Checkmarx 8.6 Boasts New Features - Including Application Risk Management

Checkmarx has packed features/enhancements into their product suite, making it great for dev teams looking to include AppSec testing directly in the CI/CD pipeline.

By John Vester
Mar. 08, 18 · Review

Last month, the team at Checkmarx released a feature-packed update to their application security platform. I first became impressed with Checkmarx a little over a year ago, upon seeing their wide range of supported languages and tooling - including the force.com platform used to host the industry-leading Salesforce solution. As their product has matured, their well-designed interface and dedication to plugging into the CI/CD pipeline have further gained my respect for the space they aim to fill within the open range of application security.

With the 8.6 release, there were enhancements in two of their existing products and the introduction of a new product aimed at application risk management.

CxSAST Features and Enhancements

The CxSAST product is the heart of their solution set, providing source code analysis for uncompiled program code to identify hundreds of security vulnerabilities well before applications are deployed for use. With options for on-premises and cloud-based implementations, the CxSAST product is ready to analyze code with a majority of the mainstream programming languages in use today.

With the 8.6 release, support for the following languages and frameworks has been included:

  • TypeScript (Native)
  • Angular 4 (Compatible with 2+)
  • .NET Core 1.1
  • Google Guice - dependency injection framework

Additionally, the scan engine has been updated to include coverage for mobile device security (iOS and Android) and support for object aliasing, pointers, and references (Java, .NET, C#, C++).

Finally, CI/CD features continue to build upon the seamless experience of integrating Checkmarx into automated build processes. For Jenkins users, the 8.6 release of Checkmarx can fail a build when new SAST vulnerabilities are encountered. Jenkins credential manager support has been added, as well as updates to the scan reporting capabilities. For Bamboo users, the Checkmarx plug-in can now globally enable/disable new project creation. From a command-line interface (CLI) perspective, support for exit codes and asynchronous runs has been added.

CxOSA Enhancements

The CxOSA product is geared toward managing the security risks and legal implications of using open-source components. In the past, vulnerabilities like OpenSSL's Heartbleed and Bash ShellShock have found their way into corporations because a tool like CxOSA was not in place. CxOSA leverages the multi-language support found in CxSAST - covering the majority of languages utilized by development teams today.

The 8.6 update allows Checkmarx to extract compressed archives before the scan process begins. This includes WAR and EAR files, along with Zip-nested archives - when using CxOSA as part of the build pipeline with Jenkins, Bamboo, CLI, and TeamCity. For Microsoft developers, the MS-VSTS plug-in introduces support for CxOSA - with the ability to initiate scans, report results, and break the build on established thresholds.

CxARM Introduced

The CxARM product, introduced with the 8.6 release, provides an application security risk management solution geared toward development and application security managers. The product introduces a view into security risks at a macro level. Using a centralized console, AppSec policies can be defined and standards/thresholds can be established for all applications within an entity's portfolio.

As part of the initial CxARM release, an OData API can be utilized to query, aggregate, and filter resulting information obtained from CxSAST and CxOSA implementations. With this information readily available, custom dashboards can be created or enhanced to include data maintained by the Checkmarx product suite.

Conclusion

The Gartner Group listed Checkmarx as a leading challenger with a high ability to execute in their 2017 Magic Quadrant for Application Security Testing. Updates to the Checkmarx suite of products place this rising vendor on an equal stage with leading providers HPE, Veracode, and IBM.

If you are looking for a static analysis tool that can plug into your current CI/CD pipeline and support a wide range of languages and tooling, Checkmarx should be on the short list of products to review.

Have a really great day!
