Application Security Glossary

DevOps

DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality.

DevOps Security

Research from the Gartner Group has demonstrated that nearly 75% of successful attacks against an application exploit vulnerabilities that are already well understood and for which a patch or remediation recommendation is available. Some say that DevOps can, by its very nature, make software less secure. That is because DevOps teams work with agile methodologies, often in continuous deployment environments that can quickly fall behind the application security practices used in environments with fewer deployments.

DevSecOps

DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. Selecting the right tools to continuously integrate security, like agreeing on an integrated development environment (IDE) with security features, can help meet these goals. However, effective DevOps security requires more than new tools—it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.

Directory Traversal Vulnerability

Directory Traversal Defined

Directory Traversal (DT) is an HTTP exploit that malicious hackers use to gain access to account directories and the data they contain. A successful exploit can result in the entire web server being compromised, including access to directories that are used to control access to restricted areas. For example, the Root Directory is the top-level directory of the server’s file system, and Directory Traversal can be used to gain unauthorized access to this sensitive directory. Access Control Lists (ACLs), however, can be used to control and manage user access for viewing, modifying and executing files.
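As an added illustration of the entry above (example code, not from the original page or from Checkmarx): a vulnerable path resolver beside a hardened one that keeps every request inside the served directory, run over a few constructed request paths. The document root `/var/www/app/public` and the sample paths are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for this example (an assumption, not a real deployment).
DOC_ROOT = "/var/www/app/public"


def resolve_unsafe(root: str, requested: str) -> str:
    """Vulnerable pattern: the request path is joined to the root and trusted.
    '..' segments (or an absolute path) walk out of the root directory."""
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_safe(root: str, requested: str):
    """Hardened resolver: decode, normalize, then require the result to stay
    under root. Returns None when the request escapes (caller answers 400/404).
    In production also apply os.path.realpath so symlinks cannot point outside."""
    decoded = unquote(requested)          # '%2e%2e%2f' becomes '../'
    if "\x00" in decoded:                 # null bytes can truncate paths in C APIs
        return None
    root = posixpath.normpath(root)
    # Strip leading slashes so an absolute request cannot replace the root in join().
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Accept only the root itself or something strictly below it ("/" guards
    # against a sibling directory whose name merely starts with the root name).
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed request paths (not from the page) to exercise both resolvers.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../css/site.css",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/shadow",
    "/static/..%2f..%2fsecret.txt",
]


def classify(root: str, requests):
    """Split request paths into those resolved inside root and those rejected;
    the rejected list is what a server should log as traversal attempts."""
    allowed, rejected = [], []
    for req in requests:
        resolved = resolve_safe(root, req)
        (allowed if resolved is not None else rejected).append(req)
    return allowed, rejected
```

The unsafe resolver returns `/etc/passwd` for the third request, while the hardened one rejects the last three and serves only the first two.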

Docker

Docker is a widely used container format. Docker defines a standard format for packaging and porting software, much like ISO containers define a standard for shipping freight. As a runtime instance of a Docker image, a container consists of three parts:

• A Docker image
• An environment in which the image is executed
• A set of instructions for running the image.

Docker Swarm

Docker Swarm is the name of a standalone native clustering tool for Docker. It combines several Docker hosts and exposes them as a single virtual Docker host. It serves the standard Docker API, so any tool that already works with Docker can transparently scale up to multiple hosts.

Droid Intent Data Flow Analysis for Information Leakage (DidFail)

Droid Intent Data Flow Analysis for Information Leakage (DidFail) is an analysis method designed to identify and expose potential data leaks within Android applications. This methodology helps developers learn secure coding practices and, in turn, produce robust mobile applications that are tougher to crack. More and more leading organizations worldwide are introducing DidFail into their environments to enhance mobile application security.

Engine

A Checkmarx engine is where the magic happens (it’s also where a large part of our secret sauce resides). An engine could refer to any of the following products:

• CxSAST – A CxSAST engine is the part of the system that runs CxQueries on the source code the customer wishes to scan. Using each query, the engine attempts to find different types of security vulnerabilities, which are called results.
• SCA/OSA
• IAST
• IaC (KICS) – A standalone engine which scans infrastructure code and finds misconfigurations and potential vulnerabilities. See kics.io for more information.

Enterprise Application Security through Secure Development

How critical is secure development?

Web threats are a constant threat to company security. A single data breach can cost a company thousands or even millions of dollars. If a malicious attacker gains unauthorized access to the company network, sensitive company information, confidential customer and client information, and company assets are put at risk. Malware is the leading cause of data breaches, and malicious code can often be hidden in application code without detection. Applications, whether developed on-site or third-party implementations, must be completely secured. The cost incurred for each lost or stolen record containing sensitive and confidential information increased more than nine percent to a consolidated average of $145, while overall the cost of the average data breach has increased 15% over the last year, to total company response costs of $3.5 million.

Ethical Hacking For Company Security

Ethical hacking explained

Ethical hacking is typically an authorized attack on a system in order to determine flaws and vulnerabilities that could lead to unauthorized access to company data and assets if they are not properly patched. An ethical hack typically comes from white hat hackers: skilled professionals who attack company networks and infrastructure, but do not do so maliciously.
