In the News

By the numbers: Cyber attack costs compared

24 May 2016 | By CSO Staff

Data breaches caused by malicious insiders and malicious code can take as long as 50 days or more to fix, according to Ponemon Institute's 2015 Cost of Cyber Crime Study, while malware, viruses, worms, trojans, and botnets take only an estimated 2-5 days to fix.

Unsurprisingly, attacks by malicious insiders are also the costliest to fix ($145,000 according to the Ponemon study), followed by denial of service ($127,000) and Web-based attacks ($96,000).

This infographic from application security software provider Checkmarx highlights these and other significant statistics about how much different types of cyber attacks are costing companies around the world.

See the infographic & continue reading at CSO Online.

Crowdsource your security knowledge: A simple guide to OWASP Top 10

20 May 2016 | By Debbie Fletcher

Over the past two years, the Internet has seen some of the biggest, most devastating data breaches in history. With each attack, millions of personally identifiable information records are stolen, leading to the possibility of identity theft, banking fraud, and in some of the most notable cases, that's right -- divorce.

OWASP is a non-profit organization that uses the cloud to crowdsource case studies and information surrounding security. When you don’t have time to research security trends due to your other work demands, life demands or Netflix, OWASP is excellent enough to aggregate this information for you.

Every few years, OWASP publishes a list of the biggest security threats -- the so-called Top 10 Project. These attacks include threats against infrastructure and applications, and the information is gathered from open-source participants.

According to cybersecurity organization Checkmarx, every one of the OWASP Top 10 vulnerabilities should be a concern for developers. Whether you use tools or manual scripts written from scratch to deal with these concerns is up to you, but these vulnerabilities need to be tested for before deploying an application to production.

Continue reading this article on BetaNews.com.

Hacker looks to sell 117M LinkedIn passwords from 2012 data breach

19 May 2016 | By James Rogers

LinkedIn says that it is moving quickly to deal with the release of data from a 2012 security breach, which could include 117 million passwords.

A hacker is reportedly looking to sell a package containing account records for 167 million LinkedIn users on the darknet. Some 117 million of the accounts are said to contain “hashed” passwords, which use an algorithm to protect the password.

Selling off additional data is regular practice by cybercriminals, according to Amit Ashbel, director of product marketing at application security specialist Checkmarx. “Once they manage a large hack they will always save something for a rainy day,” he said, via email. “The fact that these are now being sold online indicates to me more than anything else that the hacker needs cash and now is the time to pop out that old stash and sell to the highest bidder.”

Continue reading this article on Fox News.

Tools, skills and budgets can help developers fight rise in Web app cyber attacks

18 May 2016 | By

Checkmarx announced that three recent reports highlight the challenge faced by developers in securing code as attacks against web applications increase, while security budgets for developers remain low.

As highlighted by the influential Data Breach Investigation Report 2016, attacks against web applications have seen a dramatic rise in the last year. Attacks against every business sector rose significantly, with the financial sector particularly hard hit with a 51% increase in the number of reported incidents. The report also suggests that Common Vulnerabilities and Exposures (CVEs) are not being addressed quickly enough by developers, with the top 10 vulnerabilities accounting for 85% of successfully exploited traffic.

“Developers are gravitating towards JavaScript, being asked to create more applications by using faster development cycles. Meanwhile, the number of attacks against them grows and information security budgets have remained largely static,” says Amit Ashbel, Cyber Security Evangelist and Director of Product Marketing for Checkmarx. “This is an unenviable position for developers and a situation that needs to be looked at more carefully by budget holders if they want to stop the problem from getting worse.”

Continue reading on GlobalSecurityMag.com.

Click-fraud botnet infects 900K to earn money via Google AdSense

17 May 2016 | By Robert Abel

A click-fraud botnet dubbed “Redirector.Paco Trojan” has infected 900,000 IPs worldwide and has the ability to reconfigure browser settings and network communications.

The malware is spread via installers that are distributed through unscrupulous download sites and by exploiting web application vulnerabilities, Checkmarx Director of Product Marketing Amit Ashbel told SCMagazine.com via emailed comments.

Ashbel said the botnet has gone to great lengths to reconfigure browser settings and network communication configurations and the malware's ability to tamper with AdSense should worry Google.

“While the attack has targeted the PC communication channel, at the same time it has launched a man in the middle (MitM) attack technique tampering with Google's results which I guess will have some level of impact (even if minor) on the search engine giant's service,” Ashbel said.

Continue reading this article on SCMagazine.com.

Security Pros Concerned About Facebook Payment Expansion

1 May 2016 | By Maria Korolov

Facebook's Messenger app has allowed users to send money to friends using their debit cards since last spring, but recent reports indicate that Facebook may be considering a move into the retail payments space as well, following in the tracks of Apple, Samsung and Google. Facebook will need to be careful, however, not to simply become yet another channel for criminals, security experts say.

"Facebook creates enough data which the hacker can easily correlate and cross correlate in order to create a convincing and reliable story," said Amit Ashbel, product marketing manager at Checkmarx. "You can never know who you are really talking with on Facebook. If a hacker has successfully infiltrated a Facebook account of one of your friends, they are now your friend, family or colleague."

If Facebook continues to expand its payments platform to become a serious player, it will be facing the hackers' full arsenal of existing weapons, in addition to the social engineering issues, he said.

Read the full article at CSO Online.

Static Code Analysis Tools for Bulletproof Software Security

30 Mar 2016 | By Debbie Fletcher

Software security is no longer just anti-virus and firewalls. The cloud today offers plenty of excellent options for software developers to increase user reach and availability, yet while these options are beneficial for marketing and revenue, they create many more possibilities for security holes.

Manual security reviews are useful, but humans are humans after all, and they just aren't capable of finding every security hole within a large or even midsize application.

According to this list by static code analysis tools provider Checkmarx, there are dozens of tools on the market, and the best way to secure your application is to combine these tools with a human review. Why? Because while these tools can find most problems, they can sometimes return false positives or false negatives that a human reviewer would actually catch.

Continue reading this article on InfoSecurity.com.

Here Are Israel’s 15 Top-Funded Startups

22 Feb 2016 | By Osman Husain

Our country-by-country analysis of the top funded startups continues with the latest installment – Israel. One of the most impressive aspects of Israel’s startup ecosystem is the innate need to build products that have a global appeal. Israeli entrepreneurs are limited by the small domestic market – with only 8 million residents, it’s not big enough to sustain companies that only look inward. There are also security challenges to contend with.

Despite these barriers, Israeli startups continue to innovate and attract significant investor cash. In 2015 alone, startups from the country raised a cumulative US$3.6 billion in funding with an average deal size of US$10.9 million. The overall tally represented 67 percent growth from 2014. Our list of the top funded startups in Israel – using figures from our database – shows dominance in the cybersecurity, ad tech, and big data verticals, areas where companies from the country have traditionally excelled.

#2: Checkmarx

Checkmarx helps identify vulnerabilities in software code with their solutions, which work with almost every programming language in use today.

Continue reading on Tech in Asia.

15 Israeli Startups to Watch in 2016

21 Jan 2016 | By Dave Kerpen

From creating instant messaging technology and Waze to inventing drip irrigation and water desalination solutions, Israel has become a global tech leader. This year, investors have been flocking to Israel from New York, China and all over the world in order to find opportunities, as Israeli entrepreneurs continue to raise the bar and think out-of-the-box. Here are 15 exciting Israeli tech startups to watch in 2016, in the fields of finance, media, advertising, health, consumer tech, and cyber security, from A to Z:

Checkmarx

Checkmarx tackles zero-day exploits at the source, in lines of code as they're being written. By monitoring every stage of its clients' software development, Checkmarx is able to scrutinize code with a fine-toothed comb and find vulnerabilities early. It's much cheaper and more effective to fix a problem when it's new rather than "patch" it after having been on the market. The financial value of unearthing software vulnerabilities is virtually incalculable for a big company, since the potential costs of hacks are so high. So business is booming for Checkmarx, with clients like Coca-Cola, SAP, and Salesforce. In June, the company closed a monster round of venture funding worth $84 million, bringing total investments to $92 million.

Read the full post here.

Could smart toys put your child’s security at risk?

23 Dec 2015 | By Gabriel Avner

With Christmas just around the corner, parents everywhere have been hunting for this season’s hottest toys. One of the biggest trends for kids – as if it were any surprise – has been toys that connect to the Internet, adding fun features and a whole new dimension to play.

For all their benefits, these toys come with a host of risks that parents and even the companies themselves are just starting to wake up to. Many parents and experts are wondering whether their children’s information is being kept safe, and how vulnerable they are to malicious hackers.

One of the most severe cases came to light this month when news broke that the Hong Kong-based manufacturer VTECH had been the victim of hackers. The revelation was accompanied by a wave of widespread shock that the attackers had managed to walk away with the personal data of over six million kids.

Amit Ashbel, a Cyber Security Evangelist at Checkmarx who posted on the attack, spoke with Geektime about the hack, saying that, “The hacking was on a really basic level. The data was stolen with an SQL injection, which is very common. It could have been very easy to prevent through better security in the coding.”

“Their level of encryption was weak at best and out of date when compared to industry standards,” Ashbel explained, highlighting an issue that is unfortunately exceedingly common throughout the sector.

Read the whole article here.

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.