Checkmarx 8.6 Boasts New Features - Including Application Risk Management
Checkmarx has packed features/enhancements into their product suite, making it great for dev teams looking to include AppSec testing directly in the CI/CD pipeline.
Last month, the team at Checkmarx released a feature-packed update to their application security platform. I first became impressed with Checkmarx a little over a year ago, upon seeing their wide range of supported languages and tooling - including the force.com platform used to host the industry-leading Salesforce solution. As their product has matured, their well-designed interface and dedication to plugging into the CI/CD pipeline have further gained my respect for the space they aim to fill within the open range of application security.
With the 8.6 release, there were enhancements in two of their existing products and the introduction of a new product aimed at application risk management.
CxSAST Features and Enhancements
The CxSAST product is the heart of their solution set, providing source code analysis for uncompiled program code to identify hundreds of security vulnerabilities well before applications are deployed for use. With options for on-premises and cloud-based implementations, the CxSAST product is ready to analyze code with a majority of the mainstream programming languages in use today.
With the 8.6 release, support for the following languages and frameworks has been included:
Angular 4 (Compatible with 2+)
.NET Core 1.1
Google Guice - dependency injection framework
Additionally, the scan engine has been updated to include coverage for mobile device security (iOS and Android) and support for Object aliasing, Pointers, and References (Java, .NET, C#, C++).
Finally, CI/CD features continue to build upon the seamless experience of integrating Checkmarx into automated build processes. For Jenkins users, the 8.6 release of Checkmarx can fail a build when new SAST vulnerabilities are encountered. Jenkins credential manager support has been added, as well as updates to the scan reporting capabilities. For Bamboo users, the Checkmarx plug-in can now globally enable/disable new project creation. From a command-line interface (CLI) perspective, support for exit codes and asynchronous runs has been added.
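The "fail the build only on new SAST findings" gate and the CLI exit-code behaviour described above, as an added example that is not Checkmarx's code or report format: it diffs a constructed baseline scan against a current scan using a line-insensitive fingerprint, so a finding that merely moved does not count as new, and maps the result to an exit code against a severity threshold. The record layout, rule names and severity levels are assumptions made for the example.

```python
"""Build gate: fail a CI job only when a scan introduces NEW findings.

Added example; the record layout below is an assumption, not Checkmarx's
report format. Findings are compared by a location-insensitive fingerprint
(rule + file + whitespace-normalised snippet) so a line shift alone is not "new".
"""
import hashlib
import re
import sys
from typing import Dict, Iterable, List

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Info": 0}

def fingerprint(f: Dict) -> str:
    """Stable identity for a finding that ignores its line number."""
    snippet = re.sub(r"\s+", " ", f["snippet"]).strip()
    raw = f"{f['rule']}|{f['file']}|{snippet}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def new_findings(baseline: Iterable[Dict], current: Iterable[Dict]) -> List[Dict]:
    """Return findings in `current` whose fingerprint is absent from `baseline`."""
    seen = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in seen]

def exit_code(new: List[Dict], fail_at: str = "Medium") -> int:
    """0 = pass, 1 = new finding at/above threshold, 2 = new findings only below it (warn)."""
    if not new:
        return 0
    worst = max(SEVERITY_RANK[f["severity"]] for f in new)
    return 1 if worst >= SEVERITY_RANK[fail_at] else 2

# Constructed sample results (not real scan output).
BASELINE = [
    {"rule": "SQL_Injection", "severity": "High", "file": "app/db.py", "line": 40, "snippet": "cur.execute(q % user)"},
    {"rule": "Log_Forging", "severity": "Low", "file": "app/views.py", "line": 12, "snippet": "log.info(name)"},
]
CURRENT = [
    # Same SQL injection, shifted seven lines and re-spaced: must NOT count as new.
    {"rule": "SQL_Injection", "severity": "High", "file": "app/db.py", "line": 47, "snippet": "cur.execute(q  % user)"},
    {"rule": "Log_Forging", "severity": "Low", "file": "app/views.py", "line": 12, "snippet": "log.info(name)"},
    {"rule": "Path_Traversal", "severity": "Medium", "file": "app/files.py", "line": 9, "snippet": "open(base + name)"},
]

if __name__ == "__main__":
    new = new_findings(BASELINE, CURRENT)
    for f in new:
        print(f"NEW {f['severity']:6} {f['rule']} {f['file']}:{f['line']}")
    sys.exit(exit_code(new))  # CI treats a non-zero exit as a failed build step
```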
CxOSA Features and Enhancements
The CxOSA product is geared toward managing the security risks and legal implications of using open-source components. In the past, vulnerabilities like Heartbleed in OpenSSL and ShellShock in Bash have found their way into corporations because a tool like CxOSA was not in place. CxOSA leverages the multi-language support found in CxSAST - covering the majority of languages utilized by development teams today.
The 8.6 update allows Checkmarx to extract packaged archives before the scan process begins. This includes WAR and EAR files, along with Zip-nested archives - when using CxOSA as part of the build pipeline with Jenkins, Bamboo, CLI, and TeamCity. For Microsoft developers, the MS-VSTS plug-in introduces support for CxOSA - with the ability to initiate scans, report results, and break the build on established thresholds.
CxARM: Application Risk Management
The CxARM product, introduced with the 8.6 release, provides an application security risk management solution geared toward development and application security managers. The product introduces a view into security risks at a macro level. Using a centralized console, AppSec policies can be defined and standards/thresholds can be established for all applications within an entity's portfolio.
As part of the initial CxARM release, an OData API can be utilized to query, aggregate, and filter resulting information obtained from CxSAST and CxOSA implementations. With this information readily available, custom dashboards can be created or enhanced to include data maintained by the Checkmarx product suite.
The Gartner Group listed Checkmarx as a leading challenger with a high ability to execute in their 2017 Magic Quadrant for Application Security Testing. Updates to the Checkmarx suite of products place this rising vendor on an equal stage with leading providers HPE, Veracode and IBM.
If you are looking for a static analysis tool that can plug into your current CI/CD pipeline and support a wide range of languages and tooling, Checkmarx should be on the short-list of products to review.
Have a really great day!