Checkmarx: Helping Developers Make Flawless Applications

Emmanuel Benzaquen, CEO

In an age where everything has either become digital or is in the process of becoming so, there is a software application for every function being developed in some part of the world. Software applications have evolved over the years and have made their way from desktop computers to tablets and mobile devices, as well as to appliances and connected devices such as cars. Through all of that evolution, one thing has remained unchanged: the chance of the application being manipulated by hackers. Today it is very clear that whoever develops an application needs to ensure that it is tested for security vulnerabilities so that it can withstand cyber-attacks. To address this, many solutions have been developed to protect applications in various ways. Unfortunately, while many of them can identify vulnerabilities in an application, the vast majority are inaccurate, ineffective, or simply provide very low coverage, and they miss many vulnerabilities, leaving the applications exposed.

Or at least that was the case until a company from Israel named Checkmarx, a provider of Static Application Security Testing (SAST) solutions, entered the ring. Founded in 2006 and headed by Emmanuel Benzaquen, with the vision of providing comprehensive solutions for automated security code review, the company pioneered the concept of a query-language-based solution for identifying technical and logical code vulnerabilities.
Bringing the Change

“Checkmarx changed the common paradigm of closed-end code scanning and built a platform that enables consistent and in-depth code risk exploration. Compared to other vendors, our company picks up where all other vendors stop,” says Emmanuel.

Today, all static analysis vendors run repeatable code scans and produce reports. Checkmarx, by contrast, creates a persistent database that stores the analyzed code and all scan results, which enables intelligent and accurate risk-analysis queries. In addition, Checkmarx takes the analysis a step further: it not only reports findings but, more importantly, identifies the best locations at which to fix the code, so that all vulnerabilities can be eliminated with the minimum of developer hours.

All source code analyzers make use of common compilers and attempt to find vulnerabilities by scanning a reconstruction of the code. This approach introduces inflexibility and imprecision. Checkmarx created a generic abstract model for all programming languages: it converts the code and control flow of every language into a single, common-language format stored in a persistent database. On top of this model, Checkmarx developed a query language that can universally analyze the code and find any code flaw, including security vulnerabilities.

The implication of Checkmarx’s technical approach is an unparalleled ability to accurately and effectively inspect and summarize application security risk.

Checkmarx does this by first scanning code without compilation, using a patented Virtual Compiler (VC). This is in full contrast to other tools, which require a running application to perform application security testing. Not only does the Checkmarx VC find problems before compilation, but it also allows scanning across organizational structures fragmented by geographic dispersion, outsourcing, open sourcing and so on. The technology normalizes code, creating a universal representation and flow map that is optimized for risk analysis, unlike traditionally compiled code, which is tuned for production.

With its broad coverage of a wide range of the latest coding and scripting languages, as well as full support for mobile app security, Checkmarx is ideally positioned to see significant growth in the Application Security Testing space. Checkmarx's unique design makes it fairly easy to support new coding languages, and the company is indeed adding 2-3 new languages every year. The ability to scan code fragments also makes Checkmarx's technology ideal for platforms such as Salesforce.com, which encourages third-party developers to create applications on top of salesforce.com. With Checkmarx's technology, such app marketplaces can automatically scan those third-party apps and ensure that they meet the marketplace's security standard before they are introduced into the marketplace and used by customers.

2013 was an excellent year for Checkmarx, which now serves over 400 organizations from 25 countries, including four of the world's top 10 software vendors, three of the world's top four consulting firms, and many Fortune 500 and government organizations.

Company: Checkmarx

Headquarters: New York, NY

Management: Emmanuel Benzaquen, CEO

Description: A provider of application security testing products, static code analysis, and secure SDLC solutions.