In the News

Reach ’em and teach ’em–educating developers on application security

10 Aug 2016 | By CSO

How are developers supposed to build security throughout the development lifecycle if they are not taught security at any stage of their education? Vulnerabilities exist because products made by developers who have close to no knowledge of security are hitting the market.

Rather than accept the idea that software will never be 100 percent secure, academia and industry leaders can be more proactive and teach developers how to think about application security.

In a white paper, "App-Sec How-To Guide: Getting your Developers to Beg for Security," security vendor Checkmarx said, "The real secret, then, to getting developers excited about creating secure code is to use those techniques and tools that motivate them in other areas of their work: a way to visualize their work; providing a strong support system; giving solid feedback in a short timeframe; and allowing developers to learn not only from their own mistakes, but also from those developers around them."

Asaph Schulman, vice president of marketing at Checkmarx, said that focusing on security throughout the development process demands understanding the most common application layer security vulnerabilities. "SQL injection is one," said Schulman. "Any teenager with a 'Hacking for Dummies' book can exploit and create huge damage with something so simple."

Continue reading this article on CSO Online


From download to deposit, mobile banking only as safe as your app

10 Aug 2016 | By Alyssa Oursler

Once upon a time, depositing a check required actually visiting a bank. Now, the same task can be as simple as taking out your smartphone, opening an app and snapping a picture. But as mobile banking increasingly replaces, or at least supplements, traditional banking, questions arise about the trade-offs between security and convenience.

The good news is that security experts tend to agree on some common, simple guidelines for more secure mobile banking. First off, never download banking apps on a jailbroken device — one that's been modified to let users make changes and download apps not approved — because the operating system's security layer is no longer enforced, warns Amit Ashbel, a cybersecurity expert with Checkmarx. Similarly, apps should only be downloaded from a phone’s native app store. Android users especially should be wary of anything that requires third-party permissions.

Continue reading this article on USA Today


AppSec for dummies: Protecting your organization from application layer security threats

5 Aug 2016 | By Pentago

I never thought it would happen to me. Unfortunately this kind of thinking applies to so many situations in day to day life. Having your phone stolen from your unlocked car in the ten seconds it took you to pay for gas. Losing two years’ worth of photos because you didn’t back up your personal computer.

As part of an organization, there is a high-probability, high-impact risk you take every day with your applications’ security if you aren’t taking the proper application security precautions. In other words, a very bad thing is very likely to happen.

But how do you manage the seemingly many application security risks? Application security vendor Checkmarx offers a detailed guide to the 5 main methodologies in use today, and a short summary is below.

Read the whole article on Toolbox.com


Checkmarx Announces Exclusive Partnership with TOYO Corporation

3 Aug 2016

Checkmarx, a global leader in software application security, today announced it has entered into an exclusive agency partnership with TOYO, leader of the world’s most advanced measurement instruments and systems, to offer Checkmarx’ flagship Static Application Security Testing tool “Checkmarx CxSAST” to TOYO customers as a security solution at the source code level. With Checkmarx CxSAST, TOYO will enable its customers to develop and implement secure code more effectively and mitigate security risks prevalent within IoT connected environments.

Checkmarx CxSAST, which specializes in detecting vulnerabilities in source code and making them visible so that secure applications can be developed, will be a critical component at software development sites around the world that rely on TOYO’s services across the entire system development process, from modules to complex large-scale products.

“Since Checkmarx’ founding in 2006, our commitment is to enable organizations to detect and remediate security vulnerabilities within their software applications. TOYO’s renowned services and measurement technology tie perfectly into our application security solutions, further extending our capabilities across the Software Development Lifecycle (SDLC),” said Emmanuel Benzaquen, CEO of Checkmarx. “Together, our combined strength and experience will enable our customers to better measure the security posture of their application code. We’re absolutely thrilled for this new partnership with TOYO, and together we will support businesses and developers building and deploying secure software.”

TOYO has considerable experience marketing support and software development tools for companies focused on developing embedded systems for enterprises. With the growth in IoT and FinTech, customers are now demanding new solutions for security and system vulnerabilities. TOYO will expand and reinforce its business by providing new services for these two key areas.

“With IoT and FinTech expanding, ‘Secure Coding,’ the practice of developing software programs that eliminate security vulnerabilities, has been gaining greater importance, along with the guarantee of software and application quality.

Checkmarx’ globally esteemed security static analysis tool ‘CxSAST,’ combined with our accumulated static analysis know-how for source code quality improvement, will allow us to offer solutions for developing more secure, safer software and applications of higher quality.

We guarantee our customers in Japan that we will provide greater solutions and services through our strategic and firm partnership with Checkmarx,” said Mitsuru Onodera, Senior VP, TOYO Corporation.

About TOYO

Since its founding in 1953, TOYO Corporation has mainly provided state-of-the-art measurement tools, imported from Western vendors, to Japanese researchers and developers, with the mission of contributing to the advancement of Japanese technology under the keywords “Technology and Information.” The technical abilities of its engineers, who account for 70% of its more than 530 employees, back up these efforts: repair and calibration work, technical support, in-house development at the “TOYO Technical Center,” and seminars of all kinds for customers at the “Technology Interface Center.”

Read the original release here.


Pokémon GO—Sacrificing Privacy to Catch ‘Em All?

27 Jul 2016 | By Jimmy H. Koo

Players of Pokémon GO, a wildly popular location-based augmented reality game, may be missing real life threats to their private information.

Pokémon GO creates several privacy and security concerns, particularly for children playing the game, including geolocation tracking, excessive collection of personal data and possible sale of such information to third parties, privacy and security professionals told Bloomberg BNA.

By collecting geolocation data, Niantic is able to “keep track of anyone, at any time, while they're playing the game or letting it run in the background,” Asaph Schulman, vice president of marketing at app security company Checkmarx Ltd. in Tel Aviv, told Bloomberg BNA. Additionally, Schulman said, the game's privacy policy allows Niantic to share aggregate information with third parties, “effectively giving them the right to sell users' geolocation data.”

Continue reading this article on Bloomberg BNA


5 ‘Mr. Robot’ Hacks That Could Happen in Real Life

20 Jul 2016 | By Sarah Vonnegut

Hollywood hacking films have given the job of hacker a sort of glamour, with their fast-fingered hacks taking over the world, while in picture perfect makeup. And the InfoSec community has hated every single second of them. But where other movies and shows (We’re looking at you, CSI:Cyber) take the hacking scenes way too liberally with no root in reality, one show has held up as a beacon of hope for how hacking can be realistically portrayed on the silver screen: Mr. Robot.

Although real-life security issues – hackers finding XSS and blind SQLi vulnerabilities – surrounded the premiere season last year, the show itself actively works to mimic real-life security and hacking scenarios. From accurate computer code, to the realism of using social engineering in getting the information needed for an attack, to the actual tools and slang the characters use, Mr. Robot has been mostly spot-on with the security stuff – and the InfoSec community has sounded its approval.

Continue reading this article on DarkReading


Sports Companies Are Now Facing Security Issues Of Tech Companies

19 Jul 2016 | By Solomon David

When asked about Super Bowl XLI, most casual fans will remember the rain-soaked classic in Miami that featured Peyton Manning leading the Indianapolis Colts to his first championship. But for those in the cyber-security industry, the game stood out for another, less-publicized reason.

Just days before kickoff, some of the Dolphins’ websites were found to be compromised by malware and were infecting users’ devices as well. Given the timing of the attack, the websites were receiving heavy traffic prior to the Super Bowl. The solution proved to be costly both in terms of time and dollars. Amit Ashbel is the Director of Product Marketing at Checkmarx, a company that seeks to help implement security features at the earliest stages of software development. We spoke to Ashbel about how the company, founded in 2006 shortly before the Dolphins’ hack, is working with developers to ensure that hackers don’t have a way to attack their software in similar ways in today’s even more technologically advanced times.

“While the software industry has been dealing with security risks for a couple of decades already, these new players are not always addressing security properly at first, thus leaving a fertile attack surface for attackers,” Ashbel said, referring to the growth of apps and software in sports and sports media. “Protecting the code at the initial design stage is probably the largest advantage an organization has over the hacker (access to the code itself).”

Continue reading this article at SportTechie.com.


Securing Code to Fight Cyber Crime

19 Jul 2016 | By Amit Ashbel

The world is moving at an incredible pace. New technologies are regularly announced and whole ecosystems developed around them, such as the internet of things. However, with these new developments come security risks to both businesses and consumers; hacking and cyber crime are now widely reported.

The first step to combating these increased risks is to secure the application code in order to stop vulnerabilities at the root. Automated application security testing is a vital part of this – but how does automated testing work in practice, and what are the benefits of an automated testing process for developers and businesses?

Continue reading this article in Test Magazine here (pages 40-41).


Your website may be engaged in secret criminal activity

16 Jul 2016 | By Ben Dickson

Most of us think of website hacks as illicit activities aimed at siphoning critical information or disrupting the business of website owners. But what happens when your site becomes hacked, not for the purpose of harming you but rather to further the ends of other parties? Most likely, the attackers would manage to feed off your resources and reputation for months or years without being discovered, because it’s hard to take note of something that isn’t directly affecting you.

Source code flaws are at the heart of website hacks

Not all website-related hacks are carried out by compromising the server. Many of them use malvertising, a hacking technique that takes advantage of ad delivery networks and leverages vulnerabilities on client machines such as bugs in Adobe Flash and Microsoft Silverlight.

But where web servers are concerned, source code flaws are the main reason websites are compromised. “Today we see that a major number of attacks against websites are based on vulnerabilities which have not been properly addressed at the code level of the web application,” says Amit Ashbel, director of product marketing of cybersecurity firm Checkmarx.

While developers usually do test the code of their websites, it isn’t necessarily the security flaws they seek. “Unfortunately it is not always common practice to have developers identify and address the vulnerabilities just like they would address functionality bugs triggered by their code,” Ashbel elaborates.

Read the full article on TechCrunch.


The Real Threat Of Cyberterrorism

11 Jul 2016 | By Benjamin Stone

Cyberterrorism: just how real is the threat?

When confronted with the idea of cyberterrorism, much of the population would shrug. How much would a large scale disruption of computer networks or a malware attack on a government actually affect the average person’s life or livelihood? Is cyberterrorism really an imminent threat?

The issue lies with the terrorism part of the word. When compared to the al-Qaeda attack in Burkina Faso, the suicide bombings in Iraq, the Paris attacks, the Brussels bombings, the nightclub shooting in Orlando or any number of atrocities motivated by ideology the world over, cyberterrorism just doesn’t seem to rank. But the threats presented by cyberterrorism both present and future are real, and they’re certainly alarming.

As application security provider Checkmarx states, there is no one solution to guarding against cyberterrorism. With individuals, businesses, organizations, governments and beyond all needing protection against ideologically-motivated attacks and breaches, the scope is simply too huge. However, as Checkmarx also points out, secured websites, applications and infrastructure are rooted in secure application development that starts at the beginning of coding.

Even if you think your organization would never be a target of a cyberterrorism attack, take a lesson from all of the organizations that were affected by data breaches that ultimately landed their users on a list of ISIS targets. Your users are your responsibility, and whether you’re talking hackers or terrorists, it’s a responsibility that can’t be anything other than the highest priority.

Continue reading this article on Information Security Buzz.

