Check Point® Software Technologies Ltd.(link is external) announced major advancements to its family of Quantum Force Security Gateways(link is external).
TechTarget's Enterprise Strategy Group (ESG) recently surveyed 350 IT and cybersecurity professionals and application developers to create a report called Modernizing Application Security to Scale for Cloud-Native Development. The survey results and analysis offer insights into the strategies, tools, and investments security and development teams are leveraging to address modern AppSec. It also generated some compelling data related to AppSec teams' challenges in the face of a rapidly changing development environment.
When asked to identify their top challenges for AppSec teams supporting cloud-native dev processes, "understanding developer environments and assets to effectively manage security" was one of the top three responses provided. With the explosion of innovations like APIs, multi-cloud deployments, containers, and AI-generated code, the attack surface has grown exponentially in recent years, and security teams are struggling to achieve the visibility and context required to effectively mitigate risk.
More evidence of the struggle to keep up with changing development practices emerged in the survey responses about the speed of development and infrastructure as code.
Speed of Development
Software development cycles today run at a lightning-fast pace and often leave security teams struggling to keep up. When asked about the security challenges with faster development cycles, survey respondents cited the following three areas as their top challenges:
■ Prioritizing needed remediation based on business criticality, reachability, or exploitability (35%)
■ Security lacks visibility and control in development processes (34%)
■ Software is released without going through security checks and/or testing (34%)
With the intense pace of development, chasing down each and every vulnerability becomes unfeasible – it is therefore not surprising to see prioritizing remediation top the list of challenges. Security teams can't afford to spend time, money, and effort fixing something that doesn't actually represent real risk to the organization.
What's missing is contextual prioritization of the overall development environment in order to select which vulnerabilities to fix first based on the impact to the business. Security teams should aim to shift the focus to overall product security rather than creating silos for cloud security, application security, and other components of the software supply chain. They should also seek out a clear view of the full software factory, its assets, its owners, its security controls, its vulnerabilities, and how all are related.
Increasing IaC Misconfigurations
With the software development factory becoming increasingly complex and automated, there are increasing opportunities for misconfigurations to create risk, and AppSec teams are struggling to manage that increase.
For example, the misconfiguration of build servers is a common problem that creates significant vulnerabilities. Build systems are essentially automated, implicitly trusted pathways straight to the cloud, yet most aren't treated as critical from a security perspective. In many cases, these systems, like Jenkins, for example, are misconfigured or otherwise vulnerable and unpatched.
Another increasingly common risk is infrastructure as code (IaC) misconfigurations.
Infrastructure as code use is exploding as developers look for ways to move faster. With IaC, developers can provision their own infrastructure without waiting for IT or operations. However, with increased use comes increased chance of misconfigurations. In fact, 67% of survey respondents noted that they are experiencing an increase in IaC template misconfigurations. These misconfigurations are especially dangerous because one flaw can proliferate easily and widely.
Examples of these misconfigurations include:
■ Not using the latest version of TLS
■ Relying on username/passwords instead of SSH keys
■ Creating cloud assets with excessive permissions, i.e., S3 buckets with read/write permissions
Development tool misconfigurations often stem from privileges issues. Many tools are over-privileged because they're easier to integrate if users have full access. To avoid this in IaC, security teams should pay special attention to access controls in IaC definitions:
■ Determine what users need to do, then craft policies allowing them to perform only those tasks.
■ Do not allow all users full administrative privileges.
■ Start with a minimum set of permissions and grant additional permissions as necessary.
Context and Clarity
It's clear that modern software security requires better context and more clarity. With the speed and complexity of development environments, security teams need visibility that allows them to make sense of the complexity and move at the speed of development, but current application security tools are falling short.
With different application security tools scanning code in different ways across the development lifecycle, most AppSec tools generate a lot of results without a lot of context. Without contextual risk ranking among applications and vulnerabilities, either "everything" is a priority, or "nothing" is a priority.
Additionally, AppSec teams need the kind of visibility that is standard for endpoint and network protection — where security teams collect a complete list of assets and a map of the environment to know what needs to be protected and where proper controls should be put in place.
For example, creating an automated SDLC asset inventory for development pipelines allows security teams to apply security policies to that inventory and check for risky violations — quickly and accurately. Threat modeling will then allow the team to identify risky implementations before starting development.
Industry News
Sauce Labs announced the general availability of iOS 18 testing on its Virtual Device Cloud (VDC).
Infragistics announced the launch of Infragistics Ultimate 25.1, the company's flagship UX and UI product.
CIQ announced the creation of its Open Source Program Office (OSPO).
Check Point® Software Technologies Ltd.(link is external) announced the launch of its next generation Quantum(link is external) Smart-1 Management Appliances, delivering 2X increase in managed gateways and up to 70% higher log rate, with AI-powered security tools designed to meet the demands of hybrid enterprises.
Salesforce and Informatica have entered into an agreement for Salesforce to acquire Informatica.
Red Hat and Google Cloud announced an expanded collaboration to advance AI for enterprise applications by uniting Red Hat’s open source technologies with Google Cloud’s purpose-built infrastructure and Google’s family of open models, Gemma.
Mirantis announced Mirantis k0rdent Enterprise and Mirantis k0rdent Virtualization, unifying infrastructure for AI, containerized, and VM-based workloads through a Kubernetes-native model, streamlining operations for high-performance AI pipelines, modern microservices, and legacy applications alike.
Snyk launched the Snyk AI Trust Platform, an AI-native agentic platform specifically built to secure and govern software development in the AI Era.
Bit Cloud announced the general availability of Hope AI, its new AI-powered development agent that enables professional developers and organizations to build, share, deploy, and maintain complex applications using natural language prompts, specifications and design files.
AI-fueled attacks and hyperconnected IT environments have made threat exposure one of the most urgent cybersecurity challenges facing enterprises today. In response, Check Point® Software Technologies Ltd.(link is external) announced a definitive agreement to acquire Veriti Cybersecurity, the first fully automated, multi-vendor pre-emptive threat exposure and mitigation platform.
LambdaTest announced the launch of its Automation MCP Server, a solution designed to simplify and accelerate the process of triaging test failures.
DefectDojo announced the launch of their next-gen Security Operations Center (SOC) capabilities for DefectDojo Pro, which provides both SOC and AppSec professionals a unified platform for noise reduction and prioritization of SOC alerts and AppSec findings.
Check Point® Software Technologies Ltd.(link is external) has been recognized on Newsweek’s 2025 list of America’s Best Cybersecurity Companies(link is external).
Red Hat announced enhanced features to manage Red Hat Enterprise Linux.