Checkmarx Blog

CI

All You Wanted To Know About Continuous Integration Security

Apr 07, 2015 By Sharon Solomon | Continuous Integration (CI) is an application development practice that’s becoming more and more popular in large software development organizations. While it boosts productivity and code integrity, it introduces new technical challenges in the security process, magnifying the importance of selecting of the right solution for the task.  
Read More »
CISO Gary Hayslip, San Diego

CISO Insights: How the CISO of San Diego Secures His City

Mar 26, 2015 By Sarah Vonnegut | This article is the first in a series of interviews with CISOs in various industries. Our goal is to share our conversations with different Chief Information Security Officers about how they deal with daily tasks as well as the bigger picture of innovating security practices around business operations.   Gary Hayslip is currently the Deputy Director and Chief Information Security Officer for the city of San Diego, a role he’s held for the past two years. Previous to that, Gary spent over 25 years as a Information Security professional in the US Navy Command, working his way up to becoming CISO.   We had the opportunity to interview Gary about the risks and rewards of securing a major city, as well as what he’s learned over his many years in the industry and shared the highlights below. You can also grab the full interview here and be sure to follow Gary on Twitter!  
Read More »
Ali Express

The AliExpress XSS Hacking Explained

Mar 24, 2015 By Sharon Solomon | This post was originally published on the AppSec-Labs blog.   As you may have heard it was recently advertised that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the Cross-Site Scripting (XSS) vulnerability, I would like to discuss and elaborate on it in the following post.   A few months ago, I purchased some items from AliExpress. After the purchase, I sent a message to the seller in order to ask him a question regarding the items. From my experience as an application security expert at AppSec Labs, I had suspected that it might be vulnerable to a certain security breach, and so I started to investigate the issue locally without harming the system or its users.  
Read More »
AppSec 101

AppSec 101: The Secure Software Development Life Cycle

Mar 19, 2015 By Sharon Solomon | Due to the growing demand for robust applications, the secure Software Development Life Cycle methodology is gaining momentum all over the world. Its effectiveness in combating vulnerabilities has made it mandatory in many organizations. The objective of this article is to introduce the user to the basics of the secure Software Development Life Cycle (also known as sSDLC).  
Read More »
The Big Debate

Open Source vs. Commercial Tools: Static Code Analysis Showdown

Mar 17, 2015 By Sarah Vonnegut | It’s the never-ending dilemma; the ‘Coke or Pepsi’ debate of the software and security world, and there’s still no definitive answer.   As the application security market grows, so too does the variety of tools available to organizations seeking to secure their applications. And with both open source and commercial tools popping up and solid options on either side, the decision isn’t made any easier to the question emerging in organizations around the world: When it comes to selecting tools for source code analysis, should we choose open source or commercial?   A few months ago, we released The Ultimate List of Open Source Static Code Analysis (SCA) Tools and heard that many found it useful when deciding between the options for open source SCA platforms.
Read More »
Open Source

3 Things to Know About Managing Open Source Components in Your App

Mar 05, 2015 By Sharon Solomon | Manage your software where it’s created. It is in your continuous integration environment where the various pieces of code become software. While some of the software is proprietary, much of it (probably over 50%) is open source components, as your development teams use open source components to boost their productivity and make better products.
You most likely have your proprietary software thoroughly tested, QAed and reviewed via static code analysis on a regular basis. But what about the open source components?  Open source components may have a direct impact on the quality of your software or service.
Read More »
16 CISOs You Should Be Following on

16 CISOs and Security Leaders You Should be Following on Twitter

Feb 26, 2015 By Sarah Vonnegut | A few months ago we published an article, ’21 AppSec & Security Gurus You Should Be Following on Twitter,’ and even we were surprised with the buzz it created. It seems we had hit a chord with our readers, who are apparently pining for new security people to follow on Twitter. So, to feed your hunger for ‘security twits’, we decided to double down and create a list of the best tweeters of security related news and info by security leaders heading organizations – the CISOs and CSOs.
Read More »
Secure Your Code

What’s Holding You­­­­ Back from Securing Your Code?

Feb 25, 2015 By Amit Ashbel | Organizations today are aware of security risks they can be exposed to as a result of bad or wrong code practice.  However, while awareness is the first step, being able to act is a whole other ballgame.
After witnessing more and more companies being hit by attacks based on well-known vulnerabilities, we sought to understand what’s holding organizations back when it comes to implement secure coding practices.
Checkmarx gathered a slew of professionals from organizations around the globe in the same room and asked them one simple question: “What is holding you back from ensuring your Application code is secure?”
Read More »
Swift

Safer Swift Development With Checkmarx’s New API

Feb 23, 2015 By Sharon Solomon | After using Objective-C for decades, Apple is swaying towards its newer and safer Swift programming language. The latter is compatible with Apple’s Cocoa/Cocoa Touch frameworks and works with almost all of the Objective-C code written for Apple computing and mobile devices. This shift has not been smooth and Swift development still has some security issues.
Read More »
Habits of AppSec Leaders

5 Habits of Highly Effective Application Security Leaders

Jan 26, 2015 By Sarah Vonnegut | In our global, digital world, data is king – and malicious attackers are on a constant lookout for ways to conquer the throne. With a rapidly changing business landscape,the old, reactive approaches to security are no longer enough – if they ever were. Effective application security leaders are changing their tactics to keep up with the transformations.    It shouldn’t take a security incident to make an organization pay attention to securing the applications and other areas that are so important to the business. With our ever-increasing reliance on data and the applications that carry it – and hackers ever-growing capabilities in causing more and deeper damage – this truth will only ever become more accurate.  
Read More »

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.