Checkmarx brings software security solutions to AWS Marketplace, earns AWS DevOps Competency status

Checkmarx announced major milestones in its relationship with Amazon Web Services (AWS), bringing its software security solutions to AWS Marketplace and earning AWS DevOps Competency status.

With these moves, Checkmarx is delivering greater simplicity, flexibility, and confidence to customers looking to deploy application security testing (AST) solutions into their AWS CI/CD pipelines.

Checkmarx provides automated solutions that simplify and speed up the process of security testing in fast-paced DevOps environments. Checkmarx SAST, IAST, SCA, and Codebashing integrate seamlessly with developer workflows and tools to quickly find and remediate vulnerabilities in both custom and open source code before software is released into production.

Of note, Checkmarx’s availability in AWS Marketplace follows the company’s recent string of partnership activity with premier software development platforms including GitHub and GitLab.

The AWS DevOps Competency recognizes that Checkmarx provides a proven technology with deep expertise in helping organizations implement application security within continuous integration and delivery practices on AWS.

With this latest certification, Checkmarx becomes the only AST solutions provider to possess both the AWS Security and DevOps Competencies, underscoring its commitment to helping organizations move their DevOps initiatives to the cloud.

“Checkmarx empowers cloud-first organizations to enhance the security of the software they release while providing a seamless experience for developers,” said Robert Nilsson, VP of Product Management, Checkmarx.

“Bringing our solutions to AWS Marketplace, as well as achieving both the AWS Security and DevOps Competencies, demonstrate our dedication to the AWS community and our customers in helping them strategically and securely navigate their cloud and digital transformation journeys.”

AWS enables scalable, flexible, and cost-effective solutions for banking and payments, capital markets, and insurance organizations, from startups to global enterprises.

To support the seamless integration and deployment of these solutions, AWS established the AWS Competency Program to help customers identify AWS Consulting and Technology Partners with deep industry experience and expertise.

Three best practices for responsible open source usage in the COVID-19 era

COVID-19 has forced developer agility into overdrive, as the tech industry’s quick push to adapt to changing dynamics has accelerated digital transformation efforts and necessitated the rapid introduction of new software features, patches, and functionalities.

open source code

During this time, organizations across both the private and public sector have been turning to open source solutions as a means to tackle emerging challenges while retaining the rapidity and agility needed to respond to evolving needs and remain competitive.

Since well before the pandemic, software developers have leveraged open source code as a means to speed development cycles. The ability to leverage pre-made packages of code rather than build software from the ground up has enabled them to save valuable time. However, the rapid adoption of open source has not come without its own security challenges, which developers and organizations should resolve safely.

Here are some best practices developers should follow when implementing open source code to promote security:

Know what and where open source code is in use

First and foremost, developers should create and maintain a record of where open source code is being used across the software they build. Applications today are usually designed using hundreds of unique open source components, which then reside in their software and workspaces for years.

As these open source packages age, there is an increasing likelihood of vulnerabilities being discovered in them and publicly disclosed. If the use of components is not closely tracked against the countless new vulnerabilities discovered every year, software leveraging these components becomes open to exploitation.

Attackers understand all too well how often teams fall short in this regard, and software intrusions via known open source vulnerabilities are a highly common sources of breaches. Tracking open source code usage along with vigilance around updates and vulnerabilities will go a long way in mitigating security risk.

Understand the risks before adopting open source

Aside from tracking vulnerabilities in the code that’s already in use, developers must do their research on open source components before adopting them to begin with. While an obvious first step is ensuring that there are no known vulnerabilities in the component in question, other factors should be considered focused on the longevity of the software being built.

Teams should carefully consider the level of support offered for a given component. It’s important to get satisfactory answers to questions such as:

  • How often is the component patched?
  • Are the patches of high quality and do they address the most pressing security issues when released?
  • Once implemented, are they communicated effectively and efficiently to the user base?
  • Is the group or individual who built the component a trustworthy source?

Leverage automation to mitigate risk

It’s no secret that COVID-19 has altered developers’ working conditions. In fact, 38% of developers are now releasing software monthly or faster, up from 27% in 2018. But this increased pace often comes paired with unwanted budget cuts and organizational changes. As a result, the imperative to “do more with less” has become a rallying cry for business leaders. In this context, it is indisputable that automation across the entire IT security portfolio has skyrocketed to the top of the list of initiatives designed to improve operational efficiency.

While already an important asset for achieving true DevSecOps agility, automated scanning technology has become near-essential for any organization attempting to stay secure while leveraging open source code. Manually tracking and updating open source vulnerabilities across an organization’s entire software suite is hard work that only increases in difficulty with the scale of an organization’s software deployments. And what was inefficient in normal times has become unfeasible in the current context.

Automated scanning technologies alleviate the burden of open source security by handling processes that would otherwise take up precious time and resources. These tools are able to detect and identify open source components within applications, provide detailed risk metrics regarding open source vulnerabilities, and flag outdated libraries for developers to address. Furthermore, they provide detailed insight into thousands of public open source vulnerabilities, security advisories and bugs, to ensure that when components are chosen they are secure and reputable.

Finally, these tools help developers prioritize and triage remediation efforts once vulnerabilities are identified. Equipped with the knowledge of which vulnerabilities present the greatest risk, developers are able to allocate resources most efficiently to ensure security does not get in the way of timely release cycles.

Confidence in a secure future

When it comes to open source security, vigilance is the name of the game. Organizations must be sure to reiterate the importance of basic best practices to developers as they push for greater speed in software delivery.

While speed has long been understood to come at the cost of software security, this type of outdated thinking cannot persist, especially when technological advancements in automation have made such large strides in eliminating this classically understood tradeoff. By following the above best practices, organizations can be more confident that their COVID-19 driven software rollouts will be secure against issues down the road.

GitHub envisions a world with fewer software vulnerabilities

After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.

GitHub code scanning

“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code,” Grey Baker, GitHub’s Senior Director of Product Management, told Help Net Security.

“Everything we’ve built previously was about responding to security incidents (dependency scanning, secret scanning, Dependabot) — reacting in real time, quickly. Our future state is about fundamentally preventing vulnerabilities from ever happening, by moving security core into the developer workflow.”

GitHub Code Scanning

The Code Scanning feature is powered by CodeQL, a powerful static analysis engine built by Semmle, which was acquired by GitHub in September 2019.

The engine can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but since the Code Scanning feature built on the open SARIF standard, it can also work with third-party analysis engines available from the GitHub Marketplace.

“We want developers to be able to use their tools of choice, for any of their projects on GitHub, all within the native GitHub experience they love. We’ve partnered with more than a dozen open source and commercial security vendors to date and we’ll continue to integrate code scanning with other third-party vendors through GitHub Actions and Apps,” Baker noted.

GitHub Actions

Among the third parties that offer automated security scans via GitHub Actions are Checkmarx and DefenseCode.

GitHub code scanning

“The major value add here is that developers can work, and stay within, the code development ecosystem in which they’re most accustomed to while using their preferred scanning tools,” explained James Brotsos, Senior Solutions Engineer at Checkmarx.

“GitHub is an immensely popular resource for developers, so having something that ensures the security of code without hindering agility is critical. Our ability to automate SAST and SCA scans directly within GitHub repos simplifies workflows and removes tedious steps for the development cycle that can traditionally stand in the way of achieving DevSecOps.”

Checkmarx’s SCA (software composition analysis) help developers discover and remedy vulnerabilities within open source components that are being included into the application and prioritizing them accordingly based on severity. Checkmarx SAST (static application security testing) scans proprietary code bases – even uncompiled – to detect new and existing vulnerabilities.

“This is all done in an automated fashion, so as soon as a pull request takes place, a scan is triggered, and results are embedded directly into GitHub. Together, these integrations paint a holistic picture of the entire application’s security posture to ensure all potential gaps are accounted for,” Brotsos added.

Leon Juranic, CTO at DefenseCode, said that they are very excited by this initiative, as it provides access to security analysis to over 50+ million Github users.

“Having the security analysis results displayed as code scanning alerts in GitHub provides an convenient way to triage and prioritize fixes, a process that could be cumbersome usually requiring scrolling through many pages of exported reports, going back and forth between your code and the reported results, or reviewing them in dashboards provided by the security tool. The ease of use now means you can initiate scans, view, fix, and close alerts for potential vulnerabilities in your project’s code in an environment that is already familiar and where most of your other workflows are done,” he noted.

A week ago, GitHub also announced additional support for container scanning and standards and configuration scanning for infrastructure as code, with integration by 42Crunch, Accurics, Bridgecrew, Snyk, Aqua Security, and Anchore.

The benefits and future plans

“We expect code scanning to prevent thousands of vulnerabilities from ever existing, by catching them at code review time. We envisage a world with fewer software vulnerabilities because security review is an automated part of the developer workflow,” Baker explained.

“During the code scanning beta, developers fixed 72% of the security errors found by CodeQL and reported in the code scanning pull request experience. Achieving such a high fix rate is the result of years of research, as well as an integration that makes it easy to understand each result.”

Over 12,000 repositories tried code scanning during the beta, and another 7,000 have enabled it since it became generally available, he says, and the reception has been really positive, with many highlighting valuable security finds.

“We’ll continue to iterate and focus on feedback from the community, including around access control and permissions, which are of high priority to our users,” he concluded.

New infosec products of the week: October 9, 2020

Checkmarx provides automated security scans within GitHub repositories

Checkmarx announced a new GitHub Action to bring comprehensive, automated static and open source security testing to developers. It integrates the company’s application security testing (AST) solutions – Checkmarx SAST (CxSAST) and Checkmarx SCA (CxSCA) – directly with GitHub code scanning, giving developers more flexibility and power to work with their preferred tools of choice to secure proprietary and open source code.

infosec products October 2020

Apricorn announces 18TB version of its Aegis Padlock DT FIPS desktop drives

Consistent with the Apricorn line of secure drives, all passwords and commands are entered by way of the device’s onboard keypad. One hundred percent of the authentication and encryption processes take place within the device itself and never involve software or share passwords / encryption keys with its host computer.

infosec products October 2020

Venafi Zero Touch PKI: Eliminating the effort, expense and risk of traditional PKI

Many internal and legacy PKI solutions require massive consulting investments to implement and maintain. Venafi’s new solution is a simple and fast way to replace these antiquated systems. Venafi Zero Touch PKI creates and integrates root and intermediate certificate authorities (CAs) and maps them to an organization’s needs.

infosec products October 2020

APIsec now provides detailed pen-test reports that can be automated and published automatically

APIsec provides a 100% automated and continuous API security testing platform that eliminates the need for expensive, infrequent, manual pen-testing. With this latest release, APIsec now produces certified and on-demand penetration testing reports required by the compliance standards, enabling enterprises to stay compliant at all times at a fraction of cost.

infosec products October 2020

Raytheon Intelligence & Space provides a virtualized environment to evaluate and reduce cyber threats

DejaVM enables system-level cyber testing without requiring access to the limited number of highly specialized physical hardware assets. The tool creates an emulation environment that virtualizes complex systems to support automated cyber testing. DejaVM focuses on improving software development, testing and security via its advanced analysis features.

infosec products October 2020

Checkmarx provides automated security scans within GitHub repositories

Checkmarx announced a new GitHub Action to bring comprehensive, automated static and open source security testing to developers.

Checkmarx GitHub

As enterprises look to differentiate themselves through digital innovation, recent research found that nearly two-thirds will be prolific software producers, with code deployed daily, by 2025.

However, this increased emphasis on speed and volume comes at a price, as vulnerable software and applications are now the leading cause of security breaches.

With development cycles accelerating and software becoming more complex due to the evolution of APIs, microservices, containers, and more, automated solutions that are purpose-built for DevOps and enable developers to find and fix flaws more quickly and easily are required.

Checkmarx’s new GitHub Action integrates the company’s application security testing (AST) solutions – Checkmarx SAST (CxSAST) and Checkmarx SCA (CxSCA) – directly with GitHub code scanning, giving developers more flexibility and power to work with their preferred tools of choice to secure proprietary and open source code.

By automatically triggering SAST and SCA security scans in the event of a pull request, and embedding results directly into the GitHub CI/CD pipeline, Checkmarx streamlines developer workflows and empowers them to code more confidently without sacrificing speed and security.

“Checkmarx and GitHub share a similar mission in that we’re both focused on helping developers strike a balance between software development speed and security,” said Robert Nilsson, VP of Product Management, Checkmarx.

“The key to this lies within the power of automation, which helps to simplify the implementation and process of security testing in today’s fast-paced DevOps environments. We’re excited to bring our best-in-class, automated SAST and SCA solutions to the GitHub community and are confident this will enhance developers’ experience and ability in finding and fixing code-borne vulnerabilities.”

Key features and benefits include:

  • Ability to scan raw source code before a build takes place, enabling greater efficiency between developers and AppSec teams when using GitHub Actions
  • Prioritized SAST and SCA scan results to focus and expedite developer remediation efforts on vulnerabilities that pose the greatest threat
  • Automated results feedback loop to eliminate the need for manual intervention when opening and closing defects
  • Direct links into the Checkmarx Software Security Platform and access to its dedicated service and support resources for even more comprehensive results and coverage and
  • Links to just-in-time, lesson-specific training via Checkmarx Codebashing and online resources for remediation guidance to elevate developers’ secure coding skills.

“GitHub is dedicated to providing open source and enterprise developers with the best possible software development experience,” said John Leon, VP of Business Development, GitHub. “Checkmarx’s new GitHub Action further enables the community to develop secure software, without compromising speed or quality, all within the native GitHub experience.”

How do I select an application security testing solution for my business?

Software-related issues continue to plague organizations of all sizes, so IT leaders are turning to application security testing tools for help. Since there are many types of programs available on the market, choosing one is not a straightforward process.

To select the perfect application security testing solution for your business, you need to think about an array of details. We’ve talked to several industry professionals to get insight to help you get started.

Leon Juranic, CTO, DefenseCode

select application security testing solutionChoosing the right application security testing solution for your business can be a daunting task for any organization. On the surface, they all appear to function similarly and provide a list of vulnerabilities as part of the results.

Prospective users need to look beyond the superficial and closely examine a couple of important factors and capabilities of any application security testing solutions. Clients should focus on True Positive and False Positive (low noise levels) rates to determine how usable a vendor’s product is in the real world.

Having to spend hours triaging the results to determine if they are real is an expensive overhead for any business and undermines confidence in the results also increases the workload of development teams unnecessarily, ultimately even rejection of an AST product.

Secondly, understanding if your workflow can be supported is essential, otherwise, a standalone security product will never be used effectively by development teams. The best approach would be to invest upfront and evaluate a shortlist of vendors to determine if they are a good fit for your business.

Ferruh Mavituna, CEO, Invicti Security

select application security testing solutionThe most important thing is getting real value from your solution in a short time. The goal of application security testing is to get measurable security improvements, not just find issues.

There is no point spending money on a solution that will take months to deploy and get the first results. When selecting your application security solution, time to value in the real world should be your #1 consideration.

Every organization is different, so for web application security, the only approach that works for all sorts of environments is dynamic application security testing. DAST tools scan web applications and APIs by finding vulnerabilities regardless of programming languages, frameworks, libraries, and so on, so it’s much easier to deploy. It doesn’t require the application to be in an active development pipeline and you don’t need to install anything on the server.

To get value from your DAST product, you need results that directly lead to security improvements. This requires accuracy, so the scanner finds all the vulnerabilities that you really have, but also confidence in your results, so you don’t waste time on false alarms. You get a list of real, actionable vulnerabilities and you can start fixing them. Then you can see real value from your investment in days, not months.

James Rabon, Director of Product Management, Micro Focus

select application security testing solutionDuring the software development lifecycle, there are several approaches that should be followed in order to maintain the speed needed to keep up with releases today. These approaches, which are crucial for any application security testing tool are testing early, often and fast.

SAST identifies the root causes of security issues and helps remedi­ate the underlying security flaws. An effective SAST tool identifies and eliminates vulnerabilities in source, binary, or byte code, allows you to review scan results in real-time with access to recommendations, line-of-code navigation to find vulnerabilities faster and enable collaborative auditing and is fully integrated with the popular Integrated Developer Environments.

DAST simulates attacks on a running web application. By integrat­ing DAST tools into development, quality assurance and production, it can offer a continuous holistic view. A successful DAST tool offers an effective solution by quickly identifying risk in existing applications, automating dynamic application security testing of any technology, from development through production, validating vulnerabilities in running applications, prioritizing the most critical issues for root-cause analysis and streamlining the process of remediating vulnerabilities

Successful tools should be flexible to modern deployment by being available both on-premise and as a service.

Richard Rogerson, Managing Partner, Packetlabs

select application security testing solutionApplication security testing solutions can be delivered in various ways including as a tool/technology or as a professional service. Automation alone is often not enough because it misses critical areas of applications including business logic, authorization, identity management and several others. This is why professional services are the most comprehensive approach.

  • Qualifications: Successful consulting engagements have long relied on experience, but it’s difficult to assess experience before selecting a solution which is why certifications are often the best method to ensure a baseline level of knowledge or practical experience. Certifications to ask for include: GWAPT, GXPN, GPEN, OSWE, OSCE, OSCP.
  • Methodology: Having a methodical approach to assessing applications is important as it plays heavily into the consistency and thoroughness of the assessment. There are several open-source and industry-standard testing methodologies including the OWASP Testing Methodology, NIST, PTES, ISSAF and OSSTMM. It is also important to review a checklist of all potential vulnerabilities that your application will be tested for and for this – transparency is key.
  • Technology: Technology is important in reducing effort requirements and maximizing code coverage. Technologies include DAST, SAST, and IAST. DAST or dynamic Application security testing is the most common. It evaluates your applications while they’re running over the HTTP protocol. SAST or static application security testing evaluates applications at the line-of-code level. IAST or Interactive application security testing is an evolving technology that combines both approaches. Tools used must include both automated and manual testing capabilities to help the consultant evaluate vulnerabilities directly from the HTTP request or line of code.
  • Reporting: The deliverable of an assessment is a report. When evaluating solutions, it is worthwhile to review sample reports and ensure they meet your requirements and offer sufficient information to understand the discovered findings, and more importantly how to fix them.

Dr. Thomas P. Scanlon, Data Science Technical Manager, CERT Division, Software Engineering Institute, Carnegie Mellon University

select application security testing solutionThere is no universal, best tool for application security testing (AST). The most appropriate tool for one business environment may not be as suitable for another. When selecting an AST solution for a business, four of the most pertinent factors are budget, technology stack, source code availability, and use of open-source components.

  • Budget – There are many quality open-source AST tools available for little or no cost. Commercial tools typically have more features and capabilities, so they are worth the investment if they fit the budget. A wise approach is to use an open-source tool first to gain domain experience, then shop and compare commercial tools.
  • Technology stack – Large commercial AST tools support multiple programming languages, which may save costs when a business uses many technologies. Some smaller AST tools support only one or two languages but provide much deeper coverage, often best if you only need to support those languages.
  • Source code availability – If the applications are developed in-house or the developer provides application source code, testing should use static code analysis tools. Without source code, testing should use dynamic analysis tools.
  • Use of open-source components – If the application was developed with many third-party, open-source components, a software composition analysis (SCA) tool is a must. SCA tools detect the versions of all such components in use and list all their known vulnerabilities and, often, mitigations.

Susan St. Clair, Senior Cybersecurity Strategist, Checkmarx

select application security testing solutionApplications are what drive the vast majority of organizations today, so keeping them secure really means keeping your broader business and customers secure. However, before diving head-first into adopting a new AST solution, it’s important to look at what you already have in place.

Do you have established AppSec security policies or a standard that you’d like to adopt? Do you have an established CI/CD process? Are you already using SAST and looking to add more advanced tools like IAST and SCA into the mix? How closely do your AppSec, DevOps, and development teams work together? What are your developers hoping to get out of an AST tool? How about your AppSec team? Having a solid understanding of where you stand in your AST journey is just as important as the solution(s) you use.

At a minimum, ensure that the tools you choose:

  • Work with DevOps to automatically trigger security scans and reduce remediation cycles
  • Seamlessly integrate into your DevSecOps and CI/CD pipelines
  • Are compatible with the framework and databases you’re already working with
  • Offer a one-stop shop model so you can get SAST, IAST, SCA, etc. all in one place without needing to mix-and-match across vendors, ultimately reducing TCO

Making AST a priority can set your organization apart, not only in your ability to build better, more secure applications and code, but also by letting your customers know that you place the utmost importance on delivering an end product they can feel confident in using.

How to secure software in a DevOps world

The COVID-19 pandemic and its impact on the world has made a growing number of people realize how many of our everyday activities depend on software.

We increasingly work, educate ourselves, play, communicate with others, consume entertainment, go shopping and do many other things in the digital world, and we depend on software and online services/apps to make that possible. Software is now everywhere and embedded within just about everything we touch.

The pandemic has also significantly accelerated companies’ digital transformation efforts and the proliferation of new software, and has stressed two undeniable facts:

  • Software security is more necessary than ever before
  • Automated application testing solutions that support developer workflows are the only way to achieve software security at such an intense pace and scale

Problems to solve when aiming for sofware security

When we talk about software security, we talk about proactively making an effort to create software that is nearly impenetrable to cyberattacks. We talk about working with that goal in mind during each phase of the software development lifecycle (SDLC) and finding and fixing security vulnerabilities before they have a chance of becoming a problem.

At a surface level, it sounds like a no-brainer, but there are a number of challenges organizations face when it comes to putting the idea in practice in the form of a true DevSecOps program.

Many traditional software security approaches are also falling short, either due to a lack of SDLC and developer workflow integration, a failure to cover all stages of the SDLC holistically, a disregard of developer needs, or a lack of testing automation.

Embedding security into DevOps

Slowly but surely, DevOps has become the software delivery methodology of choice for many organizations.

By aligning all the people/departments involved in software development and delivery and empowering them to work in tandem, organizations that choose the DevOps culture and implement it well are able to deliver high quality software faster. And those that choose to embed security into DevOps (DevSecOps), make the whole proposition less risky for everybody involved, including the customer.

But how to do it so that everybody involved is enthusiastically on board and satisfied? The answer is: make security testing intrinsic with the software development and delivery processes by integrating it into existing pipelines, make it automated, and embed AppSec training and awareness on top of all developer operations to ensure continuous education.

With its Software Security Platform, which merges static application security testing (SAST), software composition analysis (SCA), interactive application security testing (IAST) and in-context developer awareness and training (aka “Codebashing”), Checkmarx has all those requirements covered.

secure software DevOps

In fact, the company’s platform has recently been named by Gartner as the “best fit” for DevOps, and the company as a 2020 Gartner Magic Quadrant Leader for Application Security Testing for the third year in a row.

To them, that’s no surprise, as they are constantly working to be on the bleeding edge of software security by constantly innovating their fleet of AST solutions.

Matt Rose, Checkmarx’s Global Director of Application Security Strategy, says that they’ve seen a lot of changes in the industry throughout the years, but that their product was really designed ahead of its time and fits “unbelievably well” with the modern DevOps processes.

Not one of the aforementioned facts has gone unnoticed by private-equity firm Hellman & Friedman, which, in the midst of the COVID-19 pandemic, finalized a $1.15 billion acquisition of Checkmarx – the largest AppSec vendor acquisition to date.

The acquisition cements the company’s place in the industry as somebody that is not going away, Rose noted, and the investment will allow them to continue the forward momentum and prepare for the future in terms of providing the best application security testing platform in the world.

Developer-focused security and automation

There are a few recent additions to Checkmarx’s Software Security Platform that solve industry challenges:

  • How to identify vulnerable open source components in applications and quickly remediate vulnerabilities, and
  • How to simplify the automation of application security testing to reduce the friction and latency between developer and security teams.

The former comes in the form of a new SaaS-based software composition analysis (SCA) solution (CxSCA) that can be used as part of the platform or independently of it. Featuring a unique “exploitable path” capability, CxSCA leverages Checkmarx’s leading source analysis technologies to identify vulnerable open source components that are in the execution path of the vulnerability, allowing AppSec teams and developers to focus their remediation efforts on the greatest risks. This dramatically reduces time spent from the point of vulnerability detection to triage and increases developers’ productivity.

The latter is solved by Checkmarx’s unique automation capabilities via an orchestration module (CxFlow) for the platform. With this, Checkmarx enables automated scanning earlier in the code management process by integrating directly into source code management systems (think GitHub, GitLab, BitBucket, Azure DevOps), as well as providing extensive integrations with leading CI/CD tools. With developer and AppSec teams being asked to build and deploy software – that is secure – faster than ever before, the ability to automate testing within developers’ work environment is critical.

“A common way of thinking is that CI orchestration is the best place to automate application security testing capabilities. However, multiple implementation barriers – ranging from lengthy set up times to inflexible CI processes – usually accompany this approach,” Rose noted.

“With Checkmarx, we can automate the testing of the software earlier by focusing on the source code management systems. In doing so, when a developer pushes code into the source code management system when they’re done, we listen when that push or pull request is made and then automate the scanning all the way through tickets being created. Developers really benefit from this as it simplifies AST automation within DevOps, without interrupting their workflow.”

Looking ahead, Checkmarx continues to advance its offering to address the needed security for software and development trends like cloud native, microservices and containers. “DevOps is still evolving, a lot of the tooling is still evolving, and our capabilities will evolve with them,” Rose said.

Securing the application prior to release

There’s no doubt about it (and customers demand it): application security testing technologies must be automated to be effective in the modern software development arena, and Checkmarx is setting the standard. Their customers back this claim, with reviews on Gartner Peer Insights including:

  • “The Checkmarx products are invaluable to our organization. They are a key element of our AppSec strategy and implementation.”
  • “If your company’s developer workforce is not used to incorporating security standards into their builds, the Checkmarx stack of tools will do wonders for you in terms of integrating into your existing pipelines and providing the education via Codebashing that your developers will need.”

Other important requirements for effective AppSec testing tools include the ability to be fitted into developers’ toolchains, to cover all phases of SDLC (from coding through check-in and CI), to provide rapid feedback, and to be flexible, i.e., to allow for many different ways of implementing the technology based on the way an organization is developing software and to offer different deployment options.

Checkmarx offers all that to help organizations achieve the ultimate goal: flagging potential security vulnerabilities and risk early on, when remediation is considerably easier.

Drupal fixes three vulnerabilities, including one RCE

Drupal’s security team has fixed three vulnerabilities in the popular content management system’s core, one of which (CVE-2020-13663) could be exploited to achieve remote code execution.

CVE-2020-13663

Drupal is a free and open-source web content management system (CMS), and over a million sites run on various versions of it.

The most recent stable version is 9.x, released earlier this month.

About the most recently fixed vulnerabilities

Three security holes have been plugged with the latest versions of Drupal core (9.0.1):

CVE-2020-13664 is the most critical one, but can be only triggered under certain circumstances.

“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability,” Drupal’s security team explained, and added that Windows servers are most likely to be affected.

CVE-2020-13665 is an access bypass flaw that can be exploited only on sites that have the read_only set to FALSE under jsonapi.settings configuration. (By default, JSON:API works in a read-only mode.)

Both of these flaws affect Drupal versions 8.8.x, 8.9.x and 9.0.x. The third one – CVE-2020-13663 – also affects Drupal 7.x, the most widely used Drupal version (both according to Drupal and W3Techs).

CVE-2020-13663 is a document object model-based cross-site scripting (DOM XSS) vulnerability that was unearthed by Checkmarx researcher Dor Tumarkin.

“This type of XSS attack is achievable if a web application enters data to the DOM without being appropriately sanitized. In this case, an attacker can manipulate their input data to include XSS content on the web page, for example, malicious JavaScript code, which in-turn would be consumed by Drupal Core itself,” the company explained.

“An attacker abusing this vulnerability can take over the administrator role of a Drupal-based website and get full control that allows changing of content, creating malicious links, stealing sensitive or financial data, or whatever else comes to mind.”

What to do?

Admins of Drupal-based sites are advised to upgrade to Drupal v7.72, 8.8.8, 8.9.1 or 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Drupal v7.x is still maintained and receives security updates, but it will reach end-of-life in November of 2021, so admins that use it are urged to start planning the upgrade to a newer version, preferably 9.x.

New infosec products of the week: June 5, 2020

Checkmarx SCA: New SaaS-based software composition analysis solution

CxSCA leverages Checkmarx’s source code analysis and automation capabilities, empowering security and development teams to identify vulnerabilities within open source software that present the greatest risk and enable developers to focus and prioritize remediation efforts accordingly.

infosec products June 2020

Zyxel launches USG FLEX series of mid-range firewalls for SMBs

Zyxel’s new USG FLEX 100, USG FLEX 200 and USG FLEX 500 firewalls feature upgraded hardware and software power that level up SMB security with up to 125 percent of firewall performance and up to an additional 500 percent Unified Threat Management performance.

infosec products June 2020

New BitSight capabilities enable more effective third-party cyber risk management

BitSight announced several new, innovative capabilities within its BitSight for Third-Party Risk Management solution that provide intelligent recommendations, operational guidance, and risk prioritization to enable more effective third-party cyber risk management.

infosec products June 2020

Nyxeia helps you manage assets and data privacy protection requirements

Nyxeia announced new releases of its Information Governance Suite products. These releases include major updates to the .discover and .policy products used for information search, enhancement, and full lifecycle governance. Also included is a new product called .preserve for digital asset preservation, legal hold, and defensible disposition.

infosec products June 2020

Lumu helps security teams minimize alert fatigue, prioritize response, and accelerate remediation

Lumu announced a new Compromise Context capability that offers robust contextual intelligence around confirmed compromise instances, enabling security teams to deploy accelerated incident response efforts with precision. This new contextual functionality is included as part of the Lumu Insights platform, a cloud-based solution.

infosec products June 2020

Cooking up secure code: A foolproof recipe for open source

The use of open source code in modern software has become nearly ubiquitous. It makes perfect sense: facing ever-increasing pressures to accelerate the rate at which new applications are delivered, developers value the ready-made aspect of open source components which they can plug in where needed, rather than building a feature from the ground up.

secure software open source

Indeed, this practice has become so common that today the average application is composed mostly of open source libraries, with these components making up more than 80% of the average codebase.

But the widespread use of open source code has certain consequences. As with custom or home-grown code, open source libraries can contain vulnerabilities, and those vulnerabilities may be exploited by cybercriminals targeting these components as attack vectors to gain access to networks, intercept sensitive data, and influence or impede an application’s functionality. Open source code is distinct from custom code, however, in that its vulnerabilities – and many exploits for them – are published online, making it a particularly attractive target for malicious actors.

Calling all “chefs”

Any software developer knows that sometimes solving a problem is as simple as changing one’s perspective on the approach – which is why I’d like to introduce the “chef” analogy. It is often said that building software is like cooking fine cuisine. When cooking in your kitchen, you probably use some of your own know-how, a combination of recipes you’ve researched, and some premade ingredients that would simply be impractical to make on your own when you can get a better version right off-the-shelf. Building software that uses open source code follows much the same formula.

With this understanding, we can better visualize an approach to how to secure software in the age of open source, as a combination of selecting the right recipe, understanding your ingredients, and having the right tools and utensils in your “kitchen” to get the job done.

Finding the recipe

When getting ready to make a new dish, or in this case application, a common practice is to research a “recipe” as a starting point. Not all ‘recipes’ are created equal, and some will yield better results than others. The same applies to open source components.

Even if two components have the same name, they can be very different depending on which organization or developer community has created them, or the various iterations and forks which they have experienced. While they might share similar purpose or functionality, these components might contain slight changes that reflect the needs or preferences of the people who influenced their evolution. A good example of this is the difference between Red Hat Enterprise Linux and Ubuntu. In practice, these slight differences can add up to create a significant impact on functionality, compatibility, and security, and thus must be considered when researching which “recipe” to follow.

Choosing the best ingredients

As mentioned, vulnerabilities in open source components mean vulnerabilities in the software that leverages them. Therefore, just as it is important to know that the ingredients you’re using when cooking have not spoiled, it is essential to understand any existing vulnerabilities in the open source components being used. Ingredients that have gone bad can ruin what would otherwise be a perfectly good dish and, likewise, vulnerable open source components can ruin an otherwise secure application.

As with ingredients and food products, some vendors will issue recalls for bad batches. When using open source libraries from known organizations like Red Hat or Apache, for example, developers may receive “recall” notices by way of alerts to new vulnerabilities or patches which address security risks in the software they provide. It is quite possible, however, that a developer may need a community-driven component rather than one supported by large enterprises.

In this instance, the responsibility to identify and fix vulnerabilities falls on the developers. This is much easier said than done, as it is one thing to bear the burden of identifying and resolving these vulnerabilities by developing a new component version, and it is another to communicate the need to address the vulnerabilities to everyone using the vulnerable component version. Getting this done efficiently ultimately comes down to having the right equipment on hand.

Let “utensils” help

Just as some recipes will call for the use of a mixer while specifying that a whisk can be substituted at the cost of time, efficiency, and effectiveness, software being developed with open source code calls for its own tools to maximize quality. The equipment in a developer’s software “kitchen” is a key factor in whether or not the code they produce is secure and of high quality. When open source code is in use, Software Composition Analysis (SCA) tools are preferred for this.

SCA refers to the process of analyzing software, detecting the open source components within, and identifying associated risks, including security risks and license risks. Security risk refers to vulnerabilities that can be tracked in publicly available databases such as the National Vulnerability Database (NVD) or discovered by private security research teams. License risk can be a function of unfavorable license requirements associated with a particular component, the failure to comply with license requirements, or conflicts between unique licenses for different components within the same software project.

SCA solutions help developers by detecting open source components, giving insights into any associated vulnerabilities, and providing actionable information around risk and remediation. They also need to work well with other “appliances,” such as other security, development, and issue management tools. With the right SCA tool on hand, developers leveraging open source code can be sure that the software they ship will be much more secure.

Secure software and open source: Cooking up a masterpiece

It is always important to acknowledge that there is no silver bullet when it comes to software security, and open source is no exception. Keeping software secure is always going to take diligence and careful attention. Applications must be reviewed, then reviewed again to ensure that nothing has been missed.

Even if a developer follows all best practices, vulnerabilities can still persist, or new vulnerabilities may emerge for previously released software for where there had been no vulnerabilities. By following the advice laid out above, developers using open source code have a greater chance to be able to approach the challenge with a fresh perspective and understanding, increasing their open source security and serving software masterpieces in no time.

Checkmarx SCA: New SaaS-based software composition analysis solution

Checkmarx announced the launch of Checkmarx SCA (CxSCA), the company’s new, SaaS-based software composition analysis solution.

Checkmarx SCA

CxSCA leverages Checkmarx’s source code analysis and automation capabilities, empowering security and development teams to easily identify vulnerabilities within open source software that present the greatest risk and enable developers to focus and prioritize remediation efforts accordingly.

This dramatically reduces time spent from the point of vulnerability detection to remediation and increases developers’ overall productivity.

Existing approaches to securing open source within software often produce lengthy vulnerability reports riddled with inaccuracies, making it difficult for developers to understand where best to allocate their time and attention.

CxSCA alleviates these challenges with its unique automatic triage capabilities, generating scan results with the greatest possible accuracy and delivering these findings directly to developers.

With this insight, development teams can prioritize remediation efforts based on the level of risk presented by found vulnerabilities and accelerate remediation processes to deliver high-quality, more secure software faster.

CxSCA delivers industry-leading open source security risk awareness, visibility, and prioritization capabilities, while also increasing operational efficiency for DevOps and AppSec teams.

When coupled with Checkmarx SAST (CxSAST), organizations can secure both custom and open source code with one powerful, cohesive solution that provides unified management for project creation and scans, including the ability to run automated scans in source code repositories, such as GitHub, GitLab, and BitBucket, among others.

According to Gartner, “the combination of SAST and SCA can help deliver higher-fidelity results. The addition of SCA capabilities within an existing suite of testing tools can simplify installation, integration, administration, and maintenance.”

“While the open source vulnerability landscape continues to expand, organizations are also increasingly shifting security responsibilities onto developers, creating a dire need for innovative SCA solutions that accelerate developer remediation cycles,” said Nir Livni, VP of Products, Checkmarx.

“With CxSCA, Checkmarx enables development organizations to address open source vulnerabilities earlier in the SDLC and cut down on manual processes by reducing false positives and background noise, so they can deliver secure software faster and at scale.”

CxSCA can be used independently or as part of the broader Checkmarx Software Security Platform that also includes SAST, IAST, and integrated developer AppSec training and awareness, giving development teams a single, unified approach to managing their application security posture.

Additional CxSCA features include:

  • Extensive database of open source libraries and vulnerabilities: Cultivated by the Checkmarx Security Research Team, CxSCA’s exclusive database of open source libraries and vulnerabilities – even those with no corresponding CVE at the time of discovery – provides greater security and risk awareness above and beyond the National Vulnerability Database (NVD).
  • Seamless DevOps integration: CxSCA easily integrates into the entire SDLC offering relevant, actionable open source vulnerability insight and remediation guidance to streamline developer workflows and expedite delivery timelines.
  • Scalability & flexibility: CxSCA’s secure, SaaS-based flexible deployment model gives developers the scale and speed needed to meet their most demanding requirements, allowing them to remain focused on developing secure software rather than managing infrastructures.

Ron Kormanek joins Checkmarx’s executive management team

Checkmarx, a global leader in software security solutions for DevOps, announced that Ron Kormanek, vice president of North America sales, has been appointed to the company’s executive management team as it continues to drive rapid customer adoption and set the new standard for secure software development and delivery.

In this role, Kormanek will report directly to Checkmarx CEO, Emmanuel Benzaquen and continue to oversee all North America customer-facing sales functions, while also helping to set the company’s strategic direction as it breaks into new and emerging vertical industries.

“Since joining Checkmarx nearly six years ago, Ron has been instrumental in both growing our customer portfolio by being at the forefront of some of our largest deals and cementing our status as the North American market leader in software security,” said Benzaquen.

“As organizations increasingly look to embed security into every step of their DevOps processes, they’re turning to our AST solution suite due to its flexibility, ease of deployment, and reliability.

“We’re excited for Ron’s continued contributions as he joins our executive management team and further delivers the highest levels of customer success and profitable growth.”

Since joining the company in 2014, Kormanek has propelled Checkmarx’s sales to an annual growth rate of 50% – 100%. Most recently in 2019, he and his team helped lead Checkmarx to 50% year-over-year revenue growth, highlighted by 18 seven-figure deals, a company record.

Additionally, under his leadership, Checkmarx now serves 42 of the Fortune 100 companies, as well as half of the Fortune 50, as customers.

“Today’s organizations and development teams are being asked to deliver higher volumes of software at a faster pace than ever before, which is leading to concerning security gaps,” added Kormanek.

“Checkmarx is uniquely positioned to help customers of all sizes address this challenge, empowering them to push secure applications and software into production more quickly at scale.

“After our record-setting 2019, momentum remains on our side, and I’m excited for what lies ahead as I expand my role and we continue to prioritize customer success and our channel partnerships in everything we do.”

Kormanek possesses more than 20 years of sales and management experience at large technology companies. Prior to joining Checkmarx, he served as VP of Sales for HP’s Enterprise Security division.

Security pitfalls to avoid when programming using an API

OWASP’s API Security Project has released the first edition of its top 10 list of API security risks.

API security risks

The most common and perilous API security risks

API abuse is an ongoing problem and is expected to escalate in the coming years, as the number of API implementations continues to grow.

The OWASP API Security Project aims to provide software developers and code auditors with information about the risks brought on by insecure APIs.

Earlier this month, they’ve published the official OWASP API Security Top 10 list, which looks like this:

1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring

Each of the risks comes with an explanation, example attack scenarios and advice on how to mitigate it it. It also includes links to helpful free resources (education material, guides, cheat sheets, etc.) for developers and DevSecOps practitioners.

The document can be downloaded from GitHub.

“There are issues that look simple, but are critical, like good housekeeping and documenting APIs. There are also complex issues of access control that might require some attention from the design phase,” Erez Yalon, director of security research at Checkmarx and co-lead on the OWASP API Security Project, told Help Net Security.

“To put it simply, follow this list closely – OWASP has done the groundwork for development teams and security professionals to improve their knowledge around security risks to look out for when implementing APIs. Understanding the vulnerabilities outlined within will help teams to mitigate against API security risks and to put systems into place moving forward.”

Future plans

This first version of the list has been based on publicly available data about API security incidents, security experts’ contributions, and discussion with security practitioners.

“We are planning another version of the OWASP API Security Top 10 in 2020,” he noted.

“This time, in addition to using the knowledge of the AppSec community, we will also use a public call for data that will enable us to fine-tune the list. Additionally, we will be working on a cheat sheet that will be a more practical guide for developers, pen-testers, and auditors.”

As adversaries set their sights on this emerging target, awareness and education around the security pitfalls outlined in the OWASP API Security Top 10 list will be key to the development of secure applications in the future, he concluded.

Android camera apps could be hijacked to spy on users

A vulnerability in the Google Camera app may have allowed attackers to surreptitiously take pictures and record videos even if the phone is locked or the screen is off, Checkmarx researchers have discovered. In addition to this, attackers would have also been able to eavesdrop on and record phone conversations, silence the camera shutter, transfer captured photos, video and data to their C&C server, and pull GPS location based on photo’s metadata. Android camera spy: … More

The post Android camera apps could be hijacked to spy on users appeared first on Help Net Security.