In the News

Share the Cost of Secure Application Development

22 Nov 2017 | By Amit Ashbel

The cost of protecting applications from cyberattacks is climbing fast. So, it's time for business units to help cover the price tag.

The 2017 Ponemon Institute study reaffirms that while this year has seen more hacks and breaches than 2016, organizations are actually spending less money per breach. But the climbing security stocks in the wake of recent hacks seem to indicate that organizations and their CISOs are more than prepared to invest in increased security measures.

In fact, SANS Institute reported last year that despite IT budgets decreasing overall, on average, security budgets are increasing. Furthermore, 76% of SANS respondents said application security fell into their top spending category.


The Best Way for Dev and Ops to Collaborate

9 Nov 2017 | By DevOps Digest

The DevOps culture removes the barriers between departments, and especially among those most deeply involved in DevOps; that is, the operations teams and developers. Historically, there has been a culture of inefficiency and miscommunication between developers and operations teams. This is due to many reasons, but primarily to a lack of unified goals: developers work to code a project as quickly as possible and hand it off to operations for release. But with DevOps requirements for small teams comprised of diverse team members working together on a project, and because agile processes are so dependent on the integration of these teams and their tools, collaboration in DevOps enterprises is automatically improved. These single teams break down silos by bringing together employees of diverse skill levels and backgrounds to help inspire more mutual trust and respect.
Amit Ashbel
Director of Product Marketing & Cyber Security Evangelist, Checkmarx


How Checkmarx Is Helping Developers Improve Mobile Security Skills

26 Oct 2017 | By Tom Smith

Checkmarx has launched new mobile security courses for developers. The interactive courses include secure coding for Android Java, Android Kotlin, iOS Objective C, and iOS Swift.

There are 9 free courses which can be found here. For each of the languages, there are one or two free exercises in each course depending on how many total exercises are offered. To have access to all the exercises, there is a paid option to upgrade.


Checkmarx 2018 Predictions: DevOps is Here to Stay

23 Oct 2017 | By Matt Rose

One of the biggest areas for application security in 2018 is how it fits within a true DevOps environment. In my discussions with some of the largest organizations in the world there seems to be one common theme, and that is the movement to a true DevOps program. DevOps is a hot topic that pretty much every major enterprise is discussing or looking to implement. But what is DevOps and how does it help an organization develop and deliver better applications faster?  What are the core disciplines of DevOps?  Who are the players in a DevOps environment? These questions are being answered in many different ways from organization to organization but there seems to be a common theme emerging that everyone is at least thinking about DevOps.

That being said, I would say that only 5% of companies feel they have a true DevOps program in place and the other 95% are currently in a transition phase from a more structured Waterfall development program.

The analogy I like to share is that DevOps programs are the equivalent of the social media culture that is here to stay, and to a point is actually expected by businesses and consumers. People no longer want to wait for new content, news feeds, product information or anything else for that matter. They want it NOW and feel that any delay in access to that information is unacceptable and frustrating. As a kid I used to wait for the newspaper to be delivered in the morning to see what happened in the world the day before and then watched the 6:00 pm news to see what happened during the day. Information came out in very structured blocks of scheduled delivery. Local news broadcasts and newspapers were the structured blocks of information. Things are much different in today's social media driven culture. Sure, newspapers and local news broadcasts still exist, but the rigid structure of delivery is gone. Information is available 24x7 via websites, news feeds, podcasts, Facebook, tweets, snaps, and tons of other different delivery methods.

DevOps is the way that the software release process has transformed from a scheduled and structured delivery process to a social media type delivery model. No longer do organizations who develop applications wait for the equivalent of a morning newspaper or 6:00 pm local news broadcast. This is the old way to develop software in a waterfall or typical design, code, test, release process.


Checkmarx Expands Codebashing Developer Application Security Training With New Interactive Mobile Security Courses

17 Oct 2017 | By DevOps Digest

The importance of integrating security tests in the software development life cycle is commonly discussed and widely agreed upon, yet getting developers to write secure code to begin with is known to be a challenge. According to the SANS 2016 State of Application Security survey, the lack of application security (AppSec) skills, tools and methods is among the top challenges organizations face when implementing AppSec solutions.


ShiftLeft’s new cybersecurity platform customizes itself for every workload

11 Oct 2017 | By Maria Deutscher

Thanks to sophisticated development tools and practices that have emerged in recent years, application teams are producing code faster than ever. The downside is that the shorter release cycles become, the less time is left to check for potential security flaws.


Cloud-native apps push static code analysis tools to the limit

27 Sep 2017 | By Cameron McKenzie

Matt Rose is the global director of application security strategy at Checkmarx, an organization that provides static code analysis tools that play a key role in the secure software testing phase of the software development lifecycle. In other words, Mr. Rose knows a thing or two about securing applications.
Read the full interview here


Pumpkin-Spiced Cybersecurity: October Is National Cyber Security Awareness Month

27 Sep 2017 | By Jimmy H. Koo

Cyberattacks, including global ransomware attacks, massive data breaches, and distributed denial-of-service attacks have recently dominated the headlines, saturating consumers’ news intake with stories about cybersecurity threats. These repeated reminders of the cybersecurity boogie man, ways to protect personally identifiable information, and advertisements for products to fight hackers, can lead to security fatigue, which in turn may lead to risky computing behavior.


“Companies need to realize that security fatigue is a real thing,” Matt Rose, global director of application security strategy at Checkmarx Ltd. in Charlotte, N.C., told Bloomberg BNA Sept. 27. “Things like text verification, captcha, fingerprint recognition, and strong passwords may actually introduce more of a security risk as the company now has more data points on a customer in order to verify they are who they are,” he said.

Click here to continue reading


A bug fix always beats a round of risk assessments

26 Sep 2017 | By Cameron McKenzie

“Many organizations have an effective process for identifying problems, but no process for remediation,” said Matt Rose, the global director of application security strategy at Checkmarx. “Organizations do a lot of signing off on risk. Instead of saying ‘let’s remediate that’ they say ‘what’s the likelihood of this actually happening?’”


Sadly, the trend towards cloud-native, DevOps based development hasn’t reversed this trend towards preferring risk assessment over problem remediation. The goal of any team that is embracing DevOps and implementing a system of continuous delivery is to eliminate as many manual processes as possible. A big part of that process is integrating software quality and static code analysis tools into the continuous integration server’s build process. But simply automating the process isn’t enough. “A lot of times people just automate and don’t actually remediate,” said Rose.

Continue reading on The Server Side


CloudBees, partners add Jenkins services, security

25 Sep 2017 | By Darryl K. Taft

For its part, Checkmarx, an application security software company, introduced a new release of its Interactive Application Security Testing product, CxIAST. The product enables continuous application security testing in real time, so software delivery schedules are not affected by security testing.

Click here to continue reading
