Technology


What is Application Security Testing?

Application security is becoming mainstream after years of neglect. Software security assurance has also long played second fiddle to software quality. No technology today gives CISOs and other IT executives the intelligence they need to manage application and software risk easily and effectively; instead, security teams are typically forced to fly blind. The most promising technology for giving security teams insight into Application Risk Intelligence (ARI) is code analysis. However, current products on the market cannot adequately help security teams understand application risk, because they do not cover the full risk spectrum.

What makes the Checkmarx risk platform unique?

Checkmarx changed the common paradigm of closed-end code scanning and built a platform that enables consistent, in-depth exploration of code risk. Checkmarx picks up where other vendors stop: today, all static analysis vendors perform repeatable code scans and produce reports. Checkmarx does not just scan and report comprehensive vulnerability details; it also builds a persistent database that stores the results of every scan and, most importantly, supports intelligent, repeatable risk-exploration queries.

How Does Checkmarx’s Technology Work?

Other source code analyzers rely on ordinary compilers and look for vulnerabilities by scanning a reconstruction of the code. This approach is inflexible and imprecise. Checkmarx instead created a generic abstract model for all programming languages: the code and its control and data flow in every supported language are converted into a single, common-language representation stored in a persistent database. On top of this model Checkmarx developed a query language that can analyze the representation uniformly and find any class of code flaw, including security vulnerabilities.

The implication of Checkmarx's approach is an unparalleled ability to inspect and summarize application security risk quickly, non-intrusively and accurately. How? First, Checkmarx scans code without compiling it, using a patented Virtual Compiler (VC). This is in full contrast to tools that need a buildable or running application before they can perform application security testing. Because the VC finds problems before compilation, it can also scan code across fragmented organizational structures: geographically dispersed teams, outsourced development, open source components and so on. The VC normalizes the code into a universal representation and flow map that is optimized for risk analysis, unlike traditionally compiled code, which is tuned for production.

For the initial application security testing, Checkmarx provides out-of-the-box queries that detect known security vulnerabilities. The flexibility of the query language makes it easy to customize queries to frameworks and corporate standards, further improving the initial results. Beyond detecting common software security vulnerabilities such as the OWASP Top Ten, Checkmarx extends the risk coverage spectrum to uncover, for example, abuse cases involving business logic flaws, which are essential to preventing fraud. This takes software security testing a step beyond conventional application security software, toward true risk assessment. The persistent mapping is ideal for detecting vulnerabilities that span composite applications assembled from different programming languages, such as C# and ASP, because both are transformed into the same universal format. It also enables true application understanding and impact analysis. For example, an application can be tested for newly emerged attacks simply by adding or changing the queries that address those attacks, without running the scan again.
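The three preceding paragraphs describe one architecture: code in several languages is lowered, without a compiler, into a single flow model kept in a persistent store, and vulnerability classes are queries over that model, so a new attack class costs a new query rather than a new scan. The following Python program is an added illustration of that idea and is not Checkmarx code or Checkmarx's query language. Everything in it is an assumption made for the example: the toy statement tuples standing in for parser output, the table of which calls count as inputs, sinks and taint-preserving operations in an "asp" and a "csharp" unit, the shared parameter node that stitches a cross-language call together, and SQLite as the persistent store.

```python
import sqlite3
from collections import deque

# Assumed per-language semantics: which calls are untrusted inputs, dangerous
# sinks, or value-preserving operations. Not a real product's rule set.
SEMANTICS = {
    "asp": {"Request.Form": "input", "Conn.Execute": "sql_sink"},
    "csharp": {"String.Concat": "op", "SqlCommand.ExecuteReader": "sql_sink",
               "Process.Start": "cmd_sink"},
}
# Constructed parser output for two units of one composite application:
# (lhs, callee, [arg variables]); "param:F#i" is parameter i of F, "_" discards.
ASP_PAGE = [("user", "Request.Form", []),          # untrusted form field
            ("_", "CsLib.Lookup", ["user"]),       # cross-language call into C#
            ("_", "Conn.Execute", ["user"])]       # SQL sink inside the ASP page
CSHARP_LIB = [("name", "param:CsLib.Lookup#0", []),  # parameter of Lookup()
              ("sql", "String.Concat", ["name"]),    # taint survives concat
              ("_", "SqlCommand.ExecuteReader", ["sql"]),
              ("_", "Process.Start", ["name"])]      # OS command sink

def new_store():
    """Store for the model; a file path instead of ':memory:' keeps it across runs."""
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE node(id INTEGER PRIMARY KEY, lang, kind, name);"
                     "CREATE TABLE flow(src, dst);")
    return db

def node(db, lang, kind, name):
    return db.execute("INSERT INTO node(lang, kind, name) VALUES (?, ?, ?)",
                      (lang, kind, name)).lastrowid

def flow(db, src, dst):
    db.execute("INSERT INTO flow VALUES (?, ?)", (src, dst))

def shared_node(db, name):
    """Language-neutral parameter node that stitches units together."""
    row = db.execute("SELECT id FROM node WHERE lang='*' AND name=?", (name,)).fetchone()
    return row[0] if row else node(db, "*", "param", name)

def lower(db, lang, unit, stmts):
    """Lower one unit into universal nodes and edges from parse-level statements."""
    ids = {}
    def var(name):
        if name not in ids:
            ids[name] = node(db, lang, "var", f"{unit}:{name}")
        return ids[name]
    for lhs, callee, args in stmts:
        kind = SEMANTICS[lang].get(callee)
        if callee.startswith("param:"):           # value arrives from a caller
            flow(db, shared_node(db, callee[6:]), var(lhs))
        elif kind == "input":                      # attacker-controlled source
            flow(db, node(db, lang, "input", f"{unit}:{callee}"), var(lhs))
        elif kind in ("sql_sink", "cmd_sink"):     # dangerous consumer
            sink = node(db, lang, kind, f"{unit}:{callee}")
            for a in args:
                flow(db, var(a), sink)
        elif kind == "op":                         # taint propagates through
            for a in args:
                flow(db, var(a), var(lhs))
        else:                                      # call into another unit
            for i, a in enumerate(args):
                flow(db, var(a), shared_node(db, f"{callee}#{i}"))

def build_model():
    """The one-time 'scan': every unit lowered into the shared model."""
    db = new_store()
    lower(db, "asp", "login.asp", ASP_PAGE)
    lower(db, "csharp", "CsLib", CSHARP_LIB)
    db.commit()
    return db

def find_flows(db, source_kind, sink_kind):
    """A query: (source, sink) pairs joined by a data-flow path in the stored model."""
    nodes = {i: (k, n) for i, k, n in db.execute("SELECT id, kind, name FROM node")}
    succ = {}
    for s, d in db.execute("SELECT src, dst FROM flow"):
        succ.setdefault(s, []).append(d)
    found = set()
    for sid, (kind, sname) in nodes.items():
        if kind != source_kind:
            continue
        seen, queue = {sid}, deque([sid])
        while queue:
            cur = queue.popleft()
            if nodes[cur][0] == sink_kind:
                found.add((sname, nodes[cur][1]))
            for nxt in succ.get(cur, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return sorted(found)

if __name__ == "__main__":
    model = build_model()                                   # scan once
    print("sql_injection:", find_flows(model, "input", "sql_sink"))
    # A newly published attack class: add a query, do not rescan.
    print("command_injection:", find_flows(model, "input", "cmd_sink"))
```

The first query reports two paths from the ASP form field: one to the SQL sink in the ASP page and one that crosses into the C# component through the shared parameter node, which is the composite-application case the text describes. The second query reuses the same stored model for a different sink class; nothing is lowered again.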

Checkmarx is ideally positioned to create the Application Risk Intelligence space beyond the enterprise. Its technology can assist service platforms such as Salesforce.com with their security efforts. Its existing portfolio of languages includes mainstream languages such as Java and its frameworks, Java applets, Ajax, VB.NET, VB, C#, ASP and ANSI C/C++. It also supports cloud dialects such as Force.com's Apex and Visualforce, and new platforms and languages can be added very quickly. Other vendors have a hard time offering their technologies on such platforms because they do not support languages such as Apex, interpreted languages, or non-IT developers as users of SAST technologies.