Checkmarx

Static Code Analysis

According to a recent study conducted by 7Safe on 64 real incidents, 86% of cyber attacks are performed on applications versus networks while only 11% of security spending is geared towards application hardening.

Applications are only marginally protected by application firewalls. Methods such as Dynamic Application Security Testing, which simulate attacks against the running application, can neither identify all the problems nor show how to fix them.

It comes as no surprise that Gartner’s 2011 Magic Quadrant for Static Application Security Testing (SAST) states that, “SAST should be considered a mandatory requirement for all IT organizations that develop or procure application”.


Why Static Code Analysis?

Static code analysis (SCA) delivers security and meets the requirement of incorporating security into the software development lifecycle (SDLC). It is the only proven method that covers the entire code base and identifies all vulnerable patterns. In static code analysis the entire code base is abstracted, and all code properties and code flows are exposed. Checkmarx goes beyond other static code analysis tools by storing all these code properties in an open, queryable database.

Cyber attacks have certain identifiable patterns and fingerprints. A secure SDLC process integrates static code analysis in order to match suspicious patterns against code properties. Auditors and developers have immediate access to the problem and can mitigate it easily.

Checkmarx has built an open platform for static code analysis that overcomes many shortcomings of other static code analysis tools. We provide a user-friendly, highly productive, flexible and accurate risk intelligence platform.


Supported languages

Checkmarx’s SAST technology automatically scans non-compiled / un-built source code of any type to identify the exact locations of security vulnerabilities within the code that could be exploited by attackers. Checkmarx also provides a reference of recommended ways to modify the source code so that application-level attacks are prevented.

Checkmarx is committed to maximum code coverage of its technology, catering for the most common coding languages used by its clients.

The following coding languages are supported by Checkmarx’s source code analysis solution:

Java, C# / .NET, PHP, C, C++, Visual Basic 6.0, VB.NET, Flash, APEX, Ruby, Javascript, ASP, Perl, Android, Objective C, PL/SQL, HTML5.


Vulnerability Coverage

Software security vulnerabilities are well documented and standardized by bodies such as SANS and OWASP, which branded the OWASP Top 10 vulnerabilities. Checkmarx’s SAST solution supports all OWASP Top 10 and SANS standards out of the box, but full software vulnerability coverage goes above and beyond these lists. Checkmarx has built a platform that enables limitless coverage of the software vulnerability spectrum.

This has been achieved using our unique Open Architecture, in which every program is converted into an abstract code representation and stored in a queryable persistent database. Security vulnerabilities are then detected using an open query language.

Out-of-the-box queries cover all known software security vulnerabilities listed in the OWASP Top 10, SANS and other standards. Furthermore, the auditor can adjust and write queries for further detection, enabling broad coverage and infinite accuracy.
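The "abstract the code, store its properties and flows, then query for vulnerable patterns" architecture described above, as an added illustration that is not Checkmarx code and does not use Checkmarx's query language. It uses Python's standard `ast` module as the abstraction step, keeps the extracted facts (assignments, data-flow edges, calls) in a small in-memory store, and runs a taint-flow query over it. The source and sink lists (`TAINT_SOURCES`, `SINKS`) and the program being scanned (`SAMPLE_SOURCE`) are constructed for this example and are deliberately minimal.

```python
"""Toy query-based static analysis: abstraction -> fact store -> query.

Added example, not Checkmarx's implementation. The sample program is
constructed and intentionally contains one unsafe flow (untrusted input
reaching a shell-string sink) and one flow that the default query ignores.
"""
import ast
from collections import defaultdict

# Constructed sample program to scan.
SAMPLE_SOURCE = '''
import os, subprocess

def list_dir():
    name = input("dir: ")          # untrusted source
    path = "/srv/" + name
    os.system("ls " + path)        # shell-string sink reached by tainted data

def safe_list():
    name = input("dir: ")
    subprocess.run(["ls", name])   # argument list, not a shell string
'''

TAINT_SOURCES = {"input"}               # hypothetical, minimal source list
SINKS = {"os.system", "eval", "exec"}   # hypothetical, minimal sink list


def qualname(node):
    """Dotted name of a call target (e.g. 'os.system'), or None if not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def names_in(node):
    """All variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


class CodeStore:
    """The 'queryable database' of abstracted code properties."""

    def __init__(self):
        self.deps = defaultdict(lambda: defaultdict(set))  # func -> var -> {vars it derives from}
        self.tainted = defaultdict(set)                      # func -> {vars assigned from a source}
        self.calls = []                                      # (func, callee, arg names, line)


def abstract(source):
    """Abstraction step: walk the AST once and record data-flow and call facts."""
    store = CodeStore()
    tree = ast.parse(source)
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(fn):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                target = node.targets[0].id
                store.deps[fn.name][target] |= names_in(node.value)
                if any(isinstance(c, ast.Call) and qualname(c.func) in TAINT_SOURCES
                       for c in ast.walk(node.value)):
                    store.tainted[fn.name].add(target)
            elif isinstance(node, ast.Call):
                callee = qualname(node.func)
                if callee:
                    args = set().union(*(names_in(a) for a in node.args)) if node.args else set()
                    store.calls.append((fn.name, callee, args, node.lineno))
    return store


def reaches_taint(store, func, var, seen=None):
    """Query primitive: does `var` derive, transitively, from a taint source in `func`?"""
    seen = set() if seen is None else seen
    if var in store.tainted[func]:
        return True
    if var in seen:
        return False
    seen.add(var)
    return any(reaches_taint(store, func, d, seen) for d in store.deps[func].get(var, ()))


def find_tainted_sinks(store, sinks=SINKS):
    """The vulnerability query: a sink call whose arguments carry tainted data."""
    return [{"function": func, "sink": callee, "line": line}
            for func, callee, args, line in store.calls
            if callee in sinks and any(reaches_taint(store, func, a) for a in args)]


def scan(source, sinks=SINKS):
    """Full pipeline; `sinks` lets an auditor adjust the query without re-abstracting logic."""
    return find_tainted_sinks(abstract(source), sinks)


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(f"{finding['function']}: tainted data reaches {finding['sink']} at line {finding['line']}")
```

The point of the separation is the one the page makes: the abstraction runs once, and the query is the part an auditor adjusts. Passing `sinks={"subprocess.run"}` to `scan` flags the second function instead of the first without touching the abstraction, which is how a broader or stricter policy is expressed in this design.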