Checkmarx Blog


All You Need to Know About Shellshock & What You Can Do About It

Oct 02, 2014 By Sarah Vonnegut | So, what happens when a core component of Mac, Linux and other Unix-based operating systems is found to be highly vulnerable and easily exploitable? 
Last week, we found out: On September 24th, the world was first introduced to a family of bugs in the Bash shell, being referred to both as ‘Shellshock’ and ‘Bashdoor’.
Here’s a breakdown of what the Bash bug is, how it can be exploited, and how you can protect yourself.
Background on Bash & the Bash Bug Being Called Shellshock
Bash (short for Bourne Again Shell) is a command-line shell used to type and execute commands. It is prevalent in Mac OS X, Linux, and other UNIX-like operating systems. It’s also a mainstay on servers running Apache, which accounts for about 51% of the world’s servers.

Major Android Browser Flaw Allowing Hackers to Bypass SOP Mechanism

Sep 30, 2014 By Sharon Solomon | The Android platform has taken the world by storm in recent years. It was announced at Google’s recent 2014 I/O developer conference that over 538 million Android devices are currently in use worldwide. Android has now leapfrogged Apple’s iOS in the US, where it currently has almost 52% of the smartphone market share.

Risks and Rewards in Security: An Interview with Josh Sokol, InfoSec Program Owner and Creator of SimpleRisk

Sep 23, 2014 By Sarah Vonnegut | When you’re in the midst of a security issue, getting to the point of feeling on top of security again can seem a million miles away. Because in the end, security is about being aware of what’s going on in your environment and having a proactive approach to dealing with the threats. Being able to prioritize the severity of those threats and vulnerabilities that could impact the business is key to any security practitioner’s job. It’s in that vein that we recently spoke with Josh Sokol, an OWASP leader and the creator of SimpleRisk, an open source risk management tool he released to the community to help take some of the ‘obscurity’ out of security. With a background in computer science, a deep understanding of OWASP principles and as the owner of a security program at a large company, Sokol has a lot of great advice on how to do application security as well as security in general.

Swift Vulnerabilities: What the New Language Did Not Fix

Aug 20, 2014 By Sharon Solomon | Swift is a new language developed by Apple for iOS and OS X development. Introduced at Apple’s developer conference WWDC 2014, the language is designed to eventually replace Objective-C and provide several important benefits, one of which is greater resilience against erroneous code. This research, published originally on Dr. Dobb’s, covers how Swift compares with Objective-C from the security perspective. The Checkmarx researchers based the comparison on Apple’s Secure Coding Guide, examining the various vulnerabilities stated in the document and checking whether they can be exploited in Swift. It’s important to mention that only loopholes that exist in Objective-C were explored, not new ones that may exist in Swift. In each case, typical classifications, including the category, the severity and the likelihood of exploitation, were used.

Ensuring your developers love – or at least don’t hate – security

Aug 14, 2014 By Sarah Vonnegut | This post originally appeared on SCMagazine.com.  By Maty Siman, Checkmarx Founder & CTO
When it comes to an organization’s software security, there’s been a chronic disconnect between the developers who write and build the code and the security teams who audit and enforce the code’s security. This divide historically arose from common misunderstandings: programmers believe that security hinders their productivity, while security folks are frustrated that security is not top-of-mind for developers.

Building Secure Applications: How Mature Are You?

Jul 29, 2014 By Sarah Vonnegut | Dave Ferguson is back with another guest blog! Make sure you check out his blog here, and read his original post, ‘Keeping Up With The Hackers: Where to Practice Your Web Hacking Skills,’ here. Testing your software for vulnerabilities is important. There’s no doubt about it, but if there’s something I’ve learned over the years when it comes to application security, it’s that you can’t test yourself secure. The reason is that development teams are writing new code all the time, and if your main approach to securing the code is testing, it quickly becomes a never-ending cycle of testing –> fixing –> repeating. This is a lot like treating the symptoms of a malady. What you really want is a cure for the malady.

Hacking It Forward

May 30, 2014 By Sarah Vonnegut | How do security researchers stay motivated and interested? For some of us, it seems like one XSS flaw or SQL injection would look exactly like the next, but the thrill of discovering these security vulnerabilities is more than enough to keep the fire going for some researchers. Osanda Malith Jayathissa, a security researcher and graduate student from Sri Lanka, is among that group, helping to make the web apps we use on a daily basis more secure. We spoke with Osanda recently to talk about why he does what he does and what keeps him in the field.
“I find it interesting to find solutions and learn by making mistakes. Each scenario is different from the next, so I learn something new each time,” Osanda says.

eBay Data Breach: A Big Wake-Up Call for e-Commerce Giants

May 27, 2014 By Sharon Solomon | eBay, the world’s largest and most used eCommerce platform, has suffered a major security breach. More than 100 million users have been affected in what has become this year’s biggest cybercrime so far. It’s still not clear how the intruders gained access to the eBay databases, but this is definitely the right time to bolster application security.
Identity and data theft have become a serious problem in recent years. The aforementioned eBay breach is still creating waves, as millions of usernames, passwords, phone numbers and physical addresses have been stolen.
“Cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” eBay recently commented. “The company is aggressively investigating the matter.”
