When asked about Super Bowl XLI, most casual fans will remember the rain-soaked classic in Miami that featured Peyton Manning leading the Indianapolis Colts to his first championship. But for those in the cyber-security industry, the game stood out for another, less-publicized reason.
Just days before kickoff, some of the Dolphins’ websites were found to have been compromised with malware that was infecting visitors’ devices. Given the timing, the sites were receiving heavy traffic in the run-up to the Super Bowl, and cleaning up the compromise proved costly in both time and dollars. Amit Ashbel is the Director of Product Marketing at Checkmarx, a company that seeks to help implement security at the earliest stages of software development. We spoke to Ashbel about how the company, founded in 2006 shortly before the Dolphins’ hack, is working with developers to ensure that hackers don’t have a way to attack their software in similar ways in today’s even more technologically advanced times.
“While the software industry has been dealing with security risks for a couple of decades already, these new players are not always addressing security properly at first, thus leaving a fertile attack surface for attackers,” Ashbel said, referring to the growth of apps and software in sports and sports media. “Protecting the code at the initial design stage is probably the largest advantage an organization has over the hacker (access to the code itself).”
Continue reading this article at SportTechie.com.
The world is moving at an incredible pace. New technologies are regularly announced and whole ecosystems developed around them; such as the internet of things. However, with these new developments come security risks to both businesses and consumers; hacking and cyber crime are now widely reported.
The first step to combating these increased risks is to secure the application code in order to stop vulnerabilities at the root. Automated application security testing is a vital part of this - but how does automated testing work in practice and what are the benefits of an automated testing process for developers and businesses?
Continue reading this article in Test Magazine here (pages 40-41).
Most of us think of website hacks as illicit activities aimed at siphoning critical information or disrupting the business of website owners. But what happens when your site becomes hacked, not for the purpose of harming you but rather to further the ends of other parties? Most likely, the attackers would manage to feed off your resources and reputation for months or years without being discovered, because it’s hard to take note of something that isn’t directly affecting you.
Not all website-related hacks are carried out by compromising the server. Many of them use malvertising, a technique that abuses ad delivery networks to push malicious content that exploits vulnerabilities in client-side software such as Adobe Flash and Microsoft Silverlight.
But where web servers are concerned, source code flaws are the main reason websites are compromised. “Today we see that a major number of attacks against websites are based on vulnerabilities which have not been properly addressed at the code level of the web application,” says Amit Ashbel, director of product marketing of cybersecurity firm Checkmarx.
While developers usually do test the code of their websites, it isn’t necessarily the security flaws they seek. “Unfortunately it is not always common practice to have developers identify and address the vulnerabilities just like they would address functionality bugs triggered by their code,” Ashbel elaborates.
Read the full article on TechCrunch.
Cyberterrorism: just how real is the threat?
When confronted with the idea of cyberterrorism, much of the population would shrug. How much would a large scale disruption of computer networks or a malware attack on a government actually affect the average person’s life or livelihood? Is cyberterrorism really an imminent threat?
The issue lies with the terrorism part of the word. When compared to the al-Qaeda attack in Burkina Faso, the suicide bombings in Iraq, the Paris attacks, the Brussels bombings, the nightclub shooting in Orlando or any number of atrocities motivated by ideology the world over, cyberterrorism just doesn’t seem to rank. But the threats presented by cyberterrorism both present and future are real, and they’re certainly alarming.
As application security provider Checkmarx states, there is no one solution to guarding against cyberterrorism. With individuals, businesses, organizations, governments and beyond all needing protection against ideologically-motivated attacks and breaches, the scope is simply too huge. However, as Checkmarx also points out, secure websites, applications and infrastructure are rooted in secure application development that starts at the beginning of coding.
Even if you think your organization would never be a target of a cyberterrorism attack, take a lesson from all of the organizations that were affected by data breaches that ultimately landed their users on a list of ISIS targets. Your users are your responsibility, and whether you’re talking hackers or terrorists, it’s a responsibility that can’t be anything other than the highest priority.
Continue reading this article on Information Security Buzz.
Checkmarx announced that it and its partner Tantallon are working with a major UK financial services group to create a new type of ‘belt and braces’ approach to securing and deploying its applications into the Amazon Web Services cloud.
The customer, a top 3 UK financial institution with assets in excess of £800 billion has made a strategic decision to improve the agility of its software development cycle through the use of web scale architecture and rapid provisioning offered by AWS. However, with a preference to keep all code within the organisation’s own data centres, it was felt that additional security measures were required to protect critical applications moving from the organisation into AWS.
The institution has been working with Tantallon, an independent cyber security consulting firm that provides advisory, implementation and managed services to Fortune 1000 clients and government organisations on a global basis.
As Steve Street, Managing Director for Tantallon explains, “We looked at a number of options, but Checkmarx was the only solution suited to this project as it meets the typical requirement from the financial services sector that no proprietary code should leave an institution’s premises for inspection, while still offering the capability of enforcing and automating code scanning, prior to release to a given Public Cloud.”
The first part of the two-stage project has already helped the institution deploy a fully integrated on-site Checkmarx CxSAST static code analysis solution as part of its transition to a secure Software Development Lifecycle; it is scanning millions of lines of code each week. Stage two places a version of the same technology in AWS, offering an equivalent system that automates the scanning process as a last step before applications make their way to the cloud.
Checkmarx CxSAST is a source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in source code. Without needing to build or compile a software project’s source code, CxSAST builds a logical graph of the code’s elements and flows, which is then examined for issues such as security vulnerabilities, compliance issues, and business logic problems. CxSAST comes with hundreds of pre-configured queries for known security vulnerabilities in each supported programming language, including Java, PHP, scripting languages such as JavaScript, and .NET technologies (C#, VB.NET). Checkmarx also scans mobile platforms such as Android, iOS and Windows Mobile.
CxSAST provides scan results to the customer either as static reports or in an interactive interface that traces each reported vulnerability’s flow through the code and provides tools and guidelines for remediation. Results can be customised to eliminate false positives, and various types of workflow metadata can be added to each result instance and carried forward into subsequent scans to further increase performance.
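To make concrete what examining “a logical graph of the code’s elements and flows” means in practice, here is an added illustration (not Checkmarx code and not CxSAST’s query language): a minimal source-to-sink taint tracker built on Python’s standard `ast` module. It never executes or compiles the target; it walks each function’s statements in order, records which variables are tainted by an untrusted source, propagates that taint through assignments, concatenation and f-strings, and reports calls to dangerous sinks that receive tainted data unless a sanitizer sits on the path. The source, sink and sanitizer lists and the four sample functions are constructed for this example; a real tool ships many such queries per language.

```python
"""Minimal source-to-sink taint analysis over a Python AST (added example)."""
import ast

# Assumed, illustrative lists; a production tool has far more of each.
SOURCES = {"input", "request.args.get", "request.form.get", "sys.argv"}
SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}
SANITIZERS = {"shlex.quote", "int"}


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker:
    """Tracks taint within one function body, statement by statement."""

    def __init__(self):
        self.tainted = {}    # variable name -> line of the source that tainted it
        self.findings = []   # (source_line, sink_line, sink_name)

    def taint_of(self, expr):
        """Line of the source tainting expr, or None if expr is clean."""
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.Attribute):
            if dotted(expr) in SOURCES:          # e.g. sys.argv
                return expr.lineno
            return self.taint_of(expr.value)     # e.g. user.strip -> user
        if isinstance(expr, ast.Call):
            name = dotted(expr.func)
            if name in SOURCES:
                return expr.lineno
            if name in SANITIZERS:
                return None                      # sanitizer breaks the flow
            return self.first_taint([expr.func] + expr.args
                                    + [k.value for k in expr.keywords])
        # BinOp, JoinedStr, Subscript, ...: tainted if any sub-expression is
        return self.first_taint(c for c in ast.iter_child_nodes(expr)
                                if isinstance(c, ast.expr))

    def first_taint(self, exprs):
        for e in exprs:
            t = self.taint_of(e)
            if t is not None:
                return t
        return None

    def check_sinks(self, expr):
        """Report every sink call inside expr that receives tainted data."""
        if expr is None:
            return
        for node in ast.walk(expr):
            if isinstance(node, ast.Call) and dotted(node.func) in SINKS:
                t = self.first_taint(node.args + [k.value for k in node.keywords])
                if t is not None:
                    self.findings.append((t, node.lineno, dotted(node.func)))

    def run(self, stmts):
        for stmt in stmts:
            if isinstance(stmt, ast.Assign):
                t = self.taint_of(stmt.value)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if t is None:
                            self.tainted.pop(target.id, None)   # clean reassignment
                        else:
                            self.tainted[target.id] = t
                self.check_sinks(stmt.value)
            elif isinstance(stmt, ast.AugAssign) and isinstance(stmt.target, ast.Name):
                t = self.taint_of(stmt.value)
                if t is not None:
                    self.tainted[stmt.target.id] = t
            elif isinstance(stmt, (ast.Expr, ast.Return)):
                self.check_sinks(stmt.value)
            elif isinstance(stmt, (ast.If, ast.While)):
                self.check_sinks(stmt.test)
            # descend into nested blocks in source order
            for field in ("body", "orelse", "finalbody"):
                inner = getattr(stmt, field, None)
                if isinstance(inner, list):
                    self.run(inner)


def find_flows(src):
    """Return sorted (source_line, sink_line, sink_name) tuples for src."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            tracker = TaintTracker()
            tracker.run(node.body)
            findings.extend(tracker.findings)
    return sorted(findings)


# Constructed sample program: two vulnerable functions and their fixed twins.
SAMPLE = '''
import os, shlex

def ping(request):
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)

def ping_safe(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + shlex.quote(host))

def lookup(cursor, request):
    uid = request.form.get("id")
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")

def lookup_safe(cursor, request):
    uid = int(request.form.get("id"))
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")
'''

if __name__ == "__main__":
    for src_line, sink_line, sink in find_flows(SAMPLE):
        print(f"untrusted data from line {src_line} reaches {sink} on line {sink_line}")
```

Run stand-alone it reports the command injection in `ping` (source on line 5, sink on line 7) and the SQL injection in `lookup` (lines 14 and 15), and stays silent on the two `_safe` variants because `shlex.quote` and `int` are treated as sanitizers. The analysis is deliberately intra-procedural and flow-insensitive to branches; a production engine adds inter-procedural call graphs, per-framework source and sink catalogues, and the ability to mark a finding as a false positive so it does not resurface on the next scan, which is the workflow described in the paragraph above.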
“Checkmarx has the additional benefit of offering both proprietary and open source code analysis,” explains Street, “along with industry-leading support for the widest number of languages and deployment methods, which is essential as the organisation explores a number of innovative new applications built using the latest development languages.”
The project is part of a wider move to adopt the cloud across the UK financial services sector as regulatory and compliance hurdles have been overcome through clarification and agreement with the FCA. “The typical application development cycle within financial services has traditionally been sluggish as development teams struggle to navigate through the complexities of the internal processes across disparate systems and networks while adhering to both internal and regulatory guidelines. This project has the potential to help the institution become more agile in its development lifecycle, while strengthening security across the board.” The on-site phase is already deployed, while the AWS portion of the project, which will automate much of the development workflow, is now underway, with more details to follow at a later date.
The proliferation of IoT devices in the workplace presents a huge security risk, and if new research from ForeScout Technologies is anything to go by, organisations are ill-prepared to deal with this rise and the associated threat. Even worse, by the time some of these IoT devices reach businesses, they are already vulnerable due to the lack of industry regulation and the current approach to development. In order to stem the security issues with IoT applications and devices, there needs to be a step change in the development process. It has simply never been more important that these devices and platforms be developed securely in the first instance.
There is no doubt that IoT is on the rise; Gartner has estimated that there will be 6.4 billion connected things globally by the end of this year and projects that figure to reach 21 billion by 2020. So for every ten IoT devices today, there will be roughly thirty in just four years’ time. But the poll from ForeScout clearly suggests that businesses are not prepared to deal with these devices, with 85 per cent of the 350 IT professionals surveyed saying that they weren’t sure they could detect an IoT device as soon as it connects to the network. And once a compromised device is on the network, it becomes a foothold from which everything else on that network can be attacked.
Continue reading this article on ITProPortal.com.
Every day, almost one million malware threats are introduced in the ceaseless jungle that is the internet. And yet, software developers, security experts, and IT administrators are expected to stay up-to-date with these latest threats to ensure that network environments and software applications are secured against them. Sure thing, you might think. I’ll get to today’s million malware threats right after I finish counting raindrops. We’re here to offer our assistance by going through a few of the most common malware threats that organisations face today.
Malware threats continue to plague the internet and they aren’t going to stop. The right breach can bank an attacker millions in dark market money, so it’s financially beneficial for an attacker to create new and unexpected threats and use them to attack critical applications. While you’re never going to be able to keep up with every emerging threat, you do need to stay informed on the ones that become common. One way to do so is by checking out repositories such as Checkmarx’s vulnerability knowledge base. Another way is to read up on the five types of vulnerabilities that can be exploited by malware listed below.
Continue reading this article on Lifehacker Australia.
Shark Week is upon us and making swimmers think twice before jumping in the ocean. The chances that a shark might attack are slim, but hidden dangers are always lurking beneath the waves. Similarly, most of us are relaxed by our trust that the powerful mobile OSes will keep attackers far from our personal data. After all, Apple built iOS with security in mind, and Google is synonymous with security, isn't it? Yes and no.
While our mobile devices are shipped with built-in protection, the shields securing our personal data are only as strong as the weakest links in the apps we use. These weak links are vulnerabilities that increasingly are similar to the threats faced by Web apps as more mobile apps are communicating with external servers over which mobile OSes have no control. We're swimming among vulnerabilities and cyber-criminals. And given how much personal data we store on our devices, it's important to be informed of the risks of not practicing secure mobile app development. Otherwise, the consequences could sink brand equity and revenue, costing your company an arm and a leg. Working with app security testing vendor Checkmarx, eWEEK created a list of vulnerabilities to help keep you on the alert.
Continue reading this article on eWeek.com.
No matter how good your perimeter security is, experts agree: Your system has been breached, whether you know it or not. The costs of security flaws—cybersecurity expert Joe Franscella calls them “The Five Horsemen of the Internet Apocalypse: Scam, Extortion, Embarrassment, Theft and Death”—are enormous. So why don’t we consider security a first-class citizen in DevOps?
What’s holding us back is cultural, but it’s also technical. “Part of the problem is that most security tools are too slow to work in a Continuous Integration model,” said Guckenheimer. “Checkmarx is probably the tool that’s cracked that first. Ideally, you want to be able to have your code scanned as part of the pull request in the Continuous Integration flow, and that’s just not practical with most tools that exist.”
Continue reading this article on SDTimes.com.
News hit over Memorial Day weekend of a massive breach of the social network Myspace. Usernames and passwords of 360 million past and present users were stolen. This may end up being the largest data breach of all time, according to Sophos researchers.
At mid-month, the GoToMyPC hack reminded us that old data breaches will continue to rear their ugly heads. This hack was one of several that can be blamed on the 2012 LinkedIn hack, says CSO's Steve Ragan. "The organizations that have been targeted operate in the manufacturing industry, retail industry, and a number of other verticals," Ragan said. "The common thread in each case is the LinkedIn list, generic password policies, a lack of two-factor authentication, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer."
The following infographic from application security provider Checkmarx offers a timeline view of some of this month’s notable hacks and breaches:
Check out the infographic and continue reading on CIO.com.