Checkmarx 8.6 Boasts New Features - Including Application Risk Management

Checkmarx has packed features/enhancements into their product suite, making it great for dev teams looking to include AppSec testing directly in the CI/CD pipeline.

By John Vester (DZone Core) · Mar. 08, 18 · Review

Last month, the team at Checkmarx released a feature-packed update to their application security platform. I first became impressed with Checkmarx a little over a year ago, upon seeing their wide range of supported languages and tooling - including the force.com platform used to host the industry-leading Salesforce solution. As their product has matured, their well-designed interface and dedication to plugging into the CI/CD pipeline have further gained my respect for the space they aim to fill within the broad field of application security.

With the 8.6 release, there were enhancements in two of their existing products and the introduction of a new product aimed at application risk management.

CxSAST Features and Enhancements

The CxSAST product is the heart of their solution set, providing source code analysis of uncompiled program code to identify hundreds of security vulnerabilities well before applications are deployed for use. With options for on-premises and cloud-based implementations, the CxSAST product is ready to analyze code written in the majority of mainstream programming languages in use today.

With the 8.6 release, support for the following languages and frameworks has been included:

  • TypeScript (native)
  • Angular 4 (compatible with 2+)
  • .NET Core 1.1
  • Google Guice - dependency injection framework

Additionally, the scan engine has been updated to include coverage for mobile device security (iOS and Android) and support for object aliasing, pointers, and references (Java, .NET, C#, C++).

Finally, CI/CD features continue to build upon the seamless experience of integrating Checkmarx into automated build processes. For Jenkins users, the 8.6 release of Checkmarx can fail a build when new SAST vulnerabilities are encountered. Jenkins credential manager support has been added, as well as updates to the scan reporting capabilities. For Bamboo users, the Checkmarx plug-in can now globally enable/disable new project creation. From a command-line interface (CLI) perspective, support for exit codes and asynchronous runs has been added.

CxOSA Enhancements

The CxOSA product is geared toward managing the security risks and legal implications of using open-source components. In the past, vulnerabilities such as Heartbleed (OpenSSL) and ShellShock (Bash) have found their way into corporations because a tool like CxOSA was not in place. CxOSA leverages the multi-language support found in CxSAST - covering the majority of languages utilized by development teams today.

The 8.6 update allows Checkmarx to extract compressed archives before the scan process begins. This includes WAR and EAR files, along with nested Zip archives - when using CxOSA as part of the build pipeline with Jenkins, Bamboo, CLI, and TeamCity. For Microsoft developers, the MS-VSTS plug-in introduces support for CxOSA - with the ability to initiate scans, report results, and break the build on established thresholds.
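The build-gating behaviour described in the two sections above (fail a build only on findings that are new relative to the previous scan, break on established severity thresholds, and signal the outcome through the exit code) can be reproduced around any scanner's exported results. The following is an added example, not Checkmarx's own code or report format; the JSON layout and field names are a constructed stand-in for an exported scan report.

```python
"""Build gate: fail only on NEW findings that exceed per-severity thresholds."""
import json
import sys
from collections import Counter

SEVERITIES = ("High", "Medium", "Low")

# Constructed sample reports (not a real Checkmarx export): the baseline is
# the previous build's scan, the current report is this build's scan.
BASELINE_JSON = """[
 {"query": "SQL_Injection", "severity": "High", "file": "dao/User.java", "line": 42},
 {"query": "Log_Forging", "severity": "Medium", "file": "web/Login.java", "line": 17}
]"""
CURRENT_JSON = """[
 {"query": "SQL_Injection", "severity": "High", "file": "dao/User.java", "line": 42},
 {"query": "Log_Forging", "severity": "Medium", "file": "web/Login.java", "line": 17},
 {"query": "Reflected_XSS", "severity": "High", "file": "web/Search.java", "line": 88},
 {"query": "Hardcoded_Password", "severity": "Low", "file": "cfg/Db.java", "line": 9}
]"""


def load_report(text):
    """Parse an exported report (constructed format) into a list of findings."""
    return json.loads(text)


def finding_key(f):
    # A finding is identified by its query (rule), file and line.
    return (f["query"], f["file"], f["line"])


def new_findings(baseline, current):
    """Findings present in the current scan but absent from the baseline."""
    seen = {finding_key(f) for f in baseline}
    return [f for f in current if finding_key(f) not in seen]


def evaluate_gate(baseline, current, thresholds):
    """Return (exit_code, counts_of_new_findings_by_severity).

    thresholds maps severity -> maximum number of NEW findings tolerated;
    a severity missing from the map is treated as zero tolerance.
    Exit code 0 = build may proceed, 1 = at least one threshold breached."""
    counts = Counter(f["severity"] for f in new_findings(baseline, current))
    breached = [s for s in SEVERITIES if counts[s] > thresholds.get(s, 0)]
    return (1 if breached else 0), dict(counts)


if __name__ == "__main__":
    code, counts = evaluate_gate(load_report(BASELINE_JSON), load_report(CURRENT_JSON),
                                 {"High": 0, "Medium": 2, "Low": 5})
    print("new findings by severity:", counts)
    sys.exit(code)  # a CI runner treats a non-zero exit as a failed build step
```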

CxARM Introduced

The CxARM product, introduced with the 8.6 release, provides an application security risk management solution geared toward development and application security managers. The product introduces a view into security risks at a macro level. Using a centralized console, AppSec policies can be defined and standards/thresholds can be established for all applications within an entity's portfolio.

As part of the initial CxARM release, an OData API can be utilized to query, aggregate, and filter resulting information obtained from CxSAST and CxOSA implementations. With this information readily available, custom dashboards can be created or enhanced to include data maintained by the Checkmarx product suite.

Conclusion

The Gartner Group listed Checkmarx as a leading challenger with a high ability to execute in their 2017 Magic Quadrant for Application Security Testing. Updates to the Checkmarx suite of products place this rising vendor on an equal stage with leading providers HPE, Veracode, and IBM.

If you are looking for a static analysis tool that can plug into your current CI/CD pipeline and support a wide range of languages and tooling, Checkmarx should be on the short list of products to review.

Have a really great day!
