Application Security Trends

Traditional security is well past its expiration date. Learn about the latest trends in AppSec in these posts, from DevOps to SAST and everything in between.
Code Injections

5 Deadly Code Injections That Can Obliterate Your Application

May 13, 2015 By Sharon Solomon | Cybercrime has evolved significantly over the years. While initially based mainly on social engineering and phishing, hackers today implement a wide range of techniques to exploit vulnerable applications with porous code. Code injections have arguably become the weapons of choice for hackers and are constantly being used to perform high-profile hackings worldwide.     

Read More »
Logo

PCI DSS Compliance Made Easy Using Source Code Analysis

May 05, 2015 By Sharon Solomon | The e-commerce and retail fields have undergone mammoth changes over the last decade. Paying in hard cash has almost become a thing of the past. Credit and debit cards are now being used to conduct millions of transactions and e-shopping purchases on a daily basis worldwide. But this new reality has also introduced numerous security perils.  

Read More »
Moscone

19 Points of AppSec Wisdom from RSA 2015

Apr 30, 2015 By Amit Ashbel | So, we are back from RSAC 2015!  Our heads full with new information, our sales teams loaded with new connections to follow up with and our bags full of useless giveaways :). Other than achieving absolute culinary success with some quite impressive restaurants and enjoying an impressive Faith No More concert at the San Francisco Warfield we also did some work. As usual it was an interesting and fruitful RSA Conference. Concentrating on Application Security, which had its own dedicated track, we decided to summarize a few of the more interesting talks. Among those, our own one and only, Maty Siman.

Read More »
Thumb

SAST vs DAST – Why SAST?

Apr 29, 2015 By Sharon Solomon | Application security used to be an afterthought until a few years ago, but the exponential rise in cybercrime and malicious activity has made organizations pay more attention to this crucial aspect. This realization has also brought up a widespread discussion about the pros and cons of the various AppSec solutions that are on offer in the market.   While Penetration (Pen) Testing, Interactive Application Security Testing (IAST) and Web Application Firewalls (WAF) are widely recognized security methodologies, they are typically used as processes to compliment the two most popular solutions in use today – Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).  

Read More »
CI

All You Wanted To Know About Continuous Integration Security

Apr 07, 2015 By Sharon Solomon | Continuous Integration (CI) is an application development practice that’s becoming more and more popular in large software development organizations. While it boosts productivity and code integrity, it introduces new technical challenges in the security process, magnifying the importance of selecting of the right solution for the task.  

Read More »
CISO Gary Hayslip, San Diego

CISO Insights: How the CISO of San Diego Secures His City

Mar 26, 2015 By Sarah Vonnegut | This article is the first in a series of interviews with CISOs in various industries. Our goal is to share our conversations with different Chief Information Security Officers about how they deal with daily tasks as well as the bigger picture of innovating security practices around business operations.   Gary Hayslip is currently the Deputy Director and Chief Information Security Officer for the city of San Diego, a role he’s held for the past two years. Previous to that, Gary spent over 25 years as a Information Security professional in the US Navy Command, working his way up to becoming CISO.   We had the opportunity to interview Gary about the risks and rewards of securing a major city, as well as what he’s learned over his many years in the industry and shared the highlights below. You can also grab the full interview here and be sure to follow Gary on Twitter!  

Read More »
Ali Express

The AliExpress XSS Hacking Explained

Mar 24, 2015 By Sharon Solomon | This post was originally published on the AppSec-Labs blog.   As you may have heard it was recently advertised that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the Cross-Site Scripting (XSS) vulnerability, I would like to discuss and elaborate on it in the following post.   A few months ago, I purchased some items from AliExpress. After the purchase, I sent a message to the seller in order to ask him a question regarding the items. From my experience as an application security expert at AppSec Labs, I had suspected that it might be vulnerable to a certain security breach, and so I started to investigate the issue locally without harming the system or its users.  

Read More »
AppSec 101

AppSec 101: The Secure Software Development Life Cycle

Mar 19, 2015 By Sharon Solomon | Due to the growing demand for robust applications, the secure Software Development Life Cycle methodology is gaining momentum all over the world. Its effectiveness in combating vulnerabilities has made it mandatory in many organizations. The objective of this article is to introduce the user to the basics of the secure Software Development Life Cycle (also known as sSDLC).  

Read More »
The Big Debate

Open Source vs. Commercial Tools: Static Code Analysis Showdown

Mar 17, 2015 By Sarah Vonnegut | It’s the never-ending dilemma; the ‘Coke or Pepsi’ debate of the software and security world, and there’s still no definitive answer.   As the application security market grows, so too does the variety of tools available to organizations seeking to secure their applications. And with both open source and commercial tools popping up and solid options on either side, the decision isn’t made any easier to the question emerging in organizations around the world: When it comes to selecting tools for source code analysis, should we choose open source or commercial?   A few months ago, we released The Ultimate List of Open Source Static Code Analysis (SCA) Tools and heard that many found it useful when deciding between the options for open source SCA platforms.

Read More »
Secure Your Code

What’s Holding You­­­­ Back from Securing Your Code?

Feb 25, 2015 By Amit Ashbel | Organizations today are aware of security risks they can be exposed to as a result of bad or wrong code practice.  However, while awareness is the first step, being able to act is a whole other ballgame.
After witnessing more and more companies being hit by attacks based on well-known vulnerabilities, we sought to understand what’s holding organizations back when it comes to implement secure coding practices.
Checkmarx gathered a slew of professionals from organizations around the globe in the same room and asked them one simple question: “What is holding you back from ensuring your Application code is secure?”

Read More »

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.

SUBSCRIBE