Application Security Trends

Traditional security is well past its expiration date. Learn about the latest trends in AppSec in these posts, from DevOps to SAST and everything in between.
Ali Express

The AliExpress XSS Hacking Explained

Mar 24, 2015 By Sharon Solomon | This post was originally published on the AppSec-Labs blog. As you may have heard, it was recently advertised that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the Cross-Site Scripting (XSS) vulnerability, I would like to discuss and elaborate on it in the following post. A few months ago, I purchased some items from AliExpress. After the purchase, I sent a message to the seller in order to ask him a question regarding the items. From my experience as an application security expert at AppSec Labs, I had suspected that it might be vulnerable to a certain security breach, and so I started to investigate the issue locally without harming the system or its users.

AppSec 101

AppSec 101: The Secure Software Development Life Cycle

Mar 19, 2015 By Sharon Solomon | Due to the growing demand for robust applications, the secure Software Development Life Cycle methodology is gaining momentum all over the world. Its effectiveness in combating vulnerabilities has made it mandatory in many organizations. The objective of this article is to introduce the user to the basics of the secure Software Development Life Cycle (also known as sSDLC).  

The Big Debate

Open Source vs. Commercial Tools: Static Code Analysis Showdown

Mar 17, 2015 By Sarah Vonnegut | It’s the never-ending dilemma; the ‘Coke or Pepsi’ debate of the software and security world, and there’s still no definitive answer. As the application security market grows, so too does the variety of tools available to organizations seeking to secure their applications. And with both open source and commercial tools popping up and solid options on either side, it isn’t getting any easier to answer the question emerging in organizations around the world: when it comes to selecting tools for source code analysis, should we choose open source or commercial? A few months ago, we released The Ultimate List of Open Source Static Code Analysis (SCA) Tools and heard that many found it useful when deciding between the options for open source SCA platforms.

Secure Your Code

What’s Holding You Back from Securing Your Code?

Feb 25, 2015 By Amit Ashbel | Organizations today are aware of the security risks they can be exposed to as a result of bad or incorrect coding practices. However, while awareness is the first step, being able to act is a whole other ballgame.
After witnessing more and more companies being hit by attacks based on well-known vulnerabilities, we sought to understand what’s holding organizations back when it comes to implementing secure coding practices.
Checkmarx gathered a slew of professionals from organizations around the globe in the same room and asked them one simple question: “What is holding you back from ensuring your application code is secure?”


Safer Swift Development With Checkmarx’s New API

Feb 23, 2015 By Sharon Solomon | After using Objective-C for decades, Apple is swaying towards its newer and safer Swift programming language. The latter is compatible with Apple’s Cocoa/Cocoa Touch frameworks and works with almost all of the Objective-C code written for Apple computing and mobile devices. This shift has not been smooth and Swift development still has some security issues.

Game of Hacks

Game of Hacks: Promoting Secure Coding Practices

Jan 20, 2015 By Sharon Solomon | Application security has become a huge challenge for IT companies worldwide. More and more exploits, causing widespread financial and technical damage, are being reported on almost a daily basis. While primarily taking these security issues head-on, Checkmarx is also providing an interactive solution to promote secure coding standards within organizations.  


Recent PayPal Bug Highlights CSRF Vulnerability Risks

Dec 15, 2014 By Sharon Solomon | PayPal has revolutionized the e-commerce market in recent years with its convenient characteristics that bolster user privacy. Gone are the days when online shopping required cumbersome bank transfers or complex credit card verifications. Unfortunately there is still work to be done on the security front after Egyptian researcher Yasser Ali shocked the world with his PayPal bug finding.


SQL Injection Tutorial: Tackling SQLi with Source Code Analysis

Nov 20, 2014 By Sharon Solomon | The impact of the Drupal fiasco is still being felt across all industry sectors. The world’s third biggest CMS platform was compromised with arguably the oldest hacking technique in existence – the SQL injection (SQLi). While the Drupal 7.32 update has resolved this specific problem, SQL injections won’t really go away until they are treated from the root – the application code.    


The Ultimate List of Open Source Static Code Analysis Security Tools

Nov 13, 2014 By Sarah Vonnegut | Doing security the right way demands an army – of developers, security teams, and the tools that each uses to help create and maintain secure code. With the increasingly important mindset of creating quality, secure code from the start, we’ve seen a greater shift towards the adoption of tools designed to detect flaws as quickly as possible in the software development lifecycle (SDLC). One of those tools is static code analysis. The true strength of static source code analysis (SCA) is in quickly and automatically checking everything “under the hood” without actually executing the code. Because it works to discover issues that can be hard to discover manually, it’s a perfect companion to the human eye. Even the most senior security people still miss security flaws. After all – we are still human, so the combination of machine and man makes for better coverage.

