Checkmarx: Helping Developers Make Flawless Applications
By Joe Philip
CIOReview, April 2014 | 20 Most Promising Enterprise Security Companies 2014 | Enterprise Security
Emmanuel Benzaquen, CEO

In an age where everything has either become or is in the process of becoming digital, there is a software application for every function being developed somewhere in the world. Software has evolved over the years and has made its way from desktop computers to tablets and mobile apps, as well as to appliances and various connected devices such as cars. One thing has remained unchanged through that evolution: the chance of an application being manipulated by hackers. Today it is very clear that whoever develops an application needs to have it tested for security vulnerabilities so that it can withstand cyber-attacks. To combat this delicate situation, many solutions have been developed to protect applications in various ways. Unfortunately, while many of them are able to identify vulnerabilities in an application, the vast majority are inaccurate, ineffective or simply provide very low coverage, missing many vulnerabilities and leaving applications exposed. Or at least that was the case until Checkmarx, an Israeli provider of Static Application Security Testing (SAST) solutions, entered the ring. Founded in 2006 and headed by Emmanuel Benzaquen with the vision of providing comprehensive solutions for automated security code review, the company has pioneered the concept of a query language-based solution for identifying technical and logical code vulnerabilities.

Bringing the Change

"Checkmarx changed the common paradigm of closed-end code scanning and built a platform that enables consistent and in-depth code risk exploration. Compared to other vendors, our company picks up where all other vendors stop," says Emmanuel. Today, all static analysis vendors do repeatable code scans and reports. Checkmarx does not stop at scanning and producing comprehensive vulnerability reports: it also creates a persistent database that stores the analyzed code and all scan results, which enables intelligent and accurate risk-analysis queries. In addition, Checkmarx takes the analysis to the next level; it not only reports findings but, more importantly, identifies the best locations to fix the code, so that all vulnerabilities can be eliminated with the minimum of developer hours.

All source code analyzers make use of common compilers and attempt to find vulnerabilities by scanning a reconstruction of the code. This approach introduces inflexibility and imprecision. Checkmarx instead created a generic abstract model for all programming languages: it converts the code and flow of every language into a single, common-language format stored in a persistent database. On top of this model, Checkmarx developed a query language that can universally analyze and find any code flaws, including security vulnerabilities. The implication of Checkmarx's technical approach is an unparalleled ability to accurately and effectively inspect and summarize application security risk.

Checkmarx does this by first scanning code without compilation, using a patented Virtual Compiler (VC). This is in full contrast to other tools that require a running application to perform application security testing. Not only does the Checkmarx VC find problems before compilation, it also allows scanning across fragmented organizational structures caused by geographic dispersion, outsourcing, open sourcing and so on. The technology normalizes code, creating a universal representation and flow map that is optimized for risk analysis, unlike traditionally compiled code, which is tuned for production.

With broad coverage of a wide range of the latest coding and scripting languages, as well as full support for mobile app security, Checkmarx is ideally positioned for significant growth in the Application Security Testing space. Checkmarx's unique design makes it fairly easy to support new coding languages, and the company is indeed adding 2-3 new languages every year. The ability to scan code fragments also makes Checkmarx's technology ideal for platforms such as Salesforce.com, which encourages third-party developers to create applications on top of salesforce.com. With Checkmarx's technology, such app marketplaces can automatically scan those third-party apps and ensure they meet the marketplace's security standard before they are introduced and used by customers.

2013 was an excellent year for Checkmarx, which now serves over 400 organizations in 25 countries, including four of the world's top 10 software vendors, three of the world's top four consulting firms, and many Fortune 500 and government organizations.
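The two ideas the article attributes to Checkmarx, querying a normalized model of the code for source-to-sink flows and then naming one fix location that removes several findings at once, can be sketched in miniature. The block below is an added illustration written for this page, not Checkmarx's code or its query language: it uses Python's own ast module as the normalized model, the SOURCES and SINKS sets are assumptions, and the sample program is constructed.

```python
import ast
from collections import Counter

# Constructed sample: one untrusted input reaches two sinks via a shared variable.
SAMPLE = """
raw = input()
name = raw.strip()
query = "SELECT * FROM users WHERE name = '" + name + "'"
cursor.execute(query)
cmd = "echo " + name
os.system(cmd)
"""
SOURCES = {"input"}                      # assumed untrusted-input functions
SINKS = {"cursor.execute", "os.system"}  # assumed dangerous sinks

def call_name(call):
    """Dotted name of a call target, e.g. 'os.system' (one attribute level only)."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""

def taint_flows(src):
    """Query the AST model: return every source-to-sink flow as its line path."""
    tainted = {}  # variable name -> lines on the path that tainted it
    flows = []
    for stmt in ast.parse(src).body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            path = []
            for node in ast.walk(stmt.value):
                if isinstance(node, ast.Call) and call_name(node) in SOURCES:
                    path = [stmt.lineno]                    # a new source
                elif isinstance(node, ast.Name) and node.id in tainted:
                    path = tainted[node.id] + [stmt.lineno]  # propagation
            if path:
                tainted[stmt.targets[0].id] = path
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if call_name(call) in SINKS:
                for node in ast.walk(call):
                    if isinstance(node, ast.Name) and node.id in tainted:
                        flows.append({"sink": call_name(call),
                                      "path": tainted[node.id] + [stmt.lineno]})
    return flows

def best_fix_line(flows):
    """Choke point: the non-sink line shared by most flows (latest wins ties)."""
    counts = Counter(line for f in flows for line in f["path"][:-1])
    return max(counts, key=lambda line: (counts[line], line))
```

On the sample, both the SQL and the command sinks are reported, and the recommended fix location is the single `name = raw.strip()` line, where one sanitization step closes both findings.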