Checkmarx: Challenging The Application Security Field

Nov 05, 2013 By Sarah Vonnegut

This article originally appeared in Israeli publication The Marker.

By Jonathan Raveh

In a world where security breaches can cause enormous daily losses of up to millions of dollars, companies have started to develop a deeper understanding of what it takes to protect and secure the digital side of their operations as tightly as possible.

Security breaches have many different faces and can be used to steal anything from business intelligence to valuable customer data, severely disrupting business operations of a particular company or political group. Medium and large companies are investing millions of dollars annually in information security solutions, and Israeli company Check Point is an example of success in riding the wave of rising demand for solutions that protect against hackers and vulnerabilities in real-time network environments. Check Point is just one example, though. In fact, evolving security issues in recent years in Israel and around the world mean that protecting the network environment from hacking is no longer enough. Because many security solutions previously focused only on protecting the network environment, today’s sophisticated hackers are turning to less secured areas that are easier to hack.

These days, they’re actually using vulnerabilities within the functioning of websites and mobile apps to take over the servers running them. From there, taking over the network and stealing data is just a few clicks away. All they need is a browser.

There’s a trend of companies having their sites assessed by “friendly” hackers who are hired to actually hack the company’s site and report back with any security issues they discovered on the site. The companies can then use the “friendly” hacker’s findings to correct the uncovered breaches.

The problem with this so-called “friendly hacking” is that the process is costly and is usually done when the site has already been developed or is ready to launch. Repair costs and time constraints at these later stages are significantly higher than if the same security breaches had been repaired during development. These days there are a growing number of resources dedicated to helping an organization take preventive measures; that is, finding and eliminating security vulnerabilities before the product makes it to market. Up until just a few years ago, there were no tools on the market strong enough to provide such services.

Checkmarx, the Israeli developer of solutions dedicated to testing and analyzing code in order to identify vulnerabilities and security issues, was established to solve the problem of application security. The idea for the company, which launched in 2006, arose from founder Maty Siman’s army experience in the Information Systems and Technology branch: while looking for solutions similar to what Checkmarx offers today, he was unable to find one strong enough to meet the army’s needs.

The company specializes in Static Application Security Testing, or SAST. The advantage of using SAST tools over dynamic code testing (DAST) lies in SAST’s ability not only to detect security failures very early in a code’s development but also to direct the user to the exact location where a failure was detected, so that the repair can be done quickly and in the moment.

There are very few operators in this field because of the complex nature of code analysis and uncovering vulnerabilities. Checkmarx competes with giants such as HP (which acquired Fortify in 2010), IBM (which acquired Ounce Labs, now called AppScan, in 2009) as well as with Veracode – all companies with extensive business connections and marketing budgets, offering customers additional solutions in the security market and beyond.

Despite this, or perhaps because of the company’s relatively small size, Checkmarx has managed to differentiate itself with niche products and solutions that competitors simply don’t offer. That, on top of the convenience and user-friendly interface offered by Checkmarx’s solutions, earned the company the esteemed title of “Visionary” by the research firm Gartner in 2010.

Asaph Shulman, Vice President of Marketing at Checkmarx, said that the company’s growth “has stemmed from 3 distinct product advantages: high accuracy in identifying security breaches, system integration capability as an integral part of the development environment that enables rapid detection and correction of security problems, and the unique ability of Checkmarx to minimize the efforts required to block the issues and loopholes discovered. Our competitors are doing a great job, but none of them incorporate all these features together into the product they offer their customers.”

Extensive activity and rapid growth put Checkmarx in eighth place in the Deloitte Fast 50 published last week, which measures the fastest growing companies in Israel over the last 5 years. During this period, according to Deloitte, Checkmarx grew more than 2,200 percent.

Checkmarx’s partnerships include Salesforce and Ofer Hi-Tech, a subsidiary of the Ofer Brothers. The company currently has 60 employees, most of them working in Israel. Its customers include government agencies such as the U.S. Army and major Fortune 500 companies in over 30 countries. Competition in the security market in general and in the SAST arena is increasing, but with demand for these solutions on the rise, there is more room for small and medium-sized competitors, such as Checkmarx, to generate profitable business models over the years.
