In the News

Mobile data theft a risk from shared app libraries

16 Aug 2017 | By Michael Heller

Matthew Rose, global director of application security strategy at Checkmarx, an application security software vendor headquartered in Israel, said there were a number of ways a shared library might be infected by a malicious actor.

"Typically third-party libraries are maintained by a group of people who maintain the code base. Since these libraries have many contributors it is sometimes difficult to have one person responsible for the entire library code base which can potentially allow malicious code to be inserted," Rose told SearchSecurity. "There is also the question of these libraries inheriting functionality from other code bases so there are definite tradeoffs in terms of risk versus the utilization of existing third party libraries."

Alert: Avoid These Security Cameras Like the Plague

3 Aug 2017 | By Paul Wagenseil

The Loftek CXS-2200 and VStarcam C7837WIP, which look nearly identical, contained more than a dozen vulnerabilities between them, many of which would let an attacker take over the camera from the internet.

"The vulnerabilities just kept on coming," the report notes. "A malicious user can exploit your device to track your day-to-day, know when you’re home or out, steal your email information, steal your wireless connection, gain control of other connected devices, use your camera as a bot, listen in to your conversations, record video, and more."

"It is clearly worth spending a bit more money on a more secure camera," the report adds.


Two IP-enabled cameras full of flaws

3 Aug 2017 | By Teri Robinson

Checkmarx researchers said a pair of IP-enabled security cameras have nearly two dozen flaws that would make them vulnerable to attack.

Loftek DSS-2200 and VStarcam C7837WIP, manufactured in China and aimed at the consumer market, also can be pressed into service as botnets to execute distributed denial of service (DDoS) attacks, according to a report by Threatpost.

Continue reading on SC Magazine


Two Popular IP Cameras Riddled With Vulnerabilities

3 Aug 2017 | By Tom Spring

Two consumer-grade IP-enabled security cameras manufactured by Loftek and VStarcam are riddled with nearly two dozen vulnerabilities that expose them to remote attacks. According to researchers, more than 1.3 million of the cameras are in use today, with 200,000 models located in the United States.

Based on a report released Tuesday by Checkmarx, the Loftek DSS-2200 and VStarcam C7837WIP allow a malicious user to easily exploit the devices. Not only can adversaries enlist them into DDoS botnets, but they can also gain control of additional devices that share the same network.


Remotely Exploitable Flaws Found in Popular IP Cameras

2 Aug 2017 | By Eduard Kovacs

Checkmarx researchers have analyzed a couple of IP cameras from Loftek and VStarcam and discovered several new vulnerabilities and variations of previously found flaws.

In Loftek’s CXS 2200 camera, experts discovered cross-site request forgery (CSRF) flaws that can be exploited to add new admin users, server-side request forgery (SSRF) flaws that can be used for denial-of-service (DoS) attacks and to find other devices on the local network or the Internet, stored cross-site scripting (XSS) bugs that can be used to execute arbitrary code, and file disclosure vulnerabilities.

In the VStarcam C7837WIP camera, researchers found stored XSS, open redirect, and forced factory reset weaknesses. Both cameras allow attackers to manipulate HTTP responses, which can be useful for conducting XSS, cross-user defacement, cache poisoning and page hijacking attacks.


Checkmarx: Proactive Threat Protection

31 Jul 2017 | By CIO Review

Today’s cyber landscape leaves no room for mistakes when it comes to the security of software and applications. Enterprises are well aware of the harsh consequences of a cyberattack. Moreover, with end users expecting software vendors to deliver cutting edge software at the speed of light, enterprises find themselves constantly juggling between quick releases and secure releases. “The current approach toward fixing security vulnerabilities at the end of the software development lifecycle creates a recurring cycle of delivery delays,” states Emmanuel Benzaquen, Checkmarx’s CEO. In light of this, Checkmarx is reshaping the ways of application security testing by tapping into the DevOps cycle as early as where developers are coding, making security a seamless and effortless component of the process. “We believe the sooner security vulnerabilities are fixed, the faster the application delivery will be,” he adds.


Playing Games To Learn Code, Checkmarx Acquires Codebashing

26 Jul 2017 | By Adrian Bridgwater

Application security testing company Checkmarx has now acquired the somewhat aggressively named Codebashing, a company that specializes in game-like application security education and training for software application developers.

Read the full article on Forbes


Checkmarx acquired Codebashing

26 Jul 2017 | By Christian Hargrave

Checkmarx has acquired Codebashing, an application security education company that delivers Game-like AppSec Training for Developers.

Traditional secure coding education is ineffective and cannot scale to deliver continuous and across the board secure coding knowledge. Long training courses disrupt the developer’s daily routine and don't address the specific challenge as it appears. Moreover, participants tend to retain only a fraction of the materials in between the traditional “annual” training cycles.


Checkmarx Acquires Codebashing to Redefine Secure Coding Education

25 Jul 2017 | By Dark Reading

Through Acquisition, Checkmarx will Provide Interactive Tools to Further Developer Application Security Knowledge and Deliver Secure Applications Even Faster.

Checkmarx, a global leader in application security testing solutions, today announced its acquisition of Codebashing, a leading application security education company that delivers Game-like AppSec Training for Developers.

Read the full article on Dark Reading

Checkmarx Acquires Codebashing

25 Jul 2017 | By DevOps Digest

Checkmarx announced the acquisition of Codebashing, an application security education company that delivers Game-like AppSec Training for Developers.

By shifting security left and empowering developers to deliver secure applications, this acquisition allows Checkmarx to introduce continuous, in-context, bite sized secure coding training. Effective training allows enterprises to grow their in-house security skills, which results in fewer vulnerabilities being introduced into code in the first place.

Codebashing delivers a hands-on interactive training platform built by developers for the needs of developers. Education gamification saves precious time and eliminates the need for expensive secure coding courses with irrelevant material, allowing organizations to implement secure coding training in a DevOps and CI/CD environment without impacting delivery timelines.
