Checkmarx

Checkmarx is a company that makes static code analysis software.

checkmarx.com/products/static-application-security-testing
checkmarx.com/products/codebashing
checkmarx.com/products/software-composition-analysis
checkmarx.com/products/software-security-platform
checkmarx.com
Is a: Product, Company, Organization

Company attributes

Industry: Software security, Security, Static program analysis, Code reviewing software, Software development, Code review, Open-source software, Training and development, ...
Location: Israel, Ramat Gan
B2X: B2B
CEO: Emmanuel Benzaquen
Founder: Maty Siman
AngelList URL: angel.co/checkmarx
Email Address: contact@checkmarx.com
Phone Number: +18002575746
Investors: Hellman & Friedman
Founded Date: 2006
Total Funding Amount (USD): 84,000,000
Competitors: Quality Clouds, appknox, Snyk, PullRequest, Code Climate, Acunetix, RavenFlight, Veracode, ...
Business Model: Subscription
CTO: Maty Siman
Latest Funding Type: Series D
Patents Assigned (Count): 4
Wellfound ID: checkmarx

Product attributes

Product Parent Company: Checkmarx

Other attributes

Company Operating Status: Active
Strategic Partnerships: Softline International

Checkmarx's primary product is its Software Security Platform, which helps organizations analyze and test custom code to be included in their applications and services.

The company says its enterprise-grade unified platform can "bind" security with DevOps culture, identifying, triaging, prioritizing, and remediating security risk exposure across the software development lifecycle.

The security platform comprises four components: static application security testing (CxSAST), open source analysis (CxOSA), interactive application security testing (CxIAST), and developer application security training (CxCodebashing).

Checkmarx says its software security platform can help evaluate software risks, awareness risks, and adoption risks.

The company cites a number of benefits to using its software security platform:

  • Full visibility into security exposures in code
  • Unified central management
  • Helps to optimize and scale vulnerability remediation efforts
  • Implementation flexibility, allowing customers to select and use only the Checkmarx services they need

Checkmarx SAST (CxSAST) is an enterprise-grade static analysis solution used to identify hundreds of security vulnerabilities in custom code. It is used by development, DevOps, and security teams to scan source code early in the software development lifecycle, identify vulnerabilities, and provide actionable insights to remediate them. CxSAST supports over 25 coding and scripting languages and their frameworks.

The company's frameworks support a number of languages and technologies, including Python, Scala, Ruby, PHP, Swift, TypeScript, Perl, iOS and Android, Kotlin, COBOL, and VBScript, among others.

The company highlights a number of advantages to using its static application security testing framework, including:

  • Simplifying application security testing automation with tight integration into agile planning tools, IDEs, build management servers, bug tracking tools, and source repositories
  • Allowing companies to manage security at scale by letting teams set and use policies to cover an application's security. The platform allows security teams to enforce these policies through build tool integrations as well as manage remediation efforts through IT workflow support
  • Accelerating time to remediation by allowing developers to fix multiple vulnerabilities at a single point in the code by using the company's unique "best fix location" algorithm
  • Finding vulnerabilities sooner because the company's application testing framework scans uncompiled code and does not require a complete build. The company says that there are no dependency configurations and no learning curve when switching languages

Checkmarx Software Composition Analysis (CxSCA) is a code analysis and review framework that helps companies and their security teams analyze and evaluate open source components and third-party libraries used in custom code.

CxSCA is compatible with a number of programming languages and frameworks, including Java, JavaScript, Python, PHP, Node.js, F#, Scala, C#, Kotlin, and others.

The company says that CxSCA is the most effective software composition analysis solution, designed to help development teams ship secure software while giving application security teams the insight and control needed to ensure software security and minimize exposure to vulnerabilities introduced by open source software components.

The company cites a number of advantages to using its software composition analysis tools:

  • The software helps companies identify open source libraries in their code bases, including direct and transitive dependencies. CxSCA identifies the specific versions in use as well as any associated vulnerabilities and licenses. The tools were designed to minimize false positives, which the company says saves time spent on parsing through inaccurate results.
  • Checkmarx says CxSCA minimizes open source security and licensing risks by accessing metrics and breakouts of security risks resulting from vulnerable open source software component versions, and by visualizing potential risks to intellectual property or copyright resulting from open source license conflicts. Additionally, the tools help evaluate potential risks to operations resulting from shifts in community activity for a given component.
  • Accelerate remediation by getting detailed guidance from the company's security research team, and triage vulnerabilities based on verified exploitability. CxSCA features automatic dependency path visualization to filter out libraries that are used for development but not in production.
  • Measure and report risks of using open source software by generating and exporting reports detailing risks in open source components that comprise custom software, or by extracting data directly via integrations and APIs. The tool helps companies track software security risk over time to monitor improvement.

Checkmarx Codebashing is an application security education and information product from Checkmarx.

Codebashing provides application security training for major programming languages and frameworks including Java, Objective C, NodeJS, Swift, Scala, Python, Ruby, C++, Kotlin, Groovy, and others.

Codebashing trains developers on how to identify a number of vulnerabilities, including:

  • SQL injection
  • XXE injection
  • Command injection
  • Session fixation
  • Reflected XSS
  • Use of insufficiently random values
  • Persistent (stored) XSS
  • DOM XSS
  • Directory traversal
  • Privileged interface exposure
  • Authentication credentials passed in URLs
  • Session exposure within URLs
  • User enumeration
  • Horizontal and vertical privilege escalation
  • Cross site request forgery (POST)
  • Cross site request forgery (GET)
  • Clickjacking
  • Insecure URL redirect, TLS validation, and object deserialization
  • Use of open source components with known vulnerabilities

With Codebashing, security teams can keep developers up to date on general application security news, organization-wide security announcements, and specific Codebashing activities. Examples include a weekly security best practice tip, a monthly training reminder, a quarterly security challenge, and an annual company secure development guideline.

Codebashing is compatible with regulatory standards such as the PCI-DSS, which requires either "role based security training" or, more specifically, "developer security training".
