"Many of these companies have thousands of applications and developers, and only small teams of security professionals available to do all the work necessary to track and remove all the errors, so security teams are reaching out to development to take on some of this daunting workload," said Wieder. "Everyone from the government to financial services firms and retailers are looking at the regulatory environment and seeing the writing on the wall in terms of being forced to take responsibility for breaches; this is pushing the work down to developers who are creating demand for new tools."
At least one Watchfire customer said that the availability of such security testing technologies is allowing it to make headway in instilling new secure coding practices among its developers.
"We used to hire a third party to do vulnerability assessment of production level code, then we would report their findings to the business units, and unless something was high-level it would just get put on a release schedule," said Ethan Stieger, chief security officer at automotive market intelligence firm Polk Global Automotive, based in Southfield, Mich.
"This technology allows us to fix things when they're being developed, which is the right way to do things. If you wait until production, that's a lot more invasive in environment, and the security issues are exposed to the outside world," he said. "We're still trying to sell this effort internally, but now we can do so on the commercial value of keeping potential attacks at bay."