Safeguard
DevSecOps

Reducing developer friction in AppSec adoption

Why traditional SAST tooling like Checkmarx creates developer friction, what it costs engineering teams, and how to build developer experience application security that ships.

Priya Mehta
DevSecOps Engineer
8 min read

A developer opens a pull request Tuesday morning and finds 340 new findings from the org's SAST scanner. Two hundred are duplicates of issues already triaged as false positives last quarter. Forty are genuine but low-severity. The remaining handful matter, but nothing in the report tells her which ones without an hour of manual cross-referencing against the actual data flow. She has a release to ship by Friday. This scene repeats itself across thousands of engineering teams every day, and it's the reason "developer experience application security" has become one of the most searched phrases in DevSecOps circles in 2024 and 2025. Security teams bought scanners to reduce risk. Instead, many bought themselves a queue of unresolved findings and a developer population that has quietly learned to route around the tool. Checkmarx, one of the category's oldest and most established vendors, is often at the center of this conversation — not because it's uniquely bad, but because its scale makes its friction points visible at scale.

Why do developers push back against traditional AppSec tools like Checkmarx?

Developers push back because legacy SAST tools were built for security reviewers, not for the people writing code. Checkmarx, founded in 2006, built its reputation on deep, rules-based static analysis that auditors trust — but that same depth translates into scan times that historically ran 30 minutes to several hours for large monorepos, results delivered in a separate portal disconnected from the pull request, and remediation guidance written for a security analyst rather than the engineer who touched the file an hour ago. Checkmarx One (CxOne), the company's 2021 cloud-native consolidation of SAST, SCA, and IaC scanning, improved integration and added incremental scanning, but the core interaction model is still largely the same: findings accumulate in a dashboard, a security team triages them in batches, and developers receive tickets days or weeks after they wrote the code. That delay is the friction. A finding surfaced three weeks after a commit forces a developer to reload context that has already left their head, which is precisely what breaks flow and builds resentment toward the tool.

How much time does alert fatigue actually cost engineering teams?

It costs measurable hours every week, not because developers are slow, but because the ratio of noise to signal is inverted. Independent SAST benchmarking consistently shows false-positive rates in the 20-50% range across commercial tools when rulesets aren't heavily tuned, and Checkmarx deployments are no exception — enterprise security teams commonly report needing 3-6 months of active rule tuning after rollout before signal quality becomes usable for developers rather than just auditors. GitLab's annual Global DevSecOps surveys have repeatedly found that a majority of developers believe security testing happens too late in the lifecycle to be actionable, and separate practitioner surveys report that engineers spend several hours per week just triaging and dismissing findings that turn out to be non-issues. Multiply that across a 200-person engineering org and the "free" scanner is quietly costing the equivalent of several full-time engineers a year in triage labor alone, before a single vulnerability has actually been fixed.

Does consolidating scanners into one platform fix the friction?

Consolidation reduces tool sprawl but doesn't by itself fix developer experience, because the underlying interaction pattern — batch scan, dashboard, backlog, ticket — stays intact. Checkmarx One's pitch was exactly this: fold SAST, SCA, container, and IaC scanning under one platform so teams stop juggling five vendor logins. That's a real improvement over the 2018-era stack of point solutions, and it cut average tool-switching overhead for security teams significantly. But consolidating five dashboards into one dashboard still leaves developers looking at a dashboard. Firms migrating from Checkmarx SAST to Checkmarx One frequently report the same triage bottleneck post-migration, because the fix required was never "fewer tools," it was "findings that arrive in-context, pre-prioritized, and only when they're real." Platform consolidation is necessary hygiene. It is not the same project as developer experience, and treating it as a substitute is why many "unified" AppSec rollouts still see adoption stall within the first two quarters.

What does developer experience actually mean for application security tooling?

Developer experience in AppSec means a finding shows up where the developer already is, at the moment they can act on it cheaply, with enough context to fix it in minutes rather than hours. Concretely, that means results in the pull request diff instead of a separate portal, a scan that returns in under 2-3 minutes on incremental changes rather than a full 45-minute repo scan, and a fix suggestion tied to the exact line and data flow rather than a generic OWASP category description. It also means suppressing a false positive is a one-click, permanent action — not a conversation with a security team that has to re-approve it every quarter. Toyota's and Google's internal engineering research on developer productivity both point to the same conclusion: interruption cost, not tool capability, is the dominant driver of whether an engineering team adopts a workflow voluntarily or is forced to comply with it. AppSec tooling that ignores this distinction gets compliance. Tooling that respects it gets adoption, and adoption is what actually reduces the vulnerability count.

Can accurate, prioritized findings reduce remediation time without slowing releases?

Yes, and the evidence for this is now well established across reachability-based and runtime-informed scanning approaches. When findings are filtered by whether the vulnerable code path is actually reachable and exploitable in the running application — rather than flagged purely because a pattern matched or a package version is old — the volume of findings a developer sees typically drops by 80-95%. Teams that have layered reachability analysis on top of traditional SAST/SCA output report mean-time-to-remediate dropping from multiple weeks to under 48 hours for critical findings, simply because developers stop wading through noise to find the handful of issues that matter. This is the gap that has opened up between 2020-era static scanning and the current generation of AppSec tooling: it's no longer a question of whether you can detect a vulnerability, every vendor can do that. It's whether the finding that reaches a developer's screen is one they should actually act on today, versus next quarter, versus never.

How is pricing and licensing friction part of the developer experience problem?

Licensing friction shows up as developer experience friction because seat-based and scan-volume pricing models push security teams to ration scans, which means developers get feedback in large infrequent batches instead of small continuous ones. Checkmarx's enterprise contracts, like most legacy AST vendors, are typically structured around annual commitments and per-application or per-developer-seat pricing, which incentivizes security teams to scope scanning narrowly and run it less frequently to control cost — the opposite of the fast, continuous feedback loop that reduces developer friction. When a scan is expensive to run, it gets run weekly instead of on every commit, and a week-old finding is exactly the kind of stale, out-of-context finding that developers learn to ignore. Usage models that decouple cost from scan frequency change this incentive structure directly, making it cheap to scan constantly and expensive only to leave real vulnerabilities unresolved.

How Safeguard Helps

Safeguard was built around the premise that application security only works if developers actually use it, which means the product has to earn adoption rather than mandate it. Findings surface directly in the pull request with reachability context attached, so a developer sees whether a flagged package or code path is actually exercised by the application before deciding it's worth their time — cutting the noise that makes legacy SAST backlogs unmanageable. Scans run incrementally on every push, typically completing in minutes rather than tens of minutes, so feedback arrives while the change is still fresh in the developer's head instead of surfacing as a ticket three weeks later. Suppressions and accepted-risk decisions persist automatically instead of resurfacing every scan cycle, and remediation guidance is generated against the specific data flow in the diff rather than a generic vulnerability class description. For teams migrating off Checkmarx or Checkmarx One, Safeguard's software supply chain focus means SCA, SAST, and dependency risk are evaluated together against real reachability data from day one, rather than bolted together as separate modules that each need their own tuning cycle. The result isn't just fewer findings — it's a security workflow that engineering teams keep using six months after rollout, which is the actual measure of whether developer experience application security investment paid off.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.