- CodeEye Launches IRIS 3.0, Canada’s Sovereign Platform for Unified Application Security – Addressing the Blind Spots
Application security has become fragmented. Large organizations often rely on seven or eight siloed tools to cover code scanning, compliance, runtime validation, and attack surface management. This tool sprawl inflates budgets, slows remediation, and still leaves security blind spots. Meanwhile, updated frameworks and standards such as NIST CSF 2.0 and PCI DSS 4.0 demand stronger proof of governance, while attackers grow more advanced and persistent. Built in Toronto for enterprises seeking both security assurance and data sovereignty, IRIS 3.0 consolidates the fragmented application security landscape into one intelligent, compliance-driven platform.

IRIS addresses the most pressing challenges in application security:
1. Blind spots across code, infrastructure, and runtime that obscure true risk, leaving vulnerabilities undetected and often leading to breaches.
2. Siloed tools that inflate costs and complicate governance, resulting in tool sprawl, poor risk visibility, and inefficient use of security budgets.
3. Compliance friction, where fragmented data weakens reporting and decision-making, ultimately leading to audit failures and regulatory exposure.
4. Technology debt consolidation: IRIS combines detection, prioritization and remediation in one platform (SAST, DAST, SCA, PTaaS, ASM, ASPM, ADR) and more.

A Sovereign Advantage in a Fragmented Market
As governments and enterprises increasingly prioritize sovereign technology for data protection and cost efficiency, IRIS 3.0 stands apart as a Canadian-built alternative to expensive foreign solutions, offering equivalent technical depth and 100% Canadian data residency. Priced in loonies, not loonacy! For public and private sector leaders, this means investing in a trusted, locally engineered platform that aligns with federal data-residency mandates and responsible budgeting principles.
From Visibility to Action
IRIS provides a centralized executive dashboard that transforms raw vulnerability data into actionable insights, aligning technical findings with business risk and compliance priorities. Security leaders gain continuous assurance through automated control validation, compliance-based prioritization, and an adaptive risk model grounded in the NIST Cybersecurity Framework.

“As attacks grow more complex, the only reliable countermeasure is advanced, real-time visibility across code, infrastructure, runtime, and the external attack surface,” said Robert Howes, CEO of CodeEye. “IRIS 3.0 helps organizations eliminate blind spots, accelerate remediation, and align security with business outcomes.”

About CodeEye
CodeEye builds unified application security technology that gives organizations real-time visibility and risk-aligned control from code to production. Proudly Canadian, we pair rigorous engineering with practical security so teams ship software faster, without compromising trust.
- Unified AppSec: The Key to Reducing Security Technical Debt
Technical debt is no stranger to security leaders, but the 2025 landscape is accelerating it in ways that traditional playbooks can’t match. From new development patterns like vibe coding to the relentless sprawl of security tooling, debt is no longer just a development tax. It is a strategic risk that bleeds across the entire security program. A 2024 study found that 60% of organizations rank prioritization among their top three AppSec obstacles and 57% struggle with visibility across apps and APIs, two symptoms of mounting security debt and fragmented practices.

Top 5 Drivers of Security Technical Debt
Security teams already battle backlog and complexity, but several forces are compounding the challenge this year.

Vibe Coding and Speed-First Delivery
2025’s developer culture prizes velocity and intuition. “Vibe coding”, shorthand for coding by instinct and skipping formal reviews or guardrails, creates invisible liabilities. Without consistent controls, it multiplies the odds of untested code paths and hidden vulnerabilities.

Tool Sprawl and Alert Fatigue
One of the most consistent pain points security leaders report today is the complexity of their environments: too many tools, too many dashboards, and not enough visibility across the full security landscape. A Microsoft security study found that an overwhelming majority of organizations plan to consolidate: 91% of those relying on best-of-breed architectures and 79% of those juggling 10 or more tools intend to streamline within the next year.

Context Gaps Across the Pipeline
Most programs still treat code, builds, cloud, and runtime as separate islands. That breaks the two triage questions that matter: is it reachable, and what is the blast radius? Without linking findings to runtime context, high-risk issues sit idle while low-value noise takes attention. Without context, ownership also fragments, and one root cause becomes multiple tickets.

Compliance-Driven Shortcuts
Chasing audit checkboxes often leads to temporary fixes such as manual scripts, bolt-on controls, or paper processes that don’t scale with system changes. These quick wins create a false sense of security while leaving exploitable gaps. Over time they accumulate as debt, making remediation costlier and slowing adaptation to new regulations.

Resource Constraints and Economic Pressure
Security budgets are not scaling linearly with risk. While we rarely talk openly about dollars, the imperative is clear: solutions that consolidate and automate are the only sustainable path.

Unified Application Security: A Solution to Tool-Induced Debt
Consolidation has emerged as a strategic reset for security programs. The rationale is clear: fragmentation drives complexity, cost, and blind spots. A unified AppSec approach changes the equation by integrating code, infrastructure, runtime, and attack surface into a single risk engine that eliminates blind spots and delivers clarity and control. The key benefits of unified AppSec include:

Improved Oversight and Visibility
Unified tools centralize data, map vulnerabilities to critical assets, and correlate signals into a single risk view. A consolidated approach breaks silos, stitching risk signals together into a complete picture. Leaders gain clarity on which vulnerabilities affect business-critical assets, closing gaps that point tools miss and eliminating duplicated effort.

How CodeEye's IRIS provides advanced visibility: IRIS helps security leaders oversee governance and threat posture in real time, ensuring complete oversight of business-critical assets. Its centralized dashboard unifies visibility across code, infrastructure, runtime, and attack surface, eliminating silos and blind spots. By aligning application risk with business risk through the NIST CSF functions (Identify, Protect, Detect, Respond, and Recover), IRIS gives leaders actionable clarity, not fragmented signals.

Smarter Prioritization, Faster Remediation
Managing risk across dozens of siloed tools forces teams to stitch together attack paths manually, slowing response and obscuring which vulnerabilities truly matter. A unified platform changes this dynamic by presenting a prioritized view of exposures, factoring in asset criticality, data sensitivity, and exploit severity. Teams can then address vulnerabilities the same way as in incident response, moving systematically from the highest-impact risks downward. With native integrations, this context also carries into incident investigations, helping leaders distinguish between routine fixes and issues with board-level implications.

How CodeEye's IRIS enables faster remediation: IRIS helps teams remediate faster with context and automation. IRIS Posture continuously monitors security across the SDLC and production, centralizing posture metrics and prioritizing vulnerabilities by business impact. IRIS AutoResponse (ADR) connects real-time signals with client infrastructure to assess whether issues are already neutralized. By verifying WAF rule presence and efficacy, ADR filters out noise from non-exploitable findings, enabling teams to focus only on high-risk gaps, cutting MTTR and reducing wasted effort.

Key Takeaway for Security Leaders
Technical debt will always exist, but its growth curve is a choice. The combination of vibe-driven development, sprawling toolchains, and static budgets demands a unified response. Consolidated application security isn’t a silver bullet, but it is the most pragmatic path to reclaim visibility, accelerate remediation, and keep your speed of innovation while keeping security debt from compounding. See exactly how IRIS identifies gaps in your AppSec and accelerates remediation. Book a free demo today.
- Security Debt: The Compounding Interest Killing Your Strategy
In finance, debt isn’t just the principal you borrowed; it’s the interest that accrues while you wait. Security works the same way. Think of your “principal” as the backlog: known vulnerabilities, misconfigurations, missing controls, unpatched components, and tech-debt hotspots. Interest is the hourly cost of risk that piles up while those items sit unresolved: extra triage, duplicate findings, emergency patches, incident overtime, audit churn, and the opportunity cost of features you didn’t ship because you were firefighting.

A simple operational formula

Security Debt (today) = Backlog (count × fix-time) + Risk Interest (hours/week of rework, triage, and incident drag)

Backlog: every item carries an estimated remediation time. Multiply by volume and you have an effort number, not a hand-wavy list.
Risk interest: each week an item lingers, it generates more work: new findings on the same root cause, more exceptions to renew, compensating controls to maintain. That interest compounds when unresolved weaknesses act as multipliers (e.g., one vulnerable library across 14 services; one missed hardening control spawning clusters of similar issues). Over time, the interest eclipses the principal. That’s why “we’ll fix it next quarter” quietly becomes “we can’t catch up.”

Here’s what the data says about security readiness
Most teams are already carrying meaningful principal. Forrester’s Q2 2024 Tech Pulse data shows only 21% of US IT decision-makers say they have no significant technical debt; 49% report moderate debt and 30% report high or critical debt. That’s 79% operating with debt that actively competes with new initiatives, the perfect setup for compounding interest. The attack surface makes that interest compound faster. Microsoft’s 2024 Digital Defense Report finds 90% of organizations have at least one attack path, and 61% of observed attack paths terminate at a sensitive user account, exactly the kind of “high APR” exposure that gets worse the longer issues linger.
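To make the formula concrete, here is a small worked model in Python. It is an added illustration for this post, not CodeEye’s code or an IRIS feature, and every number in it (the sample backlog, the per-item fix times and weekly interest, and the assumed cost of fixing a whole root-cause class once) is made up for the illustration. It computes principal, accrued interest and today’s debt for the backlog, then compares spending the same 16 hours ticket by ticket against fixing root-cause classes first.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    root_cause: str
    fix_hours: float          # hours to fix this one item on its own
    weeks_open: int
    interest_per_week: float  # hours/week of triage, exceptions, rework while it stays open


# Constructed sample backlog (illustrative numbers, not real data): one vulnerable
# library baked into a base image fans out across four services, a service-template
# defect shows up twice, plus two unrelated items.
BACKLOG = [
    Finding("F-1", "vuln-lib in base image", 2.0, 6, 0.5),
    Finding("F-2", "vuln-lib in base image", 2.0, 6, 0.5),
    Finding("F-3", "vuln-lib in base image", 2.0, 5, 0.5),
    Finding("F-4", "vuln-lib in base image", 2.0, 4, 0.5),
    Finding("F-5", "TLS hardening missing in service template", 3.0, 8, 0.75),
    Finding("F-6", "TLS hardening missing in service template", 3.0, 8, 0.75),
    Finding("F-7", "SQL injection in reports endpoint", 8.0, 2, 3.0),
    Finding("F-8", "stale admin account", 1.0, 12, 0.25),
]

# Assumed cost of fixing a whole class once at its root (rebuild the base image,
# patch the shared template). Classes not listed have no cheaper root-level fix.
CLASS_FIX_HOURS = {
    "vuln-lib in base image": 3.0,
    "TLS hardening missing in service template": 4.0,
}


def principal_hours(backlog):
    """Backlog term of the formula: count x fix-time, as hours of effort."""
    return sum(f.fix_hours for f in backlog)


def weekly_interest(backlog):
    """Risk-interest term: hours/week the open items cost the team right now."""
    return sum(f.interest_per_week for f in backlog)


def accrued_interest(backlog):
    """Interest already paid: each item's weekly cost times the weeks it sat open."""
    return sum(f.interest_per_week * f.weeks_open for f in backlog)


def security_debt(backlog):
    """Security Debt (today) = Backlog + Risk Interest, both in hours."""
    return principal_hours(backlog) + accrued_interest(backlog)


def _run_plan(actions, budget_hours):
    """Greedy knapsack: take the actions that retire the most interest per hour
    until the budget is spent. Each action is (cost, interest_retired, ids, tiebreak);
    ties go to the action retiring more interest, then to the older item."""
    ranked = sorted(actions, key=lambda a: (-a[1] / a[0], -a[1], a[3]))
    fixed = []
    for cost, _retired, ids, _tiebreak in ranked:
        if cost <= budget_hours:
            budget_hours -= cost
            fixed.extend(ids)
    return fixed


def pay_down_by_ticket(backlog, budget_hours):
    """Fix items one ticket at a time. Returns the ids fixed within budget."""
    actions = [(f.fix_hours, f.interest_per_week, [f.id], -f.weeks_open) for f in backlog]
    return _run_plan(actions, budget_hours)


def pay_down_by_class(backlog, budget_hours):
    """Fix root-cause classes where a class-level fix exists, single tickets otherwise."""
    by_cause = defaultdict(list)
    for f in backlog:
        by_cause[f.root_cause].append(f)
    actions = []
    for cause, items in by_cause.items():
        if cause in CLASS_FIX_HOURS:
            actions.append((CLASS_FIX_HOURS[cause],
                            sum(i.interest_per_week for i in items),
                            [i.id for i in items],
                            -max(i.weeks_open for i in items)))
        else:
            actions.extend((i.fix_hours, i.interest_per_week, [i.id], -i.weeks_open) for i in items)
    return _run_plan(actions, budget_hours)


def remaining_interest(backlog, fixed_ids):
    """Weekly interest still accruing after the given ids are fixed."""
    done = set(fixed_ids)
    return weekly_interest([f for f in backlog if f.id not in done])


if __name__ == "__main__":
    print(f"principal {principal_hours(BACKLOG):.1f}h, accrued interest {accrued_interest(BACKLOG):.1f}h, "
          f"debt today {security_debt(BACKLOG):.1f}h, interest {weekly_interest(BACKLOG):.2f} h/week")
    for name, plan in (("by ticket", pay_down_by_ticket), ("by class", pay_down_by_class)):
        fixed = plan(BACKLOG, 16.0)
        print(f"{name:9s}: fixed {fixed}, interest left {remaining_interest(BACKLOG, fixed):.2f} h/week")
```

Run it directly to print both plans. Ticket by ticket, 16 hours clear the SQL injection and three other items but leave 1.75 hours/week of interest accruing on four open findings; fixing the base image and the service template once each retires the whole backlog in the same budget. The ranking is a greedy interest-per-hour heuristic, good enough for a weekly planning meeting, not an optimal knapsack solution.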
Why compounding security debt is a critical risk right now
● Economic pressure and leaner teams: hiring freezes and budget scrutiny extend dwell time; each week of delay costs more relative to available capacity.
● Exploit velocity and automation: recon and exploit tooling compress the disclosure-to-weaponization window, so unresolved weaknesses attract more attempts per week than they did even a year ago.
● Estate sprawl: more services, repos, SaaS, and identities mean a single unfixed flaw can fan out across environments; your “interest” compounds across the portfolio.
● Compliance-linked revenue risk: buyers want SBOMs, attestations, and continuous assurance; lingering findings create sales friction and audit overhead, another form of interest.

How to manage it like a security leader
● Instrument debt, not just findings. Track principal (hours to remediate priority-eligible items) and interest (hours/week lost to rework, incidents, exceptions). Trend both.
● Fix classes, not just tickets. Target root-cause patterns (e.g., service template misconfigurations, dependency baselines) to collapse hundreds of line items at once.
● Optimize for dwell time. Time-to-first-fix and time-to-close are your interest-rate levers: streamline handoffs, pre-approve change windows, and automate the top recurring fixes.
● Price risk in business terms. Tie items to revenue streams, regulated data, and reachable code paths so the organization feels the APR and funds principal payments.

Reduce your debt with IRIS
Better visibility: IRIS consolidates traditionally siloed security functions such as Penetration Testing as a Service, AST tools, Application Security Posture Management, Attack Surface Management, and Automated Detection and Response. This unified approach delivers full-spectrum visibility, seamless orchestration, and intelligent remediation across the entire application lifecycle, from code to production.
Smarter prioritization: IRIS ranks fixes using business criticality, exploitability (reachability, known exploits, attack paths), and blast radius (who and what is impacted). It aligns findings to NIST, CIS, PCI, ISO, and GDPR, tracks SLAs, and surfaces items that block audits or revenue. If a compensating control (e.g., a WAF rule) effectively neutralizes a vulnerability, IRIS de-prioritizes it, so teams focus on what’s actually exploitable.

Want a 15-minute demo of IRIS? Book your demo here.
- How IRIS ADR module uses WAF to Prioritize Real Risk
Today, more security teams than ever are focused on high-priority vulnerabilities, but here’s the truth: not every “high” is actually high. Severity alone doesn’t tell the full story. A vulnerability marked “critical” by a scanner might already be blocked by your firewall. Others might be buried in low-severity findings but pose a real risk to your environment. That’s where context becomes everything. And that’s why we built Application Detection & Response (ADR) into IRIS, our unified application security platform. And now, with native integration into Web Application Firewall (WAF) rules, IRIS does something few others can: 👉 it tells you whether a vulnerability is actually exploitable right now, in your environment.

Why Traditional Vulnerability Management Falls Short
Legacy tools treat every “critical” vulnerability the same, without asking whether it is actually exploitable. The result? Security teams waste time on low-risk issues while real threats hide in the noise. A 2024 study found that although over 25,000 CVEs are reported annually, only about 20% are ever exploited. Yet most tools still push alerts without context. Gartner and Forrester now urge security teams to adopt risk-based vulnerability management and Continuous Threat Exposure Management (CTEM) approaches that factor in exploitability, asset criticality, and control validation.

As CodeEye's CEO, Robert Howes, put it: “Most executives in security are now compensated and measured by the board on vulnerability management... Their evaluation is directly tied to it.” Today’s security leaders are focusing on how effectively they manage risk, not on how many issues they fix.

Introducing IRIS AutoResponse: ADR that Prioritizes with Real Context
IRIS AutoResponse connects security signals from IRIS modules to SIEM/SOAR tools and web application firewalls (WAFs), enabling real-time detection and automated response to threats across your application landscape.
When a vulnerability is detected, IRIS doesn't just show you severity scores or compliance flags. It analyzes the context around that finding:
● Is the affected application internal or external?
● Does it handle sensitive data (e.g., credit card or health information)?
● Is the vulnerability exploitable based on real-world threat intel?
● And now: is there a WAF rule in place already mitigating that risk?

WAF-aware prioritization with IRIS
“If there's mitigating control on the WAF,” Robert explained, “the severity of the finding goes down. If there isn't... the severity goes up to ‘fix this now.’” This is what real risk-based remediation looks like. IRIS doesn’t just show vulnerabilities; it checks whether those vulnerabilities pose a threat to your business.

WAF as a Lens: The Last Gate Before Escalation
Robert uses a simple analogy to explain it: “Think of a firewall as the perimeter around an airport... There are gates, checkpoints, and security rules. Our technology checks whether there's a control in place to protect against the finding, just like checking if unauthorized people can get past security.” Before escalating a vulnerability to critical, IRIS checks the actual WAF configuration. If your defenses are already blocking or neutralizing the exploit path, IRIS deprioritizes it, saving your team time, budget, and stress.

ADR + WAF: A New Standard for Modern AppSec
This is not just a feature. It’s a new approach to vulnerability management, one that aligns with how modern enterprises work: cloud-native, fast-moving, and resource-constrained. If you're a CISO, a security lead, or part of an AppSec team, you no longer have to ask, “Is this finding real?” Instead of chasing every vulnerability, IRIS automatically checks your WAF to see whether a protective control is already in place, so your team doesn’t waste time, money, or energy on issues that don’t pose a real risk.
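The scoring logic described above, as an added Python illustration written for this post (not IRIS’s actual algorithm or code): the weights, hostnames, rules and findings are all assumed. It starts from the scanner’s severity, adds for internet exposure, sensitive data and known exploitation, and then adjusts for WAF state. Two caveats a practitioner would want are built in: a WAF only earns credit on internet-facing hosts where it is actually in the request path, and a rule that is merely configured (or in log-only mode) earns less than one that has been re-tested and shown to block the exploit path. A compensating control lowers the priority; it never sets it to zero.

```python
from dataclasses import dataclass

SEVERITY_SCORE = {"low": 2.0, "medium": 4.0, "high": 7.0, "critical": 9.0}


@dataclass(frozen=True)
class Finding:
    id: str
    host: str              # application the finding lives on
    cwe: str               # weakness class, e.g. "CWE-89" for SQL injection
    scanner_severity: str  # what the scanner said
    external: bool         # reachable from the internet?
    sensitive_data: bool   # handles card, health or similar data?
    known_exploited: bool  # exploitation seen in threat intel


@dataclass(frozen=True)
class WafRule:
    host: str
    cwes: frozenset   # weakness classes the rule is meant to stop
    mode: str         # "block", or "detect" (log only)
    verified: bool    # exploit path re-tested through the WAF and confirmed blocked


def waf_coverage(finding, rules):
    """'verified', 'present' or 'none' for this finding's weakness class on its host.
    Only a blocking rule on the same host counts; detect-only rules and rules on
    other hosts give no credit."""
    status = "none"
    for rule in rules:
        if rule.host != finding.host or finding.cwe not in rule.cwes or rule.mode != "block":
            continue
        if rule.verified:
            return "verified"
        status = "present"
    return status


def prioritize(finding, rules):
    """Turn scanner severity into a 0-10 priority using business context and WAF
    state. Returns (score, bucket, reasons). All weights are illustrative."""
    score = SEVERITY_SCORE[finding.scanner_severity]
    reasons = []
    if finding.external:
        score += 1.5
        reasons.append("internet-facing")
    if finding.sensitive_data:
        score += 1.0
        reasons.append("handles sensitive data")
    if finding.known_exploited:
        score += 2.0
        reasons.append("exploited in the wild")
    if finding.external:
        # A WAF only sees traffic that reaches it, so credit is given only for
        # internet-facing apps, and a compensating control never zeroes the
        # finding: it still has to be fixed, just not first.
        coverage = waf_coverage(finding, rules)
        if coverage == "verified":
            score -= 4.0
            reasons.append("WAF rule verified to block the exploit path")
        elif coverage == "present":
            score -= 1.5
            reasons.append("WAF rule present but unverified; partial credit only")
        else:
            score += 1.0
            reasons.append("no blocking WAF rule for this weakness class")
    else:
        reasons.append("internal service: WAF not in the request path, no credit")
    score = max(0.0, min(10.0, score))
    bucket = "fix now" if score >= 8 else "next sprint" if score >= 5 else "backlog"
    return score, bucket, reasons


def triage(findings, rules):
    """Rank findings by adjusted score, highest first, as (id, score, bucket)."""
    ranked = [(f.id, *prioritize(f, rules)[:2]) for f in findings]
    return sorted(ranked, key=lambda r: -r[1])


# Constructed sample WAF state and findings (not real data).
RULES = [
    WafRule("shop.example.com", frozenset({"CWE-89"}), "block", True),    # SQLi rule, re-tested
    WafRule("shop.example.com", frozenset({"CWE-79"}), "detect", False),  # XSS rule, log-only
    WafRule("api.example.com", frozenset({"CWE-22"}), "block", False),    # traversal rule, untested
]

FINDINGS = [
    Finding("V-101", "shop.example.com", "CWE-89", "critical", True, True, False),
    Finding("V-102", "shop.example.com", "CWE-79", "high", True, False, False),
    Finding("V-103", "api.example.com", "CWE-22", "high", True, False, False),
    Finding("V-104", "intranet.example.com", "CWE-89", "medium", False, True, False),
    Finding("V-105", "shop.example.com", "CWE-287", "low", True, True, True),
]

if __name__ == "__main__":
    for fid, score, bucket in triage(FINDINGS, RULES):
        print(f"{fid}: {score:4.1f}  {bucket}")
```

With the constructed data, the critical SQL injection behind a verified WAF rule drops from “fix now” to “next sprint” (and would be a 10 without the rule), the high XSS behind a log-only rule stays at “fix now”, and a “low” that is internet-facing, exploited in the wild and touching sensitive data lands in the same tier as the mitigated critical.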
Let’s talk about how IRIS can help your team focus on what’s exploitable, urgent, and actually worth your time. Book a demo with us and see IRIS in action
- 🚀 Introducing CodeEye's New Product Engineering Service!
Toronto, Ontario, Canada - February 20, 2025. At CodeEye, we don’t just build software; we build secure software by design. Our new Product Engineering Service stands out by embedding security into every phase of the development lifecycle, setting us apart from traditional software development companies that often treat security as an afterthought and leave you, the customer, up at night worrying about third-party risk. Powered by our IRIS next-gen ASPM platform and a security-focused development team, we integrate real-time vulnerability detection and remediation directly into the development process, ensuring that every product is not only innovative but also resilient, scalable, and aligned with leading security standards such as NIST CSF 2.0 and the CIS Controls.

Our unique value proposition:
● Security embedded at every stage: from ideation to deployment, security is always in focus
● Application security by design: build resilient, future-proof products from the ground up
● NIST CSF 2.0 and CIS Controls alignment: align with top-tier product security standards
● Real-time vulnerability detection and remediation: powered by IRIS for proactive protection
● End-to-end product development: comprehensive solutions tailored to your business needs
● Agile and scalable solutions: innovate faster without sacrificing security or compliance
● Regulatory readiness: stay ahead of evolving standards such as NIST CSF 2.0, the CIS Controls, and GDPR

Unlike traditional software development companies, CodeEye ensures that security isn’t a bolt-on; it’s built in. This approach reduces technical debt, minimizes vulnerabilities, and streamlines compliance, giving your business a competitive edge in an increasingly regulated and threat-prone landscape. Let’s Build Smart. Let’s Build Secure. Visit www.codeeye.ai or contact@codeeye.ai today to discover how our Product Engineering Service can help you bring secure, compliant, and scalable products to market, faster and safer.
- CodeEye's New Look: Sharpening Our Focus on End-to-End Application Security
The rapid pace of application development today increases the potential for security gaps, making it essential to have a robust strategy in place. Since our founding in 2017, CodeEye has continually adapted and expanded our capabilities to meet the growing demands of our clients. Today, we’re excited to introduce a refreshed brand identity that aligns with our mission to provide top-tier security solutions that safeguard applications from development to deployment.

So, why now? From our early days specializing in offensive security and digital forensics to the development of our flagship IRIS platform, our journey has been one of growth, innovation, and unwavering commitment to our clients. Our new brand identity symbolizes our evolution and future direction, following the launch of our next-generation Application Security Posture Management (ASPM) platform earlier this year. The new brand emphasizes building security into every stage of development, from the first line of code to the production product, helping businesses envision a better way to secure their applications.

A Clearer Focus: Simplifying Application Security with a Modern Brand
This brand update is designed to make security more accessible and manageable for our clients, from early development to ongoing maintenance. “Vision” remains a central theme of CodeEye’s identity, with the IRIS platform acting as a lens that helps businesses detect and remediate every potential threat, from code to production. Real business context matters when identifying possible threats and prioritizing remediation. The goal of IRIS is to reduce the application security team’s involvement in commoditized processes by automating risk prioritization. We enable organizations to gain complete visibility of business-contextualized risk and make faster, risk-based decisions. Alongside the brand, we built a new website that reflects our mission of empowering organizations to embed security into their software development lifecycle from day one. The goal was to make our brand presence as professional and trustworthy as our solutions.

Impact on Our Customers
This isn’t just a visual update; it’s about improving how we communicate and engage with our customers. By simplifying our messaging and modernizing our presence, we make it easier for businesses to understand how our solutions fit into their security strategy. Whether you're a growing startup or an established enterprise, our goal is to provide a cohesive and accessible experience across all touchpoints to help you protect your applications from planning and requirements through to maintenance.

Our Offerings: Comprehensive Security Services Beyond IRIS
We haven't forgotten where we came from and what got us to this point. CodeEye’s commitment to securing applications extends beyond the IRIS platform and handing over a licence key. Our Professional Services include offensive security and security consulting, enabling businesses to fortify their security posture from every angle. Whether it’s testing the resilience of your cloud infrastructure, securing your CI/CD pipelines, or conducting Red and Purple Team exercises, we provide actionable insights to enhance your defenses. Additionally, our Product Security Services help integrate security into every stage of development, from secure design and code quality assessments to compliance and continuous application security monitoring. This comprehensive approach ensures your applications are secure, compliant, and resilient.

Founder and CEO Robert Howes had a vision that, no matter the maturity or size of the organization, a common theme is that developers do not understand business risk and application security engineers do not understand code vulnerabilities. Combined with the fact that skilled application security engineers are very difficult to hire, CodeEye’s managed ASPM service was born in 2022. Robert believes that the company's managed service offering will continue to grow and accelerate by over 50% year over year until 2028.

Looking Ahead: Stay Connected with CodeEye
We’re excited to share our refreshed brand with you! As we continue to evolve, we look forward to sharing more updates and insights that will help you launch and scale secure applications capable of withstanding today’s most complex threats. To see how CodeEye and IRIS can rapidly transform your business into a secure, resilient operation, book a demo with a member of our team.

About CodeEye
CodeEye is a leading Canadian provider of cutting-edge application security solutions, designed to protect your digital assets from ever-evolving cyber threats. Our flagship offering, IRIS, is an all-in-one managed application security platform tailored specifically for high-growth SMBs with tight security resources and tireless development teams. Our team excels in application security, from code to production, blending advanced technology with personalized support to help you identify and mitigate risks, elevate code quality, enhance team collaboration and stay compliant with industry regulations. For more information, visit codeeye.ai.
- CodeEye Solutions Unveils New VP of Product Security; Achieves Vendor of Record for the Province of Ontario
Toronto, Ontario, Canada – March 26, 2024. Application and information security solutions company CodeEye Solutions today announced a significant milestone in its evolution, appointing Ronald Iraheta as VP of Product Security. In this role, Iraheta will leverage two decades of product development and application security experience to help fast-growing organizations streamline their application security efforts, minimize risk, and focus on delivering secure, resilient, and high-quality software.

Prior to joining CodeEye, Iraheta played a pivotal role in the success of the Priceline Partner Network, where he led the development of groundbreaking application security solutions, and he spearheaded the application security programs at two of the most recognizable brands in the global travel and hospitality industry.

As VP of Product Security, Iraheta will oversee the technical direction of CodeEye’s next-gen Application Security Posture Management (ASPM) solution, IRIS, leading technology strategy, product development, and technical operations. His leadership and strategic mindset will be instrumental in shaping the IRIS roadmap and positioning CodeEye at the forefront of the ASPM market.

“We are taking a different path from the current vendors in this space. I see a tremendous opportunity to fill those gaps with a complete solution from code development to production application security threat detection and remediation, not just for the enterprise, but for SMB clients as well,” said Iraheta.

“I am ecstatic to have Ronald join our team. As companies struggle with managing point solutions, complex licensing, and application threat visibility, our team has architected a platform that provides real-time, AI-powered threat detection, correlation, and remediation throughout the application/product lifecycle,” said Rob Howes, CEO of CodeEye Solutions. “Our view on application security is going to change how organizations centralize, detect, prioritize, and remediate vulnerabilities seamlessly across all stacks.”

Vendor of Record Award
CodeEye Solutions has recently earned the designation of Vendor of Record (VOR) from the Ontario Ministry of Government and Consumer Services for IT Security Products and Services. The VOR arrangement was established through an open, highly competitive evaluation of IT security products and related services, including, but not limited to, implementation, maintenance, and support. A VOR is essential for all Ontario Public Service (OPS) ministries and agencies covered by the OPS Procurement Directive. CodeEye was approved as a vendor in the following categories:
● Static Application Security Testing
● Dynamic Application Security Testing
Working with an Ontario VOR solution such as IRIS by CodeEye brings many benefits, including compliance with procurement directives and time and cost savings throughout the procurement process. This acknowledgment underscores IRIS's standards in empowering organizations to streamline application security efforts, minimize risk, and focus on delivering secure, resilient, and high-quality software.

About CodeEye Solutions
CodeEye Solutions is a leading Canadian provider of cutting-edge application security audit / offensive testing and application security posture management services, empowering organizations to safeguard their digital assets against evolving cyber threats. With a comprehensive suite of solutions, including IRIS, an all-in-one managed application security platform focused on the needs of the SMB market, we offer protection for high-growth businesses with limited security resources and tireless development teams. Our expertise is application security, from the foundation to the product, coupled with expert guidance and support, so that our clients can detect and mitigate security risks, improve code quality, foster collaboration between teams, and ensure compliance with regulatory requirements. For more information on CodeEye, please visit www.codeeyesolutions.com.
- CodeEye Solutions announces unveiling of IRIS Code Risk Management Platform
TORONTO, Nov. 30, 2022 – CodeEye Solutions, the incident response and offensive/defensive security services company, today unveiled its IRIS Code Risk Management Platform. The new platform helps organizations build safe and secure applications, provides the tools for secure code compliance, and highlights business risk. As organizations pursue digital transformation to create new, competitive solutions for customers, ensuring that development teams can integrate the right security controls in an automated fashion means more secure products and better code, and gives executive teams the ability to measure the risk within product development.

IRIS can be deployed as a DevSecOps code-scanning operational tool integrated into the development process, or as a SecDevOps compliance / audit tool with weekly or monthly scanning so that security teams can ensure policies are enforced, risks are identified, and auditors can report on compliance. What separates IRIS from the market is our focus on business context, risk visibility, operational readiness and compliance. With the launch of CodeEye Solutions’ IRIS platform, organizations can now take advantage of managed, on-demand, or annual-subscription application scanning services. The platform covers Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), third-party library scans, forensic code scanning, an executive risk management module, and more. IRIS also integrates with many existing CI/CD tools and source control systems (such as GitHub) and has its own API.

“Many of our customers are asking us how they justify spending or measuring risk in development and if their teams are improving in secure development. Beyond the technical features that set IRIS apart, this is what our product does. We help clients understand risks wherever their code is and if their developers are increasing or decreasing that risk,” said Rob Howes, CEO of CodeEye Solutions.
“Clients that have the compliance requirement but lack the resources or knowledge can also take advantage of our managed SecDevOps expertise,” said Howes. CodeEye Solutions is the only vendor in the secure code space that provides a managed practice for clients to take full advantage of. CodeEye anticipates that market demand for managed code compliance will increase as budgets tighten for the next fiscal year and as internal security teams maintain their focus on traditional security operations. Contact CodeEye Solutions today to discuss your next application project or compliance requirements.

About CodeEye Solutions
Additional services:
● Application Threat Modeling
● Manual Source Code Review
● Pipeline Audits and Tool Selection
● Secure Code Developer Training
● Application Security Architecture Design or Review
● Security Audits / Gap Assessments
● Incident Response / Planning
● Application Migration Security Audit
● Penetration Testing

Media Contact: contact@codeeyesolutions.com
CEO – Rob Howes, rob@codeeyesolutions.com
- IRIS API
IRIS API Service is now available to all customers. The IRIS API provides better visibility and integrates the IRIS platform into the software development life cycle. The API returns the results of each scan so that they can be consumed by internal services. This makes it possible to integrate third parties such as Jira or Slack, or to have a build system block or hold a deployment based on scan results. IRIS API documentation is also available; it gives developers the information they need about how the API works and what data is available through it. Customers can perform functions including:
● Accessing vulnerability data
● Scanning releases under projects/applications
● Receiving remediation advice
● Viewing account, user, and team information
Please contact CodeEye Solutions or request a live demo.
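One way to use scan results to block or hold a deployment from a build pipeline, as an added example for this page. It is not IRIS code and does not use the real API schema; the JSON shape, the policy thresholds and the exit codes are assumptions for the illustration. The gate blocks on any open critical or high finding that has no compensating control, and holds on anything past its SLA, including findings that are mitigated but still open, so a WAF rule buys time without stopping the clock.

```python
import json
import sys
from datetime import date

# Constructed scan result in an assumed JSON shape (the real IRIS API schema
# lives in its own documentation and is not reproduced here).
SAMPLE_SCAN_RESULT = json.dumps({
    "project": "payments-api",
    "release": "2.4.1",
    "findings": [
        {"id": "F-1", "severity": "critical", "status": "open",
         "first_seen": "2025-03-09", "mitigated_by": None},
        {"id": "F-2", "severity": "high", "status": "open",
         "first_seen": "2025-01-20", "mitigated_by": "waf-rule-1023"},
        {"id": "F-3", "severity": "medium", "status": "open",
         "first_seen": "2025-01-05", "mitigated_by": None},
        {"id": "F-4", "severity": "high", "status": "fixed",
         "first_seen": "2024-12-01", "mitigated_by": None},
        {"id": "F-5", "severity": "low", "status": "open",
         "first_seen": "2025-03-01", "mitigated_by": None},
    ],
})

# Assumed release policy: unmitigated critical/high findings block the deployment
# outright; anything past its remediation SLA puts the release on hold (a
# compensating control does not stop the SLA clock).
POLICY = {
    "block_on": {"critical", "high"},
    "sla_days": {"critical": 7, "high": 30, "medium": 90, "low": 180},
}

EXIT_CODES = {"allow": 0, "block": 1, "hold": 2}


def evaluate_gate(scan_json, today, policy=POLICY):
    """Decide allow / hold / block for a release from its scan results.
    `today` may be a date or an ISO string. Returns (decision, reasons)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    result = json.loads(scan_json)
    open_findings = [f for f in result["findings"] if f["status"] == "open"]
    reasons = []

    blocking = [f for f in open_findings
                if f["severity"] in policy["block_on"] and not f.get("mitigated_by")]
    for f in blocking:
        reasons.append(f'{f["id"]}: open {f["severity"]} with no compensating control')

    overdue = []
    for f in open_findings:
        age = (today - date.fromisoformat(f["first_seen"])).days
        limit = policy["sla_days"][f["severity"]]
        if age > limit:
            overdue.append(f)
            reasons.append(f'{f["id"]}: {f["severity"]} open {age} days, SLA {limit}')

    if blocking:
        return "block", reasons
    if overdue:
        return "hold", reasons
    return "allow", reasons


def without_findings(scan_json, ids):
    """Return the same scan result minus the given finding ids (used to show
    how the decision changes as items get fixed)."""
    result = json.loads(scan_json)
    result["findings"] = [f for f in result["findings"] if f["id"] not in ids]
    return json.dumps(result)


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    scan_json = open(argv[0]).read() if argv else SAMPLE_SCAN_RESULT
    decision, reasons = evaluate_gate(scan_json, date.today())
    print(f"{decision.upper()} release")
    for reason in reasons:
        print("  -", reason)
    return EXIT_CODES[decision]


if __name__ == "__main__":
    sys.exit(main())
```

Wire it into CI by feeding the API response to the script (for example `python gate.py results.json`) and mapping exit code 1 to a failed stage and 2 to a manual approval step. Run with no argument it evaluates the embedded sample and blocks, because F-1 is an open, unmitigated critical; with F-1 fixed it holds, because the WAF-mitigated high F-2 is past its 30-day SLA.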
- NIST CSF 2.0: A New Era in Cybersecurity and the Implications on Application Security
On February 26, 2024, the National Institute of Standards and Technology (NIST) released an update to the Cyber Security Framework (CSF), introducing several changes, including implications for security by design and secure SDLC.

Application security has become increasingly important in recent years due to the rise in cyber-attacks and data breaches. Governments in both Canada and the US have recognized the need for increased scrutiny over application integrity and have introduced regulations and guidelines to ensure the security of sensitive data. In the US, this is reflected in the 2024 CSF update, with its implications for security by design and secure SDLC.

One of the most significant changes in NIST CSF 2.0 is the introduction of the Platform Security category under the “Protect” function. This category specifically references secure software development, stating that “Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.”

CodeEye launched IRIS in 2019 with the ability to consolidate code security into one platform. Since then, IRIS has evolved into a Next Gen ASPM solution.

What is IRIS ASPM? From code to production, IRIS detects, correlates, provides risk-based analysis, and prioritizes application security findings for easier interpretation and remediation – all within one platform. IRIS has a built-in Risk and Compliance Module that provides ongoing performance and risk monitoring of the product development program, addressing the requirements of PR.PS-06 of NIST CSF 2.0. This means that organizations can use IRIS to ensure that their secure software development practices are integrated and monitored throughout the software development life cycle.
IRIS’s Risk and Compliance module supports the implementation and improvement of the NIST Cybersecurity Framework (CSF) 2.0 across the software development lifecycle. It provides a comprehensive view of the usage and findings of the different scanning modules that correspond to the five core functions of the CSF: Identify, Protect, Detect, Respond, and Recover. It helps stakeholders monitor and compare the performance, risk, and health of software projects and teams, and supports data-driven decision-making and risk mitigation efforts.

The R&M Dashboard of IRIS aligns with the CSF 2.0 requirements across all 5 functions:

- Identify: The dashboard helps identify the assets, systems, and data that are involved in the software development process, and the potential risks and vulnerabilities that may affect them. By visualizing the number of issues found, analyses executed, and findings detected in different project stages (e.g., coding, QA, Production, Docker virtualization), the dashboard provides insights into the overall risk level at each stage.
- Protect: The dashboard helps protect the software assets, systems, and data by enabling the use of different scanning modules that can detect and prevent security breaches, such as static code analysis, dynamic code analysis, penetration testing, and vulnerability scanning. The dashboard allows a comparative analysis of the level of usage and effectiveness of each scanning module. This helps identify which modules are being utilized most effectively and which ones may need improvement.
- Detect: The dashboard helps detect the occurrence of cybersecurity events by tracking issues detected and analyses executed by each development team. This helps identify potential weak points in teams’ security practices and make informed decisions based on the results. The dashboard also facilitates the timely discovery and reporting of security incidents by providing alerts and notifications.
- Respond: The dashboard helps respond to cybersecurity incidents by providing actionable information and guidance on how to address and resolve the issues. The dashboard facilitates risk mitigation efforts by identifying areas where security vulnerabilities are most prevalent, allowing teams to prioritize and address critical issues. The dashboard also supports communication and coordination among stakeholders and teams during the incident response process.
- Recover: The dashboard helps recover from cybersecurity incidents by monitoring and comparing results over time and assessing the impact and effectiveness of remediation actions. The dashboard helps assess the overall health and security posture of the software development projects and identifies areas for improvement and lessons learned.

With NIST CSF 2.0 bringing a renewed focus on secure software development, CodeEye’s IRIS Next Gen ASPM provides a solution for organizations to efficiently meet the requirements of the new framework. For more information on CodeEye’s Risk and Compliance Module, contact us for a demo.

About CodeEye Solutions

CodeEye Solutions is a leading Canadian provider of cutting-edge Application Security Audit / Offensive Testing and Application Posture Management Services, empowering organizations to safeguard their digital assets against evolving cyber threats. With a comprehensive suite of solutions, including IRIS, an all-in-one Managed Application Security Platform focused on maturing the needs of the SMB market, we offer unparalleled protection for high-growth businesses with limited security resources and tireless development teams. CodeEye Solutions is the Ontario Government Vendor of Record for IT Security Products and Services.
Our expertise is application security, from the foundation to the product, coupled with expert guidance and support, to ensure that our clients can detect and mitigate security risks, improve code quality, foster collaboration between teams, and ensure compliance with regulatory requirements. For more information on CodeEye please visit www.codeeyesolutions.com.

Ready to embrace IRIS?
Book a demo to see how IRIS handles your application security use-cases.