Or at least that was the case until a company from Israel named Checkmarx, a provider of Static Application Security Testing (SAST) solutions, entered the ring. Founded in 2006 and headed by Emmanuel Benzaquen with the vision of providing comprehensive solutions for automated security code review, the company has pioneered the concept of a query language-based solution for identifying technical and logical code vulnerabilities.
“Checkmarx changed the common paradigm of closed-end code scanning and built a platform that enables consistent and in-depth code risk exploration. Compared to other vendors, our company picks up where all other vendors stop,” says Emmanuel.
Today, all static analysis vendors do repeatable code scans and reports. Checkmarx, by contrast, creates a persistent database that stores the analyzed code and all scan results, which enables intelligent and accurate risk analysis queries. In addition, Checkmarx takes the analysis to the next level: it not only provides findings but, more importantly, identifies the best locations to fix the code, so that all vulnerabilities can be eliminated with the minimal amount of developer hours.
All source code analyzers make use of common compilers and attempt to find vulnerabilities by scanning a reconstruction of the code. This approach introduces inflexibility and imprecision. Checkmarx created a generic abstract model for all programming languages. It converts the code and control flow of every language into a single, common-language format stored in a persistent database. On top of the model, Checkmarx developed a query language that can universally analyze and find any code flaws, including security vulnerabilities.
The implication of Checkmarx’s technical approach is an unparalleled ability to accurately and effectively inspect and summarize application security risk.
Checkmarx does this by first scanning code without compilation using a patented Virtual Compiler (VC).
With its broad coverage of a wide range of the latest coding and scripting languages, as well as full support for mobile app security, Checkmarx is ideally positioned to see significant growth in the Application Security Testing space. Checkmarx's unique design means that it is fairly easy for it to support new coding languages, and indeed it is adding 2-3 new languages every year. The ability to scan code fragments also makes Checkmarx's technology ideal for platforms such as Salesforce.com, which encourages third-party developers to create applications on top of salesforce.com. With Checkmarx's technology, such app marketplaces can automatically scan those third-party apps and ensure that they meet the marketplace's security standard before they are introduced into the marketplace and used by customers.
2013 was an excellent year for Checkmarx, which now serves over 400 organizations from 25 countries, including four of the world's top 10 software vendors, three of the world's top four consulting firms, and many Fortune 500 and government organizations.