Checkmarx Blog


PCI DSS Compliance Made Easy Using Source Code Analysis

May 05, 2015 By Sharon Solomon | The e-commerce and retail fields have undergone mammoth changes over the last decade. Paying in hard cash has almost become a thing of the past. Credit and debit cards are now used to conduct millions of transactions and e-shopping purchases every day worldwide. But this new reality has also introduced numerous security perils.

19 Points of AppSec Wisdom from RSA 2015

Apr 30, 2015 By Amit Ashbel | So, we are back from RSAC 2015! Our heads are full of new information, our sales teams are loaded with new connections to follow up with, and our bags are full of useless giveaways :). Other than achieving absolute culinary success at some quite impressive restaurants and enjoying an impressive Faith No More concert at the San Francisco Warfield, we also did some work. As usual it was an interesting and fruitful RSA Conference. Concentrating on application security, which had its own dedicated track, we decided to summarize a few of the more interesting talks, among them the one by our own one and only Maty Siman.


Apr 29, 2015 By Sharon Solomon | Application security used to be an afterthought until a few years ago, but the exponential rise in cybercrime and malicious activity has made organizations pay more attention to this crucial aspect. This realization has also brought up a widespread discussion about the pros and cons of the various AppSec solutions on offer in the market. While Penetration (Pen) Testing, Interactive Application Security Testing (IAST) and Web Application Firewalls (WAF) are widely recognized security methodologies, they are typically used as processes that complement the two most popular solutions in use today: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

15 Vulnerable Sites To (Legally) Practice Your Hacking Skills

Apr 16, 2015 By Sarah Vonnegut | They say the best defense is a good offense, and it’s no different in the InfoSec world. Use these 15 deliberately vulnerable sites to practice your hacking skills so you can be the best defender you can be, whether you’re a developer, security manager, auditor or pen-tester. Always remember: practice makes perfect! What other sites have you used to practice on? Let us know below!
Now that you’ve mastered your offensive security skills, make sure you understand what you’re defending against with our AppSec Beginner’s Guide!

XSS: The Definitive Guide to Cross-Site Scripting Prevention

Apr 14, 2015 By Sarah Vonnegut | As old as web browsers themselves, cross-site scripting (XSS) has been an ongoing issue in the security world. Its consistent appearance on the OWASP Top 10 and in news reports of cross-site scripting attacks has kept the issue in the spotlight over the years. Yet after two decades it remains one of the most common attacks on web applications, with consistent reports of over 70% of sites at risk. So, what is cross-site scripting, and how do we change our habits as users, developers and security professionals so we can prevent attacks once and for all?
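The core developer-side defence the guide above is about is context-aware output encoding: untrusted text must be encoded for the exact place in the page where it lands. The following is an added example, not code from the Checkmarx post or the guide it links to. The encoder functions, the render functions and the sample message are all constructed for this illustration; the message is a typical `onerror` payload, not a real finding.

```javascript
// Added example: output encoding as the core XSS defence.
// A messaging feature renders untrusted text into HTML. The vulnerable
// version builds markup by string concatenation; the hardened version
// encodes each insertion point for its own context.

// Constructed sample input: a message carrying an XSS payload.
const UNTRUSTED_MESSAGE = '<img src=x onerror="alert(document.cookie)">';

// Encode for an HTML text node or a double-quoted attribute value.
// Every character that can start a tag, entity or attribute break is
// replaced with an entity, so the browser renders it as plain text.
function encodeForHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Encode for a JavaScript string literal inside a <script> block.
// HTML entities are NOT decoded there, so a different rule applies:
// everything outside [A-Za-z0-9 ] becomes a \uXXXX escape, which the
// HTML parser never sees as "</script>" or a quote.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).padStart(4, '0');
    return '\\u' + hex;
  });
}

// VULNERABLE: untrusted data concatenated straight into markup.
function renderMessageVulnerable(msg) {
  return '<div class="msg" title="' + msg + '">' + msg + '</div>';
}

// HARDENED: both insertion points (attribute value and text node) encoded
// with the HTML encoder.
function renderMessageSafe(msg) {
  const enc = encodeForHtml(msg);
  return '<div class="msg" title="' + enc + '">' + enc + '</div>';
}

// HARDENED, JS context: the message is embedded in a script block, so it
// is encoded as a JS string literal rather than as HTML.
function renderInScriptSafe(msg) {
  return '<script>var msg = "' + encodeForJsString(msg) + '";</script>';
}

// Demo helper: does the untrusted payload survive verbatim in the output?
function payloadSurvives(html, payload) {
  return html.includes(payload);
}

// Stand-alone run for the reader.
console.log('vulnerable:', renderMessageVulnerable(UNTRUSTED_MESSAGE));
console.log('safe      :', renderMessageSafe(UNTRUSTED_MESSAGE));
console.log('in script :', renderInScriptSafe('</script><script>alert(1)</script>'));
```

The point the two encoders make is that there is no single "escape" function: the same `</script>` string that `encodeForHtml` neutralises in a text node would still close a script block if HTML-encoded inside one, because entities are not decoded in script content. Pick the encoder by where the data lands (HTML body, attribute, JavaScript string, URL), and prefer a maintained library encoder over a hand-rolled one in production.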

All You Wanted To Know About Continuous Integration Security

Apr 07, 2015 By Sharon Solomon | Continuous Integration (CI) is an application development practice that’s becoming more and more popular in large software development organizations. While it boosts productivity and code integrity, it introduces new technical challenges in the security process, magnifying the importance of selecting the right solution for the task.

CISO Insights: How the CISO of San Diego Secures His City

Mar 26, 2015 By Sarah Vonnegut | This article is the first in a series of interviews with CISOs in various industries. Our goal is to share our conversations with different Chief Information Security Officers about how they deal with daily tasks as well as the bigger picture of innovating security practices around business operations. Gary Hayslip is currently the Deputy Director and Chief Information Security Officer for the city of San Diego, a role he’s held for the past two years. Before that, Gary spent over 25 years as an information security professional in the US Navy Command, working his way up to becoming CISO. We had the opportunity to interview Gary about the risks and rewards of securing a major city, as well as what he’s learned over his many years in the industry, and have shared the highlights below. You can also grab the full interview here, and be sure to follow Gary on Twitter!

The AliExpress XSS Hacking Explained

Mar 24, 2015 By Sharon Solomon | This post was originally published on the AppSec-Labs blog. As you may have heard, it was recently advertised that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the Cross-Site Scripting (XSS) vulnerability, I would like to discuss and elaborate on it in the following post. A few months ago, I purchased some items from AliExpress. After the purchase, I sent a message to the seller in order to ask him a question regarding the items. From my experience as an application security expert at AppSec Labs, I had suspected that it might be vulnerable to a certain security breach, and so I started to investigate the issue locally without harming the system or its users.

AppSec 101: The Secure Software Development Life Cycle

Mar 19, 2015 By Sharon Solomon | Due to the growing demand for robust applications, the secure Software Development Life Cycle methodology is gaining momentum all over the world. Its effectiveness in combating vulnerabilities has made it mandatory in many organizations. The objective of this article is to introduce the reader to the basics of the secure Software Development Life Cycle (also known as sSDLC).

Open Source vs. Commercial Tools: Static Code Analysis Showdown

Mar 17, 2015 By Sarah Vonnegut | It’s the never-ending dilemma, the ‘Coke or Pepsi’ debate of the software and security world, and there’s still no definitive answer. As the application security market grows, so too does the variety of tools available to organizations seeking to secure their applications. And with both open source and commercial tools popping up, with solid options on either side, the question emerging in organizations around the world isn’t made any easier: when it comes to selecting tools for source code analysis, should we choose open source or commercial? A few months ago, we released The Ultimate List of Open Source Static Code Analysis (SCA) Tools and heard that many found it useful when deciding between the options for open source SCA platforms.


Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.