Checkmarx Blog


The Cybersecurity Organizations & Resources You Need to Know

Feb 12, 2016 By Sarah Vonnegut | No matter where you are on your journey in security, there is always room to keep learning. Especially in the security industry, it’s important to aim for a deep understanding of software and how applications interact on the web. In such a dynamic field, there’s no doubt the learning will never end.

Luckily for students of cybersecurity, there are plenty of organizations doing the hard work to help us better understand what we’re working to protect, and how best to secure our own organizations. These organizations are helping fight the “cyber battles” – and are helping us do the same. From nonprofits to university centers to government-funded research facilities, the security industry has its bases covered. There’s a never-ending mountain of high-quality research and guides anyone interested can access – if you know the right places to look.

We’ve already written about the best cybersecurity blogs to keep up to date. But if you’re looking for more in-depth guides, research and best practices to soak up, your search is over. Here’s a list of cybersecurity organizations serving the industry and some of the best resources they each offer.

InfoSec Organizations & Their Best Free Resources

OWASP

If you’re in security, you’re probably pretty familiar with OWASP, but developers are still getting to know it. OWASP, which stands for the Open Web Application Security Project, is a nonprofit organization run with the power of volunteers with security expertise from around the world. Vendor-neutral and run as a Free and Open organization, OWASP is an amazing resource for all things AppSec and is available to anyone. And if you’re able to get involved, there are always new projects and updates requiring experts in all software development fields.

Top OWASP Resources & Projects:

OWASP Top 10

It’s THE industry standard, and though it only covers 10 vulnerabilities, the list, a new version of which has been released every three years since 2004, has the power of thousands of security experts and hundreds of thousands of research hours behind it.

OWASP Top 10 list (image courtesy of OWASP)

What makes the OWASP Top 10 so fantastic is that so many materials and guides have been created around it, and that’s what makes it accessible to non-security experts as well – especially because so many multilingual volunteers have translated the list into 12 languages and counting. SQL Injection and Cross-Site Scripting have finally come into the mainstream development world, and a big part of that is thanks to the OWASP Top 10.

OWASP ESAPI

ESAPI is a great example of the kind of reach OWASP has, because this project, an Enterprise Security API, is used by heavyweight organizations including American Express, Booz Allen Hamilton, MITRE, The Hartford Insurance, and many more. Designed to help developers retrofit security into existing apps and write new, lower-risk applications from the start, ESAPI’s control library has updated versions for Java and JavaScript on the OWASP GitHub page.

The best part is that a new ESAPI version,, was just released this week, making this a great time to see if the framework is right for your organization. Get full details of the release here.

Secure Coding Practices Quick Reference Guide

An example of how OWASP is reaching developers is the Secure Coding Practices Quick Reference Guide, which “at only 17 pages, is easy to read and digest.” Written in checklist format and without mentioning specific tools, it’s perfect to print off for developers so you can work on integrating its principles into your SDLC, if you haven’t already.

The printable PDF version is available here.

The SANS Institute

The SANS Institute, SANS for short, is among the largest information security organizations globally, and provides security training and certifications to thousands of security professionals and ethical hackers annually. Classes are available both online and in person, making SANS courses accessible to the masses.

SANS also operates the Internet Storm Center, an offshoot organization that aims to keep the internet safe by providing a free analysis and warning service to organizations and individuals around the world.

Top SANS Resources:

CWE/SANS Top 25

The Top 25, like the OWASP Top 10, is an industry standard that many organizations and tools use to guide their secure coding and security testing policies. The 25 Most Dangerous Software Errors are vulnerabilities that are “easy to find, and easy to exploit,” making them prime targets in enterprise applications. The list is designed to help spread awareness and educate developers on important coding errors that could lead to high-risk exploits they may not even be aware of. A group effort between MITRE, the SANS Institute and security experts around the world, the list was last updated in 2011.

The list is also available on the CWE website, which also offers tips on how each type of user can best make use of it.

In addition, the Build Security In initiative offered by the U.S. Department of Homeland Security extends the Top 25 Most Dangerous Software Errors to offer “practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.”

The Critical Security Controls

This list of recommendations for organizations trying to lower their security risk provides actionable and clear-cut techniques to detect and stop prevalent application attacks. Backed by high-ranking security experts in the U.S. Department of Homeland Security, the U.S. Department of Defense, the FBI and many other critical organizations, the Controls help organizations both defend against attacks and stop attacks already in progress.

Now in its sixth version, the guide’s goal is to “protect critical assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.”

This resource is available for download here (after filling out details).

Reading Room

The SANS Reading Room offers research papers in all areas of InfoSec, “from SCADA to wireless security, from firewalls to intrusion detection.” This area of the SANS site boasts over 75,000 unique visitors a month, so if you’re not familiar with this fantastic resource, the time has come.

It really depends on what you’re looking for, but if you’re interested in just diving in, here are their top 25 most popular papers from the past year.

ISACA

ISACA, previously called the Information Systems Audit and Control Association but now covering much more ground, is another nonprofit global InfoSec organization. Boasting over 140,000 members worldwide, ISACA is run in part by the huge number of volunteers who help lead the organization. They offer some great pieces of research, and while some of them do cost money or require membership to download, there are plenty of free resources, a select few of which are highlighted below.

Top ISACA Research:

DevOps Practitioner Considerations

When an organization is considering moving to a DevOps ecosystem, there are many security and risk-based factors that must be covered during the transition. This whitepaper offers guidance outlining the risks of DevOps, the controls that can help mitigate key risk areas, and specific actions security professionals can take to help mitigate potential risk.

Internet of Things: Risk and Value Considerations

While we’ve all heard the horror stories about the Internet of Things wreaking havoc on any number of personal or public appliances, it’s not always clear how IoT can put our own organizations at risk and what we need to be prepared for. The IoT revolution is underway, and this whitepaper helps raise awareness about the risks security professionals need to be on the lookout for.

Cloud Security Alliance

Founded in 2008, this non-profit has a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Backed by eBay CISO Dave Cullinane, the organization’s goal is to offer a common baseline for how organizations understand security for their cloud computing needs.

Top Cloud Security Alliance (CSA) Resources:

CloudBytes Webinars

CSA offers monthly webinars conducted by members to help spread awareness on a variety of Cloud Security topics. There’s an impressive collection of webinars with high-quality speakers on relevant topics, so if you’re into watching webinars (and want to learn more about Cloud Security), this is the area of the site for you.

Working Groups

Have an idea for cloud security research you’d like to help get off the ground? CSA’s Working Groups offer volunteers a way to connect to projects – or start their own – that they’re interested in helping out with, across 28 different areas of Cloud Security.

White Papers

CSA also offers a group of white papers available for download and licensed under a Creative Commons Attribution license, so non-commercial uses are perfectly fine as long as you give credit where credit is due. These papers touch on a number of different Cloud Security topics, from auditing distributed databases to securing cloud data under the new European Data Protection laws.

NIST SAMATE

The National Institute of Standards and Technology, a U.S. organization dedicated to creating standards for different verticals, has developed this set of evaluation documents to help organizations determine the right tools for their development environment and evaluate the effectiveness of different tools and techniques. SAMATE covers source code analysis tools, vulnerability scanners, binary code scanners, and the exposition of static analysis tools, with a broad scope “ranging from operating systems to firewalls, SCADA to web applications, source code security analyzers to correct-by-construction methods.”

CERT

The CERT Division of the Software Engineering Institute has a great history, having been created in 1988 in response to the Morris worm. Working with the Department of Homeland Security, along with other government and academic partners, the CERT Division offers a variety of resources and publications to help organizations enhance their security profiles. As an offshoot of the Software Engineering Institute housed at Carnegie Mellon University, the CERT Division has first-class facilities and connections that allow the team to help propel the security industry forward.

The CERT Division divides its work into different topics, with each topic offering a wide range of research, publications and other documents for download. Their secure coding resources are among the best, with various guidelines, research papers and international standards they’ve helped develop available to anyone.

5 Best Practices for the Perfect Secure Code Review

Feb 05, 2016 By Sarah Vonnegut | You’ve worked hard to ensure that security tools and processes are integrated throughout development, and an application or update is days or possibly just hours away from release. Your app is ready to go, right? Wrong! You’ve got one more step in the security process before you can give the green light where security is concerned: A Secure Code Review. In many industries, including the healthcare and payment verticals, secure code reviews are a mandatory part of the compliance requirement, and they offer an added layer of security before your application is released. Whether mandated or not, secure code reviews offer an added value for the security of your application and the organization at large.

Application Layer Security Within the OSI Model

Feb 04, 2016 By Sharon Solomon | With more and more high-profile hackings taking place in recent years, application security has become the call of the hour. But while the awareness is on the rise, not all security officers and developers know what exactly needs to be secured. One aspect that is often overlooked during development is application layer security. The following article will delve into this very aspect and show how crucial it is to protect applications inside-out.

Israeli IT Prodigies Visit Checkmarx HQ

Jan 27, 2016 By Sharon Solomon | Checkmarx is continuing its tradition of hosting the brightest programming and computing minds from Israel’s leading academic institutions. This year it was a group of young kids who are currently honing their skills at the Tel Aviv University (TAU). They are a part of a special program that will enable them to complete their college degree by the age of 18. Here are a few highlights from their visit at the Checkmarx headquarters in Tel Aviv.

The Ultimate Guide to Understanding & Preventing CSRF

Jan 22, 2016 By Sarah Vonnegut | We hear about SQL injection and Cross-Site Scripting constantly – but there are eight other high-risk vulnerabilities we need to be aware of just in the OWASP Top Ten. And the vulnerability rounding out the top three is an important one to keep our eyes out for: Cross-Site Request Forgery, usually shortened to CSRF or XSRF.

CSRF is widespread in today’s web apps, OWASP says, and can cause some major damage when exposed in an app that deals with money or data. Just how much damage? The most powerful CSRF attack is most likely this attack discovered against uTorrent in 2008, which would have given an attacker complete control over a victim’s system using a record three CSRF attacks in a row. And while most CSRF attacks aren’t as damaging as that one, they can do damage, given an opportunity in a data-rich web application.

Internet of Things (IoT) – Hack My Smart City

Jan 21, 2016 By Sharon Solomon | The modern metropolis is becoming more and more computerized. Mega computers are running the show in more ways than can be comprehended – traffic signals, electricity networks, water supply pipes, public transport services and other civil utilities. While the Smart City concept is improving the standards of urban services, how safe is it really for us? How can these automated systems stay safe from hackers and cyberattacks?

All You Wanted To Know About Online Banking Security

Jan 17, 2016 By Sharon Solomon | Gone are the days when people frequented their banks to get their errands done. With more and more banking activities being performed online via web and mobile applications, the security risks are rising exponentially. But are banks and financial institutions doing enough to safeguard our privacy and financial assets? What are the risks and what role do application developers play in providing online banking security? Let’s take a closer look.

Security Experts Speak: Biggest AppSec Priorities and Concerns in 2016

Jan 15, 2016 By Sarah Vonnegut | Each year opens a new Pandora’s Box for the security industry, with a slew of never-before-seen evil wonders that can throw anyone not prepared for a loop. That’s why risk management is so critical in our field – since we can’t know what’s to come, we need to prepare as best we can before that worst-case scenario happens. If you’re not a security expert, though, it can be difficult to figure out where to spend your energy over the year in terms of securing your organization. 
To help give a bit of perspective to what top security experts are gearing up for this year, we asked eight of the world’s top security experts in various roles, including a pentester, several CISOs, a secure developer, a security engineer and an international speaker on security topics, to share their thoughts with us.  

What You Need To Know – Millions of eBay Users Exposed

Jan 14, 2016 By Sharon Solomon | Online e-commerce has become all the rage. Millions of people worldwide are doing their shopping on the various online platforms. But even enormous e-commerce platforms like eBay are not immune to cybercrime, as security researcher MLT demonstrated recently. The culprit this time was Cross Site Scripting (XSS), a common application layer vulnerability that evidently was not detected or remediated during development.