Checkmarx Tells Us Why App Developers Should Care About App Security
Richard Harris, Security, Thursday, August 18, 2016
We recently had a conversation with Emmanuel Benzaquen at Checkmarx to talk about how they are able to scrutinize code with a fine-toothed comb and find vulnerabilities early and why other developers need to be doing the same. With clients such as Coca-Cola, SAP, and Salesforce, they seem to be carving out a niche for application security in the crowded tech-scene.
ADM: What is Checkmarx and how does it differ from other security software that is currently available for developers?
Benzaquen: Checkmarx is an Application Security software company, whose mission is to provide enterprise organizations with application security testing products and services that empower developers to deliver secure applications. For enterprise companies who want to minimize application security risks, Checkmarx provides products and services to detect and eliminate vulnerabilities early in the SDLC. Unlike other SAST solutions, CxSAST provides faster feedback loops and higher accuracy resulting in wider developer adoption.
For DevOps and AppSec professionals who want to embed security as part of the continuous integration flow, CxSAST provides the ability to eliminate vulnerabilities early in the SDLC. Unlike other SAST solutions, CxSAST seamlessly fits into the continuous integration tool chain, without imposing delays. For AppSec professionals who want developers to take ownership of application security, CxSAST provides the ability to eliminate vulnerabilities early in the SDLC. Unlike other SAST solutions, CxSAST can be easily adapted to the application code, resulting in higher accuracy and wider developer adoption.
ADM: Where do you see Checkmarx being in 5 years?
Benzaquen: Checkmarx bridges the gap between developers and application security specialists through its unique suite of products and solutions identifying, educating, and assisting in fixing security vulnerabilities throughout the software development lifecycle. While growing, we continue to empower the 20M-developer community worldwide with everything they need to deliver secure applications. Over the next 5 years, security testing is becoming as important as functional testing to organizations, and Checkmarx is present to help developers and organizations minimize their risk of being breached.
ADM: In your opinion, what is the most effective way to educate developers about security issues?
Benzaquen: Developer application security skills are one of the major pain points for organizations when it comes to application security. Education is a need that many are trying to address; however, traditional methods just aren’t cutting it. There are a few rules of thumb required to ensure a successful training process:
1. The education has to address the specific need as soon as it appears. This is also known as in-context training.
2. It has to be engaging and preferably interactive. Short, bite-sized training courses achieve a much higher rate of success compared to long frontal presentations delivered to a large audience. Ensure the developers have a hands-on experience as part of the training session.
3. Education is not a one-time thing. Developers move around very often and team members change quite frequently. A good education plan is available all the time and ensures that any newcomer receives the same level of education as his peers.
4. Don’t break the developers’ flow of work. Shifting from one platform to another is time consuming and confusing. If you are addressing a problem via a specific platform, teaching the developer how to address the problem should be part of that same platform.
ADM: Why do you feel there is such a large disconnect between DevOps and Security teams?
Benzaquen: DevOps is based on speed of delivery. Security measures, and specifically application security, are often perceived as time consuming. Traditional application security solutions were not designed with continuous integration processes in mind. Therefore, it is natural for DevOps teams to “fear” security procedures, as they feel it may impact their release schedules and delay the process. Checkmarx is designed to address DevOps and AppSec professionals who want to embed security as part of the continuous integration flow; CxSAST provides the ability to eliminate vulnerabilities early in the SDLC. Unlike other SAST solutions, CxSAST seamlessly fits into the continuous integration tool chain, without imposing delays.
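The answers above describe embedding a SAST scan in the continuous integration flow without slowing releases. One concrete way that is usually done is a build gate: the pipeline runs the scanner, reads its report, and fails only on new findings at or above a chosen severity, while a baseline file keeps already-accepted findings from blocking every commit. The script below is an added example written for this article, not Checkmarx's own code, and it does not use the CxSAST report format; it assumes the scanner emits a SARIF 2.1.0-shaped JSON report (ruleId, level, locations), and the sample report, file paths and rule names it contains are constructed for illustration.

```python
"""CI quality gate over SAST findings in SARIF-shaped JSON.

Added example (not Checkmarx's code). Assumptions:
- the scanner writes SARIF 2.1.0-style JSON (ruleId, level, locations);
- a baseline holds fingerprints of findings the team has already accepted;
- the build fails only on non-baselined findings at or above a threshold.
"""
import hashlib
import json
import sys

# SARIF "level" values ordered by severity (note < warning < error).
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQL_INJECTION", "level": "error",
             "message": {"text": "User input reaches a query string"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "WEAK_HASH", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "DEBUG_LOG", "level": "note",
             "message": {"text": "Verbose logging enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def fingerprint(rule_id, uri, line):
    """Stable id for a finding; the baseline stores these so known debt
    does not re-fail every build while it is being scheduled for a fix."""
    return hashlib.sha256(f"{rule_id}|{uri}|{line}".encode()).hexdigest()[:16]


def load_findings(sarif_text):
    """Flatten a SARIF report into one dict per result."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            rule = res.get("ruleId", "<unknown>")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append({
                "rule": rule,
                "level": res.get("level", "warning"),  # SARIF default level
                "uri": uri,
                "line": line,
                "fp": fingerprint(rule, uri, line),
            })
    return findings


def gate(sarif_text, baseline=frozenset(), threshold="warning"):
    """Return (passed, blocking, suppressed).

    blocking   - findings at/above threshold not in the baseline (fail build)
    suppressed - findings at/above threshold already accepted in the baseline
    """
    min_rank = LEVEL_RANK[threshold]
    blocking, suppressed = [], []
    for f in load_findings(sarif_text):
        if LEVEL_RANK.get(f["level"], 2) < min_rank:
            continue  # below the gate's severity; report elsewhere, do not block
        (suppressed if f["fp"] in baseline else blocking).append(f)
    return (not blocking, blocking, suppressed)


if __name__ == "__main__":
    # Accept the WEAK_HASH finding as known debt; SQL_INJECTION is new.
    baseline = {fingerprint("WEAK_HASH", "src/auth.py", 17)}
    passed, blocking, suppressed = gate(SAMPLE_SARIF, baseline, "warning")
    for f in blocking:
        print(f"BLOCK  {f['level']:<7} {f['rule']} {f['uri']}:{f['line']}")
    for f in suppressed:
        print(f"KNOWN  {f['level']:<7} {f['rule']} {f['uri']}:{f['line']}")
    sys.exit(0 if passed else 1)
```

The exit code is what the CI job keys on: a non-zero status fails the stage. Keeping the baseline in version control alongside the code means accepting a finding is itself a reviewed change, and raising the threshold over time (note, then warning, then error) is how a team tightens the gate without a flag day.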
ADM: You recently announced your partnership with TOYO, how will that affect your customers and potential new customers?
Benzaquen: Since Checkmarx’s founding in 2006, our commitment is to enable organizations to detect and remediate security vulnerabilities within their software applications. TOYO's renowned services and measurement technology ties perfectly into our application security solutions, further extending our capabilities across the Software Development Lifecycle (SDLC). Together, our combined strength and experience will enable our customers to better measure the security posture of their application code. We’re absolutely thrilled about this new partnership with TOYO, and together we will support businesses and developers building and deploying secure software.
ADM: What is one thing you wish developers better understood about security?
Benzaquen: Developers are key in the application’s security posture. The code developers deliver is probably the main strategic advantage an organization has over the hackers, because it is not easily accessible to the attacker. Therefore, delivering secure code is a critical step in securing both the company and the user’s data. While today developers mainly concentrate on creating functionality and fixing bugs in the code, it seems natural that developers would also address vulnerabilities, considering the only difference between them and a functionality bug is the potential impact on the business, which in many cases may be much more devastating.
ADM: What are some other industry trends that developers need to be aware of?
Benzaquen: In a connected world, cyber-attacks are constantly increasing and organizations are continuously on the hunt to improve their delivery’s security posture. With the understanding that implementing security has to start at the core of the software delivery, namely the code, secure coding skills are becoming a requirement for organizations globally. Developers with security knowledge are an asset that organizations are looking for, and these are still quite rare to find.
Emmanuel Benzaquen brings to Checkmarx more than 15 years of technology and business experience in the semiconductor, software and IT fields. Before joining Checkmarx in 2006, he was involved with several startup companies and the Israeli VC industry at large. Prior to that, he headed the Business Development Group at ARC in San Jose, CA, which completed its IPO in 2000 (LSE: ARK). While at ARC, Emmanuel took an active part in the acquisition and integration of Precise Software Technologies and MetaWare. In addition, Emmanuel occupied various technology and business development related positions with Embedded Performance Inc. (subsequently acquired by Mentor Graphics), Intellicourt, Integrity Systems, Illuminator (subsequently acquired by EMC), and X-Ample Technology. Emmanuel holds an MBA (ISM, California) in International Business and an M.Sc. in Electrical Engineering (Polytechnique Nantes, France). He is the author of many articles in leading industry publications including EETimes, Electronics Weekly, and InfoWeek.
Read more: https://www.checkmarx.com