Most developers and AppSec pros understand the value of Application Security Testing. From running security scans early during software development to running a final scan after an application has been fully compiled, testing is no longer a nice-to-have – it’s a must-have. The challenge these pros really face is trying to make sense of all the scan results that often point to the fact that vulnerable lines of code may exist and need remediation before go-live. Deploying code that is secure as possible, without delaying a release, is a balancing act teams must manage daily.
Teams understand that testing the tens-of-millions of lines of code in the average modern application is going to result in lots of noisy results. They also understand that it is likely going to take hours, if not longer, to go through the results, remediate what is clearly vulnerable code, and mark other scan results as non-exploitable. As a result, teams likely want to either reduce scans altogether or tune-down the scan engines so they don’t deliver as many scan results. And if that isn’t shocking enough, teams often face the need for decisions to deploy known-vulnerable code in the hopes that no one discovers its weakness and exploits the known vulnerabilities. This clearly can be seen as a lose-lose situation.
What teams need now is a new approach to finally resolve this situation, especially in the context of the way modern applications are built. From application source code, microservices code, API code, and infrastructure as code, to container code, open source code, third-party code, etc. the average application today is built more like a model made up of sometimes hundreds of pieces and parts. This requires organizations to have multiple AppSec testing approaches, since no single approach can make sense of the various types of code just mentioned.
So here is the reality. Teams runs scans from the abundance of AppSec testing solutions they have, then they pore over the results and quickly discover something is sorely missing in their approach – a way to truly correlate the results from all of the testing solutions. And in the context of the definition of the word correlation, what they need is a process or solution that can establish a mutual relationship or connection between two or more things. Correlation is far different than aggregation, which simply means, “a cluster of grouping of things that have come or been brought together.” Clearly correlation has little to do with aggregation—overall.
Knowing that this has been the case, and will likely continue to be the case unless something drastically changes, today we [announced] Checkmarx FusionTM—the industry’s first and only true correlation engine for AppSec testing results. Checkmarx Fusion is part of Checkmarx OneTM, the industry’s most comprehensive application security platform.
Figure 1. Checkmarx One Application Security Platform
What is Checkmarx Fusion?
Fusion is a context-aware correlation engine that enables full visibility into applications, component interactions, and bills of materials. It leverages a holistic view of application security scan results across all stages of the software lifecycle to correlate and prioritize vulnerabilities, thereby guiding remediation of the most critical issues first.
Figure 2. Checkmarx Fusion Key Benefits
Checkmarx Fusion Key Benefits:
- Visibility: Provides threat modeling by mapping threats in a visual, intuitive graph containing all software elements, consumed cloud resources, and relationships between them. Checkmarx Fusion extrapolates potential vulnerabilities within two or more scans that might otherwise escape detection.
- Correlation: Adds context to the silo scanners by combining and correlating results from static code scans and runtime scans, effectively eliminating false positives.
- Prioritization: Focuses developers and AppSec teams on solving the most critical issues by prioritizing vulnerabilities based on their real impact and risk.
- Cloud-Native: Leverages cloud-native architecture including microservices, cloud resources, containers, and APIs while correlating insights from pre-deployment to runtime.
Daniela da Cruz, Checkmarx VP of SAST and Engines Engineering describes Fusion best. According to Daniela, “With the Checkmarx One Platform, we now have a platform that runs multiple [scan] engines and technologies under one location. Checkmarx Fusion, the correlation that sits on top of everything, delivers streamlined results from any relevant AST scan to provide additional value to customers. This is a market-changing engine that aggregates AND correlates results into a single view—which no one else in the AppSec industry does. The correlation engine will provide advanced AppSec and other insights on customers’ cloud-native applications through a visual topology view and improved prioritization.”
At the end of the day, Checkmarx is once again leading the Application Security Testing industry in a new direction, and that direction comes from delivering genuine correlation capabilities to organizations that develop their own software because the case for correlation in AST is easy to understand. Like my old drill sergeants used to say, “Some people lead, while others simply get out of their way.”