code bugs rather than to misconfigurations.

However, the most disappointing area was in remediation where the survey found less than 30% are achieving a 75%–99% level of satisfaction with the speed it takes to repair their vulnerabilities. The speed at which patches are applied is comparable to last year’s survey, with 26% of vulnerabilities being patched within two to seven days, and another 26% within eight to 30 days.

The reasons are varied but lack of funding or management buy-in is a major issue with nearly a third (29%) of developers saying that saying that their organisations spend 1% or less of IT budgets on information security.

Looking across all three reports shows an emerging pattern. “Developers are gravitating towards JavaScript, being asked to create more applications by using faster development cycles. Meanwhile, the number of attacks against them grows and information security budgets have remained largely static,” says Amit Ashbel, Cyber Security Evangelist and Director of Product Marketing for Checkmarx, “This is an unenviable position for developers and a situation that needs to be looked at more carefully by budget holders if they want to stop the problem from getting worse.”

In Ashbel’s view, even with slim budgets organisations need to think about the long term value of early detection of vulnerabilities. “Investing in developer AppSec education programs and white box testing tools can have a massive return on investment compared to the cost of breaches and urgent remediation work after an app has gone live.”

Ashbel suggests three areas where organisations can help counter this issue.

  1. Education is key and has a long term rolling positive effect. Once you have been able to build a small team of developers who know Application Security and can practice secure coding best practices, you have created a healthy basis which can easily be positioned as a position for others to strive for. Give eager and motivated developers a chance to grow within the company and take leadership of Application Security concerns within development. At the end of the day, all deliveries start from the developer and security should be no different. Education and knowledge also helps bridging the gap between the Dev teams and the Security teams. Cooperation between these teams is key for AppSec success.


  1. Make Application Security a top priority and build the correct processes to help developers make secure coding practices part of their daily routine. Integrate Static Application Security Testing solutions within the SDLC and make sure developer work flow is not negatively impacted. Of course, when looking for the right solution, make sure your developers are part of the evaluation process. Otherwise you might end up with very expensive shelfware.

Do NOT wait for the Application release date to start vulnerabilities assessment.


  1. Developers love Open-Source and rightfully so. No reason to waste time on solving problems that were already solved by someone else. That said, open-source projects are subject to the same security risks and vulnerabilities.  Make sure you always have an updated list of the open-source module inventory and ensure they don’t expose your applications to any security risks or legal concerns.

About Checkmarx 

Checkmarx develops solutions used by developers and security professionals to identify and fix vulnerabilities in web and mobile applications early in the development lifecycle. It provides an easy and effective way for organizations to automate security testing within their Software Development Lifecycle (SDLC) which systematically eliminates software risk before applications are released. Amongst the company’s 1,000 customers are 5 of the world’s top 10 software vendors and many Fortune 500 and government organizations, including SAP, Samsung and  For more information about Checkmarx, visit or follow us on twitter: @checkmarx


Media Contacts: 
Anne Harding
The Message Machine (PR for Checkmarx in the UK)
+44 (0)7887 682943


Comments are closed.