Checkmarx Blog

Mobile Application Security Testing Tools

How to Get More Out of Your Mobile Application Security Testing Tools

Apr 15, 2016 By Sarah Vonnegut | Users expect the apps they download to be secure and safe, in addition to fast and feature-packed. It’s up to the organizations releasing applications – which most likely includes you, if you’re reading this – to meet (and exceed) their expectations. If you don’t meet expectations, you’re in bad luck: A 2013 study found that 88% of Americans have negative views of companies with mobile apps or sites that perform poorly or too slowly.
Read More »
Software Security Testing

Who Needs Software Security, Anyway?

Apr 12, 2016 By Andrei Cheremskoy | In recent years, the advent of mobile and cloud computing revolution has brought to light a serious issue affecting both organizations and individuals: software security. Every day, there’s a new story we hear about some website or application being penetrated, releasing sensitive information that is sold, abused, and exploited. As a consequence, companies lose their credibility (along with hefty financial losses) and customers lose their trust in companies’ ability to secure their personal information.
Read More »
mossack fonseca panama papers CMS connection

Panama Papers: The CMS Connection?

Apr 11, 2016 By Paul Curran | In early April 2016, reports emerged detailing history’s largest data leak, the Panama Papers. This incredible leak of sensitive data concerning both Mossack Fonseca and their clients contained 2.6 TB of data which included 11.5 million documents relating to over 200,000 companies and exposed the hidden fortunes of politicians, dictators and the super-rich. In comparison to understand the size and significance of this leak, the 2010 Wikileaks from 2010 which contained a mere 1.7GB of data.
Read More »
Static Analysis Tools

Static Analysis Tools: All You Need to Know

Apr 08, 2016 By Sarah Vonnegut | Application security is finally beginning to hit the mainstream, and organizations are beginning to see the benefit and need of securing their applications, both internal and external. With so many facets to AppSec, it can be hard to know where to start, especially when trying to build a program from scratch.
Read More »
Google Vendor Security Review

Google Vendor Security Review Tool Goes Open Source

Apr 07, 2016 By Paul Curran | In an ongoing effort to share their knowledge and expertise, Google recently announced on its security blog that they have released to open source their Vendor Security Assessment Questionnaire (VSAQ) on GitHub under the Apache License Version 2. The Google Vendor Security Review Tool questionnaire is used by Google to evaluate the quality of security and privacy for hundreds of vendors each year. Each of the four questionnaires that they have made available consist of a series of questions that adapt and adjust based on the responses in a way that The Register refers to as a, “choose-your-own-adventure,” style of questionnaire.
Read More »
android metaphor stagefright attack large

Another Android Stagefright Vulnerability is Exposed

Apr 06, 2016 By Paul Curran | In mid March, the advanced software researchers at NorthBit released a video and detailed research PDF demonstrating proof of concept of a notorious exploit that can essentially offer hackers control over device hardware and data of certain Android phones. This latest exploit of Android’s Stagefright is referred to as “Metaphor.”
Read More »
Blog Headers (10)

Secure Application Development: Avoiding 5 Common Mistakes

Apr 01, 2016 By Sarah Vonnegut | It’s 2016 – and yet, somehow, ‘easy-to-avoid’ vulnerabilities like SQL injection and XSS can be found on websites of government agencies, Global 500 companies, as well as in highly sensitive medical and financial applications developed and deployed around the world. Two decades of the same kinds of attacks and we still haven’t gotten secure application development figured out.
Read More »
White Box vs Black Box

White Box vs. Black Box Testing Tools: How Would You Treat Your Symptoms?

Mar 28, 2016 By Amit Ashbel | When I feel ill, I take a trip to my doctor.  At first, the doctor will run some tests to see if there is anything visible that can help indicate what treatment should be given. (Disclaimer: the writer of this post is in no way or manner a medical doctor).
The Black Box approach
The doctor’s initial prognosis for a regularly healthy person is usually based on visible symptoms and information reported by the patient. A runny nose could indicate a simple cold. However, it can also indicate the flu, allergies, sinusitis, deviated septum and sometimes, it could even indicate pregnancy. If symptoms don’t persist or increase in severity, the doctor will maintain their prognosis and assign a standard treatment.
Read More »
Open Source Component Security

How Secure Are Your Open Source Components?

Mar 25, 2016 By Sarah Vonnegut | For organizations around the world, open source code has allowed faster time to market, decreased the workload for developers and lowered costs for the organization. The ability for great minds from around the world to come together on a piece of code has given us Linux, Mozilla Firefox, WordPress, and hundreds of thousands of other projects in daily use.
  Yet, for all the positive open source components bring to the table, there is a dark side. For hackers, open source components are a goldmine. Unlike with custom applications developed in organizations, if a hacker finds just one critical vulnerability in the open source code, they can attack any of the hundreds of thousands of systems that use that component in their applications. Just last month, a buffer overflow vulnerability was discovered in the glibc library, allowing attackers to remotely execute malicious code.
Read More »
Application Security Knowledge

10 Easy Ways to Increase Your Application Security Knowledge

Mar 18, 2016 By Sarah Vonnegut | If you’re new to the world of security, in whatever capacity, gaining a good understanding of AppSec can seem daunting and distant – but don’t fear. Becoming more application security aware doesn’t have to be hard or time-consuming. It can be as easy as taking a few minutes out of every day to advance your application security knowledge to a higher level – no matter where it stands today.
Read More »

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.