In the News

Cloud-native apps push static code analysis tools to the limit

27 Sep 2017 | By Cameron McKenzie

Matt Rose is the global director of application security strategy at Checkmarx, an organization that provides static code analysis tools that play a key role in the secure software testing phase of the software development lifecycle. In other words, Mr. Rose knows a thing or two about securing applications.
Read the full interview here

Pumpkin-Spiced Cybersecurity: October Is National Cyber Security Awareness Month

27 Sep 2017 | By Jimmy H. Koo

Cyberattacks, including global ransomware attacks, massive data breaches, and distributed denial-of-service attacks have recently dominated the headlines, saturating consumers’ news intake with stories about cybersecurity threats. These repeated reminders of the cybersecurity bogeyman, ways to protect personally identifiable information, and advertisements for products to fight hackers can lead to security fatigue, which in turn may lead to risky computing behavior.

“Companies need to realize that security fatigue is a real thing,” Matt Rose, global director of application security strategy at Checkmarx Ltd. in Charlotte, N.C., told Bloomberg BNA Sept. 27. “Things like text verification, captcha, fingerprint recognition, and strong passwords may actually introduce more of a security risk as the company now has more data points on a customer in order to verify they are who they are,” he said.

Click here to continue reading

A bug fix always beats a round of risk assessments

26 Sep 2017 | By Cameron McKenzie

“Many organizations have an effective process for identifying problems, but no process for remediation,” said Matt Rose, the global director of application security strategy at Checkmarx. “Organizations do a lot of signing off on risk. Instead of saying ‘let’s remediate that’ they say ‘what’s the likelihood of this actually happening?'”

Sadly, the trend towards cloud-native, DevOps-based development hasn’t reversed this preference for risk assessment over problem remediation. The goal of any team that is embracing DevOps and implementing a system of continuous delivery is to eliminate as many manual processes as possible. A big part of that process is integrating software quality and static code analysis tools into the continuous integration server’s build process. But simply automating the process isn’t enough. “A lot of times people just automate and don’t actually remediate,” said Rose.

Continue reading on The Server Side

CloudBees, partners add Jenkins services, security

25 Sep 2017 | By Darryl K. Taft

For its part, Checkmarx, an application security software company, introduced a new release of its Interactive Application Security Testing product, CxIAST. The product enables continuous application security testing in real time, so software delivery schedules are not affected by security testing.

Click here to continue reading

Containers and microservices complicate cloud-native security

13 Sep 2017 | By Cameron McKenzie

But not every data breach can be blamed on an end user, which is why developers must be vigilant when it comes to cloud-native security. According to Matt Rose, global director of application security strategy at Checkmarx, it's commonplace for his software company's static code analysis tools to identify places where input isn't properly validated -- making SQL injection a very plausible threat -- administrative passwords are exposed in plain text, opportunities exist for buffer overruns and private user information is inadvertently written to the file system.

Jenkins World 2017 Highlights the Growing Ubiquity of Continuous Integration

31 Aug 2017 | By Alex Handy

Matt Rose, global director of application security strategy at Checkmarx, said that Jenkins is the bellwether for the CI/CD world. “Most of our customers are using Jenkins in some way. I see a lot of people in the evolution stage of true CI/CD. Very few feel they are 100 percent there right now,” said Rose. He was at Jenkins World to help spread the gospel of static analysis as part of the build and test process.

Click here to continue reading.

Gigster receives $20M in funding, Checkmarx’s DevSecOps platform, and Okta’s two-factor authentication — SD Times news digest: August 30, 2017

30 Aug 2017 | By Madison Moore

At Jenkins World 2017, Checkmarx announced its new Interactive Application Security Testing solution, CxIAST, which gives teams continuous application security testing in real time, with zero scan time, accuracy and seamless implementation.

“CxIAST is a game changer for organizations who are struggling to deliver secure software faster,” said Maty Siman, CTO and founder, Checkmarx. “Our unified AppSec platform correlates data and results from all Checkmarx products across the software development lifecycle and then leverages that information intelligently to generate fast, accurate and actionable results.”

Continue reading

Mobile data theft a risk from shared app libraries

16 Aug 2017 | By Michael Heller

Matthew Rose, global director of application security strategy at Checkmarx, an application security software vendor headquartered in Israel, said there were a number of ways a shared library might be infected by a malicious actor.

"Typically third-party libraries are maintained by a group of people who maintain the code base. Since these libraries have many contributors it is sometimes difficult to have one person responsible for the entire library code base which can potentially allow malicious code to be inserted," Rose told SearchSecurity. "There is also the question of these libraries inheriting functionality from other code bases so there are definite tradeoffs in terms of risk versus the utilization of existing third party libraries."

Click here to read the full article

Alert: Avoid These Security Cameras Like the Plague

3 Aug 2017 | By Paul Wagenseil

The Loftek CXS-2200 and VStarcam C7837WIP, which look nearly identical, contained more than a dozen vulnerabilities between them, many of which would let an attacker take over the camera from the internet.

"The vulnerabilities just kept on coming," the report notes. "A malicious user can exploit your device to track your day-to-day, know when you’re home or out, steal your email information, steal your wireless connection, gain control of other connected devices, use your camera as a bot, listen in to your conversations, record video, and more."

"It is clearly worth spending a bit more money on a more secure camera," the report adds.

Click here to continue reading

Two IP-enabled cameras full of flaws

3 Aug 2017 | By Teri Robinson

Checkmarx researchers said a pair of IP-enabled security cameras have nearly two dozen flaws that would make them vulnerable to attack.

Loftek DSS-2200 and VStarcam C7837WIP, manufactured in China and aimed at the consumer market, also can be pressed into service as botnets to execute distributed denial of service (DDoS) attacks, according to a report by Threatpost.

Continue reading on SC Magazine
