Posts by Paul Curran:


BSIMM in the Age of Agile

Apr 13, 2017 By Paul Curran | Since 2009, the Build Security in Maturity Model (BSIMM) has been helping organizations across a wide range of verticals build long-term plans for software security initiatives based on actual observed data from the field, provided by nearly 100 participating firms. In the most recent BSIMM report, released in late 2016, BSIMM co-author and inventor Gary McGraw highlights the challenge organizations face when it comes to correctly implementing security in agile development environments. For organizations adopting continuous integration/continuous deployment (CI/CD) and DevOps, security may be seen as an inhibitor, but it doesn’t need to be. Read on to find out why.

How You can be Coding Securely in Go

Apr 06, 2017 By Paul Curran | For the third year in a row, Go has made the top 5 most loved programming languages and ranks number three in terms of “most wanted” programming language in Stack Overflow’s 2017 developer survey. Go developers are also among the top 5 highest paid, according to tens of thousands of respondents to the same survey. Adding secure coding knowledge to the ability to develop in Go can lead to an even larger annual salary, as security-aware developers tend to earn more. Read on to learn about the secure coding resource that Checkmarx built to help developers across all verticals code securely in Go.

Bamboo vs Jenkins

Mar 12, 2017 By Paul Curran | The adoption of DevOps increased from 66 percent in 2015 to 74 percent in 2016, and the trend shows no sign of slowing down in 2017. As more enterprises expand their teams working on continuous integration (CI), deployment, and delivery, there is an increasing demand to find the best solution to fit their deployment needs. Read on to understand the benefits of Bamboo and Jenkins, two of the leading platforms for CI deployment and delivery, as well as the options available for implementing security through static code analysis in both of these solutions.

What You Need to Know: Julian Assange & WikiLeaks [INFOGRAPHIC]

Mar 09, 2017 By Paul Curran | Julian Assange is an Australian activist, computer programmer, and hacker who, in December 2006, founded WikiLeaks. His goal was to provide a platform where classified and sensitive documents could be posted anonymously. Since its start, WikiLeaks has drawn a lot of attention following major information exposed on the site; however, the first major leak resulting in legal charges (against WikiLeaks) was the exposure of Swiss Bank and Julius Baer for involvement in money laundering.

Trump Website Hacked: Subdomain Takeover Defaces Fundraising Site

Feb 22, 2017 By Paul Curran | The 2016 American elections were overshadowed by cybersecurity concerns, accusations and, in some cases, actual attacks. After an election season full of the current U.S. president accusing his opponent of “treasonously” weak cybersecurity, one of his own domains, associated with his fundraising efforts, has been hacked and defaced by way of a subdomain takeover. On February 20th, hackers acting under the pseudonym “Pro_Mast3r” defaced one of Donald Trump’s official websites, which is used for fundraising. Checkmarx’s Security Research Team wrote a detailed brief which explains the vulnerability that the malicious party used, an example via proof of concept, as well as tools which can be used to prevent such attacks in the future.

Speed up and Save: The ROI of Shifting Security Left [VIDEO]

Feb 09, 2017 By Paul Curran | A key differentiator between application security testing (AST) solutions is the ROI that each method brings to the organization. How much time can be saved? How much money can your organization save during remediation? When vulnerabilities make it past the development stage and into production, how many different departments need to be involved in remediation efforts? These are all questions that need to be considered when deciding which security solution brings the most value to your organization. AST ROI can be measured in terms of the cost of company resources in dollars, personnel and time needed to remediate detected vulnerabilities.

Cybersecurity in 2017: Interview with OWASP Author Jim Manico

Jan 29, 2017 By Paul Curran | As the software world still reels from the major hacks and breaches that occurred, and surfaced, in 2016, it’s critical that organizations ensure that their code security gets the attention it deserves in 2017 and beyond. In order to gain some quick insight into the application security landscape for 2017, we conducted a short interview with Jim Manico.

MISRA C: Security Compliance from the Streets to the Skies

Jan 08, 2017 By Paul Curran | The Motor Industry Software Reliability Association (MISRA) is an organization whose mandate is “to provide assistance to the automotive industry in the application and creation within vehicle systems of safe and reliable software.” MISRA’s steering committee is made up of a mixture of automotive manufacturers, such as Ford and Jaguar, component suppliers, as well as The University of Leeds. While MISRA is commonly known for its safety and security standards for the automotive industry, the organization produces comprehensive software guidelines which aim to standardize code safety, security and reliability in software used in a variety of sectors.

From McAfee to Verizon: Violations of the OWASP Standards Making the Headlines

Dec 20, 2016 By Paul Curran | The Open Web Application Security Project (OWASP) Web Top 10 list has long been the “Gold Standard” for application security testing, and when it comes to the Web Top 10, the OWASP standards are due for an update in 2017. Typically, this list is updated and adjusted every three years (as it was in 2007, 2010 and 2013) to account for changes in the threat landscape for web applications; however, the current OWASP Web Top 10 has not been updated since 2013.
