In organizations that encourage the usage of modern application development techniques to expedite the development, delivery, and deployment of custom software applications, the likelihood of open source libraries, components, modules, etc. being pulled into a code base by developers is extremely high. In fact, according to Forrester, “Open source usage has only accelerated as development teams strive to produce high-quality applications quickly. Almost 99% of audited codebases contain some amount of open source, and the average percentage of open source in those code bases has almost doubled — from 36% in 2015 to 70% in 2019.”1 Today, there are excellent rationales to incorporate open source code into an organization’s own applications.
Open source is usually free, it can help developers implement functionality faster than they could if they had to write all of the code from scratch, and it’s often supported by a flourishing community that is constantly updating and improving the code. However, amidst all the benefits, open source has widened the risk landscape for organizations, and in order to narrow the risk, Software Composition Analysis (SCA) solutions are imperative in modern application development. Organizations who utilize open source in their code base must effectively manage vulnerability risk, license risk, and operational risk that open source presents.
As what we consider to be a testament of our efforts of delivering the highest quality AST solutions to market, today we announce that we have been positioned as a Strong Performer in “The Forrester Wave™: Software Composition Analysis, Q3 2021.” Based on Forrester’s evaluation of the 10 most significant SCA solution providers, we achieved the highest possible scores in the market approach, open source vulnerability detection, actionable remediation, and infrastructure-as-code scanning criteria. We are extremely proud of being recognized as a Strong Performer in the Forrester Wave for a solution that has been in market for just over a year.
Beyond SCA, Checkmarx was also recognized as a Leader in The Forrester Wave™: Static Application Security Testing, Q1 2021. Of the 12 most significant SAST vendors Forrester analyzed, Checkmarx ranked highest in the ‘strategy’ category, with the highest scores possible in the product vision, planned enhancements, execution roadmap, and market approach criteria.
Security in the Open Source Supply Chain
Since launching CxSCA, we have elevated the standard for open source security. Leveraging our deep knowledge of software development, and being built by developers - for developers, CxSCA empowers organizations to easily identify open source software in a code base that present the greatest risk, and enables developers to focus and prioritize remediation efforts accordingly.
As organizations worldwide rightfully become more concerned with open source supply chain risks and subsequent attacks , software composition analysis can be a game changer in protecting this supply chain. As a result, visionary SCA vendors like Checkmarx have put greater focus on protecting organizations from these developing risks. For example, with our recent acquisition of Dustico, Checkmarx customers will be able to gain deeper visibility into the open source supply chain by combining our AST capabilities with Dustico’s behavioral analysis technology to evaluate the trustworthiness, health, and potentially malicious behavior of open source packages.
CxSCA + CxSAST Delivers a Better Approach
Being a renowned leader in the SAST market for over 15 years, with thousands of organizations gaining tremendous benefit from performing security testing at the source code level, Checkmarx SAST is one of the most widely accepted solutions available today. Projecting that open source would increasingly be incorporated into today’s code bases, we capitalized on our unique code analysis engine in our CxSAST solution. The reasoning behind this approach and the benefits it delivers is as follows.
One of the truly unique capabilities of CxSCA is how CxSAST underpins the solution. For example, by using CxSAST to statically analyze a project’s source code and the source code of all its used packages, when examining the call graphs and data flows, the exploitability and risk of the discovered open source code can be truly evaluated. We call this the exploitable path.
To be able to determine if an exploitable path exists, we use our CxSAST engine. CxSAST breaks down the code of every major language into an Abstract Syntax Tree, which provided us with much of the needed abstraction. Imports, call graphs, method definitions and invocations – all becomes a tree.
By using CxSAST with queries written in CxQuery, we create an abstraction layer to statically detect vulnerabilities that are actually exploitable. A single algorithm can detect exploitable path across multiple programming languages, and unlike other solutions on the market, CxSCA can easily extend support for more languages.
With CxSCA, we enable organizations to address open source vulnerabilities that are exploitable and highlight ones that are not. This significantly reduces triage and remediation efforts since developers won’t be spending time addressing non-critical issues. This capability is a significant differentiator when compared to other SCA solutions. To learn more about why exploitable path is imperative, we suggest starting with these blogs:
https://checkmarx.com/blog/software-composition-analysis-why-exploitable-path-is-imperative/
https://checkmarx.com/blog/exploitable-path-how-to-solve-a-static-analysis-nightmare/
https://checkmarx.com/blog/exploitable-path-advanced-topics/
With CxSCA, we enable organizations to address open source vulnerabilities earlier in the development lifecycle and reduce manual processes by decreasing false positives and background noise, so you can deliver secure software faster and at scale.
For a free demonstration of CxSCA, please contact us here.
1 The State of Application Security, 2021, Forrester Research, Inc., August 2, 2021
