Checkmarx + Wiz: Advancing AppSec with Code to Cloud Integration https://checkmarx.com/blog/checkmarx-wiz-advancing-appsec-with-code-to-cloud-integration/ Tue, 02 Jul 2024 08:45:00 +0000 https://checkmarx.com/?p=92258 Today, securing applications and cloud environments is necessary for enterprises worldwide. Checkmarx has partnered with Wiz to address this critical need. This strategic partnership brings together Checkmarx’s expertise in application security with Wiz’s CNAPP solution. This allows mutual customers to enjoy a truly comprehensive approach to security, from the first line of code to deployment and runtime in the cloud.

Embracing code to cloud is now much easier

There are three pillars leading this approach:

  • Streamlined security posture management – Integrate security into every stage of the development lifecycle, offering unified view, automated risk analysis, and remediation guidance.
  • Enhanced efficiency for teams – Achieve clear communication through integrated workflows, streamlined processes, and meeting development teams right where they work with the information they need.
  • Actionable insights & prioritized remediation – Identify Kubernetes clusters, container images, and code repositories and map them to Checkmarx One applications and projects with runtime data, for better risk management and to prioritize critical vulnerabilities effectively.

Understanding the Integration

The integration between Checkmarx and Wiz helps deliver actionable insights and prioritizes vulnerability remediation to our mutual customers. Checkmarx One correlates Wiz’s cloud asset inventory and network exposure with vulnerabilities and application security results, such as code repositories. This gives organizations the context needed to prioritize vulnerability remediation based on what is exploitable in the running application. This approach reduces the noise generated by non-critical vulnerability alerts by up to 90% and enables customers to focus their resources on addressing high-impact security issues.

This integration brings to life the “Shift Left, Shield Right” strategy, extending our Checkmarx One offering by adding runtime information to secure every stage of the Software Development Life Cycle (SDLC). This helps encourage collaboration between different teams and stakeholders throughout the entire process. Developers then gain access to actionable security insights directly within their IDE, which allows them to address vulnerabilities early in the development process. Then security teams can leverage runtime context and cloud asset inventory in order to provide developers with the most relevant security information and guidance. Ultimately, it accelerates the delivery of secure applications in a cloud-native environment.

As part of this partnership, we have also integrated our SAST scan results with the Wiz platform to correlate them with cloud security insights. This supports our combined vision of code to cloud and back – enabling greater security posture across an organization’s SDLC. With this new capability, our mutual customers can prioritize and address the most significant risks on the most business-critical assets. This partnership aims to streamline vulnerability detection and mitigation, transforming how enterprises secure their applications and cloud environments.

How Checkmarx enriches AppSec findings with Wiz runtime insights

Let’s see this in action.

In the Risk Management tab, we correlate all the Checkmarx scanner information and runtime data. We tie them back to their project, and their associated user. Adding the runtime context, and internet-facing information from the Wiz integration enables us to add another piece of the puzzle and modify the risk level to reflect what we know and prioritize them more effectively.

Runtime context allows us to understand whether vulnerabilities are exposed to the internet, which increases the risk of exploitation. Vulnerabilities that are exposed to the internet are prioritized due to their increased risk level.

Let’s now look at the project level, where Checkmarx One connects all the dots. We can see all the building blocks of the project, code repos, and packages used within the project, including when they were scanned, how many vulnerabilities they have, the risk level and the runtime context. This allows us to better prioritize the risk and escalate it as needed.

How Wiz enriches CNAPP with Checkmarx SAST findings

The integration of Checkmarx SAST scan results with the Wiz platform enhances application security directly on Wiz’s platform. Combining application security findings with Wiz’s own cloud security scan data, helps organizations identify, prioritize, and address the most significant risks to critical assets, at the development stage. This correlation provides a unified and actionable security visibility, improving the detection and mitigation of vulnerabilities across the entire software lifecycle.

Organizations can then navigate the complexities of modern cloud environments securely: with streamlined security posture management, actionable insights, and enhanced collaboration, they can effectively mitigate risks and accelerate their cloud journey with confidence.

If you wish to start gathering runtime insights and see the magic happen, Request a Demo to get started.

Container runtime insights to prioritize what matters most   https://checkmarx.com/blog/container-runtime-insights-to-prioritize-what-matters-most/ Tue, 06 Feb 2024 12:00:00 +0000 https://checkmarx.com/?p=90054 Through an integration with Sysdig, Checkmarx One users can now leverage runtime container insights to prioritize vulnerabilities associated with running container packages that pose the most risk.   

Prefer not to read? You can watch a replay of our joint webinar where we go into more depth about the capabilities and demonstrate live within the Checkmarx One and Sysdig Secure products. Watch now ->

In the past several years containers have emerged as a favorable choice for deploying applications: their architecture allows developers to set aside concerns about dependencies and environments. Everything essential for running an application is neatly encapsulated within the container, encompassing code, runtime, system tools, libraries, and dependencies.

In cloud-native environments, containers, when coupled with best practices and the appropriate tools, offer seamless scalability, ensuring optimal application performance and availability. This flexibility not only caters to peak demands but also frees processing power for various application components.

However, the challenge arises when cloud and application security functions operate in silos, creating fragmentation. This scenario leaves AppSec teams without the correlation or context to understand which container packages are running and which are not, and therefore unable to prioritize the associated risks effectively.

Imagine a scenario where developers, prompted by security alerts and new work items, invest their valuable time in remediation efforts, only to discover that the identified low-priority vulnerability pertains to an unused container package. Without the correlation between vulnerability and runtime data, frustration sets in for developers, and may cause alert fatigue, while AppSec teams find themselves handicapped without a comprehensive view of the critical vulnerabilities that truly matter.

The challenge for AppSec teams is not merely identifying vulnerabilities but prioritizing and remediating the ones that pose the most risk. Establishing a connection between vulnerabilities and the running containers becomes crucial, enabling teams to prioritize critical vulnerabilities and remediate them effectively. This correlation goes beyond technical nuances; it forms the backbone for fostering trust and collaboration between developers and AppSec teams.

Checkmarx & Sysdig: connecting the dots between pre-production and runtime

Sysdig enhances Checkmarx Container Security by providing vital runtime insights into container Open-Source Software (OSS) running within cloud-native environments. While Checkmarx excels in securing container images by detecting vulnerabilities during development, Sysdig’s real-time profiling enriches this process by analyzing containerized applications during runtime. Checkmarx crossmatches the list of OSS packages used at runtime with known vulnerable packages, enhancing the identification of security risks. By integrating with Sysdig, Checkmarx extends its container security capabilities beyond static image analysis, ensuring a comprehensive approach throughout the container lifecycle. 

The collaboration between Sysdig and Checkmarx streamlines overall security management by offering continuous runtime monitoring and analysis. Sysdig’s integration enhances Checkmarx’s ability to prioritize and address vulnerabilities effectively, delivering a unified solution covering static analysis and real-time package insights. This partnership strengthens the capability to identify and remediate security threats, fostering a resilient cloud-native environment while empowering security teams and developers with a more proactive security posture.

See the integration in action

Beginning in Checkmarx Container security, we look at the completed scans under the “Container” tab. 

Runtime insights for container packages are available at the container level and at the vulnerability level. 

Within the container level under the “Container Packages” tab, container scan results are sorted by default by the packages used at runtime, and by the packages with the most vulnerabilities.

In this view, it is easy to jump in and tackle the container packages with the most vulnerabilities. But when users cross-reference the “Runtime Usage” column with the number of vulnerabilities found, it becomes clear which vulnerabilities should be prioritized.

Users can also filter this view to only see the packages used at runtime. 

Runtime insights are also available at the vulnerability level. The ‘Container Vulnerabilities’ view displays vulnerabilities associated with containers and their criticality, bubbling up those vulnerabilities associated with containers found in runtime at the top of the list.  



In this view, you’ll see that the “Risk Factor” column highlights whether the vulnerability is associated with a package that is used at runtime. The results show 9 CVEs that are associated with a package used in runtime, and the last CVE was not within a package used in runtime. The risk factor of whether the vulnerability was associated with a package found in runtime is just the start; additional risk factors are coming soon. 

When users want to better understand a given vulnerability found, they can click into the CVE for more information, including the severity, CVSS Score, and attack vector. 


When users click into a given CVE, they’ll now see a new “Risk Factors” box, where they can quickly see that the vulnerability is associated with a package used in runtime.

Prioritize what’s running and reduce noise by up to 90%

Using runtime insights from Sysdig Secure, Checkmarx One or SCA standalone customers gain several benefits. 

  • They can effectively prioritize remediation. Correlating pre-production and runtime surfaces the most impactful risk, dramatically reducing the time to detect and prioritize vulnerabilities associated with in-use packages first. 
  • Build #DevSecTrust. Team alignment and trust are crucial for the success of an enterprise-scale AppSec program. Focusing their development team on the most critical vulnerabilities and filtering out the rest while reducing alert fatigue, builds trust with developers.  
  • Improve your security posture. Runtime insights aid organizations in increasing their overall security posture, by providing the context your team needs to prioritize the most impactful vulnerabilities.  
  • Reduce noise. AppSec teams can prioritize vulnerabilities based on in-use context, and eliminate 90% 

Whether you’re a CISO (Chief Information Security Officer) focused on your total application security posture, or part of an AppSec team focused on identifying and prioritizing vulnerabilities, or a developer focused on remediation and supporting the business where it matters most, Checkmarx and Sysdig help you better identify, prioritize, and remediate vulnerability risk.

The integration is available for users of both Checkmarx One or Checkmarx SCA standalone and Sysdig Secure. If you are a current customer of both Checkmarx and Sysdig, or wish to start gathering runtime insights, Request a Demo to get started.

You can also watch a replay of our joint demonstration https://info.checkmarx.com/tech-partner/sysdig/bridging-code-and-cloud-security

Checkmarx + Vulcan Cyber: Enabling Customers to Mitigate AI Vulnerabilities https://checkmarx.com/blog/checkmarx-vulcan-cyber-enabling-customers-to-mitigate-ai-vulnerabilities/ Tue, 21 Nov 2023 12:00:00 +0000 https://checkmarx.com/?p=87767 The impact of cyber-attacks on the global economy is predicted to reach $10.5 trillion by 2025. One area where threats and vulnerabilities persist is the software development process, with AI risk now a growing concern.

Finding and fixing vulnerabilities is crucial, but traditional approaches often relegate security measures to the final stages of the software development lifecycle (SDLC). A proactive approach to vulnerability management and remediation is not just a nice to have, but a requirement, to protect your SDLC. By prioritizing vulnerability management earlier in the software development lifecycle (shifting left), the practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities allows organizations to stay one step ahead.

Vulnerability and risk management is an important part of the AppSec and developer toolkit, which is one of the reasons that Checkmarx partnered with Vulcan Cyber.

First to Market

Vulcan Cyber developed one of the first cyber risk management platforms which was built to help organizations reduce vulnerabilities and risks. The platform correlates, prioritizes, and manages vulnerability risk across all attack surfaces.  It consolidates all vulnerability and risk data, correlating and de-duping scan results.  It orchestrates risk mitigation workflows, delivers risk remediation intelligence, and enables developers and AppSec professionals to customize their risk compliance threshold and actively measure, track, and report risk reduction.

How it Works

While we have been partners with Vulcan Cyber for some time, we are pleased to announce a new integration with our Checkmarx One™ platform.  This means that Vulcan Cyber is now integrated with our traditional Checkmarx SAST on-prem solution, as well as Checkmarx One™ SAST, SCA and IaC.  

Checkmarx One is an application security platform used for scanning, prioritizing, and addressing security vulnerabilities in an organization’s applications, projects, or source code. Vulcan customers can bring vulnerability data from Checkmarx One into Vulcan Cyber to manage their application security and construct a more comprehensive view of their attack surface, thus strengthening their cybersecurity posture.

The Checkmarx One Vulcan Connector seamlessly integrates with the Checkmarx One platform to pull and ingest code project assets and vulnerability data in the Vulcan platform.  Once the integration is complete, the Vulcan platform scans the report findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priorities.  

Plenty of Synergies with Vulcan Cyber

Checkmarx and Vulcan both have a pedigree in leading threat intelligence teams and first-party research into active threat actors. In fact, the Vulcan research team, Voyager18, and Checkmarx collaborated around our GenAI capabilities, including the CheckAI plugin for ChatGPT. This industry-first AI AppSec plugin enables developers to scan generated code within the ChatGPT interface, provides remediation guidance, and protects against malicious open source packages targeting GenAI-generated code.

Identifying AI Hallucinations   

In particular, working with the Vulcan Cyber research team, we can collaborate to identify AI hallucinations, which is when ChatGPT provides customers with inaccurate information. We are now seeing such hallucinations being weaponized by hackers.

Attackers ask ChatGPT for coding help in common tasks. ChatGPT might provide a package recommendation that either doesn’t exist or isn’t published yet, in other words a hallucination. Then, the attackers create a malicious version of that recommended package and publish it so that when a developer asks ChatGPT for help on that problem, there is a package with a malicious payload waiting.  Our CheckAI Plugin enables developers and security teams to protect against these attacks caused by malicious open source packages and dependencies while working within the ChatGPT interface.

Getting Started 

Together, we are working to dramatically improve the end-to-end developer experience, while also continuing to expand the AI-driven security capabilities of our CheckAI Plug-in by augmenting it with the Vulcan Cyber AI research team.

For more information get in touch with your Checkmarx account rep or contact us today.

Popular NuGet Package “Moq” Silently Exfiltrates User Data to Cloud Service https://checkmarx.com/blog/popular-nuget-package-moq-silently-exfiltrates-user-data-to-cloud-service/ Wed, 09 Aug 2023 19:07:20 +0000 https://checkmarx.com/?p=86370

The highly popular NuGet package Moq, with total downloads of 475M+, released new versions 4.20.0 and 4.20.1 on August 8th with a new sub-dependency that contains hidden executable code which reads the user’s local git config, extracts the developer’s email address, hashes it, and sends it to a cloud service.

This incident was reported yesterday by Reddit user u/DinglDanglBob and also reported on the project’s GitHub page as an issue.

About Moq

Moq is a highly popular open-source project to provide a mocking library for .NET applications. From the project’s GitHub page:

Moq (pronounced “Mock-you” or just “Mock”) is the only mocking library for .NET developed from scratch to take full advantage of .NET Linq expression trees and lambda expressions, which makes it the most productive, type-safe and refactoring-friendly mocking library available. And it supports mocking interfaces as well as classes. Its API is extremely simple and straightforward, and doesn’t require any prior knowledge or experience with mocking concepts.

Moq’s New Sub-Dependency – “SponsorLink”

Since version 4.20.0 of Moq, the Devlooped.SponsorLink NuGet package has been added as a new dependency.

As it turned out, Devlooped.SponsorLink is a closed-source project, provided as a compiled DLL with obfuscated code, which scans the git config and sends the hashed email of the current developer to a cloud service. This code is executed during the application build, and if you depend on Moq there is no option to disable it.

Obfuscated Code

GitHub user d0pare commented that the library spawns an external git process to get the developer’s email with the command git config --get user.email, then hashes the result and sends it to hxxps://cdn.devlooped[.]com/sponsorlink.

// Decompiled from the Devlooped.SponsorLink DLL as posted by d0pare; method,
// class and string names are obfuscated, so they are not valid C# identifiers.
private static string u00a0(string P_0) {
    try {
        Process process = Process.Start(new ProcessStartInfo(
            // this is obfuscated value of "git"
            6FA47342-3716-4274-AF01-7A37793E0E97.u206f(),

            // this is obfuscated value of "config --get user.email"
            6FA47342-3716-4274-AF01-7A37793E0E97.u3000()
        ) {
            RedirectStandardOutput = true,
            UseShellExecute = false,
            CreateNoWindow = true,
            WorkingDirectory = P_0   // the directory of the project being built
        });
        process.WaitForExit();
        if (process.ExitCode != 0) {
            return null;
        }
        // the trimmed stdout is the developer's configured email address
        return process.StandardOutput.ReadToEnd().Trim();
    } catch {}
    return null;
}

He later discovered that the library also loads settings from the URL hxxps://cdn.devlooped[.]com/sponsorlink/settings.ini and stays dormant when one of the following environment variables exists:

CI
TF_BUILD
TRAVIS
BUDDY
TEAMCITY_VERSION
APPVEYOR
JENKINS_URL

Users Looking For Alternatives

And I don’t blame them. Many users seem concerned about GDPR compliance as their products are built using Moq. This user commented that he won’t be able to use this package any more:

This is a serious GDPR breach, and we won’t be able to continue using this lib.
Also, having an obfuscated package included means that we can’t (easily) know what is happening. It could harvest any other information from a developer’s machine without any user consent.

Another user, SefaOray also commented:

We are removing moq immediately due to this.

and there are many more similar comments in this GitHub thread.

The Maintainer’s Response

GitHub user kzu, the author behind this, commented that it was simply part of testing, and wondered “why so much anger over sponsoring which can be done with as little as $1”.

After posting this message, kzu probably panicked and decided to revert and unpublish versions 4.20.0 and 4.20.1, while quickly publishing 4.20.2 without the new dependency on the Devlooped.SponsorLink NuGet package.

Summary

Yesterday the owner of the popular NuGet package Moq incorporated a new sub-dependency, which exfiltrates user info without the user’s consent to hxxps://cdn.devlooped[.]com — a domain owned by the author of Moq.

This sparked a debate on Reddit and GitHub, with many concerned users accusing the author of GDPR violations and questioning the legitimacy of his action.

Many organizations that built software using those releases are exposed to GDPR compliance risk.

In my opinion, the author did not intend to cause any harm but ended up damaging the trust of his users. This could have been prevented if the change had been opened for discussion, and the consent of his users obtained, prior to publishing it.

We must understand that it’s our responsibility when we use open source. This is why we need to support open-source maintainers in order to have a healthy open-source ecosystem.

Timeline

2023-01-24: Author published a blog post suggesting a new solution to open source sustainability using the SponsorLink service
2023-02-04: Devlooped.SponsorLink first released to NuGet
2023-08-08: Moq released new versions 4.20.0 and 4.20.1 with Devlooped.SponsorLink as a dependency
2023-08-09: Moq released version 4.20.2 removing the Devlooped.SponsorLink dependency

IOC

hxxps://cdn.devlooped[.]com/sponsorlink

Packages

Other NuGet Packages using Devlooped.SponsorLink

devlooped.cloudstorageaccount.source
devlooped.tablestorage
devlooped.cloudstorageaccount
devlooped.sponsorlink
isbn
gitinfo
thisassembly.assemblyinfo
thisassembly.constants
thisassembly.project
thisassembly.git
thisassembly.strings
thisassembly.metadata
thisassembly.resources
nugetizer
devlooped.credentialmanager
websocketeer
websocketchannel
devlooped.web
packagereferencecleaner
mvp.xml
devlooped.dynamically
thisassembly
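A defender-side check that follows from the decompiled code and the package list above: the Python script below is an added example, not part of this post or of the Checkmarx, Moq or Devlooped projects. It reads a NuGet packages.lock.json document (the per-project lock file produced by dotnet restore; the field names are assumed from that standard format) and flags the two Moq releases named in the timeline as well as any package, direct or transitive, that appears in the list above. The lock file embedded in it is constructed; only the Moq version is real, the other versions and hashes are placeholders.

```python
import json
from typing import Dict, List

# Moq releases that pulled in Devlooped.SponsorLink (from the post's timeline).
AFFECTED_MOQ_VERSIONS = {"4.20.0", "4.20.1"}

# Package ids the post lists as depending on Devlooped.SponsorLink. NuGet ids are
# case-insensitive, so everything is compared in lower case.
SPONSORLINK_PACKAGES = {
    "devlooped.sponsorlink", "devlooped.cloudstorageaccount.source",
    "devlooped.tablestorage", "devlooped.cloudstorageaccount", "isbn", "gitinfo",
    "thisassembly", "thisassembly.assemblyinfo", "thisassembly.constants",
    "thisassembly.project", "thisassembly.git", "thisassembly.strings",
    "thisassembly.metadata", "thisassembly.resources", "nugetizer",
    "devlooped.credentialmanager", "websocketeer", "websocketchannel",
    "devlooped.web", "packagereferencecleaner", "mvp.xml", "devlooped.dynamically",
}


def find_sponsorlink_risk(lock_json: str) -> List[Dict[str, str]]:
    """Scan a packages.lock.json document and return one finding per package
    that is either an affected Moq release or a package the post lists as
    depending on Devlooped.SponsorLink. Both direct and transitive entries are
    checked, because SponsorLink arrived as a sub-dependency."""
    data = json.loads(lock_json)
    findings: List[Dict[str, str]] = []
    for framework, packages in data.get("dependencies", {}).items():
        for pkg_id, info in packages.items():
            resolved = str(info.get("resolved", ""))
            lowered = pkg_id.lower()
            if lowered == "moq" and resolved in AFFECTED_MOQ_VERSIONS:
                reason = "Moq release that adds Devlooped.SponsorLink"
            elif lowered in SPONSORLINK_PACKAGES:
                reason = "package listed as depending on Devlooped.SponsorLink"
            else:
                continue
            findings.append({
                "framework": framework,
                "package": pkg_id,
                "version": resolved,
                "type": str(info.get("type", "")),
                "reason": reason,
            })
    # Deterministic order so the output is easy to diff or assert on.
    findings.sort(key=lambda f: (f["framework"], f["package"].lower()))
    return findings


# Constructed sample lock file: the Moq version is the one the post names;
# every other version and hash is a placeholder, not real package data.
SAMPLE_LOCK_FILE = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Moq": {"type": "Direct", "requested": "[4.20.0, )",
                    "resolved": "4.20.0", "contentHash": "PLACEHOLDER"},
            "Castle.Core": {"type": "Transitive", "resolved": "0.0.0-constructed",
                            "contentHash": "PLACEHOLDER"},
            "Devlooped.SponsorLink": {"type": "Transitive",
                                      "resolved": "0.0.0-constructed",
                                      "contentHash": "PLACEHOLDER"},
        }
    },
})

if __name__ == "__main__":
    for f in find_sponsorlink_risk(SAMPLE_LOCK_FILE):
        print(f"{f['framework']}: {f['package']} {f['version']} "
              f"({f['type']}) - {f['reason']}")
```

Run it against each project's packages.lock.json in a repository (or feed it the file contents from a CI step) to list which projects picked up the affected releases before they were unpublished; a lock file with Moq 4.20.2 and no listed package yields no findings.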
Celebrating Excellence: Checkmarx Americas Partner Summit 2023 Awards  https://checkmarx.com/blog/celebrating-excellence-checkmarx-americas-partner-summit-2023-awards/ Thu, 03 Aug 2023 18:34:50 +0000 https://checkmarx.com/?p=85970 Empowering Growth, Channel Expansion, and Business Excellence

We just returned from the 2023 Americas Partner Summit in Chicago, and — let’s just say — the Windy City did not disappoint!

The 2022 Americas Partner Summit in Miami set the bar high, but Chicago proved to bring the same energy and excitement. From July 26 – 28, we bonded and celebrated the spirit of partnership, collaboration, and cybersecurity excellence. With a focus on making shift happen in the application security landscape, we discussed how to boost growth, we shared valuable insights, and we developed exciting opportunities with our valued partners.  

Honoring Our Top AppSec Partners 

Partners, the true heart of the event, were honored for their achievements and excellence in AppSec. Through their dedication, vision, and expertise, these partners have contributed to the collective success of numerous organizations, bolstering the security of software and application development across the Americas market.  

Let’s shine the spotlight on those who have raised the bar and inspired us with their exceptional performance: 

Top certifications award — NOVA8  

Nova8 is a leading cybersecurity expert from Brazil that is celebrated for its coveted certifications. It’s a reflection of their relentless commitment to staying at the forefront of cutting-edge technologies and practices. The highly skilled team empowers organizations with fortified security and visionary expertise. 

Top customer retention award — GUIDEPOINT SECURITY     

Guidepoint Security‘s outstanding customer retention strategies exemplify their dedication to nurturing lasting partnerships. They specialize in delivering unmatched support, services, and solutions that resonate with customers across the United States. 

Top Checkmarx One award (tie) — ACCENTURE  

Accenture, a global powerhouse, achieves the prestigious Top Checkmarx One Award, embodying their mission to transform businesses with the comprehensive Checkmarx One™ Application Security Platform. Their expertise lies in elevating organizations to the pinnacle of secure software development and digital transformation. 

Top Checkmarx One award (tie) — LUGAPEL 

Lugapel, an influential cybersecurity leader covering Latin America (excluding Brazil and Mexico), is recognized for exceptional work in driving the adoption of Checkmarx One across the region. They are instrumental in fortifying Latin American organizations against cyber threats. 

Best marketing award — TD SYNNEX PUBLIC SECTOR (USA)  

TD SYNNEX Public Sector sets the gold standard in marketing excellence, reaching a niche audience with innovative campaigns. Their mission revolves around empowering public sector entities with secure and reliable solutions. Biweekly marketing calls with their team help us develop and execute an integrated, ABM marketing plan targeting federal buyers. Marketing activities include virtual and face-to-face events, email and call campaigns, content creation and syndication, social media, and podcasts. 

Outstanding partner achievement award — NOVA8  

Nova8‘s outstanding achievements go above and beyond, aligning seamlessly with the Checkmarx mission to secure the software development landscape. As a trusted partner from Brazil, they have empowered businesses with visionary solutions and unwavering support. 

Overall performance award  — OPTIV  

Optiv, a USA dynamo, earned our highest honor: the Overall Performance Award, showcasing their full dedication to application security excellence and best practices. They transform security challenges into opportunities for business growth and success. 

 
The Future  

The outstanding achievements of our partners leave a lasting legacy in the application security landscape. As we continue to make shift happen and build a stronger channel ecosystem with MSSPs, GSIs, VARs, VADs, Tech Alliances, and more, we look forward to new possibilities with all our partners, whether they are established or new. 

 

Embrace AppSec Success With Checkmarx

Ready to make your mark in the evolving landscape of application security? Check out our partner program and join us on a journey of strong growth, enhanced security, and exciting opportunities. 

Join our partner program today. 
