In the News

Pokémon GO—Sacrificing Privacy to Catch ‘Em All?

27 Jul 2016 | By Jimmy H. Koo

Players of Pokémon GO, a wildly popular location-based augmented reality game, may be missing real life threats to their private information.

Pokémon GO creates several privacy and security concerns, particularly for children playing the game, including geolocation tracking, excessive collection of personal data and possible sale of such information to third parties, privacy and security professionals told Bloomberg BNA.

By collecting geolocation data, Niantic is able to “keep track of anyone, at any time, while they're playing the game or letting it run in the background,” Asaph Schulman, vice president of marketing at app security company Checkmarx Ltd. in Tel Aviv, told Bloomberg BNA. Additionally, Schulman said, the game's privacy policy allows Niantic to share aggregate information with third parties, “effectively giving them the right to sell users' geolocation data.”

Continue reading this article on Bloomberg BNA

5 ‘Mr. Robot’ Hacks That Could Happen in Real Life

20 Jul 2016 | By Sarah Vonnegut

Hollywood hacking films have given the job of hacker a sort of glamour, with their fast-fingered hacks taking over the world, while in picture-perfect makeup. And the InfoSec community has hated every single second of them. But where other movies and shows (We’re looking at you, CSI: Cyber) take the hacking scenes way too liberally with no root in reality, one show has held up as a beacon of hope for how hacking can be realistically portrayed on the silver screen: Mr. Robot.

Although real-life security issues -- hackers finding XSS and blind SQLi vulnerabilities -- surrounded the premiere season last year, the show itself actively works to mimic real-life security and hacking scenarios. From accurate computer code, to the realism of using social engineering in getting the information needed for an attack, to the actual tools and slang the characters use, Mr. Robot has been mostly spot-on with the security stuff -- and the InfoSec community has sounded its approval.

Continue reading this article on DarkReading

Sports Companies Are Now Facing Security Issues Of Tech Companies

19 Jul 2016 | By Solomon David

When asked about Super Bowl XLI, most casual fans will remember the rain-soaked classic in Miami that featured Peyton Manning leading the Indianapolis Colts to his first championship. But for those in the cyber-security industry, the game stood out for another, less-publicized reason.

Just days before kickoff, some of the Dolphins’ websites were found to be compromised by malware and were infecting users’ devices as well. Given the timing of the attack, the websites were receiving heavy traffic prior to the Super Bowl. The solution proved to be costly both in terms of time and dollars. Amit Ashbel is the Director of Product Marketing at Checkmarx, a company that seeks to help implement security features at the earliest stages of software development. We spoke to Ashbel about how the company, founded in 2006 shortly before the Dolphins’ hack, is working with developers to ensure that hackers don’t have a way to attack their software in similar ways in today’s even more technologically advanced times.

“While the software industry has been dealing with security risks for a couple of decades already, these new players are not always addressing security properly at first, thus leaving a fertile attack surface for attackers,” Ashbel said, referring to the growth of apps and software in sports and sports media. “Protecting the code at the initial design stage is probably the largest advantage an organization has over the hacker (access to the code itself).”

Continue reading this article at SportTechie.com.

Securing Code to Fight Cyber Crime

19 Jul 2016 | By Amit Ashbel

The world is moving at an incredible pace. New technologies are regularly announced and whole ecosystems developed around them; such as the internet of things. However, with these new developments come security risks to both businesses and consumers; hacking and cyber crime are now widely reported.

The first step to combating these increased risks is to secure the application code in order to stop vulnerabilities at the root. Automated application security testing is a vital part of this - but how does automated testing work in practice and what are the benefits of an automated testing process for developers and businesses?

Continue reading this article in Test Magazine here (pages 40-41).

Your website may be engaged in secret criminal activity

16 Jul 2016 | By Ben Dickson

Most of us think of website hacks as illicit activities aimed at siphoning critical information or disrupting the business of website owners. But what happens when your site becomes hacked, not for the purpose of harming you but rather to further the ends of other parties? Most likely, the attackers would manage to feed off your resources and reputation for months or years without being discovered, because it’s hard to take note of something that isn’t directly affecting you.

Source code flaws are at the heart of website hacks

Not all website-related hacks are carried out by compromising the server. Many of them use malvertising, a hacking technique that takes advantage of ad delivery networks and leverages vulnerabilities on client machines such as bugs in Adobe Flash and Microsoft Silverlight.

But where web servers are concerned, source code flaws are the main reason websites are compromised. “Today we see that a major number of attacks against websites are based on vulnerabilities which have not been properly addressed at the code level of the web application,” says Amit Ashbel, director of product marketing of cybersecurity firm Checkmarx.

While developers usually do test the code of their websites, it isn’t necessarily the security flaws they seek. “Unfortunately it is not always common practice to have developers identify and address the vulnerabilities just like they would address functionality bugs triggered by their code,” Ashbel elaborates.

Read the full article on TechCrunch.

The Real Threat Of Cyberterrorism

11 Jul 2016 | By Benjamin Stone

Cyberterrorism: just how real is the threat?

When confronted with the idea of cyberterrorism, much of the population would shrug. How much would a large scale disruption of computer networks or a malware attack on a government actually affect the average person’s life or livelihood? Is cyberterrorism really an imminent threat?

The issue lies with the terrorism part of the word. When compared to the al-Qaeda attack in Burkina Faso, the suicide bombings in Iraq, the Paris attacks, the Brussels bombings, the nightclub shooting in Orlando or any number of atrocities motivated by ideology the world over, cyberterrorism just doesn’t seem to rank. But the threats presented by cyberterrorism both present and future are real, and they’re certainly alarming.

As application security provider Checkmarx states, there is no one solution to guarding against cyberterrorism. With individuals, businesses, organizations, governments and beyond all needing protection against ideologically-motivated attacks and breaches, the scope is simply too huge. However, as Checkmarx also points out, secured websites, applications and infrastructure are rooted in secure application development that starts at the beginning of coding.

Even if you think your organization would never be a target of a cyberterrorism attack, take a lesson from all of the organizations that were affected by data breaches that ultimately landed their users on a list of ISIS targets. Your users are your responsibility, and whether you’re talking hackers or terrorists, it’s a responsibility that can’t be anything other than the highest priority.

Continue reading this article on Information Security Buzz.

Checkmarx and Tantallon help UK financial services institution secure application transition to public cloud

7 Jul 2016 | By Emmanuelle Lamandé

Checkmarx announced that, together with its partner Tantallon, it is working with a major UK financial services group to create a new type of ‘belt and braces’ approach to securing and deploying its applications into the Amazon Web Services cloud.

The customer, a top 3 UK financial institution with assets in excess of £800 billion, has made a strategic decision to improve the agility of its software development cycle through the use of web scale architecture and rapid provisioning offered by AWS. However, with a preference to keep all code within the organisation’s own data centres, it was felt that additional security measures were required to protect critical applications moving from the organisation into AWS.

The institution has been working with Tantallon, an independent cyber security consulting firm that provides advisory, implementation and managed services to Fortune 1000 clients and government organisations on a global basis.

As Steve Street, Managing Director for Tantallon explains, “We looked at a number of options, but Checkmarx was the only solution suited to this project as it meets the typical requirement from the financial services sector that no proprietary code should leave an institution’s premises for inspection, while still offering the capability of enforcing and automating code scanning, prior to release to a given Public Cloud.”

The first part of the two stage project has already helped the institution successfully deploy a fully integrated Checkmarx CxSAST static code analysis on-site solution as part of secure Software Development Lifecycle transition, which is scanning millions of lines of code each week. Stage two takes this technology and places a version in AWS offering an equivalent system that automates the scanning process as a last step for apps before making their way to the cloud.

Checkmarx CxSAST is a powerful source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in the source code. Without needing to build or compile a software project’s source code, CxSAST builds a logical graph of the code’s elements and flows, which is examined for issues such as security vulnerabilities, compliance issues, and business logic problems. CxSAST comes with an extensive list of hundreds of pre-configured queries for known security vulnerabilities for each programming language, including Java, PHP, scripting languages like JavaScript, and also .NET technologies (C#, VB.NET). Additionally, Checkmarx scans mobile platforms such as Android, iOS and Windows Mobile.

CxSAST provides scan results to the customer as either static reports or in an interactive interface that enables tracking of runtime behaviour per vulnerability through the code, and provides tools and guidelines for remediation. Results can be customised to eliminate false positives, and various types of workflow metadata can be added to each result instance which can be used for subsequent scans to further increase performance.

“Checkmarx has the additional benefit of offering both proprietary and open source code analysis,” explains Street, “along with industry leading support for widest number of languages and deployment methods which is essential as the organisation explores a number of innovative new applications built using the latest development languages.”

The project is part of a wider move to adopt the cloud across the UK financial services sector as regulatory and compliance hurdles have been overcome through clarification and agreement with the FCA. “The typical application development cycle within financial services has traditionally been sluggish as development teams struggle to navigate through the complexities of the internal processes across disparate systems and networks while adhering to both internal and regulatory guidelines. This project has the potential to help the institution become more agile in its development lifecycle, while strengthening security across the board.” The onsite phase is already deployed, while the AWS portion of the project, which will automate much of the development workflow, is now underway with more details to follow at a later date.

The rise of IoT and the associated security risks

7 Jul 2016 | By Amit Ashbel

The proliferation of IoT devices in the workplace presents a huge security risk and, if new research from ForeScout Technologies is anything to go by, organisations are ill-prepared to deal with this rise and the associated threat. Even worse, by the time some of the IoT devices reach businesses, they are already vulnerable due to the lack of industry regulations and the current approach to development. In order to stem the security issues with IoT applications and devices, there needs to be a step change in the development process. It has simply never been more important that these devices and platforms be developed securely in the first instance.

Businesses are not ready to secure IoT

There is no doubt that IoT is on the rise; Gartner has estimated that there will be 6.4 billion connected things globally by the end of this year and projects that figure to reach 21 billion by 2020. So for every ten IoT devices today, there will be approximately thirty in just four years’ time. But the poll from ForeScout clearly suggests that businesses are not prepared to deal with these devices, with 85 per cent of the 350 IT professionals surveyed saying that they weren’t sure if they could detect an IoT device as soon as it connects to the network. Of course, as soon as an infected device connects to the network, the security of the entire network is compromised.

Continue reading this article on ITProPortal.com

How To Stay Protected In A World Of Non-Stop Malware Threats

5 Jul 2016 | By Naomi Webb

Every day, almost one million malware threats are introduced in the ceaseless jungle that is the internet. And yet, software developers, security experts, and IT administrators are expected to stay up-to-date with these latest threats to ensure that network environments and software applications are secured against them. Sure thing, you might think. I’ll get to today’s million malware threats right after I finish counting raindrops. We’re here to offer our assistance by going through a few of the most common malware threats that organisations face today.

Malware threats continue to plague the internet and they aren’t going to stop. The right breach can bank an attacker millions in dark market money, so it’s financially beneficial for an attacker to create new and unexpected threats and use them to attack critical applications. While you’re never going to be able to keep up with every emerging threat, you do need to stay informed on the ones that become common. One way to do so is by checking out repositories such as Checkmarx’s vulnerability knowledge base. Another way is to read up on the five types of vulnerabilities that can be exploited by malware listed below.

Continue reading this article on Lifehacker Australia

7 Mobile App Dev Vulnerabilities That Can Cost You an Arm and a Leg

4 Jul 2016 | By Darryl K. Taft

Shark Week is upon us and making swimmers think twice before jumping in the ocean. The chances that a shark might attack are slim, but hidden dangers are always lurking beneath the waves. Similarly, most of us are relaxed by our trust that the powerful mobile OSes will keep attackers far from our personal data. After all, Apple built iOS with security in mind, and Google is synonymous with security, isn't it? Yes and no.

While our mobile devices are shipped with built-in protection, the shields securing our personal data are only as strong as the weakest links in the apps we use. These weak links are vulnerabilities that increasingly are similar to the threats faced by Web apps as more mobile apps are communicating with external servers over which mobile OSes have no control. We're swimming among vulnerabilities and cyber-criminals. And given how much personal data we store on our devices, it's important to be informed of the risks of not practicing secure mobile app development. Otherwise, the consequences could sink brand equity and revenue, costing your company an arm and a leg. Working with app security testing vendor Checkmarx, eWEEK created a list of vulnerabilities to help keep you on the alert.

Continue reading this article on eWeek.com