Today, we announced our Checkmarx One 3.0 release. With 1,200+ of our current customers, (hopefully 😊) future customers, and favorite partners joining our platform launch event, we’re both excited and humbled. Excited for the chance to share everything that we’ve been up to, as well as our vision for the future, and humbled that we’ve managed to hit such a nerve with so many of you.
Because what do you look for in an AppSec platform? Gartner published its latest Hype Cycle for Application Security, 2023 in July. What’s always fascinating with the Hype Cycle is the juxtaposition of market interest and customer adoption. For example, Application Security Posture Management (ASPM) is currently at the very Peak of Inflated Expectations. Everybody is talking about it. Vendors are positioning themselves. Customers are trying to understand what ASPM can do for them, because Gartner says it’s going to have a transformational business impact…in two to five years.
This challenges us to think about and evaluate AppSec platforms in a different way. Every enterprise has a technology roadmap of when they plan to purchase and deploy different technologies over the next five years, and AppSec is no different. Our customers typically start with SAST. Then, they move to SCA. Then, they move to API security, supply chain security, or Infrastructure as Code security. The purpose of a platform is to make it easier to integrate all these different solutions into your technology stack. But that means you’re also making a bet. Because it’s not just about which platform best meets your needs today, but also going forward. You’re making a bet that the platform you choose today will continue to meet your technology needs in the future when you’re actually ready to adopt.
That’s why the Checkmarx One 3.0 release is so exciting. There are always new features and capabilities. Now we can start talking about how those new features and capabilities connect us from where we started when we launched Checkmarx One almost exactly two years ago, to where we’re going, and how we’re building the AppSec platform of tomorrow.
AI-Powered Application Security
You don’t need me to tell you that AI is popping up everywhere. At Checkmarx, we’re focused on tackling the three grand challenges that AI brings to AppSec:
- AI is disrupting the developer workflow. In Stack Overflow’s 2023 Developer Survey, 72% of developers believe their workflow for writing code will be very or somewhat different just one year from now, because of AI tools. For AppSec teams, the question is how to keep up with and adapt to that change.
- AI will introduce new threats. Change in application architecture or software development always has the potential to introduce new attack vectors. We’ve already seen examples of AI hallucination attacks, but these are just the beginning as developers increasingly embrace new ways to build applications.
- AI can democratize AppSec. AppSec has always been a challenge, with not enough resources or expertise. Today, responsibility is increasingly shifting to developers, which will exacerbate the problem. However, embracing AI in AppSec can enable and better support developers to build increasingly secure applications.
We’re building the AI-powered enterprise AppSec platform. With version 3.0, you’ll see new innovations across all our solutions and technologies that both leverage AI and help you better respond to the coming AI tsunami in your own organizations.
Seamless Developer Experience
Checkmarx One 3.0 includes many improvements to our overall developer experience, and also introduces a new way to approach it. When most vendors approach developer experience, they typically start with integrating AppSec into the developer workflow. At Checkmarx, we start even earlier with the accuracy of our solutions and the prioritization of our findings, because that reduces the noise that enters the developer workflow in the first place.
We’re especially excited about the new AI Query Builder. AppSec practitioners know that application security is hard. No AppSec solutions are 100% accurate out of the box. Every application is different, and every solution needs to be tailored to each application to minimize false positives and negatives. Checkmarx SAST has always provided 40+ presets to start tuning out of the box, as well as a custom query builder to further refine it. Now, AI Query Builder gives every customer the ability to tune their SAST, even if they have limited AppSec expertise.
Expanded Supply Chain Security
Checkmarx has always led the way in Software Supply Chain Security (SSCS). We were the first Software Composition Analysis (SCA) vendor to introduce malicious package detection. Checkmarx Labs inspects over 7.6 million open source packages for all kinds of threats as part of our open source security initiatives, and we’ve identified over 200k malicious packages to date.
For most of our customers, malicious package detection is an easy first step into SSCS because it takes advantage of their existing SCA product to manage malicious packages – in the same way they manage vulnerable packages today. As part of Checkmarx One 3.0, we’re excited to expand our vision, and portfolio, with secrets detection, project scorecard, and AI code generation to help our customers protect more and more of their software supply chain.
End-to-End API Security
Last August, Checkmarx introduced API Security as the industry’s only true shift-left API security solution. We started with the capabilities needed to discover and inventory APIs in source code, which was (and still is) a unique approach to combatting the problem of shadow or undocumented APIs. In April, we introduced Checkmarx DAST, which provided an opportunity to expand on what we launched and build an end-to-end API Security solution.
Like a Web Application Firewall (WAF) or API gateway, most DAST solutions require you to tell them where your APIs are, typically with some form of API documentation like a Swagger file, before they can test your APIs. This means that they can’t help with shadow or undocumented APIs. By integrating API Security and DAST together, Checkmarx One 3.0 now can discover every API in your source code, including shadow or undocumented APIs, and test them in live applications with DAST, allowing your enterprise to shift everywhere.
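To make the shadow-API problem concrete, here is an added example that is not Checkmarx code and not part of the original post. It assumes a Flask-style code base whose endpoints are declared with `@app.route(...)` decorators, and a constructed OpenAPI (Swagger) document of the kind a spec-driven DAST would consume. It goes slightly beyond the text by also reporting stale entries (documented but no longer in code). The set difference `code - spec` is exactly the list of endpoints a documentation-driven scanner would silently skip, which is what you would want to feed into a DAST scope or a review queue.

```python
import json
import re

# Constructed sample source (hypothetical app, not a real project): three routes,
# one of which (the debug endpoint) nobody ever added to the API documentation.
SAMPLE_SOURCE = '''
@app.route("/api/v1/users", methods=["GET"])
def list_users(): ...

@app.route("/api/v1/users/<int:user_id>", methods=["GET", "DELETE"])
def user_detail(user_id): ...

@app.route("/api/v1/debug/dump", methods=["POST"])
def debug_dump(): ...
'''

# Constructed sample OpenAPI document: what the team *believes* is exposed.
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/api/v1/users": {"get": {}},
        "/api/v1/users/{user_id}": {"get": {}},
        "/api/v1/legacy/export": {"get": {}},
    },
})

# Matches @app.route("<path>") with an optional methods=[...] argument.
ROUTE_RE = re.compile(
    r'@app\.route\(\s*"(?P<path>[^"]+)"'
    r'(?:\s*,\s*methods\s*=\s*\[(?P<methods>[^\]]*)\])?\s*\)'
)
# Flask path parameters look like <int:user_id>; OpenAPI uses {user_id}.
FLASK_PARAM_RE = re.compile(r"<(?:[a-z]+:)?([A-Za-z_][A-Za-z0-9_]*)>")


def normalize_path(path):
    """Rewrite Flask parameter syntax to OpenAPI syntax so both sides compare equal."""
    return FLASK_PARAM_RE.sub(r"{\1}", path)


def endpoints_from_source(source):
    """Return the set of (METHOD, path) pairs declared via route decorators."""
    found = set()
    for m in ROUTE_RE.finditer(source):
        path = normalize_path(m.group("path"))
        methods_raw = m.group("methods")
        methods = ["GET"]  # Flask's default when methods= is omitted
        if methods_raw:
            methods = [s.strip().strip('"\'').upper()
                       for s in methods_raw.split(",") if s.strip()]
        for method in methods:
            found.add((method, path))
    return found


def endpoints_from_openapi(spec_json):
    """Return the set of (METHOD, path) pairs described in an OpenAPI document."""
    spec = json.loads(spec_json)
    found = set()
    for path, operations in spec.get("paths", {}).items():
        for method in operations:
            found.add((method.upper(), path))
    return found


def shadow_api_report(source, spec_json):
    """Compare what the code exposes with what the spec documents."""
    in_code = endpoints_from_source(source)
    in_spec = endpoints_from_openapi(spec_json)
    return {
        # Shadow APIs: a spec-driven DAST would never test these.
        "undocumented": sorted(in_code - in_spec),
        # Documented but no longer present in code.
        "stale": sorted(in_spec - in_code),
        "covered": sorted(in_code & in_spec),
    }


if __name__ == "__main__":
    print(json.dumps(shadow_api_report(SAMPLE_SOURCE, SAMPLE_OPENAPI), indent=2))
```

The decorator regex is deliberately narrow (double-quoted paths, one framework); in a real code base you would extend it per framework or, better, walk the AST rather than pattern-match text. The comparison logic is the part that carries over unchanged.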
Get the Most Out of AppSec Consolidation
We’ve been talking about consolidation for as long as there have been point solutions. Many of you have security technology stacks with hundreds of different tools, which presents a challenge for operational management, vendor management, and costs.
At Checkmarx, our vision is to be your enterprise AppSec platform and help you bring all your AppSec solutions under one roof, behind a single pane of glass, and with an additional correlation and prioritization layer to enable your teams to actually reduce risk. With Checkmarx One 3.0, we’re building on our launch of Fusion last year, Application Risk Management this past June, and our recent Sysdig integration announcement to show you how this comes together in an extensible AppSec platform that helps you shift everywhere from pre-production to production.
We’re excited to introduce these new capabilities as part of our Checkmarx One 3.0 launch. There’s just so much here that everything above feels like only the introduction. We’re just starting to unpack everything that’s in this release and what it can mean for you. To learn more about these capabilities, join us in our platform launch event today (or watch the recording after) or our deep-dive webinars into each of the topics above at the end of October. For Checkmarx customers, please reach out to your account team to learn more about these (and more).
Source: Gartner, Hype Cycle for Application Security, 2023, Dionisio Zumerle, 24 July 2023