In the News

9 Security Mistakes Every Java Developer Must Avoid

18 May 2015 | By Sharon Solomon

Java has come a long way since it was introduced in mid-1995. Its cross-platform design made it a mainstay of web programming on both the server and, through the browser plugin, the client. But with cybercrime reaching epidemic levels, helped along by that very ubiquity, the need for secure Java development has become the call of the hour.

A recent Kaspersky Lab report names Java as the most attacked software platform, with more and more hacking incidents being reported worldwide. Java's susceptibility is largely a version-fragmentation problem: not every installation runs the latest release (Java 8 at the time of writing), which means the latest security fixes are often not applied.

Read the full article here


Starbucks customers’ mobile accounts breached by thieves

17 May 2015 | By Elizabeth Weise

Some Starbucks customers have had money siphoned out of their Starbucks mobile app by thieves using a clever new attack, but Starbucks itself hasn't been hacked, the company said Friday.

It works like this: First, the thieves buy stolen passwords and IDs on the underground market.

They then use an automated program to try the stolen combinations one after another on the Starbucks mobile app until one works, according to application security firm Checkmarx. This is what's commonly called a "brute force" attack, though strictly it is credential stuffing: the attacker replays username-password pairs already leaked from other sites rather than guessing passwords, so it succeeds wherever a customer reused a password. These programs can "process" hundreds of ID-password combinations a second.

If the user has set the app up to reload automatically from a credit card or PayPal account, the thieves can steal again as soon as the app has more money in it, according to Checkmarx.

Read the full article here.
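
The sequence described above, as an added example that is not code from the article, from Starbucks or from Checkmarx: it runs a detector over a few constructed login events to separate credential stuffing (many accounts, one try each) from classic brute force (one account, many tries), lists the accounts that logged in successfully from a flagged source, and adds the velocity cap on automatic reloads that blunts the repeat-theft step. The log format, thresholds, IP addresses and sample events are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not code from the article, Starbucks or Checkmarx). The log format,
# thresholds and the sample events below are assumptions constructed for it.
# Each line: "<ISO-8601 timestamp> <source_ip> <account> <OK|FAIL>".
SAMPLE_LOG = """\
2015-05-15T10:00:00 203.0.113.7 alice@example.com FAIL
2015-05-15T10:00:01 203.0.113.7 bob@example.com FAIL
2015-05-15T10:00:01 203.0.113.7 carol@example.com FAIL
2015-05-15T10:00:02 203.0.113.7 dave@example.com OK
2015-05-15T10:00:02 203.0.113.7 erin@example.com FAIL
2015-05-15T10:00:03 203.0.113.7 frank@example.com FAIL
2015-05-15T10:00:10 198.51.100.9 alice@example.com FAIL
2015-05-15T10:00:11 198.51.100.9 alice@example.com FAIL
2015-05-15T10:00:12 198.51.100.9 alice@example.com FAIL
2015-05-15T10:00:13 198.51.100.9 alice@example.com FAIL
2015-05-15T10:00:14 198.51.100.9 alice@example.com FAIL
2015-05-15T10:00:15 198.51.100.9 alice@example.com FAIL
2015-05-15T10:05:00 192.0.2.44 alice@example.com FAIL
2015-05-15T10:05:30 192.0.2.44 alice@example.com OK
"""

WINDOW = timedelta(seconds=60)   # sliding window per source IP
MIN_ATTEMPTS = 6                 # attempts inside WINDOW before a source is judged
MAX_FAILURE_RATIO = 0.8          # real users do not fail this often


def parse_events(text):
    """Parse the log into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def classify_sources(events, window=WINDOW, min_attempts=MIN_ATTEMPTS):
    """Map each abusive source IP to a verdict.

    Inside any window holding at least min_attempts with a high failure ratio:
    'credential_stuffing' when the attempts spread across many accounts (one try
    per stolen pair, the pattern in the Starbucks case), 'brute_force' when they
    hammer a single account. Sources that never reach the threshold get no entry.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) < min_attempts:
                continue
            failures = sum(1 for e in span if not e[3])
            if failures / len(span) < MAX_FAILURE_RATIO:
                continue
            accounts = {e[2] for e in span}
            verdicts[ip] = "credential_stuffing" if len(accounts) > len(span) // 2 else "brute_force"
            break
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a flagged source: probable takeovers."""
    return sorted({acct for _, ip, acct, ok in events if ok and ip in verdicts})


def reload_cap_exceeded(reload_timestamps, max_reloads=3, window=timedelta(hours=24)):
    """Guard for the auto-reload amplifier: True once a funding source would be charged
    more than max_reloads times inside window, the point where a stolen account becomes
    a cash machine. Timestamps are ISO-8601 strings."""
    times = sorted(datetime.fromisoformat(t) for t in reload_timestamps)
    return any(times[i + max_reloads] - times[i] <= window
               for i in range(len(times) - max_reloads))


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    verdicts = classify_sources(events)
    print(verdicts)
    print("probable takeovers:", compromised_accounts(events, verdicts))
```

The detection keys on the shape of the traffic, not on any password: a legitimate user rarely fails four times in five, and never does so across six different accounts from one address inside a minute. The reload cap matters because a stolen account with auto-reload enabled is an unbounded withdrawal, so limiting top-ups per funding source per day bounds the loss even when the login itself is not caught.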


The Anonymous Inoculation

4 May 2015 | By Niv Elis

In its third year of coordinating cyber attacks against Israel, the online “hacktivist” group Anonymous decided to up its rhetoric. On April 7, the group promised in a video, it would unleash “an electronic Holocaust” on the Jewish state, threatening to wipe Israel from the cyber-security map.

Though Anonymous garnered plenty of media attention, the question is whether it did any lasting damage. Most analysts saw it as a childish nuisance; one pro-Israeli hacktivist even broke into an OpIsrael website and posted messages defending the Jewish state. “As long as it’s a dispersed effort [comprised of] ad-hoc teams getting together for activist causes, I don’t see that as a major threat. We should be more concerned about Russia or China, which have real cyber armies,” said Asaph Schulman, vice president of marketing at Checkmarx. “It’s not like the Chinese trying to hack Lockheed Martin for the latest IP in aerodynamics.”

This article was originally featured in the Jerusalem Post. Read the rest of the article here (PDF).


Checkmarx: Turning Hackers Into Unwitting Product Developers

21 Apr 2015 | By Steve Bowcut

Brilliance Security Magazine had the good fortune of sitting down with Maty Siman, Founder and CTO of Checkmarx, at the RSA Conference in San Francisco. Mr. Siman’s obvious intelligence and humble demeanor make him stand out as a notable leader in the security industry. Founded in 2006 and headquartered in Tel Aviv, Checkmarx develops Static Code Analysis solutions that enable organizations to introduce security into their Software Development Lifecycle.

Read the full article here.


Virtual Forge and Checkmarx seal unique partnership for Static Application Security Testing

15 Mar 2015 | By Virtual Forge & Checkmarx

The new partnership between Virtual Forge and Checkmarx offers companies a powerful platform for testing and ensuring the security of business applications, including those developed in SAP ABAP.

Many data breaches still take place through the exploitation of vulnerabilities and security holes in software. Many companies therefore see the need to identify application vulnerabilities as early as possible and fix them. For this very purpose, Static Application Security Testing (SAST) solutions have proven an effective means.

Read the full article here.

 


Securing Business Applications in Real-Time

29 Jan 2015 | By Ian Barker

As demand to access company information on the move and from mobile devices increases, it places extra strain on security resources.

Existing web application firewalls (WAFs) monitor traffic but have no understanding of the application's data flows or behavior. That makes it hard for them to distinguish legitimate traffic from attacks on the application such as SQL injection and cross-site scripting.

Israel-based security company Checkmarx is launching a run-time application self-protection (RASP) tool called CxRASP which will monitor an app’s bidirectional data flow, enabling the detection of and defense against real-time attacks.

Checkmarx’s technology ‘listens’ at each interaction junction of the app, covering access points between the application and the user, the database, the network, and the file system. With complete visibility into the app’s input and output, CxRASP tailors the protection mechanism to the specific flow within the application to achieve high detection accuracy in real-time. Suspicious activity is flagged when it enters the app, and then verified to see if it is actually malicious at the output to minimize false positives and false negatives. If an attack is identified, the organization is alerted and instructions are sent on how to fix the vulnerability.

“The fast increasing number of applications and the resulting vast amounts of insecure code written and released into production means that we need a more intelligent way to ensure software security,” says Emmanuel Benzaquen, CEO of Checkmarx. “CxRASP is the ultimate way to protect applications as it lets applications do the work of protecting themselves so that security vulnerabilities are revealed and blocked in real-time”.

The product can be integrated with static application security testing tools from Checkmarx and elsewhere to ensure application protection throughout the development process.

This article originally appeared on BetaNews
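
A toy of the two-stage decision the article describes, added here as an example and not Checkmarx's code or any part of CxRASP: untrusted input is tagged at the user-to-application junction and flagged if it looks suspicious, and the alert is confirmed only at the application-to-database junction by checking whether the tainted bytes changed the structure of the SQL the application built. The hook names, the suspicious-pattern list and the tokenizer are assumptions; a real RASP instruments the runtime so that taint follows string operations automatically, whereas this example asks the application to build its query through a small wrapper type.

```python
import re

# Added example (not Checkmarx code): two-stage RASP-style decision. Untrusted input is
# tagged at the entry point and flagged if it looks suspicious; the alert is confirmed
# only at the database sink, by checking whether the tainted bytes changed the
# structure of the SQL the application built. Hook names, the pattern list and the
# tokenizer are assumptions for this example.

ENTRY_SUSPICIOUS = re.compile(r"['\";]|--|/\*|\b(?:or|and|union|select)\b", re.I)

# SQL tokens: string literal (with '' escapes), number, identifier/keyword,
# -- comment, whitespace, or any other single character.
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|--[^\n]*|\s+|.", re.S)


class Tainted:
    """A string built from trusted and untrusted pieces, remembering which is which.

    Concatenation with a plain str keeps the taint map, which is what the sink needs.
    """

    def __init__(self, segments):
        self.segments = list(segments)          # [(text, is_untrusted)]

    @classmethod
    def untrusted(cls, text):
        return cls([(text, True)])

    def __add__(self, other):
        tail = other.segments if isinstance(other, Tainted) else [(str(other), False)]
        return Tainted(self.segments + tail)

    def __radd__(self, other):
        return Tainted([(str(other), False)] + self.segments)

    def replace(self, old, new):
        """Escaping helper that preserves the taint of each segment."""
        return Tainted([(t.replace(old, new), u) for t, u in self.segments])

    def __str__(self):
        return "".join(t for t, _ in self.segments)

    def untrusted_ranges(self):
        """Byte ranges of the rendered string that came from untrusted input."""
        pos, ranges = 0, []
        for text, untrusted in self.segments:
            if untrusted and text:
                ranges.append((pos, pos + len(text)))
            pos += len(text)
        return ranges


def on_entry(raw):
    """Entry hook (user -> application junction): tag the input, flag it if suspicious."""
    return Tainted.untrusted(raw), bool(ENTRY_SUSPICIOUS.search(raw))


def injection_at_sink(query):
    """Sink hook (application -> database junction).

    The untrusted bytes are harmless only if all of them sit inside one string-literal
    or numeric token. Touching a keyword, operator or comment, or spanning more than
    one token, means the input changed the query's structure.
    """
    if not isinstance(query, Tainted):          # no untrusted input reached this query
        return False
    sql = str(query)
    tokens = [(m.group(0), m.start(), m.end()) for m in SQL_TOKEN.finditer(sql)]
    for lo, hi in query.untrusted_ranges():
        touched = [tok for tok, s, e in tokens if s < hi and e > lo and not tok.isspace()]
        if not touched:                          # whitespace-only input: nothing to judge
            continue
        if len(touched) != 1:
            return True
        tok = touched[0]
        if not (tok.startswith("'") or tok[0].isdigit()):
            return True
    return False


def rasp_check(raw_input, build_query):
    """Run one request through both hooks; build_query is the application's SQL builder."""
    value, suspicious = on_entry(raw_input)
    query = build_query(value)
    return {
        "entry_suspicious": suspicious,
        "sink_confirmed": injection_at_sink(query),
        "sql": str(query),
    }


if __name__ == "__main__":
    def by_name(v):
        return "SELECT * FROM users WHERE name = '" + v + "'"

    def by_name_escaped(v):
        return "SELECT * FROM users WHERE name = '" + v.replace("'", "''") + "'"

    for raw, builder in [("' OR 1=1--", by_name), ("O'Brien", by_name_escaped), ("alice", by_name)]:
        print(repr(raw), "->", rasp_check(raw, builder))
```

The escaped O'Brien case is the reason for the second stage: it trips the entry check because it contains a quote, but at the sink the whole value sits inside a single string literal, so no alert is raised. Deciding at the sink rather than at the entry removes the quote-in-a-surname false positive while ' OR 1=1-- is still caught, which is the accuracy argument the article makes against input-only inspection.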


The unsung achiever: Pakistani tops lists of ethical hackers of 2014

3 Jan 2015 | By Farooq Baloch

The world’s leading information security publications have featured Pakistani security researcher, Rafay Baloch, as one of the top ethical hackers in 2014, putting the 21-year-old Karachiite on top of their lists, The Express Tribune learnt on Thursday.

“Ethical hacking, which makes the information world more secure, is one way we [Pakistanis] can change our country’s negative perception in the world,” said Baloch.

Checkmarx, a source code analysis company based in Tel Aviv, Israel, recognized Baloch as one of the world’s top five ethical hackers who made the headlines in 2014 for exposing a serious vulnerability – a Same-Origin Policy (SOP) bypass – in the Android Open Source Project (AOSP) browser (versions older than 4.4).

The recognition comes from a company that has, arguably, the best tool for Static Application Security Testing. Checkmarx was ranked number one for static analysis in “Critical Capabilities for Application Security Testing”, a 2014 report by the world’s leading information technology research and advisory company, Gartner.

Read the rest of this article here.


Checkmarx Ranked #1 for “Static Analysis Product” in Gartner’s 2014 Critical Capabilities for Application Security Testing Report

30 Dec 2014 | By Asaph Schulman

TEL AVIV, Israel, Dec 30, 2014 (BUSINESS WIRE) -- Checkmarx, web and mobile Application Security Testing (AST) solutions provider, was positioned as a Leader in The Forrester Wave™: Application Security, Q4 2014.

Forrester Research, Inc. invited 12 AST solution providers to participate and rated the providers based on 82 specific criteria within their current offerings, strategies, and market presence. The report offers a comprehensive assessment of each vendor for security and risk professionals. In Forrester’s evaluation, Checkmarx received among the highest scores for Customer References, Corporate Strategy and Developer Education and Training.

“Checkmarx’s solution has strong functional capabilities in deployment, concurrent use, scanning automation, configurable rules and scans, target scanning, and multiple user report,” the report noted. “The Checkmarx offering has strong static analysis levels around source code scanning, varied language and framework support, analysis levels, and custom static analysis rules.”

Read the rest of the release here.


The Business Value of Partial Code Scanning

29 Dec 2014 | By Kevin Beaver

It’s kind of funny and ironic that we humans are all about instant gratification, yet with information risk issues such as source code analysis, we tend to want to wait until everything’s perfect (and way more costly) before we get started. This reminds me of the Mark Victor Hansen quote:

“Don’t wait until everything is just right. It will never be perfect. There will always be challenges, obstacles and less than perfect conditions. So what. Get started now. With each step you take, you will grow stronger and stronger, more and more skilled, more and more self-confident and more and more successful.”

I wrote this article in conjunction with the nice folks at Checkmarx who happen to produce the best static source code analysis tool I’ve used…especially given its price compared to the competition – it’s not even in the same galaxy as some of the others out there. Definitely worth checking out.

Check out Kevin's blog for more.


8 Cybersecurity Resolutions to Make for 2015

8 Dec 2014 | By Nicole Fallon

It seems that 2014 was the year of data breaches in the business world. Target, Home Depot, AT&T, JP Morgan, eBay, P.F. Chang’s and other high-profile brands all fell victim to cybercriminals, compromising both the companies’ reputations and their customers’ information.

1. Secure your mobile apps

You know you need to protect your business’s website and payment system, but what about your mobile app? If you’ve created an app for your customers to use, it may not be as secure as you think.

“Mobile apps serve as a portal to your business’ system as well as your customers’ phones,” said Asaph Schulman, vice president of marketing at Web and mobile-app security solutions provider Checkmarx. “Making sure your app is secured before releasing it to the public will keep you and your customers happy and safe. Don’t assume that your Web developer will consider security as part of their brief, unless you insist on it.”

Read the whole article at Business News Daily.
