Everybody needs security aware neighbours

Jul 07, 2015 By Amit Ashbel

YIT (Yedioth Information Technologies) is a leading IT company and software house, specializing in internet and mobile solutions. Established 15 years ago as the IT arm of Yedioth Aharonoth Group, in order to supply technology solutions to the entire Group, YIT extensive experience drove its expansion to deliver same expertise to various market leading customers.

Among company’s customers are YNET, Calcalist, Daka90, Israel’s intelligence , AllJobs, Gindi Holdings, Citizen’s Empowerment Center In Israel and World Jewish Heritage”


YIT has acquired Checkmarx’s CxSAST solution just a few months ago and have immediately implemented it as part of their security review process. Starting off with a single project less than 2 weeks after the purchase YIT have quickly adapted Checkmarx’s solution and is currently scanning tens of different projects on a regular basis.

As YIT are next door to Checkmarx’s offices in Tel Aviv, I decided to go there in person to hear from them directly about their experience with Checkmarx. I met with Yair Glikman, one of YIT’s development managers and Ilan Norman the Head of Security.

At first I asked about the implementation process and how quickly were they able to get the system up and running.

“As with most complex technical solution, there were a few hiccups upon initial setup however that was quickly and efficiently addressed by the technical support staff at Checkmarx” said Yair Glikman.

Since implementation, which took less than two weeks, YIT have been using CxSAST to scan multiple languages includign Mobile code and additional languages are planned to be scanned in the short term.


Yair is in charge of implementation and management of the platform from R&D perspective and he explained how they use the solution today. Each project is automatically pulled directly from the source code repository and scanned by CxSAST.  Both Git and TFS are used for different projects and CxSAST is connected directly with both.

Results are automatically delivered to team leaders of each group and evaluated. Team leaders then assign fixes to the relevant developers.

A decision making group is assigned to decide regarding what lower level vulnerabilities have to be addressed however there is a clear agreement between security teams and development teams said that code will not be released to production with vulnerabilities ranked as high severity.

YIT employ very high level developers and engineers resulting in top notch code. Looking at the Project severity graph you can see relatively good results which portray the code quality and clear coding guidelines. Nevertheless YIT still decided to add additional layers to cover items which the human eye may have missed.

Being a favorite target for cyber-attacks, YIT employs multiple layers of security on their hosting network and software including WAF, Dynamic testing tools and some additional layers which they prefer to keep confidential.

The full Case Study is available here

The following two tabs change content below.

Amit Ashbel

Cyber Security Evangelist at Checkmarx
Amit Ashbel has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as Blackhat, Defcon, OWASP, and others.

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.