What's Happening?
A recent report by Checkmarx reveals that a significant number of Chief Information Security Officers (CISOs) are under pressure to delay or suppress compliance-related cybersecurity issues in code due to business deadlines. The report, based on a survey of 2,350 CISOs, AppSec managers, and developers from 14 countries, indicates that 95% of CISOs have faced pressure to deprioritize security issues. Consequently, 75% of organizations have knowingly deployed vulnerable code into production environments. The reasons for deploying such code include reliance on compensating controls, meeting business or security-related deadlines, and late detection of vulnerabilities. The report highlights the risks associated with AI-generated code, which, while efficient, may contain vulnerabilities. Sandeep Johri, CEO of Checkmarx, emphasizes the need for a new security model that combines deterministic precision with probabilistic reasoning to address these challenges.
Why It's Important?
The deployment of vulnerable code poses significant risks to organizations, potentially exposing them to cyber threats. The report underscores a disconnect between the security challenges faced by organizations and their current mitigation strategies. With the rapid pace of vulnerability discovery, especially in the post-Mythos era, organizations are at risk of exploitation if vulnerabilities remain unpatched. The findings suggest that many organizations are not adequately addressing these vulnerabilities, with only 9% fixing over 90% of vulnerabilities within 90 days. This situation highlights the need for improved governance, particularly around AI, and better integration of security tools and processes to enhance cybersecurity resilience.
What's Next?
Organizations are optimistic about improving their security processes to meet the challenges of the AI era. Efforts include strengthening governance, especially concerning AI, and reducing fragmentation across tools, teams, and processes. These steps aim to close the gap between identifying and fixing vulnerabilities, thereby enhancing overall cybersecurity. As organizations continue to adopt AI-generated code, the emphasis will be on developing robust security frameworks that can effectively manage and mitigate associated risks.