Reducing software risk and boosting developer and AppSec team productivity are central to our mission here at Checkmarx. We’ve designed the Checkmarx One™ Application Security Platform to be the best in the business at identifying code vulnerabilities and integrating seamlessly into the tools developers already use. Our aim is to help organizations improve software security without compromising their ability to innovate—making life easier for developers and application security teams at the same time.
To do that, we’ve built Checkmarx Fusion, a context-aware correlation engine that enables full visibility into applications, component interactions, and bills of materials. It leverages a holistic view of application security scan results across all stages of the software lifecycle to correlate and prioritize vulnerabilities, thereby guiding remediation of the most critical issues first. Checkmarx Fusion empowers developers and AppSec teams with these four pillars:
- Visibility: Provides threat modeling by mapping threats in a visual, intuitive graph containing all software elements, consumed cloud resources, and relationships between them. Checkmarx Fusion extrapolates potential vulnerabilities within two or more scans that might otherwise escape detection.
- Correlation: Adds context to siloed scanners by combining and correlating results from static code scans and runtime scans, effectively eliminating false positives.
- Prioritization: Focuses developers and AppSec teams on solving the most critical issues by prioritizing vulnerabilities based on their real impact and risk.
- Cloud-Native: Leverages cloud-native architecture including microservices, cloud resources, containers, and APIs while correlating insights from pre-deployment to runtime.
However, even though Checkmarx covers application security, the security ecosystem has more layers. A wide range of tools manages other elements such as security misconfigurations, pen-testing results, and other vulnerabilities, and these tools generate huge numbers of alerts clamoring for inspection, triage, and remediation.
Manually handling all these alerts intensifies pressure on already stretched security teams and leads to a concerningly long gap between identifying a problem and getting it fixed.
Bringing the future of work to security teams.
That’s why we are delighted to introduce Seemplicity as a new partner. Seemplicity is a risk reduction and productivity platform with a philosophy that aligns exactly with Checkmarx: making life easier, better, and happier for security professionals.
Seemplicity collates findings from tools like Checkmarx One, AWS Security Hub, and GCP Security Command Center; in fact, it can integrate any tool teams are using into the platform. This means there are no more silos of data that must be manually collated before anyone can act on them. Seemplicity normalizes and aggregates the findings into a single list, de-duplicating data and prioritizing results so teams can find the signal through the noise.
The Seemplicity platform automatically identifies and notifies remediation owners, eliminating a large part of the administrative load for security teams. It creates automated workflows within teams’ preferred workflow tools, such as Jira, Trello or ServiceNow, offering great visibility over the remediation progress. Security teams can view all remediation activity and updates in a single place, which reduces the risk of issues slipping through the gaps, as often happens when different team members are copy/pasting information from one tool to another.
From a strategic perspective, Seemplicity monitors improvements in security posture over time through reporting against KPIs such as mean time-to-remediation and other bespoke SLAs used within the business.
We are already seeing the partnership pay dividends for our joint customers, who tell us that they have accelerated their average time-to-remediation by 10x and reduced the number of open findings by around 60% over the same time frame. They are also reporting that they need around three fewer full-time equivalent employees to achieve these results. That’s a huge win for resource-limited teams, who can then focus on higher value activities. It also means customers get maximum value from their investment in Checkmarx.
Four ways the Seemplicity and Checkmarx partnership strengthens security programs
Together we have identified four key use cases where Checkmarx and Seemplicity amplify productivity and risk reduction.
- Full visibility and remediation across the entire enterprise business application: Teams can see all the relevant security alerts from Checkmarx and complementary solutions such as AWS-native tools in a single dashboard. This gives a more strategic picture of enterprise application security and highlights instances where vulnerabilities are regularly arising, which could indicate a need for training or policy updates.
- Rapidly reduce fix backlogs: Backlogs are a huge issue for security teams. The bigger they get, the greater the pressure and the higher the risk of burnout for AppSec professionals. By aggregating and deduping similar issues reported by multiple products, the volume of alerts is reduced. Then, by creating custom risk scores based on the organization's risk profiling and application dependencies, the most urgent issues can be automatically assigned to the right fixers fast, helping clear the backlog more quickly.
- Prioritize fixes based on severity and workload: Seemplicity automatically assigns urgency to fixes based on risk appetite and allocates them to the best-placed remediators based on their current workload. This avoids negotiation over task priority and ensures the business is taking the fastest route to a stronger security posture. It simply means you are fixing what needs to be fixed and the right people are doing the work.
- Provide SDLC compliance verification for SOC 2 and ISO 27001: Seemplicity provides a clear, auditable overview of the organization's fault remediation process. All issues are automatically recorded and tracked from identification to remediation, so compliance with defined internal remediation SLAs and external standards can be demonstrated.
Another great feature of Seemplicity is how it deals with false positives and retired code. Checkmarx already minimizes the volume of false positives that create alerts, but Seemplicity does this across the security ecosystem, really cutting down the amount of time wasted on removing them from the data set. It also allows you to manage the process of "not fixing" when a compensating control is already in place or no action is actually needed. Security teams and the development teams responsible for remediation accelerate their joint work, making the organization more secure, faster.
With Checkmarx and Seemplicity in place, security teams can be confident that not only are they finding all the vulnerabilities, but that they can get the fix done fast and efficiently. The partnership really accelerates performance and lays an excellent foundation to scale the security function to keep pace with the business.
Find it with Checkmarx, fix it with Seemplicity. To learn more about our new partnership, join our webinar on 4 August. Register here.
To learn more about how Checkmarx One™ Application Security Platform can help you secure your applications, request a 14-day free trial here.