Bridget Farrell

That Smartphone Isn’t Secure Just Because It’s ‘New’

While the last couple of years have significantly altered smartphone usage patterns across the world, the increased use has brought with it alarming misapprehensions about mobile security, according to a recent survey. The McAfee survey found that although smartphones are increasingly replacing

OWASP Top 10 Vulnerabilities

The Open Web Application Security Project (OWASP) is an open-source application security community whose goal is to spread awareness of application security; it is best known for publishing the industry-standard OWASP Top 10. The OWASP community is powered by security-knowledgeable volunteers … Read More

What is DevSecOps?

DevSecOps is about integrating IT security aspects as early as possible into the application development life cycle.

YAML

YAML (a recursive acronym for “YAML Ain’t Markup Language”) is a human-readable data-serialization language. It is commonly used for configuration files and in applications where data is being stored or transmitted.

Workload

A workload is the computational or transactional burden of a set of computing, networking, and storage tasks associated with an application. Similar apps with the same technology and tools can have radically different workloads under different circumstances or during different

Terraform

Software from HashiCorp for creating infrastructure as code in a cloud service provider’s environment.

Ticketing System

A ticketing system is an application that manages and maintains lists of issues, mostly related to a certain application. Tracking systems are generally used in collaborative settings—especially in large or distributed collaborations. A broader concept of a ticketing system can be referred to as

Source Code Manager (SCM)

A source code manager tracks revisions of a code base; each revision usually contains a timestamp, a comment, and the identity of the person who made it. Revisions may be compared, stored, and merged with other revisions, which helps developers collaborate on

SCA

Software composition analysis is the process of identifying the open source dependencies of a given code base, the vulnerabilities and risks they introduce to the product, and its legal constraints (according to the open source packages’ licenses).

SAST

SAST stands for Static Application Security Testing. In Checkmarx it also refers to CxSAST (see value) – our own SAST implementation. SAST enables developers and security officers to scan static code and find security vulnerabilities during the development phase, in hopes

runC

The code module that launches containers. It is part of containerd and managed by OCI, which stands for Open Container Initiative

Repository

In the context of containers, a repository is a set of container images. The repository can be shared with other users through a registry server, and the images in the “repo” can be tagged with labels.

Refactoring

Re-architecting an application or modifying its code to improve it. An application, for example, might be refactored by decomposing it into microservices.

RabbitMQ

An open source message broker, RabbitMQ implements the Advanced Message Queuing Protocol (AMQP) to give applications a common intermediate platform through which they can connect and exchange data.

Public Cloud

Public Cloud is an environment in which services are consumed by individuals or companies to create an environment in which to develop and/or host their business applications. These services are typically billed on a per second model.

Private Cloud

This is an environment in which the underlying infrastructure is managed by your internal IT team. The exposed services and functionality are managed by them as well. For example, VMware is often used as the solution for Private Cloud. Typically, Private Clouds

On Premises

On-premises software (also abbreviated “on-prem”) is installed and runs on computers on the premises of the person or organization using the software, rather than at a remote facility such as a server farm or cloud.

Multi-tenant

The term multi-tenanted is used to describe a Software as a Service (SaaS) solution that can service, host and manage more than one customer.

Microservices

This is a software architecture in which the business application is broken down into self-contained business services so that each microservice is independently deployable, e.g. a payment service, user registration, etc.

Lambda Function

Function as a Service (FaaS) is the idea of running your application code via an event-driven, serverless architecture. Your application code is deployed and executed on a platform hosted and managed by the cloud provider. In the

Kubernetes (K8s)

Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. The name Kubernetes originates from

KICS

The Checkmarx infrastructure-as-code engine (aptly named KICS, for Keeping Infrastructure as Code Secure) finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in the following Infrastructure as Code technologies: Terraform, Kubernetes, Docker, AWS CloudFormation, and Ansible. As the engine is capable of

Infrastructure-as-Code (IaC)

Infrastructure as Code is the process of provisioning and configuring an environment through code instead of manually setting up the required devices and systems. Once code parameters are defined, developers run scripts, and the IaC platform builds the cloud infrastructure

Integrated Development Environment (IDE)

Integrated Development Environment (IDE) is a software application that combines all of the features and tools needed by a software developer. It’s graphical in nature, meaning that it uses windows and controls like buttons to display information and accept input from

Function as a service

FaaS is a cloud computing model that lets you run and manage application functions without managing a traditional server as the application’s backend—giving rise to the nomenclature “serverless.” The functions typically respond to events, making FaaS a useful method of

False Negative

A false negative, in the context of security testing, is a vulnerability that does exist but HAS NOT been highlighted by a security tool.

False Positive

A false positive, in the context of security testing, is a result highlighted by a security tool as a vulnerability when in fact it DOES NOT exist.

Engine

A Checkmarx engine is where the magic happens (it’s also where a large part of our secret sauce resides). An engine could refer to any of the following products: CxSAST – A CxSAST engine is the part of the system

Docker Swarm

Docker Swarm is the name of a standalone native clustering tool for Docker. Docker Swarm combines several Docker hosts and exposes them as a single virtual Docker host. It serves the standard Docker API, so any tool that already works with Docker

Docker

Docker is a widely used container format. Docker defines a standard format for packaging and porting software, much like ISO containers define a standard for shipping freight. As a runtime instance of a Docker image, a container consists of three

DevSecOps

DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. Selecting the right tools to continuously integrate security, like agreeing on an integrated development environment (IDE) with security

DevOps

DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality.

CI/CD

CI (Continuous Integration) is a development practice in which developers integrate code into a shared repository frequently, preferably several times a day. Each integration can then be verified by an automated build and automated tests. While automated testing is not

Correlation

Correlation, or a correlation engine, is an engine that takes the findings of several other engines (SAST, KICS, SCA, etc.) and correlates them in order to discover issues that cannot be found by any single engine alone. For example, a

CNI

Container Network Interface. It is an open source project hosted by the CNCF to provide a specification and libraries for configuring network interfaces in Linux containers.

CNCF

Cloud Native Computing Foundation. An open source project hosted by the Linux Foundation, the CNCF hosts Kubernetes and other key open source projects, including Prometheus, OpenTracing, Fluentd, and linkerd.

Container

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.

Codebashing

Codebashing is Checkmarx’s in-context eLearning platform that sharpens the skills developers need to fix vulnerabilities and write secure code. Expanding on the “learn by doing” concept, Codebashing teaches developers the principles of secure coding, and helps them sharpen application security

Cloud Native Development

The definition of Cloud Native is provided by the Cloud Native Computing Foundation (CNCF). Cloud Native development is therefore the use of technologies and practices that support the creation of a business service (application) in line with this definition.

Cloud Native

Cloud native computing is an approach in software development that utilizes cloud computing to “build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds”. Technologies such as containers, microservices, serverless functions and immutable infrastructure,

Cloud Infrastructure

Encompasses the servers, virtual machines, storage systems, networking, and other components required for cloud computing and infrastructure as a service. Cloud infrastructure provides the building blocks, or primitives, for creating hybrid and private clouds that deliver cloud computing services.

Cloud Computing

Cloud computing is an umbrella term for elastic, on-demand, shared computing resources and services (such as computational power, storage capacity, database usage, analytics, and software applications) delivered as a service over the Internet, typically with metered pricing. The organizations that

Build Server

A build server is a distinct concept from a Continuous Integration (CI) server. The CI server exists to build your projects whenever changes are made. By contrast, a build server exists to build the project (typically a release, against a

Application Lifecycle Management (ALM)

Application Lifecycle Management systems, or simply management systems, are systems in which the entire lifecycle of a certain product or project is managed. Such systems cover the requirements, definitions, backlog, and bug and issue tracking aspects of the developed

API Security

APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible. API Security focuses on strategies and solutions to

API

An Application Programming Interface (API) is a set of functions and procedures that exposes the data and application services of a solution, e.g. a business application. APIs are commonly used to automate a series of tasks or operational activities.

What the heck is IAST?

The application security testing (AST) world is made up of different solutions, all with one ultimate goal – to protect software from hackers and their attacks. SAST and DAST are perhaps the two most common and well-known solutions. In the

Mobile Application Security (Android/iOS)

Mobile application security for Android and iOS doesn’t always receive the attention it deserves. As smartphones have become more affordable and internet access has improved, software development teams are increasing mobile application development. Mobile internet traffic today accounts for 61% of … Read More

Gartner Magic Quadrant

Magic Quadrant

The Gartner Magic Quadrant includes the Magic Quadrant for AST (Application Security Testing) report published by the advisory firm Gartner Group. The goal of this Gartner Magic Quadrant is to deliver qualitative analysis of Application Security Testing vendors … Read More

Static Application Security Testing (SAST)

What is Static Application Security Testing? Static Application Security Testing, shortened to SAST and also referred to as White-Box Testing, is a type of security testing that analyzes an application’s source code to determine whether security vulnerabilities exist. SAST solutions look at … Read More

In House Legal Attorney

Checkmarx is looking for a talented attorney to join our in-house legal department, focusing on IP and software licensing. Job Description: Draft and review software license agreements, reseller agreements, NDAs, RFPs, and supplier agreements. Ultimately lead and manage negotiations and work

Group Manager R&D (182)

We are looking for a strong technology leader, to be part of the company technological leadership team. The Group Manager will report to the VP R&D in order to provide direction and leadership for the specific R&D component; the manager

Field Sales Engineers (106)

Checkmarx is seeking talented Field Sales Engineers to support our Sales and Business Development activities worldwide! The Sales Engineer is critical to our success as we expand. This position will be primarily responsible for actively driving and managing the

Inside sales (163)

Checkmarx is seeking a talented inside sales person to work in a fast-paced environment. Responsibilities:
- Call and nurture outbound leads
- Respond to and qualify incoming web, email, and phone inquiries
- Set up WebEx meetings & develop the lead

Field Sales Engineers- EMEA (186)

Checkmarx is seeking talented Field Sales Engineers to support its Sales and Business Development activities in the EMEA region. In this position, the primary responsibility would be to drive and manage the technological evaluation stage of a sales process. Any

Secure SDLC

What exactly is the SDLC? Organizations developing applications have in place a process by which each application is designed, developed, tested, and deployed. This sequence of stages that defines these processes is called the software development lifecycle, often referred to as the … Read More

Spoofing Attack

What is a Spoofing Attack? A spoofing attack is when an attacker or malicious program successfully acts on another person’s (or program’s) behalf by impersonating data. It takes place when the attacker pretends to be someone else (or another computer, device, … Read More

How to Avoid Wireless Sniffers

Wireless sniffers are customized packet analyzers specifically designed to capture data over wireless networks. Packet analyzers are software programs, occasionally hardware tools, which will detect, intercept and decode data over a wireless connection. Wireless sniffers are used for many legitimate … Read More

Vulnerability Assessments

Why companies need vulnerability assessments

Vulnerability discoveries are at an all-time high, while many more have not yet been exposed. Security scanning software is a great start, but it’s not enough. Web applications are becoming more complex and the threats … Read More

Directory Traversal Vulnerability

Directory Traversal Defined

Directory Traversal (DT) is an HTTP exploit that malicious hackers use in order to gain access to account directories and the data contained within. A successful exploit can result in the entire web server being compromised, including … Read More

Ruby On Rails Security

Ruby Defined

Ruby is an object-oriented programming language (OOPL) that was developed by Japanese developer Yukihiro “Matz” Matsumoto. Ruby is influenced by several other OOPLs including Perl, Lisp, Eiffel, Smalltalk and Ada. It is reflective and dynamic, with automatic memory … Read More

Rootkit

Rootkit defined

The term Rootkit is a combination of two words: “root” and “kit.” A rootkit allows malicious attackers to gain “root” or full administrator privileges on a computer in order to perform unauthorized actions. This exploit can result in … Read More

Linux Hacking

Linux is an open-source operating system (OS) that shares many similarities with UNIX. It is the most popular OS used in mainframes, servers and supercomputers, thanks to its multi-user functionality and multitasking capabilities. Linux, while not as common as … Read More

Botnet Detection and Prevention

Botnet, a fusion of the words “robot” and “network”, is basically a group of computers that have been compromised by a malicious attacker and are under their control. Botnets are primarily used for executing Distributed Denial of Service (DDoS) attacks, … Read More

Man-In-The-Middle (MiM) Attacks

A Man-in-the-Middle (MiM) attack is a unique type of session hijacking that many companies face during the flow of communication data between client and server. This occurs when a malicious attacker is able to trick the client into believing he … Read More

Malware

Malware is any type of malicious software that can be used to threaten a network or computer. It is typically used to steal information and data that can be used for personal or financial gain. Malware can be implemented into … Read More

LDAP Injection

LDAP Injection is a vulnerability that affects web applications. It is exploited by sending requests that the vulnerable web application does not properly validate and sanitize. An attacker can then modify LDAP statements using a … Read More

Keylogger: The Invisible Threat

What are keyloggers? A keylogger is a small, simple application that is typically designed to run “invisibly” on a computer so as to avoid detection by the actual computer user. A keylogger does exactly as its name implies—it logs all … Read More

Insecure Cryptographic Storage

Storing encrypted files is critical for companies that offer sensitive information online. But improperly encrypted files can be an equally risky scenario, as this leads to a false sense of security. The process of having improperly encrypted files in storage … Read More

Facebook Security

Facebook is the largest social network in the world, currently boasting over 1.3 billion users. There are also over 9 million applications integrated into the Facebook platform. This has resulted in a huge increase in spyware, malware and other security threats … Read More

Application Vulnerability

Malicious attackers have now turned their focus towards application layer vulnerabilities. Approximately 90% of all security vulnerabilities found in software code are located in the application layer. Applications that are not properly tested have a risk of containing vulnerabilities that … Read More

Internet Security

Why companies need internet security

Online applications offer companies many benefits, but they also increase the risk of web attacks and vulnerability exploits. The internet by itself is a very insecure platform, but network security has improved drastically in recent … Read More

Cross-Site Scripting (XSS) Attacks

Cross-Site scripting defined

Cross-Site scripting, also known as XSS, is the most common application vulnerability exploit found in web applications today. This code is executed via the unsuspecting user’s web browser by manipulating scripts such as JavaScript and HTML. A … Read More

How to Prevent Malicious Code

What is malicious code? Malicious code is created to intentionally harm computers, systems or other devices. It often takes the form of a legitimate action, hidden in the application code of a program that performs a legitimate task. This … Read More

Cross-Site Request Forgery (CSRF) attacks

How CSRF affects companies

Cross-Site Request Forgery (CSRF) is a vulnerability which can be exploited on vulnerable web applications. The exploit is successful when a web application accepts a malicious request that it would normally reject. In this case, the … Read More

Flash Security

Flash is a popular Adobe platform frequently used for creating games, multimedia interaction, animated visualizations, videos and much more. Every time you visit a web page that loads a video, animation or interactive content, it is typically Flash that is the … Read More

SQL Injection

What is SQL injection? SQL injection occurs when a malicious attacker submits a database SQL command which is then executed by the web application. This results in a security vulnerability that can expose the back-end database. This is typically due … Read More

Vulnerability scanning

Any company that has a web presence faces threats on a daily basis. A well-prepared and executed security plan can prevent these attacks, but as new threats and vulnerabilities are found on a daily basis, it is critical that companies … Read More

Penetration Testing For Company Security

A penetration test, also known as a pentest, is a form of network security probe to determine if there are any vulnerabilities, or areas that could possibly be penetrated by an unauthorized user. Basically, a penetration test is an authorized … Read More

Ethical Hacking For Company Security

Ethical hacking explained

Ethical hacking is typically an authorized attack on a system in order to determine flaws and vulnerabilities which could lead to unauthorized access of company data and assets if the flaws are not properly patched. An ethical … Read More

Cybersecurity

Cybersecurity can be defined as the body of processes, practices, safeguards, and technologies an organization uses in the protection and defense of information systems. Along with information systems protection, cybersecurity is also concerned with protecting the software and hardware against attack. … Read More

Vulnerability Scan of Software Code

The term Vulnerability Scan refers to an automated process of identifying security vulnerabilities in a network’s computing systems. The purpose of the scan is to determine whether a system or a program can be exploited or threatened. While servers are … Read More

PHP Scanner

A PHP scanner is a security solution designed to assess networks or applications for weaknesses in code written in PHP. There are many types of vulnerability scanners available today that cater to different customers and market segments. … Read More

.NET Scanner

.NET is one of the world’s leading programming languages. Secure coding in .NET ideally requires a capable .NET code review tool, which can identify today’s commonly exploited security vulnerabilities such as Cross-Site scripting (XSS), SQL injection, insecure server configurations and more. … Read More

Multi-Platform JavaScript Code Analysis

The Source File Metrics application is an advanced JavaScript code analyzer. It calculates metrics such as total files and lines, code lines for multiple formats, and whitespace lines. Comment lines/files, average line length, code/whitespace ratio, code/comments ratio and code/(comments/whitespace) … Read More

SVN Static Code Analysis

Subversion (SVN) is designed to help software developers on collaborative development projects manage their source code. It tracks each commit and the changes within the code so that it’s easy to review the code and ensure that it’s in line … Read More

Static Code Analysis with Eclipse

There are several options available for static code analysis within Eclipse and they all come in the form of plugins. Code coverage can be monitored using EclEmma with a straightforward traffic light warning system to deliver a simple report on whether … Read More

Static Code Analysis for Java

With so many applications being developed in Java, there’s an acute awareness of the importance of application security, and the best way to integrate security into the software development life cycle is through static code analysis. When it comes to … Read More

PHP Static Code Analysis

PHP static code analysis is necessary if you want to ensure that your PHP code will deliver secure applications. There are plenty of options on the market for PHP static code analysis. These include Klocwork, Atlassian, Checkmarx, etc. However, the … Read More

Jenkins Static Code Analysis

Jenkins is a simple application designed to keep an eye on a series of executions in a software environment. Much like CruiseControl, it offers a single, simple-to-use continuous integration system. Developers can then … Read More

JavaScript Static Code Analysis

During the development lifecycle, it’s easy for security vulnerabilities to creep into your code. The best way to head this off at the pass and ensure that security remains a priority during the development life cycle is to use static … Read More

Hudson Static Code Analysis

Hudson is a Java-based tool for continuous integration of software projects. It runs inside a servlet-based container such as GlassFish or Tomcat. It’s designed to deliver a development environment in which builds are quickly and easily compiled, and either

GIT Static Code Analysis

GIT enables simultaneous revision of projects. It allows for multiple developers to work on the same fork or different forks of a code and then simultaneously return them all to the same branch when you need to deliver a change. … Read More

CVS Static Code Analysis

CVS (Concurrent Versions System) is a system for managing the source code within a development team. It allows for collaborative development by supporting a means of tracking each change made to the source code over any period of time. CVS … Read More

C++ Static Code Analysis

As one of the oldest “modern” programming languages, C++ is a relatively mature language and as such there are plenty of tools available for C++ static code analysis. In many cases the choice of which tool you use will be … Read More

C# Static Code Analysis

C# is a well-established development language and as such there are many options for Csharp static code analysis. When you ask developers what they’re looking for in static code analysis, it almost always comes down to the quality of the … Read More

Bamboo Static Code Analysis

Bamboo is a continuous integration server from Atlassian. Its purpose is to provide developers with an environment which quickly compiles code for testing so that release cycles can be quickly implemented in production, while giving full traceability from the feature … Read More

CVE

What is CVE? CVE, which stands for Common Vulnerabilities and Exposures, is an encyclopedia of unique, publicly known security vulnerabilities and exposures maintained by the MITRE Corporation. The database, which was launched in 1999, is free and available for public … Read More

CWE

The Common Weakness Enumeration Specification, shortened to CWE, is a formal list of common, real-world software weaknesses that offers one common language to all the different entities developing and securing software. CWE’s ultimate goal is to help the security testing industry … Read More

CERT

CERT is a non-profit program that was developed by Carnegie Mellon University’s Software Engineering Institute. It focuses on the practices associated with online application security and vulnerability identification, with the goal of helping to improve the security … Read More

SAMATE

The Software Assurance Metrics and Tool Evaluation (SAMATE) is a project developed by the National Institute of Standards and Technology to allow for better methods to be developed and deployed for software assurance. The project has specific goals to develop … Read More

DevOps Security

Research from the Gartner Group has demonstrated that nearly 75% of successful attacks made against an application exploit vulnerabilities that are already well understood, and for which a patch or remediation recommendation is available. Some say that DevOps … Read More

PCI DSS Compliance

Payment Card Industry Data Security Standards (PCI DSS) compliance can be a little daunting for development teams at first glance. These standards were last updated in May 2016, and they’re currently running on version 3.2. PCI DSS standards were developed to deliver … Read More

Agile Security

Ideal application development involves fast builds and effective testing cycles. This is easily facilitated through the employment of agile development methods. However, if you use this development approach there is a potential pitfall – cycles/sprints are extremely short in duration (often 2-4 … Read More

Security Vulnerability

A security vulnerability is a hole or weakness in an application’s code. The weak code could be a design flaw or an implementation bug. If discovered by a malicious actor, the weakness would allow an attacker to cause harm to the application … Read More
