Unveiling the Power of Cloud Insights

June 10, 2024

Organizations are facing unprecedented complexities in securing their applications and cloud environments due to multiple cloud service providers, complex infrastructure configurations, and numerous security vendors.

The nature of cloud-native applications requires solutions that can adapt quickly, mitigate risks effectively, and secure critical assets. Traditional vulnerability and risk management solutions frequently fail in the cloud: they are designed for static environments, cannot add relevant context to alerts, and rely on outdated risk-scoring methods. Today, organizations need a simple way to address this complex issue.

Checkmarx Cloud Insights addresses these challenges by correlating data across your entire software development lifecycle and runtime environments. Through smart prioritization mechanisms and Attack Path Analysis, Cloud Insights empowers organizations to streamline their security operations, mitigate risks effectively, and safeguard critical assets in the cloud.

Why integrating with runtime is critical

Traditionally, by the time a vulnerability is discovered, AppSec teams struggle to pinpoint the developer responsible for the code that needs to be fixed. This is even more daunting in large codebases with frequent contributions, and the delay hinders timely fixes. Additionally, developers often lack visibility into the application's real-world behavior, making it hard to gauge the true impact of vulnerabilities and prioritize fixes. For today's enterprises, integrating with runtime is crucial for effective vulnerability and risk management.

Integrating with runtime

Checkmarx is revolutionizing cloud-native application security by integrating with AWS, Sysdig, Wiz and other leading CNAPP vendors. These integrations provide organizations with actionable insights by correlating data across the entire software development lifecycle (SDLC) and runtime environments.

Correlating context from runtime with pre-deployment data has several benefits:

  • Reduces noise and alert fatigue by prioritizing internet-facing vulnerabilities and filtering out non-runtime vulnerabilities. This ensures critical issues are addressed promptly to protect applications from external threats.
  • When a vulnerability is found in runtime, it pinpoints the vulnerability’s location in the source code and identifies the relevant developer. This is valuable for incident response and general vulnerability management, since it allows for faster remediation and accountability.
  • Verifies that code fixes make their way through every step of the SDLC, including in the container image, any running containers, and clusters.

Cloud Insights offers a holistic view of vulnerabilities and risks across the software lifecycle, enhancing risk mitigation practices. This integration ensures that security insights are seamlessly gathered and analyzed, regardless of the existing environment.

How do we do it?

When integrating with Sysdig, we query the Sysdig API for the list of open source packages per container image in use. We then scan the images and extract the static packages and their vulnerabilities. Finally, we cross-match the list of static packages against the packages identified in the running containers and associate them with the corresponding Checkmarx One projects.

When integrating with Wiz, we establish a secure connection to Wiz's API endpoints. Over this connection, we send requests to Wiz's GraphQL endpoints, specifically for inventory and runtime-related data such as clusters, pods, containers, and network exposures. Wiz's API executes these queries against its data sources and returns the results to us in JSON format.

With the AWS integration, the customer provides an IAM role that can read clusters and other metadata from AWS EKS. We then authenticate, call the AWS APIs, and connect to the cluster. Using the Kubernetes API, we receive the list of images running under each connected cluster. We then use AWS Network Access Analyzer to add a public-exposure flag to every relevant mapped container image. This way we know which resources are publicly exposed and can determine the risk level for better prioritization.

After getting the information from Wiz or AWS, we use a heuristic algorithm to match container image names with the Checkmarx One project name and corresponding source code repo. We then correlate runtime data to the risk calculation based on detected vulnerabilities and misconfigurations from earlier in the SDLC. This process helps reduce alert noise by prioritizing critical internet-facing vulnerabilities and focusing the user on projects that are already deployed.
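The correlation step described in this section, as an added illustration that is not Checkmarx code: static scan results per image are cross-matched against a runtime inventory, image names are matched to project names heuristically, and findings are prioritized by whether they are actually running and internet-facing. Everything here is constructed inline (the `STATIC_SCANS`, `PROJECTS` and `RUNTIME_INVENTORY` data, the `VULN-*` identifiers and the `registry.example.com` images are placeholders); the CNAPP and cloud API calls that would supply the runtime inventory in a real integration are replaced by that literal data.

```python
"""Correlate pre-deployment package findings with a runtime container inventory.

Added example, not Checkmarx code. All data below is constructed; in a real
integration RUNTIME_INVENTORY would come from a CNAPP or cloud-provider API.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: static scan output, one entry per built image, with the
# vulnerabilities found in each package before deployment.
STATIC_SCANS = {
    "registry.example.com/payments-api:1.4.2": {
        "log4j-core": {"version": "2.14.1", "vulns": ["VULN-A"]},
        "jackson-databind": {"version": "2.9.8", "vulns": ["VULN-B"]},
        "commons-text": {"version": "1.10.0", "vulns": []},
    },
    "registry.example.com/batch-worker:0.9.0": {
        "pyyaml": {"version": "5.1", "vulns": ["VULN-C"]},
    },
    "registry.example.com/legacy-report:3.0.0": {
        "struts2-core": {"version": "2.3.14", "vulns": ["VULN-D"]},
    },
}

# Constructed: projects known to the AppSec platform (project name -> repo).
PROJECTS = {
    "payments-api": "git@example.com:shop/payments-api.git",
    "batch-worker": "git@example.com:shop/batch-worker.git",
}

# Constructed: runtime inventory (image, where it runs, exposure, and the
# packages the runtime agent actually observed inside the container).
RUNTIME_INVENTORY = [
    {"image": "registry.example.com/payments-api:1.4.2", "cluster": "prod-eks",
     "pod": "payments-api-7c9f", "internet_facing": True,
     "packages": {"log4j-core": "2.14.1", "commons-text": "1.10.0"}},
    {"image": "registry.example.com/batch-worker:0.9.0", "cluster": "prod-eks",
     "pod": "batch-worker-a1b2", "internet_facing": False,
     "packages": {"pyyaml": "5.1"}},
]


def image_basename(image: str) -> str:
    """'registry/ns/app:1.2@sha256:...' -> 'app' (strip registry, tag, digest)."""
    name = image.split("@", 1)[0].rsplit("/", 1)[-1]
    return name.split(":", 1)[0]


def match_project(image: str, projects: Dict[str, str]) -> Optional[str]:
    """Heuristic name match: exact normalized basename first, then a project
    name contained in the image name (e.g. 'payments-api-canary')."""
    base = re.sub(r"[_.]", "-", image_basename(image)).lower()
    normalized = {re.sub(r"[_.]", "-", p).lower(): p for p in projects}
    if base in normalized:
        return normalized[base]
    for key, original in normalized.items():
        if key in base:
            return original
    return None


@dataclass
class Finding:
    vuln_id: str
    package: str
    image: str
    project: Optional[str]
    repo: Optional[str]
    in_runtime: bool
    internet_facing: bool
    cluster: Optional[str] = None   # cluster -> pod -> image is the exposure path
    pod: Optional[str] = None

    @property
    def priority(self) -> str:
        if not self.in_runtime:
            return "LOW"            # not deployed or not loaded: noise
        return "CRITICAL" if self.internet_facing else "HIGH"


def correlate(static_scans, runtime_inventory, projects) -> List[Finding]:
    """Join static findings to runtime facts and sort by resulting priority."""
    running = {r["image"]: r for r in runtime_inventory}
    findings: List[Finding] = []
    for image, packages in static_scans.items():
        rt = running.get(image)
        project = match_project(image, projects)
        for pkg, info in packages.items():
            # Counts as "in runtime" only if the same package and version
            # was observed in the running container, not merely in the image.
            in_rt = bool(rt) and rt["packages"].get(pkg) == info["version"]
            for vid in info["vulns"]:
                findings.append(Finding(
                    vuln_id=vid, package=pkg, image=image, project=project,
                    repo=projects.get(project) if project else None,
                    in_runtime=in_rt,
                    internet_facing=bool(rt["internet_facing"]) if in_rt else False,
                    cluster=rt["cluster"] if in_rt else None,
                    pod=rt["pod"] if in_rt else None))
    order = {"CRITICAL": 0, "HIGH": 1, "LOW": 2}
    findings.sort(key=lambda f: (order[f.priority], f.vuln_id))
    return findings


if __name__ == "__main__":
    for f in correlate(STATIC_SCANS, RUNTIME_INVENTORY, PROJECTS):
        print(f.priority, f.vuln_id, f.package, f.project, f.cluster, f.pod)
```

With the constructed data, the log4j finding in the internet-facing payments pod comes out CRITICAL, the pyyaml finding in the internal batch worker HIGH, and the jackson-databind finding drops to LOW because the runtime agent never observed that package in the running container; the legacy-report image matches no project and is not running, so it sits at the bottom. The retained cluster/pod/image chain on each finding is the raw material an exposure-path view would draw.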

Prioritizing Risk with Runtime Insights

Cloud Insights empowers your security teams to make informed decisions by prioritizing exploitable risks within running applications – whether it’s a cross-site scripting vulnerability or a potential SQL injection. It eliminates the “noise” of alerts triggered by vulnerabilities present in unused code or non-deployed configurations, which allows your teams to focus on the most business-critical issues. This data is integrated into the ASPM Risk Management dashboard, offering a new input that provides an at-a-glance view of application risk. This targeted approach streamlines the remediation process, reduces wasted effort, and ultimately enhances the organization’s overall application security posture.

Attack Path

Attack Path analysis identifies and visualizes the exposure path of vulnerabilities, showing the sequence of attack steps that attackers could use to harm cloud applications.

  • Visibility: Integrates data across all stages from code to runtime, including vulnerability analysis in the codebase, examination of misconfigurations during build and deployment, and identification of vulnerabilities in running applications and environments. This integration provides a unified understanding of security risks across the development lifecycle and the insights needed for risk prioritization.
  • Path to Vulnerability Exploitation: Shows the path by which a container image could be reached from the internet through the cluster and pod. Identifying these potential exploit paths reveals security gaps and helps prioritize remediation.
  • Efficiency and Accuracy: Simplifies identifying which container images need updates, improving efficiency and accuracy in addressing security vulnerabilities, implementing new features, and maintaining application stability and performance.

Enhancing Cloud Security with Checkmarx Cloud Insights

Checkmarx Cloud Insights combines and correlates information about vulnerabilities, misconfigurations, code repositories, and matched projects across the SDLC and runtime, providing businesses with a comprehensive view of potential risk. Attack Path analysis improves security operations by helping teams proactively address risks and strengthen cloud application defenses against cyber-attacks.

By combining our industry-leading scanners with runtime information provided by Cloud Insights, organizations can achieve unparalleled visibility and control over their cloud-native applications. This integrated approach enables security and development teams to identify vulnerabilities within Checkmarx One projects and prioritize them based on their exposure in runtime, ensuring that critical issues are addressed promptly and effectively.

To learn how Cloud Insights can help you identify, prioritize, and remediate vulnerabilities and misconfigurations effectively and strengthen your security posture, request a demo today.