Checkmarx CxSAST is a static source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in source code, such as security vulnerabilities, compliance issues, and business logic problems.
Without building or compiling the project, CxSAST parses the source into a logical graph of the code's elements and the data and control flows between them, and then runs queries against that internal graph. It ships with hundreds of preconfigured queries for known vulnerability classes in each supported language (for example, untrusted input reaching a database call without passing through a sanitizer). Using the CxSAST Auditor tool, you can write additional queries of your own for security, QA, and business logic purposes.
CxSAST provides scan results either as static reports or in an interactive interface that traces each vulnerability's data flow through the code, from the point where untrusted data enters to the point where it is used, and offers remediation guidance. Individual results can be triaged (for example, marked as not exploitable) to suppress false positives, and workflow metadata can be attached to each result instance. That metadata is carried forward through subsequent scans for as long as the same instance continues to be found.
The input to CxSAST is source code, not binaries, so no build or compile step is required and no third-party libraries need to be available; the code does not even need to compile and link cleanly. Consequently, CxSAST can scan and report at any point in a project's development life cycle. The corresponding caveat is that code which is not part of the scan (such as an unavailable library) is analysed only through the names and signatures visible in the scanned code, not through its implementation.
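To make the mechanism described above concrete, here is a small added example of a query-based source analysis in Python. It is illustrative code written for this page, not Checkmarx code, and it does not use CxQL: it parses source text with the standard `ast` module (nothing is compiled or imported, and calls into unscanned code are matched by name only), builds a simple variable-level data-flow graph, and then runs two hypothetical queries (SQL injection and command injection) defined by source, sanitizer and sink names. The source/sink/sanitizer lists and the `SAMPLE` program are constructed assumptions for the demonstration.

```python
"""Toy query-based static analysis over a data-flow graph built from source text.
Added example: not Checkmarx code and not CxQL. Rule names are assumptions."""
import ast
from dataclasses import dataclass, field

# The "preconfigured queries": where untrusted data enters, what breaks a flow,
# and which calls are dangerous destinations. All names are assumed for the demo.
SOURCES = {"request.args.get", "input"}
SANITIZERS = {"int", "html.escape"}
SINKS = {
    "SQL_Injection": {"cursor.execute"},
    "Command_Injection": {"os.system", "subprocess.call"},
}


def qualname(node):
    """Dotted name of a call target (e.g. request.args.get), or None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


@dataclass
class Flow:
    origin: int                                  # line where untrusted data enters
    path: list = field(default_factory=list)     # (line, variable) hops since then


class TaintGraph(ast.NodeVisitor):
    """One linear pass over the statements: assignments add edges to the graph,
    sink calls are checked against the taint reaching their command argument."""

    def __init__(self):
        self.taint = {}        # variable name -> Flow currently reaching it
        self.findings = []     # (rule, sink name, sink line, Flow)

    def flow_of(self, expr):
        """Return the Flow reaching this expression, or None if it is clean."""
        if isinstance(expr, ast.Call):
            name = qualname(expr.func)
            if name in SANITIZERS:
                return None                      # sanitizer breaks the flow
            if name in SOURCES:
                return Flow(origin=expr.lineno)  # untrusted data enters here
        if isinstance(expr, ast.Name) and expr.id in self.taint:
            return self.taint[expr.id]
        for child in ast.iter_child_nodes(expr):  # concatenation, f-strings, ...
            found = self.flow_of(child)
            if found:
                return found
        return None

    def visit_Assign(self, node):
        flow = self.flow_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if flow:
                    self.taint[target.id] = Flow(flow.origin, flow.path + [(node.lineno, target.id)])
                else:
                    self.taint.pop(target.id, None)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = qualname(node.func)
        for rule, sinks in SINKS.items():
            # Only the statement/command argument is checked, so a parameterised
            # query with data passed separately is (correctly) not reported.
            if name in sinks and node.args:
                flow = self.flow_of(node.args[0])
                if flow:
                    self.findings.append((rule, name, node.lineno, flow))
        self.generic_visit(node)


def scan(source):
    """Run all queries over one source text; returns one dict per finding."""
    graph = TaintGraph()
    graph.visit(ast.parse(source))
    return [
        {"rule": rule, "sink": sink, "line": line,
         "source_line": flow.origin, "path": [var for _, var in flow.path]}
        for rule, sink, line, flow in graph.findings
    ]


# Constructed sample input: two injectable queries, one parameterised query,
# and one injectable shell command. Line numbers are counted from the first
# newline, so "uid = ..." is line 4.
SAMPLE = '''
import os
def lookup(request, cursor):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    cursor.execute(query)
    safe_id = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %s", (safe_id,))
    cursor.execute(f"SELECT * FROM users WHERE name = '{uid}'")
    cmd = "ping " + uid
    os.system(cmd)
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['rule']}: {f['sink']} at line {f['line']}, "
              f"input from line {f['source_line']} via {' -> '.join(f['path'])}")
```

Running it reports the `cursor.execute` calls on lines 6 and 9 and the `os.system` call on line 11, each traced back to the `request.args.get` call on line 4 with the variables the data passed through; the parameterised query on line 8 is not reported because the tainted value never reaches the statement text. The same structure (a graph built from source, rule definitions separate from the engine, and a per-finding flow path) is what a triage interface displays and what a custom query adds to.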
CxSAST also supports Open Source Analysis (CxOSA), which adds license and compliance management, vulnerability alerts, policy enforcement and reporting for third-party components. CxOSA covers the most common programming languages, so organizations can secure the open source components they depend on alongside their in-house code.
You can integrate CxSAST into several stages of your development cycle: build automation tools (Apache Ant and Maven), version control systems (Git), issue tracking and project management software (Jira), repository hosting services (GitHub), application vulnerability management platforms (ThreadFix), continuous integration servers (Bamboo and Jenkins), cloud application platforms (Salesforce), code quality inspection platforms (SonarQube) and source code management tools (TFS).
CxSAST scans can be started manually, scheduled periodically, or triggered on each build by one of the integrated build or CI systems.
CxSAST also supports a wide range of OS platforms, programming languages and frameworks.
CxSAST is deployed on a server and accessed by users through its web interface or one of its IDE plugins (Eclipse, Visual Studio and IntelliJ).
AppSec Coach™ is an in-context eLearning platform that sharpens the skills developers need to fix vulnerabilities and write secure code. With AppSec Coach, secure coding training is one click away, which increases both training engagement and learning effectiveness. AppSec professionals recognize that, to keep up with the pace of development, companies have to empower developers to take ownership of application security and to prioritize vulnerabilities like any other software defect. More often than not, however, developers lack application security skills, and existing training solutions are ineffective and pull them away from their main task, writing code. Even where periodic security training exists, it is usually dull and detached from the developer's normal work routine, so whatever is learned fades quickly and the training has little lasting effect.
LEARN BY DOING
AppSec Coach™ teaches developers the principles of secure coding and helps them sharpen application security skills efficiently. AppSec Coach is fully integrated into CxSAST, so when developers encounter a reported vulnerability they can open the matching learning module with a single click. Once they have worked through the hands-on training, they return to their code equipped to resolve the problem.
Key benefits include:
Engaging: contextual training is available when and where the developer needs to fix the code.
Fast learning curve: interact with live vulnerable applications that show how exploits work behind the scenes.
Effective: the right content at the right time continuously improves developers' secure coding skills.
Fun: hack it, step by step.