Joining Forces with ZAP to Enhance DAST
https://checkmarx.com/blog/expanding-checkmarx-dast-capabilities-with-zap/
Published Tue, 24 Sep 2024 11:17:02 +0000

“And then, they joined forces to provide a more secure application world.”

This could be the perfect ending to a cybersecurity film, but it’s even better—it’s the exciting reality of ZAP’s core team joining Checkmarx to deliver the best in Dynamic Application Security Testing (DAST)! ZAP project leaders Simon Bennetts, Ricardo Pereira, and Rick Mitchell are joining Checkmarx to help develop the next generation of our enterprise-grade DAST solution. They will continue to support the open-source project and grow the ZAP community. This transition allows them to focus fully on advancing DAST.

What is DAST?


For those unfamiliar, DAST is a technique for testing a web application while it is running: the scanner sends requests to the deployed application, much as an attacker would, and examines the responses for evidence of vulnerabilities. Unlike static analysis, DAST needs no access to source code, which makes it well suited to finding problems that only show up in a deployed environment, such as server and framework misconfigurations, authentication and session-handling flaws, and injection points whose behaviour depends on the runtime stack. It complements SAST by surfacing vulnerabilities that static analysis alone may leave hidden.

What is ZAP?


ZAP (Zed Attack Proxy) is the world’s most widely used web application scanner, having been downloaded millions of times. This popularity is one of the reasons Checkmarx initially integrated it into its DAST solution.

Simon Bennetts, Ricardo Pereira and Rick Mitchell are ZAP’s project leaders and have been contributing to, guiding and reviewing every contribution to the open-source project.

What does it mean for Checkmarx customers?


For users of Checkmarx DAST, our commercial offering, this collaboration means they will now benefit from the unmatched expertise of the ZAP core team. Checkmarx will continue to empower organizations to secure their applications from code to cloud. The ZAP team’s deep knowledge, gained from contributing to nearly every aspect of ZAP, adds tremendous value to Checkmarx’s already robust offering.

Checkmarx will gain unique insights and focus, enabling us to deliver enhancements to Checkmarx DAST faster. The Checkmarx research team, working alongside ZAP’s leadership, will improve the accuracy of the engine, reducing false positives and helping customers focus only on relevant findings. The team will also enhance key features such as scan rules, automation, and authentication.

For customers already using our DAST solution, the usage will remain seamless. The new features developed with the ZAP core team will be integrated into our existing solution and available “out of the box” in Checkmarx DAST.


A unified view of vulnerabilities


By combining Static Application Security Testing (SAST), DAST, and API security testing into a single platform, Checkmarx provides a unified view of vulnerabilities, allowing for comprehensive analysis. This holistic approach to vulnerability management, which includes both static and dynamic analysis, along with API security, ensures better prioritization and more efficient remediation.

Integrating DAST in the Checkmarx One platform helps secure applications by detecting vulnerabilities in live environments and throughout the SDLC. Correlation between the different results adds a layer of prioritization, making remediation more efficient. It’s a key part of our vision for managing application risk, spanning from development to runtime insights (code-to-cloud).

What does it mean for ZAP and the open-source community?


Moving forward, ZAP will be known as “ZAP by Checkmarx” and will continue as a separate, community-driven project under the Apache v2 license. As Simon noted in his blog, “This is by far the biggest investment any one company has made in ZAP and ensures that ZAP will continue to thrive.”

For the open-source community, this collaboration is great news. Checkmarx has a proven track record with open source projects such as KICS, 2MS, CxFlow, Vorpal, ImageX and many others, contributing significantly to the community.

Personally, as the previous Product Manager for our open-source secret detection solution (2MS) and through my work with our research team identifying malicious packages, I’ve always felt a close connection to the open-source community. I’m happy to have another opportunity to contribute.

The ZAP community will benefit from our company’s expertise and resources, enabling the development of key features requested by the community. ZAP by Checkmarx will continue to be a community-driven, open-source DAST solution, while our enhanced Checkmarx DAST will build upon and improve on our existing solution.

This marks a significant step in expanding our dynamic application security testing capabilities and strengthens our commitment to Checkmarx DAST, with the knowledge and support of the ZAP project leaders.

If you’d like to learn more, feel free to contact us.

Understanding EPSS Score
https://checkmarx.com/blog/understanding-epss/
Published Fri, 30 Aug 2024 19:08:51 +0000

Intro


You are a security professional who has been given the task of managing and mitigating the wide array of vulnerabilities in the open-source software your organization uses. In an ideal world, you would have the time, energy, and resources to start fixing each and every one of them immediately, including the new ones coming in every day.


However, reality is quite different. No one has all the necessary resources at their disposal, and the volume of vulnerabilities in open-source software is overwhelming: tackling every single one would take an unrealistic amount of time, people, and money.
 

Proliferating CVEs - EPSS Scoring



The only viable solution is to prioritize. So, how do you effectively prioritize your efforts?
Having the right tools in your vulnerability management toolbox is critical. This is where the Exploit Prediction Scoring System (EPSS) comes in.


Understanding EPSS: Enhancing Vulnerability Management


Developed by the Forum of Incident Response and Security Teams (FIRST) [1], EPSS [2] provides a data-driven approach to predicting the likelihood of a vulnerability being exploited in the wild within the next 30 days. By leveraging this industry-recognized standard, organizations can make informed decisions and allocate their limited resources much more efficiently.


At its core, EPSS is a probability score ranging from 0 to 1 (0 to 100%). A higher score indicates a greater likelihood of a vulnerability being exploited. But how is this score calculated, and what factors does it consider?

EPSS considers a wide range of information, including:

  • Vendor
  • Vulnerability age
  • References
  • Vulnerability description
  • Common Weakness Enumeration (CWE)
  • CVSS metrics
  • Various exploit lists (e.g., CISA KEV, Google Project Zero, Trend Micro’s Zero Day Initiative)


By analyzing this data and correlating it with exploitation activity observed through honeypots, IDS/IPS sensors, and host-based detection, EPSS provides a nuanced understanding of the urgency of a vulnerability. It uses machine learning to find patterns connecting the vulnerability data above with the exploitation activity gathered over time.


Interpreting EPSS Scores


EPSS data is refreshed daily and offers two key metrics: probability and percentiles.
Probability represents the likelihood of a vulnerability being exploited in the wild within the next 30 days, while the percentile indicates the percentage of vulnerabilities that have a score equal to, or lower than, a particular vulnerability’s score.


For example, an EPSS probability of just 0.10 (10%) rests at about the 88th percentile – meaning that 88% of all CVEs are scored lower. These percentiles are derived from probabilities and offer insights into how a particular EPSS probability compares to all other scores – all the other CVEs.


The figure below shows the distribution of EPSS probabilities for over 170,000 vulnerabilities as of March 2022. Most vulnerabilities score below 10%, which reflects the global picture: only a small minority of published CVEs is ever observed being exploited in the wild.


Limitations and Considerations

While EPSS is a powerful tool, it’s essential to understand its limitations and use it in conjunction with other exploitability metrics and threat intelligence. Some key points to keep in mind:

  • EPSS scores are derived from observed data and are recomputed daily, so a score can move over time; a decision based on yesterday’s score may need to be revisited.
  • If there is evidence that a vulnerability is being actively exploited, that information should supersede EPSS. EPSS is a prediction made before threat intelligence arrives, so it can lag behind live incidents.
  • The model can only score what it can see: disclosed vulnerabilities and publicly reported exploitation activity. Exploitation that is never observed, or never published, is not reflected in the score, a limitation FIRST itself acknowledges.
  • EPSS is a risk management model, not a guarantee. Past exploitation does not guarantee future exploitation and, conversely, a vulnerability that has been known for years without being exploited can still surge once a public exploit appears.


EPSS Score vs. CVSS: Understanding the Difference


EPSS and CVSS (Common Vulnerability Scoring System) are both measures to help organizations manage vulnerabilities, but they serve different purposes.


EPSS aims to predict the likelihood of a vulnerability being exploited, using a forward-looking and probabilistic approach. In contrast, CVSS evaluates the severity of a vulnerability by assessing its characteristics and potential impact, with a descriptive and deterministic approach.


The graph below shows the comparison between CVSS and EPSS scores for a sample of CVEs.


EPSS Value in Prioritizing Remediation and Risk Management


EPSS should be treated as one aspect of the overall vulnerability management picture, complementing other factors like CVSS.


FIRST compares two strategies: one prioritizing CVEs with a CVSS base score of 7.0 or higher, and another prioritizing CVEs with an EPSS probability of 0.1 or higher.


They compared:
  • Effort: the proportion of all vulnerabilities being prioritized for remediation.
  • Efficiency: how well resources were spent, measured as the percent of prioritized vulnerabilities that were actually exploited, i.e. TP / (TP + FP), correctly prioritized over everything prioritized.
  • Coverage: the percent of exploited vulnerabilities that were prioritized, calculated as the number of exploited vulnerabilities prioritized (TP, correctly prioritized) divided by the total number of exploited vulnerabilities (TP + FN, correctly prioritized plus incorrectly delayed).


By prioritizing vulnerabilities with an EPSS of 0.1 and higher, organizations can significantly reduce their remediation effort while improving efficiency.
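To make the percentile definition from the previous section and the effort/efficiency/coverage metrics above concrete, here is an added example in Python. It is not FIRST’s or Checkmarx’s code. It builds a constructed list of ten vulnerabilities with made-up CVSS scores, EPSS probabilities and exploitation labels, computes the three metrics for the two strategies FIRST compared, and shows a simple triage order in which observed exploitation (KEV) overrides the EPSS prediction, as the limitations above recommend. The CVE-0000-* identifiers, the tier names and all numbers are placeholders.

```python
"""Added example (not FIRST's or Checkmarx's code): FIRST's percentile definition
and the effort/efficiency/coverage metrics, computed over a constructed CVE set.
Every score and 'exploited' label below is made up for illustration."""
from bisect import bisect_right
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float              # CVSS base score, 0..10 (severity, deterministic)
    epss: float              # EPSS probability, 0..1 (exploitation within 30 days)
    kev: bool = False        # listed in CISA KEV (observed exploitation)
    exploited: bool = False  # ground truth used to score the strategies


# Constructed sample, not real CVEs. Note that the two highest CVSS entries
# were not exploited while a CVSS 5.3 entry was: this is the pattern FIRST reports.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.020),
    Vuln("CVE-0000-0002", 7.5, 0.010),
    Vuln("CVE-0000-0003", 5.3, 0.450, exploited=True),
    Vuln("CVE-0000-0004", 8.1, 0.920, kev=True, exploited=True),
    Vuln("CVE-0000-0005", 4.3, 0.003),
    Vuln("CVE-0000-0006", 7.2, 0.120),
    Vuln("CVE-0000-0007", 6.1, 0.300, exploited=True),
    Vuln("CVE-0000-0008", 9.1, 0.050),
    Vuln("CVE-0000-0009", 3.7, 0.001),
    Vuln("CVE-0000-0010", 7.8, 0.009),
]


def percentile(scores, score):
    """Fraction of scores that are <= score: FIRST's percentile definition."""
    ranked = sorted(scores)
    return bisect_right(ranked, score) / len(ranked)


def evaluate(vulns, select):
    """Effort, efficiency and coverage of a prioritization rule `select`."""
    prioritized = [v for v in vulns if select(v)]
    tp = sum(v.exploited for v in prioritized)            # prioritized and exploited
    fn = sum(v.exploited for v in vulns if not select(v))  # exploited but delayed
    return {
        "effort": len(prioritized) / len(vulns),
        "efficiency": tp / len(prioritized) if prioritized else 0.0,
        "coverage": tp / (tp + fn) if tp + fn else 0.0,
    }


def triage_tier(v, epss_threshold=0.1, cvss_threshold=7.0):
    """Observed exploitation (KEV) beats predicted exploitation (EPSS), which
    beats severity alone (CVSS). Thresholds are the ones FIRST used; tier
    names are placeholders."""
    if v.kev:
        return "immediate"
    if v.epss >= epss_threshold:
        return "this-sprint"
    if v.cvss >= cvss_threshold:
        return "scheduled"
    return "backlog"


if __name__ == "__main__":
    strategies = {
        "CVSS >= 7.0": lambda v: v.cvss >= 7.0,
        "EPSS >= 0.1": lambda v: v.epss >= 0.1,
    }
    for name, rule in strategies.items():
        m = evaluate(SAMPLE, rule)
        print(f"{name:12} effort={m['effort']:.2f} "
              f"efficiency={m['efficiency']:.2f} coverage={m['coverage']:.2f}")
    scores = [v.epss for v in SAMPLE]
    for v in SAMPLE:
        print(f"{v.cve} epss={v.epss:.3f} "
              f"percentile={percentile(scores, v.epss):.2f} tier={triage_tier(v)}")
```

On this constructed set the CVSS rule prioritizes six of ten vulnerabilities and catches one of the three exploited ones, while the EPSS rule prioritizes four and catches all three. The shape matches FIRST’s published comparison, but the exact numbers here are illustrative only; run it against your own inventory with real scores to see the trade-off for your environment.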


They also analyzed EPSS and CVSS scores to understand their correlation [3]. The analysis showed that attackers do not exclusively target the most impactful or easiest-to-exploit vulnerabilities, challenging the assumption that they only focus on the most severe ones. Therefore, it’s recommended to use a combination of factors to effectively prioritize which vulnerabilities to patch first.


EPSS at Checkmarx


At Checkmarx, we understand the importance of effective vulnerability management. That’s why customers using the Checkmarx One platform can leverage the integrated EPSS scores for quicker and more effective risk triage and remediation.


EPSS complements our existing array of exploitability metrics which include but are not limited to:

  • KEV (Known Exploited Vulnerability): A vulnerability cataloged by CISA as a Known Exploited Vulnerability, indicating that it poses a severe and imminent threat.
  • POC (Proof of Concept): A Proof of Concept for exploiting the vulnerability is available in the wild, making it easy for threat actors to implement an exploitation of this vulnerability.
  • Exploitable Path: This feature analyzes whether your source code provides a path through which a specific vulnerability can actually be exploited. Checkmarx SCA uses SAST to scan the project code itself alongside the dependency manifest, checking whether the vulnerable open-source package is called from your proprietary code and whether the vulnerable method is reached. This lets you focus remediation on vulnerabilities that are actually exploitable in your application. Exploitable Path also identifies which lines in your project code reach the vulnerable method in the vulnerable package and shows you the full path to the vulnerability.


By combining these tools, our customers can achieve a comprehensive view of their vulnerability landscape and take proactive measures to mitigate risks with high potential to be exploited by malicious actors.


The following displays how EPSS and the other exploitability metrics are integrated into the Checkmarx One platform.
 


 
Conclusion


Staying ahead of current threats requires a proactive and data-driven approach. EPSS offers organizations a valuable tool to prioritize their vulnerability management efforts effectively. By leveraging EPSS alongside other exploitability metrics, security professionals can make informed decisions, allocate resources efficiently, and strengthen their overall security posture.


At Checkmarx, we are committed to providing our customers with the most comprehensive and cutting-edge vulnerability management solutions and empowering organizations to navigate the complex landscape of open source vulnerabilities with confidence and precision.


References


[1] FIRST: https://www.first.org/
[2] EPSS: https://www.first.org/epss/
[3] EPSS: User Guide, Using EPSS and CVSS Together https://www.first.org/epss/user-guide

Level Up Your Container Security
https://checkmarx.com/blog/level-up-your-container-security/
Published Mon, 05 Aug 2024 10:50:00 +0000

Containerization has transformed software development by boosting portability and deployment efficiency. However, this shift also brought substantial security challenges. Unlike traditional monolithic apps, containers create a dynamic and distributed environment that expands the potential attack surface.

By 2029, more than 95% of global organizations will be running containerized applications in production, according to Gartner. This is a significant increase from less than 50% in 2023. To address these challenges, Checkmarx has developed an innovative container security solution designed to secure your applications from development to deployment.

Let’s explore the real-world impact of our solution and highlight how it helped a leading cloud-based service provider enhance their own container security.

But first: what are containers?

Containers are a form of operating-system-level virtualization that packages an application together with its dependencies, so the application runs consistently across different computing environments regardless of the host it lands on. In simpler terms, imagine a container as a shipping container: it carries everything an application needs to run (code, libraries, settings) while staying separated from the system it runs on. That separation is what gives containers their portability. It is weaker than a virtual machine’s, however, because containers share the host kernel, which is one reason the runtime and host need securing alongside the image.

While containers provide many benefits, they also introduce unique security challenges. Pulling container images from public registries can expose systems to malware and vulnerabilities. Large base images are like unnecessary baggage: they slow down operations and ship extra packages, each of which brings its own vulnerabilities. And limited visibility into containerized environments can leave security threats unnoticed.

Containerization is popular when developing, deploying, and running microservices-based applications. Microservices are small, independent applications that work together to form a larger application. Containers are ideal for this because they isolate each service and make it easy to deploy and scale. Because containers offer efficient resource utilization and faster deployment times, it is easier for developers to build, test, and deploy applications rapidly.

Why securing containers is crucial

We know that it’s convenient to pull container images from public registries. Although it saves time, this practice can expose your systems to malware and vulnerabilities, since hackers often upload malicious images to exploit unsuspecting developers. Similarly, sensitive information like passwords or API keys can inadvertently find their way into container registries, leading to data breaches. Managing these secrets is crucial.

Another pitfall is relying solely on static image scanning tools. These tools are great for detecting known vulnerabilities, but often miss emerging threats or misconfigurations. This oversight can leave your containers exposed. The inherent nature of containers increases the attack surface compared to traditional applications. Developers must secure multiple layers, including container runtimes, orchestrators, and plugins, to mitigate these risks effectively.

Adopting minimal base images, updated regularly, can significantly reduce these risks. Limited visibility makes it challenging to detect and respond to issues in real time. Robust visibility and observability tools are essential in gaining deep insights into container workloads and implementing effective threat detection and response strategies.

While containers offer immense benefits, they also require security frameworks. Addressing issues like insecure image sources, exposed secrets, incomplete static scanning, an increased attack surface, bloated base images, and limited visibility can help secure your containerized environments. Staying ahead of threats ensures that you can harness the full potential of containerization without compromising on security.
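Several of the pitfalls listed above (unpinned or bloated base images, secrets baked into images, unverified remote content, copying the whole build context, running as root) are visible in the Dockerfile before any image is built. The following is an added example, not Checkmarx’s scanner or the Docker Desktop extension described later on this page: a small Python checker with a constructed rule set, run over two constructed Dockerfiles, one exhibiting the mistakes and a hardened counterpart. The rule names, the placeholder password and the all-zero image digest are invented for illustration.

```python
"""Added example (not Checkmarx code): a Dockerfile checker for the pitfalls
discussed above. The rule set and both Dockerfiles are constructed here."""
import re

SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
FULL_DISTROS = {"ubuntu", "debian", "centos", "fedora", "rockylinux", "almalinux"}

# Constructed sample: every instruction is deliberately risky. The password is a placeholder.
RISKY_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=changeme-placeholder
ADD https://example.invalid/tool.tar.gz /opt/
RUN apt-get update && \\
    apt-get install -y python3
COPY . /app
CMD ["python3", "/app/main.py"]
"""

# Constructed hardened counterpart. The all-zero digest is a placeholder, not a real image.
HARDENED_DOCKERFILE = f"""\
FROM python:3.12-slim@sha256:{'0' * 64}
RUN useradd --system --no-create-home app
COPY --chown=app:app app/ /app/
USER app
CMD ["python3", "/app/main.py"]
"""


def parse_dockerfile(text):
    """Yield (line_no, INSTRUCTION, args); joins backslash continuations, skips comments."""
    parts, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not parts:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line)
        instr, _, args = " ".join(parts).partition(" ")
        parts = []
        yield start, instr.upper(), args.strip()


def split_image_ref(ref):
    """'registry:5000/ns/name:tag@sha256:...' -> (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    last = name.rsplit("/", 1)[-1]          # drop registry and namespace
    base, _, tag = last.partition(":")
    return base, tag, digest


def lint_dockerfile(text):
    """Return [(line_no, rule_id, message)]; line 0 marks a whole-file finding."""
    findings = []
    user_set = False
    for n, instr, args in parse_dockerfile(text):
        tokens = [t for t in args.split() if not t.startswith("--")]  # drop --platform, --chown
        if instr == "FROM" and tokens:
            user_set = False  # every stage starts as root again
            base, tag, digest = split_image_ref(tokens[0])
            if not digest and tag in ("", "latest"):
                findings.append((n, "unpinned-base", f"{tokens[0]}: no tag or :latest, build is not reproducible"))
            elif not digest:
                findings.append((n, "tag-only-pin", f"{tokens[0]}: pin by @sha256 digest, tags are mutable"))
            if base in FULL_DISTROS and "slim" not in tag:
                findings.append((n, "full-distro-base", f"{base}: full distribution image, prefer slim or distroless"))
        elif instr in ("ENV", "ARG"):
            pairs = [t.split("=", 1) for t in tokens] if "=" in args else [args.split(None, 1)]
            for pair in pairs:
                key, value = pair[0], (pair[1] if len(pair) > 1 else "")
                if value and SECRET_NAME.search(key):
                    findings.append((n, "secret-in-env", f"{key}: literal value persists in image layers and history"))
        elif instr == "ADD":
            if any(t.startswith(("http://", "https://")) for t in tokens):
                findings.append((n, "remote-add", "ADD from URL has no integrity check; fetch in RUN and verify a checksum"))
        elif instr == "COPY":
            if any(t in (".", "./") for t in tokens[:-1]):
                findings.append((n, "copy-context", "COPY . ships the whole build context (.env, .git); list paths, keep a .dockerignore"))
        elif instr == "USER" and tokens:
            user_set = tokens[0].split(":")[0] not in ("root", "0")
    if not user_set:
        findings.append((0, "root-user", "final stage has no non-root USER; processes run as root"))
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {label}: {len(lint_dockerfile(text))} finding(s)")
        for line, rule, msg in lint_dockerfile(text):
            print(f"  line {line:>2} {rule:17} {msg}")
```

Secrets still have to get into the build somehow; the hardened file simply leaves them out, and in practice they would be supplied at build time through BuildKit secret mounts or at runtime through the orchestrator, never as ENV or ARG literals. The checker is deliberately heuristic (it reads instructions, not image layers), so it complements rather than replaces scanning the built image for vulnerable packages.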

Introducing our new Container Security solution

Checkmarx provides a new powerful container security solution that enhances team efficiency across the software development lifecycle. It empowers developers and security teams with the following benefits:

Comprehensiveness:  Checkmarx goes beyond static scanning, offering a rich set of features including image scanning, package inspection, vulnerability assessment, triage, remediation, results view, scan risk report, image breakdown, and Sysdig integration for runtime coverage.

Proactive Security: Early vulnerability identification and mitigation within the development process minimizes security risks in production.

Actionable Insights: Checkmarx provides detailed information about vulnerabilities, enabling developers to prioritize remediation efforts and act.

Ease of Use: The solution integrates seamlessly with existing workflows, minimizing disruption to development processes.

Diving into key container security capabilities

Let’s dive into some of our key container security capabilities:

Checkmarx’s container security approach starts with comprehensive image scanning. It examines every layer of an image—base image, software dependencies, and application code—to uncover vulnerabilities and threats. Constant updates to vulnerability databases ensure it identifies the latest threats.

Next, the solution inspects the packages within container images. It checks package versions to confirm that current, patched versions are in use and verifies licenses to avoid potential legal issues.

Finally, it offers detailed image breakdowns. Users can drill down into each layer of a container image to view vulnerabilities and package details. This granular view enables developers to pinpoint and address specific security issues effectively.

 

Vulnerability Assessment:  Checkmarx prioritizes vulnerabilities based on severity and provides detailed information about each one. This includes the CVE details, potential impact, and remediation guidance.

Triage:  This allows users to manage the severity and status of vulnerabilities for each project or application. They can update severity levels, change status (e.g., Verify, Not Exploitable), and maintain detailed audit trails for all actions taken.

 

Remediation: Checkmarx identifies vulnerabilities within container images and recommends alternative base images with a lower security risk profile. This approach helps developers choose more secure foundations for their applications.

 

Results View: This intuitive interface provides a detailed view of container image scan results. Users can see the distribution of vulnerabilities across different severities and analyze them based on runtime status.

 

Scan Risk Report:  Checkmarx generates comprehensive reports summarizing scan results, including the number of vulnerabilities and their severity. These reports can be downloaded in various formats (JSON, CSV, PDF) for further analysis and compliance purposes.

 

Final Thoughts

Checkmarx offers a comprehensive container security solution that empowers developers and security teams throughout the development lifecycle. By identifying and mitigating vulnerabilities early, Checkmarx helps organizations build secure and compliant containerized applications. The case study demonstrated how a cloud service provider achieved a significant reduction in vulnerabilities and improved security posture with Checkmarx.

As containerization continues to reshape software development, prioritizing container security is no longer optional. By leveraging solutions like the Checkmarx One Platform, organizations can unlock the full potential of this technology while ensuring the long-term security of their applications and data.

Ready to take the next step?

Visit our website to learn more about Checkmarx’s container security solution and download our free container security Enhancement guide. You can also request a demo to experience the solution firsthand and see how it integrates seamlessly into your development workflow.

Wondering what you should consider when picking a container security solution? Here are six important things to keep in mind.

Glossary of terms – Container Security

Attack Surface: The sum of all potential entry points that an attacker can use to gain access to a system. A larger attack surface means more vulnerabilities attackers can exploit.

Base Image: The foundation image upon which a container is built. It typically contains the operating system and essential libraries needed for your application to run. Choosing a minimal base image reduces the attack surface.

Container: A lightweight, self-contained unit of software that packages code and all its dependencies (libraries, configuration files) for deployment and execution. Imagine a shipping container for code, allowing it to run consistently across different environments.

Container Image: A template that defines the contents and configuration of a container. It’s like a blueprint for building a container with specific functionalities.

Container Registry: A repository that stores and manages container images. Developers can pull (download) images to create containers and push (upload) new images they’ve built. Think of it as a library for container images.

Container Security: The practice of protecting containerized applications and the infrastructure they run on from vulnerabilities, malware, and unauthorized access. It’s crucial to ensure the integrity and security of your containerized environment.

DevSecOps: An approach to software development that integrates security considerations throughout the entire development lifecycle (Dev), security operations (Sec), and IT operations (Ops). Container security is a key aspect of DevSecOps.

Exploit: A piece of code or script that takes advantage of a vulnerability to gain unauthorized access or cause harm. Exploiting vulnerabilities in containers can compromise your applications and data.

Runtime: The environment where containers are executed. Container security needs to consider both the security of the image and the runtime environment.

Static Image Scanning: A security analysis technique that examines container images for known vulnerabilities without running the container. It’s like checking the ingredients list of a meal for potential allergens before cooking.

Vulnerability: A weakness or flaw in software that can be exploited by attackers to gain unauthorized access or cause harm. Vulnerabilities in container images or underlying infrastructure pose a risk to container security.

Introducing the Checkmarx Docker Desktop Extension
https://checkmarx.com/blog/introducing-the-checkmarx-docker-desktop-extension/
Published Mon, 05 Aug 2024 10:50:00 +0000

The Rise of Docker and Containerization

Docker, an open-source platform that automates the deployment of applications in lightweight, portable containers, has impacted application development and deployment since its launch in 2013. Containers bundle an application with its dependencies, ensuring consistent operation across different environments. This addresses the common “it works on my machine” problem, making Docker an essential tool for developers and operations teams. Docker’s rise in popularity is due to its ability to simplify the deployment process, enhance scalability, and improve resource efficiency.

According to Gartner, by 2029 more than 95% of global organizations will be running containerized applications in production, a significant increase from less than 50% in 2023 (source: Sysdig 2023 Cloud-Native Security and Usage Report).

The Importance of Security in Containerization

Containers, by their very nature, package not just the application but also its dependencies, which often include outdated or vulnerable software. Why does that matter? Vulnerable software can lead to a security breach, which in turn can cost customers, as clients lose confidence in the company’s ability to protect their information. Ensuring that these containers are free from known vulnerabilities is critical to maintaining the integrity and security of the deployed applications. According to Red Hat’s State of Kubernetes Security 2023 report, cloud-native technologies offer agility, faster time to market, and reliability, yet 67% of enterprises face deployment delays due to security concerns. Security incidents can lead to severe impacts, including employee terminations, fines, revenue loss, and eroded customer trust.

According to the same source, in the last 12 months 66% of enterprises experienced software supply chain security issues due to the use of insecure container images, and “more than 50% of respondents are worried about misconfigurations and vulnerabilities”.

Recognizing these challenges, Checkmarx aims to meet developers where they are with our Docker Desktop extension, which empowers them to strengthen the security posture of their Docker images early in the development lifecycle and adopt a proactive security approach.

What is Docker Desktop

With over 3.3 million installs, Docker Desktop is one of the most popular software platforms for developers. It allows them to work locally on their workstations and provides out-of-the-box containerization technology for building, running, and sharing applications.

This means that developers can build an application on one computer and then run it on another, without having to worry about installing all the dependencies that the application needs. This saves developers time and effort.


Checkmarx Docker Desktop Extension Overview

The Checkmarx Docker Desktop Extension is designed to enhance the security of your Docker images by proactively identifying and mitigating vulnerabilities. This extension integrates seamlessly with Docker Desktop, providing robust features such as comprehensive image scanning, package inspection, and vulnerability assessment.

Let’s dive deeper and understand how the Checkmarx Docker Desktop Extension works

 

Let’s begin with a common use case.

You want to ensure your container image’s security. In that case, you should utilize a container security engine to scan it for risks.

Once you scan, you discover 632 vulnerabilities. Next, you must investigate them, assess their severities, and prioritize fixes accordingly.

You can then work through the image scan results, upgrading to safer package versions where any are available, or looking at specific CVEs.

 

Alternatively, opting for a more secure base image earlier in your development cycle can reduce vulnerabilities and risks. This is where Checkmarx Docker Desktop Extension comes in.

By seamlessly integrating this capability into Docker Desktop, developers can proactively identify and mitigate security issues much earlier, significantly reducing the risk of exposure in production environments.

 

Once you have assessed the security posture of the image you intend to use, based on the tool recommendation, you can continue to use it or select a different base image with a stronger security posture. In our example, you can see a decrease from 591 vulnerabilities to just two.

 



The extension uses Checkmarx’s proprietary database and provides insights and recommendations to protect images from security risks, preserving the integrity of your containerized environments.

The key capabilities of the Checkmarx Docker Desktop Extension include:

  1. Free Tool: No cost to use, with additional premium features coming soon.
  2. No Checkmarx Account Required: Accessible without needing to sign up.
  3. Image Scanning: Scan local images to obtain a detailed breakdown of image layers and identify security risks associated with dependencies
  4. Package Inspection: Inspect packages within Docker images to ensure compliance with security best practices (package version, license,…)
  5. Vulnerability Assessment: Identify vulnerabilities associated with packages within Docker images. You will find a detailed description of the CVE and its severity.
  6. Recommendations and Remediation (Premium Feature): Receive suggestions for fixing vulnerabilities (coming soon).

The Checkmarx Docker Desktop Extension is a significant advancement in container security, empowering developers to strengthen their Docker images and align with industry best practices. With the integration of security into the development workflow, our extension enables developers to build and deploy secure containerized applications with confidence.

The Checkmarx Docker Desktop Extension is an important tool for developers and DevOps professionals. By providing detailed insights into vulnerabilities along with robust scanning and inspection features, this extension helps maintain the integrity and security of containerized environments.

Install Checkmarx Docker Desktop Extension: Link to download.
You can find the detailed documentation here.

What CEOs Need to do to be NIST 800-218 SSDF Ready
https://checkmarx.com/blog/what-ceos-need-to-do-to-be-nist-800-218-ssdf-ready/
Published Mon, 22 Jul 2024 19:39:05 +0000

What is NIST 800-218, the Secure Software Development Framework (SSDF)?

In March 2023, the White House published the National Cybersecurity Strategy. In July 2023, the White House followed that up with the National Cybersecurity Strategy Implementation Plan.

As we wrote in a blog post earlier this year:

“With the introduction of the National Cybersecurity Strategy earlier this year, the US Government has started to use its influence and buying power to alter the behavior of all software producers. The US Government is the world’s largest consumer of IT products and services in dollars. It appears they will be using that buying power to add additional cybersecurity requirements for all software purchased. Companies will be faced with the options of changing their behavior or walking away from selling to the federal government.

The National Cybersecurity Strategy makes the case that there must be a shift of the burden for cybersecurity from the consumers of software to the producers of software. One of the requirements they are implementing is that all software vendors attest that they developed their software in accordance with NIST 800-218, the Secure Software Development Framework, or SSDF.”

Companies providing software to government customers need to certify that their development process meets certain standards known as the Secure Software Development Framework (SSDF).

The Secure Software Development Framework (SSDF) is composed of “fundamental, sound, and secure recommended practices based on established secure software development practice documents” and organized into four groups:

  • Prepare the Organization (PO): Ensure that people, processes, and technology are prepared to perform secure software development at the organization level.
  • Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.
  • Produce Well-Secured Software (PW): Produce well-secured software with minimal security vulnerabilities in its releases.
  • Respond to Vulnerabilities (RV): Identify residual vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar ones in the future.

What CEOs Need to Do Right Now

  1. Understand the Requirements: Familiarize yourself with NIST 800-218 and the SSDF.
  2. Designate a Responsible Leader: Assign a high-level leader, such as the CISO, to oversee SSDF compliance.
  3. Conduct an Internal Audit: Ensure your software development lifecycle (SDLC) aligns with SSDF practices.
  4. Leverage Tools: Use tools like Checkmarx One and Codebashing to meet SSDF standards.
  5. Sign the Attestation Form: Verify the security practices and sign the Secure Software Development Attestation Form.

Taking these steps will help secure your software development processes and maintain your business relationship with the federal government.

What NIST 800-218 Requires

NIST 800-218 is not strictly a compliance requirement but rather a set of best practices. The Secure Software Development Framework (SSDF) is a core set of high-level secure software development practices that can be integrated into each SDLC implementation.

So, it isn’t a compliance framework—it’s a set of principles that should be followed. This is an important distinction since Checkmarx supports the implementation of many of those practices.

Why Now?

On March 11th, the Cybersecurity and Infrastructure Security Agency (CISA) released a critical form—the Secure Software Development Attestation Form. This stems from government mandates (OMB memorandums M-22-18 and M-23-16) aiming to improve software security for government use.

The form requires a signature from a high-level leader within your software company, potentially the CEO. The deadline is coming up fast!

Submitting false information is a crime. Simply checking “yes” to all questions without truly adhering to secure development is a risky strategy.

This is the opportunity for CEOs to verify with their teams if they are managing their SDLC securely and maturing their security practices.

The Attestation Form has a short list of basic software security requirements which are a small subset of the NIST Secure Software Development Framework (SSDF). It has examples for each task to simplify the requirements, which are sometimes less straightforward for CEOs.

CEOs and CISOs should audit their requirements, replacing the examples in the Attestation Form with their own material.

This form signifies a growing focus on secure software development within the government sector. Understanding these requirements and taking them seriously is crucial for companies doing business with the American federal government.

According to the press release from CISA, this is “a critical step towards ensuring software producers who work with Government provide securely developed products” and “furthers the President’s National Cybersecurity Strategy, which made clear that the “most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem.””

Simplify NIST 800-218 SSDF Compliance Certification

Want to see how Checkmarx can help your organization achieve NIST SSDF compliance and improve its security posture?

How Checkmarx One Can Help Achieve Compliance

Checkmarx products and services help organizations meet the requirements of the SSDF.

Checkmarx’s Assessment and Advisory services, in particular the APMA framework, can help identify gaps and create an actionable workplan to improve your AppSec program.

We have mapped where specific requirements of NIST 800-218 align with the APMA framework, so you can be confident that your AppSec program meets the SSDF standards. The practices are implemented through a combination of tools such as Checkmarx One, in conjunction with the relevant processes and procedures being put into place.

We previously laid out which of these requirements are supported by Checkmarx.

Checkmarx One supports many of these regulations with a comprehensive AppSec platform that provides differentiated users and roles, full records and audits of activities, and comprehensive security controls across the entire SDLC—from SAST and SCA to API Security, Container Security, Infrastructure as Code, and more.

Here are just a few examples of how Checkmarx helps organizations meet SSDF’s requirements:

  • PO.2.2: Role-based training for personnel with responsibilities that contribute to secure development. Checkmarx Codebashing directly supports PO.2.2 by offering developers constantly updated secure code training.
  • PS.3.2: Collecting, safeguarding, maintenance, and sharing of data for all components in each software release, such as in a software bill of materials (SBOM). Checkmarx supports this with Checkmarx SBOM, designed to meet these compliance challenges head-on and provide an automated and efficient solution for generating and maintaining SBOMs.
  • PW.5: Source code adherence to secure coding practices. Checkmarx SAST can automatically scan your application’s source code, identify vulnerabilities, and even remediate them automatically with a click of a button. Developers get real-time feedback on their code to ensure it meets secure coding practices.

If you have any questions or would like to have a deeper discussion on implementation in support of SSDF, please contact us.

Demystifying Infrastructure as Code Security: A Technical Deep Dive https://checkmarx.com/blog/demystifying-infrastructure-as-code-security-a-technical-deep-dive/ Tue, 16 Jul 2024 11:00:00 +0000 https://staging.checkmarx.com/?p=96597 Infrastructure as Code (IaC) has become a driver in the evolution of software development, making it faster and more agile, with a 0.8 billion dollar market in 2022 that is projected to reach 2.3 billion dollars by 2027. These days, developers provision cloud infrastructure through code, and IaC can help them simplify operations, improve scalability, and speed up deployment. However, despite these advantages, using IaC brings a breadth of new security challenges that must be considered (and protected against) by any organization that wants to protect its cloud environment.

In this blog, I’ll discuss the concept of Infrastructure as Code (IaC) and its security implications. We’ll explore the common security challenges faced by organizations implementing IaC and discuss strategies for securing their infrastructure through IaC security measures.

What is Infrastructure as Code (IaC) Security

IaC manages the configuration of cloud infrastructure through automated code, ensuring consistency when deploying applications. Tools like Terraform and CloudFormation automate tasks, simplifying configuration and deployment. IaC security focuses on addressing vulnerabilities and misconfigurations in code-based provisioning (with IaC templates) to prevent security breaches from compromising data integrity.

Types of IaC: Declarative vs. Imperative Approaches

Two main approaches govern IaC implementation: declarative and imperative. Declarative IaC defines the desired system state without detailing the steps to achieve it; the tooling handles the process of reaching and maintaining that state. An example of a declarative tool is Terraform. Imperative IaC specifies the commands required to achieve the desired configuration; an example is the AWS SDK. Each approach presents its own security challenges, underscoring the need for security measures throughout the development and deployment process.

Example of Declarative IaC using Terraform

terraform {
  required_version = "0.11.13"
}

provider "aws" {
  region = "eu-central-1"
}

resource "aws_s3_bucket" "your_new_bucket" {
  bucket = "my-first-website-cloud-native-website"
  # world-readable: appropriate only for a public static website
  acl    = "public-read"

  website {
    index_document = "index.html"
  }
}

Example of imperative IaC

A single AWS CLI command creates the same S3 bucket (outside us-east-1 the region must also be passed as a LocationConstraint, or the call is rejected):
aws s3api create-bucket --bucket my-first-website-cloud-native-website --region eu-central-1 --create-bucket-configuration LocationConstraint=eu-central-1

IaC: Challenges

1. The declarative approach: A declarative tool must know whether the infrastructure already exists in order to decide whether to create it. One of the biggest challenges is the loss of control over individual provisioning steps; this makes the approach less suitable for small fixes and can complicate and slow down processes.

2. The imperative approach: The imperative approach has no idea whether the infrastructure already exists. The imperative example also cannot be easily re-run and doesn’t include the ability to update or delete. The most significant challenge introduced by this approach is the need for advanced programming skills, especially for teams new to DevOps. Because the imperative approach is so explicit, scripts are harder to edit, which means less flexibility and varied outcomes across environments. An error in one step can disrupt the entire process.

3. Credential/Secret Disclosure: Sensitive information, like access keys, may be mistakenly hardcoded and wind up in version control systems, risking exposure. This occurs when sensitive information such as passwords, API keys, or other types of credentials are inadvertently exposed in plain text within code repositories or configuration files. Such exposure could result in data loss, financial liabilities, or even reputational damage to the organization.

4. Misconfiguration: Misconfigurations in IaC templates pose a serious security threat. Misconfigurations that can lead to exploitable vulnerabilities include improper access controls, overly permissive networks, and insecure storage settings. These challenges are compounded by the imperative approach, which demands advanced programming skills and lacks flexibility; the result can be unauthorized data access, service interruptions, or data breaches.

5. Elevated Privileges: IaC automation often relies on high-privilege identities, making them lucrative targets for attackers. A typical example is granting overly permissive permissions to a service account or user role, allowing it to access sensitive resources or perform actions beyond its intended scope, which can lead to security breaches or data leaks.

6. CI/CD Infrastructure: CI/CD systems, vital for deploying IaC changes, face security risks such as weak authentication and authorization. Without proper access controls, unauthorized users may access sensitive resources or execute malicious actions, causing security breaches or deployment disruptions.

Securing IaC: Best Practices

  1. Declarative programming is the favored method in IaC: it defines the desired end-state, ensuring repeatable execution and adaptability to configuration drift. The imperative method, by contrast, requires scripting expertise because it needs commands for each provisioning step, but it offers precise control for fine-tuning, optimization, and addressing software-specific needs.
  2. IaC template Analysis: IaC template analysis tooling involves leveraging application security testing tools specifically designed to scan IaC source code for potential security vulnerabilities – including sensitive values such as passwords, API keys, or other credentials. These tools utilize static analysis techniques to parse through the codebase, identifying patterns or syntax that indicate the presence of sensitive information. For example, they may look for strings that match known patterns of API keys or AWS access keys within Terraform or CloudFormation templates. By flagging these instances during the scanning process, developers and security teams can promptly address and remediate such exposures before they lead to security incidents.
  3. Policy Engine: A policy engine within the context of IaC involves implementing a robust set of granular policies that dictate the configuration and behavior of cloud resources provisioned through code. These policies are typically defined based on security best practices, compliance requirements, and organizational standards. The policy engine acts as a centralized control mechanism, allowing administrators to enforce rules and constraints on various aspects of cloud infrastructure provisioning, such as network configurations, access controls, encryption settings, and resource tagging. For example, policies may specify that all storage buckets must be encrypted at rest. By implementing policy-based controls, organizations can reduce the risk of misconfigurations and unauthorized access.
  4. Securing CI/CD Pipeline: Securing the Continuous Integration/Continuous Deployment (CI/CD) pipeline involves implementing a multi-faceted approach to protect the entire workflow from potential security threats. Role-based access controls (RBAC) are essential for ensuring that only authorized individuals have permission to view, modify, or execute pipeline tasks. Additionally, isolating the CI/CD infrastructure from other systems and environments helps mitigate the risk of unauthorized access or tampering. Securing the CI/CD pipeline requires a combination of proactive measures, including RBAC, infrastructure isolation, and continuous monitoring, to safeguard the integrity and reliability of the software delivery process.
  5. Credential and Secret Management: Securing credentials and secrets is critical when implementing Infrastructure as Code (IaC). Organizations must implement processes and tools to prevent exposure of sensitive information in version control systems and other repositories. This means using secure storage methods like encrypted key vaults or reliable credential management systems to protect this information from unauthorized access. Using environment-specific config files can also help reduce the chance of accidental exposure by keeping sensitive data separate from the IaC templates. Regular audits and automated scans are essential for promptly spotting and fixing any instances of exposed credentials.
  6. Misconfigurations: To address this challenge, organizations must implement rigorous validation processes and automated checks to ensure that IaC templates adhere to security best practices. Additionally, leveraging infrastructure security scanning tools can help identify and remediate misconfigurations before they are deployed into production environments. Embracing the declarative programming approach has its advantages as well, by defining the desired end-state and automated provisioning, it inherently reduces the likelihood of misconfigurations by minimizing manual intervention and human errors, providing a proactive solution to the misconfiguration challenge.
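As an added example of the template analysis (item 2), policy checks (item 3) and misconfiguration validation (item 6) described above, the following Python script scans a Terraform-style template for the issues this post names: hard-coded AWS credentials, a public-read bucket ACL like the one in the declarative example, and buckets without encryption at rest. This is illustrative code, not Checkmarx's own scanner; the brace-counting parser and the sample template are constructed for the example, and the credential values are the AWS documentation placeholders, not real keys.

```python
"""Minimal IaC template checker (added example, not Checkmarx's scanner).

Flags three of the issues the post describes in a Terraform-style
template: hard-coded AWS credentials, public bucket ACLs, and buckets
without encryption at rest. A small brace-counting parser stands in
for a real HCL parser, so it handles only the block shapes shown here.
"""
import re
from dataclasses import dataclass

# Constructed sample: the post's website bucket, a provider block with
# inline credentials (AWS documentation placeholder values, not real
# keys), and a correctly configured private bucket as a control.
SAMPLE_TEMPLATE = '''
provider "aws" {
  region     = "eu-central-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_s3_bucket" "your_new_bucket" {
  bucket = "my-first-website-cloud-native-website"
  acl    = "public-read"
  website {
    index_document = "index.html"
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "my-private-logs"
  acl    = "private"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
'''

# Header of a top-level block:  resource "type" "name" {  or  provider "name" {
BLOCK_HEADER = re.compile(
    r'^\s*(resource|provider)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)
# AWS access key ids are 20 chars starting with AKIA (long-term) or ASIA (temporary)
ACCESS_KEY_ID = re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')
# Attributes whose literal string values are secrets by definition
SECRET_ATTR = re.compile(r'^\s*(secret_key|password|token)\s*=\s*"[^"]+"', re.M)
PUBLIC_ACLS = {"public-read", "public-read-write"}


@dataclass
class Block:
    kind: str   # "resource" or "provider"
    rtype: str  # resource type (aws_s3_bucket) or provider name (aws)
    name: str   # resource label; empty for providers
    body: str   # text between the block's outer braces


def parse_blocks(template: str) -> list:
    """Split a template into top-level blocks by counting braces."""
    blocks = []
    for m in BLOCK_HEADER.finditer(template):
        depth, i = 1, m.end()
        while i < len(template) and depth:
            depth += {"{": 1, "}": -1}.get(template[i], 0)
            i += 1
        blocks.append(Block(m.group(1), m.group(2), m.group(3) or "",
                            template[m.end():i - 1]))
    return blocks


def attr(body: str, key: str):
    """Return the string value of a top-level attribute, or None."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(key), body, re.M)
    return m.group(1) if m else None


def check_template(template: str) -> list:
    """Return (severity, location, message) tuples for each finding."""
    findings = []
    for b in parse_blocks(template):
        where = f"{b.kind} {b.rtype}" + (f".{b.name}" if b.name else "")
        # Credential disclosure: key ids anywhere, secret attributes set inline
        if ACCESS_KEY_ID.search(b.body):
            findings.append(("HIGH", where, "hard-coded AWS access key id"))
        for m in SECRET_ATTR.finditer(b.body):
            findings.append(("HIGH", where, f"hard-coded secret in '{m.group(1)}'"))
        # Storage policies for S3 buckets: no public ACLs, encryption at rest required
        if b.kind == "resource" and b.rtype == "aws_s3_bucket":
            acl = attr(b.body, "acl")
            if acl in PUBLIC_ACLS:
                findings.append(("MEDIUM", where,
                                 f"bucket ACL '{acl}' grants access to everyone"))
            if "server_side_encryption_configuration" not in b.body:
                findings.append(("LOW", where, "no server-side encryption configured"))
    return findings


if __name__ == "__main__":
    for severity, where, message in check_template(SAMPLE_TEMPLATE):
        print(f"[{severity}] {where}: {message}")
```

Run against the sample, the provider block yields two HIGH findings and the website bucket a MEDIUM and a LOW, while the encrypted private bucket passes clean.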

Our Approach to IaC Security

Checkmarx provides a comprehensive IaC security solution that is integrated into the Checkmarx One platform correlating data from the entire software development life cycle (SDLC). This enables the platform to prioritize risks based on context from the different security engines, providing developers with actionable insights and allowing them to focus on addressing critical vulnerabilities efficiently.

  1. IaC template code Analysis: Checkmarx’s IaC Template analysis tool integrates with the developers’ environment to automatically scan IaC templates for vulnerabilities and misconfigurations, providing actionable insights to developers and security teams. By identifying security issues early in the coding stage of the development lifecycle, organizations can proactively mitigate risks and ensure the integrity of their infrastructure.
  2. Policy Enforcement: Checkmarx enables organizations to enforce preventive security policies and stop the build process at the coding stage preventing vulnerable or misconfigured code from making it into production ensuring compliance with industry regulations and internal security standards. Customizable policies allow organizations to tailor their security controls to meet their specific requirements and mitigate potential threats effectively.
  3. Seamless Integration: Checkmarx seamlessly integrates into existing workflows, ensuring minimal disruption to development processes. Its compatibility with popular IDEs enables developers to manually scan templates during development, while CI/CD integrations automate scans later in the process. This streamlined approach ensures security checks occur at every stage of the development lifecycle, enhancing overall security posture.
  4. Education and Training: Checkmarx provides educational resources and training programs to help organizations build and maintain a strong security culture. By educating developers and security professionals on best practices for IaC security, Checkmarx empowers organizations to proactively address security challenges and protect their cloud environments effectively.

Final Thoughts

As organizations embrace Infrastructure as Code, prioritizing security becomes imperative to prevent potential vulnerabilities and misconfigurations. With Checkmarx, organizations can embark on their IaC journey with confidence, knowing that their infrastructure remains protected against potential threats. Infrastructure as Code security is not a choice; it’s a strategic imperative. By embracing a proactive approach to security and leveraging cutting-edge solutions like Checkmarx, organizations can unlock the full potential of IaC while protecting their assets against threats.

Why CNAPPs Are Not Enough https://checkmarx.com/blog/why-cnapps-are-not-enough/ Mon, 08 Jul 2024 11:39:29 +0000 https://staging.checkmarx.com/?p=96466 Cloud-native applications have revolutionized the way we develop, deploy, and manage software. With the adoption of cloud technologies, organizations are embracing Cloud-Native Application Protection Programs (CNAPPs). At their core, CNAPPs attempt to secure cloud-native applications at runtime, leveraging tools like Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP) to detect and remediate misconfigurations and security incidents in cloud environments.

CNAPPs are often presented as the go-to tool for cloud security, promising comprehensive protection for cloud-native applications. However, these platforms have built-in limitations that may leave organizations exposed to security risks and breaches – a fact that is not always emphasized. 

1. Designed for the cloud…only 

CNAPPs are tailored for cloud-native environments, often overlooking security needs in traditional on-premises environments. A cloud-only approach presents hurdles for organizations operating in both cloud and on-premises environments, due to lack of comprehensive coverage across diverse development landscapes. Without security measures for hybrid environments, organizations must either contend with heightened security risks and compliance issues or manage separate tools lacking integrated and correlated security insights. 

2. The focus is on runtime 

CNAPPs prioritize addressing threats and risks during the runtime phase. While they excel at identifying runtime threats, vulnerabilities introduced during the coding and testing phases of the Software Development Life Cycle (SDLC) may go unnoticed. This delay increases the likelihood of security issues going unaddressed until they become critical problems in production, putting the business at risk of security breaches and data compromises.

3. Infrastructure vs. Application Security 

By prioritizing the protection of cloud infrastructure, CNAPPs fall short by offering limited capabilities for identifying and mitigating vulnerabilities within the application code itself, making them an incomplete solution. Securing infrastructure is essential, but it must be complemented by robust application code security for comprehensive protection. 

4. Limited code-level visibility 

CNAPPs face a significant challenge detecting vulnerabilities at the code level due to their limited visibility into application code. Unlike more comprehensive AppSec solutions that can cover hybrid environments, CNAPPs often rely on third-party tools for code analysis. These tools are often not in-depth and can result in challenges when identifying and managing vulnerabilities. As a result, security teams have a tough time spotting risks in the application code or tying vulnerabilities in production to their location in code for developers to remediate. 


5. Incomplete API security coverage 

CNAPPs lack comprehensive coverage for API vulnerabilities. API security is vital for securing modern applications relying on APIs for communication. CNAPPs often develop their own API security features in-house, but these are seen as ad hoc at best. Due to their focus on runtime, they frequently miss crucial aspects of securing APIs.  

6. No developer focus 

Developers were never part of the CNAPP plan. Their emphasis on infrastructure security has little developer involvement, which means CNAPP vendors are not focused on developers – their needs or integrating with their workflows and tooling.  CNAPPs often fail to provide developer-friendly capabilities, impacting the developer experience and collaboration in software development.  

7. Inadequate IDE integration 

Developers rely on IDEs for coding. However, if a security tool is not integrated with the IDE and able to bring insights directly into the developer working environment, developers will not receive real-time feedback on security concerns, making it difficult to fix them quickly. Since CNAPPs integrate at the runtime stage, there is a major delay in vulnerability discovery. This increases the chance that vulnerabilities remain undiscovered until runtime, potentially exposing applications to malicious actors.

8. Limited remediation guidance 

Without clear guidance, prioritizing and resolving security risks becomes difficult. CNAPPs offer insufficient guidance for remedying identified vulnerabilities in code. Any remediation advice provided tends to lack specificity from a developer’s perspective, making it hard for them to enact effective fixes.  

9. Detection vs Prevention 

CNAPPs primarily focus on monitoring and responding to security risks rather than proactively preventing them. This limitation hampers an organization’s ability to effectively prevent application-specific vulnerabilities and security challenges from going live. Without the ability to enforce preventive security policies and stop the build process at the coding stage, CNAPPs struggle to provide comprehensive protection against vulnerabilities in code making it to production.

By integrating Checkmarx with a CNAPP solution, organizations can overcome the built-in limitations of CNAPPs. We offer advanced security tools to support the entire development life cycle for hybrid cloud environments. This integration enhances developer workflows by delivering real-time security feedback during coding, enabling early detection and remediation of vulnerabilities. With our proactive security approach, vulnerabilities are addressed throughout the software development lifecycle, correlating runtime insights from CNAPPs for better risk prioritization and reducing alert noise by up to 90%. By enforcing customizable security policies and mitigating API-related threats, we bridge the gap between cloud infrastructure security and application security, providing a comprehensive solution for securing cloud-native applications.

Checkmarx + Wiz: Advancing AppSec with Code to Cloud Integration https://checkmarx.com/blog/checkmarx-wiz-advancing-appsec-with-code-to-cloud-integration/ Tue, 02 Jul 2024 08:45:00 +0000 https://staging.checkmarx.com/?p=92258 Today, securing applications and cloud environments is necessary for enterprises worldwide. Checkmarx has partnered with Wiz to address this critical need. This strategic partnership brings together Checkmarx’s expertise in application security with Wiz’s CNAPP solution. This allows mutual customers to enjoy a truly comprehensive approach to security, from the first line of code to deployment and runtime in the cloud.

Embracing code to cloud is now much easier

There are three pillars leading this approach:

  • Streamlined security posture management – Integrate security into every stage of the development lifecycle, offering a unified view, automated risk analysis, and remediation guidance.
  • Enhanced efficiency for teams – Achieve clear communication through integrated workflows, streamlined processes, and meeting development teams right where they work with the information they need.
  • Actionable insights & prioritized remediation – Identify Kubernetes clusters, container images, and code repositories and map them to Checkmarx One applications and projects with runtime data, for better risk management and to prioritize critical vulnerabilities effectively.

Understanding the Integration

The integration between Checkmarx and Wiz helps deliver actionable insights and prioritizes vulnerability remediation to our mutual customers. Checkmarx One correlates Wiz’s cloud asset inventory and network exposure with vulnerabilities and application security results, such as code repositories. This gives organizations the context needed to prioritize vulnerability remediation based on what is exploitable in the running application. This approach reduces the noise generated by non-critical vulnerability alerts by up to 90% and enables customers to focus their resources on addressing high-impact security issues.

This integration brings to life the “Shift Left, Shield Right” strategy, extending our Checkmarx One offering by adding runtime information to secure every stage of the Software Development Life Cycle (SDLC). This helps encourage collaboration between different teams and stakeholders throughout the entire process. Developers then gain access to actionable security insights directly within their IDE, which allows them to address vulnerabilities early in the development process. Then security teams can leverage runtime context and cloud asset inventory in order to provide developers with the most relevant security information and guidance. Ultimately, it accelerates the delivery of secure applications in a cloud-native environment.

As part of this partnership, we have also integrated our SAST scan results with the Wiz platform to correlate them with cloud security insights. This supports our combined vision of code to cloud and back – enabling greater security posture across an organization’s SDLC. With this new capability, our mutual customers can prioritize and address the most significant risks on the most business-critical assets. This partnership aims to streamline vulnerability detection and mitigation, transforming how enterprises secure their applications and cloud environments.

How Checkmarx enriches AppSec findings with Wiz runtime insights

Let’s see this in action.

In the Risk Management tab, we correlate all the Checkmarx scanner information and runtime data. We tie them back to their project, and their associated user. Adding the runtime context, and internet-facing information from the Wiz integration enables us to add another piece of the puzzle and modify the risk level to reflect what we know and prioritize them more effectively.

Runtime context allows us to understand whether vulnerabilities are exposed to the internet, which increases the risk of exploitation. Vulnerabilities that are exposed to the internet are prioritized due to their increased risk level.

Let’s now look at the project level, where Checkmarx One connects all the dots. We can see all the building blocks of the project, code repos, and packages used within the project, including when they were scanned, how many vulnerabilities they have, the risk level and the runtime context.  This allows us to better prioritize the risk and escalate it as needed.

How Wiz enriches CNAPP with Checkmarx SAST findings

The integration of Checkmarx SAST scan results with the Wiz platform enhances application security directly on Wiz’s platform. Combining application security findings with Wiz’s own cloud security scan data, helps organizations identify, prioritize, and address the most significant risks to critical assets, at the development stage. This correlation provides a unified and actionable security visibility, improving the detection and mitigation of vulnerabilities across the entire software lifecycle.

Organizations can then navigate the complexities of modern cloud environments securely: with streamlined security posture management, actionable insights, and enhanced collaboration, they can effectively mitigate risks and accelerate their cloud journey with confidence.

If you wish to start gathering runtime insights and see the magic happen, request a demo to get started.

Just Launched: Checkmarx AI Security https://checkmarx.com/blog/just-launched-checkmarx-ai-security/ Sun, 05 May 2024 22:00:00 +0000 https://staging.checkmarx.com/?p=93402 Why AI Security? Because you deserve a better answer than “because everyone’s talking about it.” 

There are two key challenges around AI that make this an essential area for AppSec platforms to address. 

The first is that AI is disrupting the developer workflow that AppSec teams have worked hard to integrate with. We know that AI Large Language Models (LLMs) do not understand secure coding practices; however, developers are increasingly relying on them to maximize their coding output. This results in a flood of insecure code being directed at already resource-constrained AppSec teams. AppSec teams are finding themselves in an increasingly untenable situation, especially since many developers don’t understand or practice secure coding, nor prioritize AppSec.

This brings us to the second challenge: AppSec is already hard! AppSec teams are generally under-resourced; they rely on working with cross-functional teams with often opposing incentives; and they face an increasingly complex code environment. Analysis and prioritization of vulnerabilities has already been difficult, and they have long given up on the idea of getting their vulnerability count to zero. 

AppSec teams require cutting edge tools to keep pace – and Checkmarx delivers. Last year Checkmarx pioneered a strategic approach to help AppSec organizations get the most out of AI.  Today, we are excited to announce the second wave of AI Security features from Checkmarx!  

Checkmarx’ AI Vision

Checkmarx has a clear vision for the future of AI in supporting AppSec, and sees 3 key opportunities where we can provide meaningful assistance to our customers:

  1. The Developer Workflow: Developers are using, and will continue to use, AI for code generation. By plugging AppSec tools directly into the AI tools, Checkmarx aims to help secure code from the first line written, while also securing the software supply chain.
  2. Accelerate AppSec Teams: AppSec teams want to use GenAI as a productivity tool in the same way that everyone else does. Checkmarx is creating tools and platform features to simplify AppSec management and increase daily efficiency for AppSec teams.
  3. AI-Based Attacks: The use of new technology always brings new risks, and AI tools are no different. Checkmarx will help customers protect against risks targeting AI tools in the new developer workflow.

Building towards this vision, Checkmarx has already supplied developers with core features that support the developer workflow AI has reshaped. These include our AI Security Champion for Infrastructure as Code (IaC), our AI Query Builder for reducing false positives, and our Checkmarx GPT integration that helps developers understand the open-source risks of generated code.

Our newly launched features build on that momentum with more ways for developers to embrace AI in a manner that fits their workflow and is mindful of the business’s responsibility for its own (and its customers’) data.

Auto Remediation for SAST

Resolving security vulnerabilities is a necessary evil for developers. It is often time consuming and involves significant research and context-switching. Each vulnerability has its own background that needs to be understood before a meaningful solution can be drawn up and implemented.

Our new auto remediation for SAST functionality, part of our AI Security Champion plugin, aims to significantly shorten the time and effort developers need to remediate vulnerabilities. Developers now get meaningful recommendations, directly in their IDE, on how to resolve specific SAST vulnerabilities, making resolving vulnerabilities, not just finding them, far more practical.

Want to learn more? Read about it here.

Checkmarx GPT

Code is code, regardless of whether it is written by a developer, copied and pasted from OSS, or generated by AI. It all needs to be scanned, and if you want to scan AI-generated code successfully then you need to do it in real time. Checkmarx demonstrated how to do this with our initial Checkmarx GPT integration for ChatGPT, which allowed Checkmarx to analyze the generated code for malicious packages, hallucinations, and potential versioning and licensing challenges. We have further extended the Checkmarx GPT functionality by including the ability to perform a SAST scan as part of the process. Now, developers using ChatGPT can get a full security check of the generated code in real time, along with remediation advice for specific vulnerabilities.

GitHub Copilot Integration

In the spirit of our Checkmarx GPT plugin, we know that many developers are using Copilot to drive their code generation needs. Many developers have Copilot integrated directly into their IDE, and just as we did with ChatGPT, we knew we needed to provide a real-time scan for Copilot-generated code. Our VS Code plugin for Checkmarx now supports real-time IDE scanning for all types of code, including Copilot-generated code, which gives developers a very fast SAST scan of the code as it is being created.

Read this blog post to get more details.

Prompt Security

Checkmarx cares about your data. We understand that for many organizations considering Generative AI, the risk of data being accidentally leaked is difficult to weigh. Checkmarx is partnering with Prompt Security to help secure all uses of Generative AI in an organization, from tools used by your employees to customer-facing applications. Checkmarx and Prompt are working together to help AppSec teams understand what is being passed to a Large Language Model, and to provide ways to sanitize and block unwanted data from being shared.

AI in Your AppSec Program

It can get overwhelming trying to keep track of all the developments around AI. We are convinced that AI capabilities need to be integrated into your existing AppSec program purposefully, with a defined strategy and plan. So, we incorporated AI into our AppSec Maturity Model – APMA. When we discuss and assess your AppSec program with you, we will also consider your organization’s AI strategy. We will then work with you to build a way to leverage AI opportunities, while protecting against AI-related risks, using our AppSec AI solutions and best practices.

Learn More

As the adoption of generative AI in software development continues to grow, Checkmarx remains dedicated to guiding organizations through their AppSec journeys. By focusing on enhancing the developer experience, reducing false positives, and addressing the unique threats posed by AI, Checkmarx is paving the way for a more secure digital future. Our investment in advanced solutions reflects our commitment to not just identifying problems but also providing the solutions that empower developers to build safer, more secure software in the age of AI.

We’re at RSA this week and we encourage you to stop by our booth to see and participate in live demos of our most recent announcements, and check out the additional blogs linked within this blog post for more details! 

Introducing Real Time IDE Scanning – More Secure Code in Real Time
https://checkmarx.com/blog/introducing-real-time-ide-scanning-more-secure-code-in-real-time/ (Sun, 05 May 2024)

The need to shift left

The pressure to deliver quickly and efficiently is pervasive. Speed often comes at the expense of security. To address this, the “shift left” philosophy has gained traction among development teams. It emphasizes the importance of integrating security measures early in the development lifecycle, rather than as an afterthought. We have also spoken about the need for security to be integrated throughout the entire SDLC – allowing you to secure your applications from the very first line of code, to runtime and deployment in the cloud.

The rationale behind this strategy is straightforward: identifying and resolving security issues during the initial stages of development is significantly more cost-effective and less risky than making changes after deployment. By addressing security considerations earlier in the development process, teams can prevent future headaches. This can also help get software to production faster, as issues are easier to fix within the development cycle.

The best way to secure applications is to bake security into the code from the start. Developers play a critical role in securing the software by adopting security best practices. However, that’s easier said than done. There is a gap between theoretical best practices and truly embedding security into development.

The security gap in software development

Software developers aren’t security experts. According to the Forrester report, “Show, Don’t Tell, Your Developers How To Write Secure Code,” none of the top 50 undergraduate computer science programs in the United States require a secure coding or secure application design class.

Bridging the skills gap and fostering security awareness among developers is critical. This is why Checkmarx offers security training such as Codebashing. However, training doesn’t produce instant change. Meanwhile, developers are relying on AI-generated code because of the speed it provides and the mistaken belief that AI-generated code is somehow more secure.

The new frontier of AI-generated code

Traditional software development workflows are being reshaped by the proliferation of AI-generated code. GenAI tools, such as GitHub Copilot or Amazon CodeWhisperer, fundamentally alter the coding process by providing suggestions, autocompleting code, and automating repetitive tasks. This shift represents a significant advancement in the field, with AI-driven assistants seamlessly integrated into coding workflows, enhancing human capabilities, and expediting development cycles.

AI-generated code is a double-edged sword. While it offers potential productivity boosts and taps into collective knowledge, it also carries risks. Research into the increasing prevalence of AI-generated code and its potential to redefine software engineering practices has also identified the potential for reduced code quality and security risks.

A fact often ignored by developers: AI tools can generate insecure code. According to research, “Participants with access to an AI assistant were also more likely to believe they wrote secure code, suggesting that such tools may lead users to be overconfident about security flaws in their code.”

Introducing real-time scanning in the IDE

Real-time scanning in the IDE offers a security best practice for developers that complements Checkmarx SAST. It analyzes and provides real-time insights for:

  • Human-generated code as it’s being written by software developers
  • AI-generated code using tools such as GitHub Copilot

This is a plugin for Visual Studio Code. It scans in milliseconds, providing instant responsiveness in the IDE, and can even scan source code repositories. In internal tests, we scanned over 1 million lines of code in under 10 seconds – much faster than other “developer-friendly” solutions.

Security best practices

Real-time scanning in the IDE is the first step toward ensuring that source code follows security best practices. It is not intended to replace thorough testing by your application security team or by Checkmarx SAST, but rather to ensure that code – particularly AI-generated code – follows secure coding best practices. It does not test an entire application, but rather code snippets: a specific line of code plus the nearby lines. The scope of the analysis is a short, relevant piece of code. Given a few lines of code, the scanner provides a security review and points to potential issues that a developer should consider.

Unlike a complete SAST scan, it does not find attack vectors such as SQL injection, because those require following data across the application. It works by analyzing the adjoining lines of code, so, unlike complete SAST solutions, it is not fully application aware. It looks at the “micro” level – a few lines of code – and provides suggestions for remediating the snippet.

This makes it easy for developers to fix their code as they are writing it.
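To make the snippet-versus-application distinction concrete, here is an added example (not Checkmarx code, and not how the Checkmarx plugin is implemented). A rule-based check runs over only the few lines of one function, while a toy taint tracker built on Python’s `ast` module follows untrusted data across function calls in a constructed sample program whose input source (`request.args.get`, assumed to be untrusted) and SQL sink (`cursor.execute`) live in different functions. The rule list, the source pattern and the sample program are all assumptions made for the illustration.

```python
"""Added illustration (not Checkmarx code): a few-lines "micro" check versus an
application-aware taint check. The rules, the source pattern and the sample
program below are constructed for this example."""
import ast
import re

# Constructed sample program. The untrusted input (request.args.get) and the
# SQL sink (cursor.execute) deliberately sit in different functions.
SAMPLE_PROGRAM = '''
def lookup(cursor, user):
    cursor.execute(f"SELECT * FROM accounts WHERE name = '{user}'")
    return cursor.fetchall()

def lookup_safe(cursor, user):
    cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))
    return cursor.fetchall()

def handler(request, cursor):
    u = request.args.get("u")
    return lookup(cursor, u)

def handler_safe(request, cursor):
    u = request.args.get("u")
    return lookup_safe(cursor, u)
'''

# --- 1. Snippet-level check: sees only the handful of lines it is given. ------
LOCAL_RULES = [  # assumed rule set for the illustration
    (re.compile(r"\.execute\(\s*f[\"']"),
     "f-string passed to execute(): prefer a parameterized query"),
    (re.compile(r"\beval\("), "eval() on runtime data"),
    (re.compile(r"verify\s*=\s*False"), "TLS certificate verification disabled"),
]

def snippet_check(lines):
    """Return (line_no, message) for patterns visible in the given lines alone.
    Nothing here knows where `user` comes from, so it can only hint."""
    findings = []
    for no, line in enumerate(lines, 1):
        for rx, msg in LOCAL_RULES:
            if rx.search(line):
                findings.append((no, msg))
    return findings

# --- 2. Application-aware check: follows untrusted data across calls. ---------
SOURCE_CALL = ("request", "args", "get")  # assumed untrusted-input API

def _is_source(node):
    """True for a call of the form request.args.get(...)."""
    if not isinstance(node, ast.Call):
        return False
    chain, f = [], node.func
    while isinstance(f, ast.Attribute):
        chain.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        chain.append(f.id)
    return tuple(reversed(chain)) == SOURCE_CALL

def _names_in(node):
    """All variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def taint_check(source_code):
    """Report (function, line) of every execute() whose query is built from
    data that originated in request.args.get(), even via other functions."""
    tree = ast.parse(source_code)
    funcs = {f.name: f for f in tree.body if isinstance(f, ast.FunctionDef)}
    findings, seen = [], set()

    def analyse(func, tainted):
        key = (func.name, frozenset(tainted))
        if key in seen:          # guard against re-analysis and recursion
            return
        seen.add(key)
        tainted = set(tainted)
        for stmt in func.body:   # statement order matters for propagation
            for node in ast.walk(stmt):
                if isinstance(node, ast.Assign) and _is_source(node.value):
                    tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
                elif isinstance(node, ast.Call):
                    callee = node.func
                    # Sink: a non-constant query built from a tainted name.
                    if (isinstance(callee, ast.Attribute) and callee.attr == "execute"
                            and node.args and not isinstance(node.args[0], ast.Constant)
                            and _names_in(node.args[0]) & tainted):
                        findings.append((func.name, node.lineno))
                    # Inter-procedural step: carry taint into the callee's parameters.
                    elif isinstance(callee, ast.Name) and callee.id in funcs:
                        params = [a.arg for a in funcs[callee.id].args.args]
                        passed = {params[i] for i, arg in enumerate(node.args)
                                  if i < len(params) and _names_in(arg) & tainted}
                        if passed:
                            analyse(funcs[callee.id], passed)

    for func in funcs.values():  # every function is a possible entry point
        analyse(func, set())
    return findings

def demo():
    lines = SAMPLE_PROGRAM.splitlines()
    # Only lookup()'s three lines are visible to the snippet check.
    return snippet_check(lines[1:4]), taint_check(SAMPLE_PROGRAM)

if __name__ == "__main__":
    local, whole = demo()
    print("snippet view of lookup() alone:", local)
    print("whole-program taint paths     :", whole)
```

Run on the sample, the snippet check can only say that an f-string reaches `execute()` in `lookup()`; it has no way to know whether `user` is attacker-controlled. The taint check confirms the path from the request parameter in `handler()` into the query in `lookup()`, and reports nothing for `lookup_safe()`, whose parameterized query keeps the data out of the SQL text. That cross-function step is exactly what a few-lines scope cannot perform.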

This is a win-win for security. By giving developers the opportunity to implement security best practices as they write, it yields fewer and more accurate SAST findings for the AppSec team.

How to get it

Real-time insights are available in a freemium model. Users can get real-time insights from a command line interface (CLI) executable that is available for free.

Additional features and real-time in-IDE scanning are available for customers with the AI Security package. If you’re an existing customer, contact your account manager for more details. Not yet a customer? Get a free demo.
