How Best Buy Reduced False Positives by 80%

Best Buy’s application environment is massive, comprising:

• 3000+ engineers
• 300 application teams
• 8000 repositories
• Thousands of microservices

“Our environment is deceptively large,” says Matthew Hurewitz, Director of Application Security, when addressing Best Buy’s complex security posture. “We support nearly every language and framework you can imagine” Mathhew explains further and adds jokingly -“Some of our applications are old enough to drink.”

To secure this scale and complexity, Best Buy needed a modern AppSec platform that could:

• Seamlessly integrate into developer workflows
• Deliver accurate, fast results without introducing friction
• Consolidate toolsets across SAST, SCA, secrets detection, and more
• Provide centralized governance and consistent remediation workflows

Best Buy used Checkmarx One to centralize scanning, triage, and remediation across SAST, SCA, and CI/CD pipelines. With strong support from Checkmarx, the Best Buy team was able to:

• Integrate into CI/CD to embed security scans into every release pipeline
• Improve Dev Experience with faster scans and reduced friction
• Simplify Tooling by consolidating multiple vendors into a single platform
• Gain Visibility into actual risk and improve prioritization with analytics

Real-Time Risk Reduction and Streamlined Operations at Peak Enterprise Scale

Following its adoption of Checkmarx One, Best Buy cut false positives by 80%, secured 27,000 monthly scans across thousands of CI/CD pipelines, and empowered more than 3,000 engineers across 300 teams to release software quickly and securely.

These improvements streamlined vendor management, reduced technical debt, and gave leadership clear analytics to demonstrate ROI and prioritize risk with confidence.