Avi Hein, Author at Checkmarx
https://checkmarx.com/author/avihein/

Tailoring Queries: Azure OpenAI and Checkmarx in Action
https://checkmarx.com/blog/tailoring-queries-azure-open-ai-and-checkmarx-in-action/
Mon, 25 Nov 2024

Last year we launched AI Query Builder for SAST. It’s now improved, and it’s even more secure.

Introducing Enhanced Security and Customization with Azure OpenAI

We are excited to announce that AI Query Builder is now integrated into Azure OpenAI. 

This update provides our customers with Microsoft Azure’s top-tier security capabilities while also enabling the use of OpenAI’s advanced models. Our new infrastructure ensures that the code snippet is routed through a managed Checkmarx gateway to a secure and supported AI system.

This is truly the best of both worlds. 

Why Azure OpenAI?

By using Azure OpenAI, users get the following benefits:

  • Security: Azure OpenAI leverages Microsoft Azure’s security features, providing a fortified environment for AI-powered applications, including network isolation and robust safeguards for sensitive data. Azure OpenAI Service is fully controlled by Microsoft: Microsoft hosts the OpenAI models in its own Azure environment, and the Service does NOT interact with any services operated by OpenAI (e.g. ChatGPT or the OpenAI API). Data sent to it is therefore not used to improve OpenAI models or any Microsoft or third-party products and services.
  • Enterprise focus: Specifically tailored for business needs, it offers advanced conversational AI capabilities to facilitate more efficient and effective interactions. 

What are the benefits of its integration with Checkmarx? 

  • Managed security gateway: All AI queries are routed through a managed Checkmarx gateway before connecting to Azure OpenAI. This extra layer lets Checkmarx add security services and adopt model updates centrally.
  • Future security services: This new setup paves the way for additional security services, ensuring our customers benefit from new services and advancements as they arrive.
  • Seamless access to AI benefits: The integration allows seamless access to AI model changes without compromising on security.

Checkmarx AI Query Builder: Making Custom Queries Accessible

The Checkmarx AI Query Builder for SAST enables users to harness AI to automatically generate new custom queries or modify existing ones. This simplifies the process of tailoring the SAST solution to specific application needs.  

“AI Query Builder builds on the custom query capability, allowing AI to help any AppSec team write new or edit existing custom queries. This allows every organization to tune SAST more easily for your applications, increasing accuracy and minimizing false positives and false negatives. AI Query Builder is an expert in the ins and outs of CxQL. You no longer need to be an expert in building a query when an AI can do the work for you! With this feature, a simple prompt such as ‘Help me generate a Checkmarx query that will detect an authentication issue’ will immediately generate a new custom query.”

The AI Query Builder has also gotten a UI refresh, along with the rest of the Query Editor and the Checkmarx One platform, further improving the user experience. 

Why use AI to write queries? 

  • Enhanced efficiency: Saves time and effort by allowing developers to generate tailored queries quickly, reducing the manual workload involved in query development. 
  • Start now: CxQL is a proprietary query language. While it’s easy to learn, by using AI, developers can get started immediately without taking the time to learn a new language. 
  • User-friendly: This tool enables all Checkmarx One users to finetune their SAST solution without needing expert query writing knowledge. Simply provide a prompt and the AI will generate a custom query tailored specifically to your needs. 

Get Started Today

Still not on Checkmarx One? Contact us to discuss how to get Checkmarx One and take advantage of AI Query Builder today. 

Introducing the Checkmarx One Query Editor
https://checkmarx.com/blog/introducing-the-checkmarx-one-query-editor/
Mon, 25 Nov 2024

Accuracy and Flexibility in SAST

One of the big challenges of Static Application Security Testing (SAST) has long been accuracy. All SAST solutions struggle with accuracy, generating either false positives (unfounded alerts) or false negatives (missed vulnerabilities). This will always be a concern, so choosing the best SAST solution boils down to measuring accuracy.

At Checkmarx, our SAST tools improve accuracy. Our SAST solution uses queries to facilitate search customization and provides an adaptive scanning engine, real-time scanning, AI tools, and auto-remediation.

What Are Queries and Why Are They Important?

Queries are the secret sauce of SAST scans. What exactly is a query? A query is a vulnerability rule. All SAST engines use queries to find vulnerabilities and achieve greater fidelity.

“Queries are building blocks for identifying potential vulnerabilities and critical for filtering through the noise to avoid sending false positives and false negatives to your developers. Understanding queries enables AppSec teams and developers to prioritize your efforts, and promptly address the most critical issues.”

All SAST engines use queries to find vulnerabilities. However, most SAST solutions don’t let you customize the rules or modify queries. In those cases, users are chained to the vulnerabilities that the solution chooses to look for. The lack of customization leads to more false positives or missed vulnerabilities.

Checkmarx SAST is the only solution that provides the flexibility to customize queries, resulting in lower false positives without creating false negatives for more accurate results. 

“Checkmarx SAST includes pre-built queries (and presets) written in the Checkmarx Query Language (CxQL). These identify common security issues such as SQL injection, cross-site scripting, and insecure access controls, providing an easier way to start securing applications out of the box.” 

See how queries work. 

Tailored Presets & Custom Queries


Checkmarx SAST empowers you to customize queries according to your specific needs. As we described in a previous post:

A common use case that neatly highlights the benefits of customizing queries can be found in cross-site scripting (XSS) vulnerability findings where a false positive may be occurring due to the use of an in-house sanitizer method that is not included in the Checkmarx One default out-of-the-box query. We can simply add this method to the appropriate CxQL query and rescan the project to remove the FP. 
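To make that customization concrete, here is an added example, constructed for this page rather than taken from Checkmarx or written in CxQL: a toy taint check in Python whose sanitizer set plays the role of the sanitizer list inside an XSS query. The function names get_param, render_html, escape and company_html_encode are assumed stand-ins; the point is that adding the in-house sanitizer to the rule removes the false positive without hiding the real finding.

```python
import ast

# Constructed names standing in for what a real XSS query knows about.
SOURCES = {"get_param"}            # calls returning attacker-controlled input
SINKS = {"render_html"}            # calls writing into an HTML response
DEFAULT_SANITIZERS = {"escape"}    # sanitizers the out-of-the-box rule recognises


def _call_name(call):
    """Name of the called function, for plain and attribute calls."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _is_tainted(expr, tainted, sanitizers):
    """True if the expression can carry source data that no sanitizer cleaned."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = _call_name(expr)
        if name in SOURCES:
            return True
        if name in sanitizers:
            return False            # a recognised sanitizer cleans its arguments
        return any(_is_tainted(a, tainted, sanitizers) for a in expr.args)
    if isinstance(expr, ast.BinOp):  # string concatenation propagates taint
        return (_is_tainted(expr.left, tainted, sanitizers)
                or _is_tainted(expr.right, tainted, sanitizers))
    if isinstance(expr, ast.JoinedStr):  # f-strings propagate taint too
        return any(_is_tainted(v.value, tainted, sanitizers)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False


def find_xss(source_code, sanitizers=frozenset(DEFAULT_SANITIZERS)):
    """Return sorted line numbers where tainted data reaches a sink.

    Tracks assignments statement by statement inside each function, which is
    enough to show how the sanitizer set decides between a finding and a FP.
    """
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                name = stmt.targets[0].id
                if _is_tainted(stmt.value, tainted, sanitizers):
                    tainted.add(name)
                else:
                    tainted.discard(name)
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if _call_name(call) in SINKS and any(
                        _is_tainted(a, tainted, sanitizers) for a in call.args):
                    findings.append(stmt.lineno)
    return sorted(findings)


# Constructed application code under scan; line numbers are those of SAMPLE.
SAMPLE = '''
def greet():
    name = get_param("name")
    render_html("<p>" + name + "</p>")                 # line 4: real XSS

def greet_escaped():
    name = escape(get_param("name"))
    render_html("<p>" + name + "</p>")                 # line 8: known sanitizer

def greet_inhouse():
    name = company_html_encode(get_param("name"))
    render_html("<p>" + name + "</p>")                 # line 12: in-house sanitizer
'''


def default_findings():
    """Out-of-the-box rule: line 12 is reported although it is safe (a false positive)."""
    return find_xss(SAMPLE)


def customized_findings():
    """Rule after adding the in-house method to its sanitizer set and rescanning."""
    return find_xss(SAMPLE, DEFAULT_SANITIZERS | {"company_html_encode"})


if __name__ == "__main__":
    print("default rule   :", default_findings())      # [4, 12]
    print("customized rule:", customized_findings())   # [4]
```

The rescan with the extended sanitizer set drops line 12 while still reporting line 4, which is exactly the outcome the post describes for editing the CxQL query.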

Introducing the Improved Checkmarx Query Editor

Long-time Checkmarx users are probably familiar with CxAudit, our query editor for CxSAST. Our updated Checkmarx Query Editor brings features of CxAudit that were previously missing to Checkmarx One! Built with customer experience in mind, this powerful tool is designed to make query editing even easier.

What’s New

Our updated Query Editor focuses on enhancing usability and improving workflow efficiency. Here’s a closer look at what’s new: 

  • Friendly and intuitive user interface – We’ve revamped the look and feel of the Query Editor, making it easier to navigate and understand and intuitive to use. The design is modular, allowing users to customize their workspace to suit their needs. You can focus on specific elements or get a broader view of your project. This flexibility ensures that you can work in a way that’s most comfortable for you.
  • Language-specific query view (Edit mode) – Navigating through projects to find specific queries can be time-consuming. That’s why we’ve introduced a language-specific view. Now, you can select a programming language and instantly access all queries related to that language across all projects. This eliminates the need to search through each project individually, saving you valuable time. 
  • Hide empty queries – To further streamline your workflow, we’ve added a new mode that hides empty queries. This removes any queries that didn’t return results. This will help to declutter your workspace and let you concentrate on the queries that need your attention.
  • Scan history – Understanding the history of your scans is crucial for tracking progress. Our new scan history feature provides a comprehensive log of past scans. You can easily review past scans, compare results, and identify patterns that inform future decisions.  

How to Access and Use It

Query Editor is accessible and seamlessly integrated into Checkmarx One. Simply navigate to the queries section and start! You can open the Query Editor associated with a project or open it independent of any project. Get the full documentation here.

Get Started Today

The new Checkmarx One Query Editor simplifies the process of customizing security scans. With an intuitive interface and features like language-specific views and scan history, it helps you prioritize your focus. By reducing false positives and negatives, the Query Editor helps you complete your work and secure your applications more efficiently. Start using the Checkmarx Query Editor today and enhance your application security with ease and precision.

Still not on Checkmarx One? Contact us to discuss how to migrate from CxSAST or another vendor to Checkmarx One today.

What CEOs Need to do to be NIST 800-218 SSDF Ready
https://checkmarx.com/blog/what-ceos-need-to-do-to-be-nist-800-218-ssdf-ready/
Mon, 22 Jul 2024

What is NIST 800-218, the Secure Software Development Framework (SSDF)?

In March 2023, the White House published the National Cybersecurity Strategy. In July, the White House followed that up with the National Cybersecurity Strategy Implementation Plan.

As we wrote in a blog post earlier this year:

“With the introduction of the National Cybersecurity Strategy earlier this year, the US Government has started to use its influence and buying power to alter the behavior of all software producers. The US Government is the world’s largest consumer of IT products and services in dollars. It appears they will be using that buying power to add additional cybersecurity requirements for all software purchased. Companies will be faced with the options of changing their behavior or walking away from selling to the federal government.

The National Cybersecurity Strategy makes the case that there must be a shift of the burden for cybersecurity from the consumers of software to the producers of software. One of the requirements they are implementing is that all software vendors attest that they developed their software in accordance with NIST 800-218, the Secure Software Development Framework, or SSDF.”

Companies providing software to government customers need to certify that their development process meets certain standards known as the Secure Software Development Framework (SSDF).

The Secure Software Development Framework (SSDF) is composed of “fundamental, sound, and secure recommended practices based on established secure software development practice documents” and organized into four groups:

  • Prepare the Organization (PO): Ensure that people, processes, and technology are prepared to perform secure software development at the organization level.
  • Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.
  • Produce Well-Secured Software (PW): Produce well-secured software with minimal security vulnerabilities in its releases.
  • Respond to Vulnerabilities (RV): Identify residual vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar ones in the future.

What CEOs Need to Do Right Now

  1. Understand the Requirements: Familiarize yourself with NIST 800-218 and the SSDF.
  2. Designate a Responsible Leader: Assign a high-level leader, such as the CISO, to oversee SSDF compliance.
  3. Conduct an Internal Audit: Ensure your software development lifecycle (SDLC) aligns with SSDF practices.
  4. Leverage Tools: Use tools like Checkmarx One and Codebashing to meet SSDF standards.
  5. Sign the Attestation Form: Verify the security practices and sign the Secure Software Development Attestation Form.

Taking these steps will help secure your software development processes and maintain your business relationship with the federal government.

What NIST 800-218 Requires

NIST 800-218 is not strictly a compliance requirement but rather a set of best practices. The Secure Software Development Framework (SSDF) is a core set of high-level secure software development practices that can be integrated into each SDLC implementation.

So, it isn’t a compliance framework—it’s a set of principles that should be followed. This is an important distinction since Checkmarx supports the implementation of many of those practices.

Why Now?

On March 11th, the Cybersecurity and Infrastructure Security Agency (CISA) released a critical form—the Secure Software Development Attestation Form. This stems from government mandates (OMB memorandums M-22-18 and M-23-16) aiming to improve software security for government use.

The form requires a signature from a high-level leader within your software company, potentially the CEO. The deadline is coming up fast!

Submitting false information is a crime. Simply checking “yes” to all questions without truly adhering to secure development is a risky strategy.

This is the opportunity for CEOs to verify with their teams if they are managing their SDLC securely and maturing their security practices.

The Attestation Form has a short list of basic software security requirements which are a small subset of the NIST Secure Software Development Framework (SSDF). It has examples for each task to simplify the requirements, which are sometimes less straightforward for CEOs.

CEOs and CISOs should audit their requirements, replacing the examples in the Attestation Form with their own material.

This form signifies a growing focus on secure software development within the government sector. Understanding these requirements and taking them seriously is crucial for companies doing business with the American federal government.

According to the press release from CISA, this is “a critical step towards ensuring software producers who work with Government provide securely developed products” and “furthers the President’s National Cybersecurity Strategy, which made clear that the “most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem.””

Simplify NIST 800-218 SSDF Compliance Certification

Want to see how Checkmarx can help your organization achieve NIST SSDF compliance and improve security posture?

How Checkmarx One Can Help Achieve Compliance

Checkmarx products and services help organizations meet the requirements of the SSDF.

Checkmarx’s Assessment and Advisory services, in particular the APMA framework, can help identify gaps and create an actionable workplan to improve your AppSec program.

We have mapped where specific requirements of NIST 800-218 align with the APMA framework, so you can be confident that your AppSec program meets the SSDF standards. The practices are implemented through a combination of tools such as Checkmarx One, in conjunction with the relevant processes and procedures being put into place.

We previously laid out which of these requirements are supported by Checkmarx.

Checkmarx One supports many of these regulations with a comprehensive AppSec platform that provides differentiated users and roles, full records and audits of activities, and comprehensive security controls across the entire SDLC—from SAST and SCA to API Security, Container Security, Infrastructure as Code, and more.

Here are just a few examples of how Checkmarx helps organizations meet SSDF’s requirements:

  • PO.2.2: Role-based training for personnel with responsibilities that contribute to secure development. Checkmarx Codebashing directly supports PO.2.2 by offering developers constantly updated secure code training.
  • PS.3.2: Collecting, safeguarding, maintenance, and sharing of data for all components in each software release, such as in a software bill of materials (SBOM). Checkmarx supports this with Checkmarx SBOM, designed to meet these compliance challenges head-on and provide an automated and efficient solution for generating and maintaining SBOMs.
  • PW.5: Source code adherence to secure coding practices. Checkmarx SAST can automatically scan your application’s source code, identify vulnerabilities, and even automatically remediate them at the click of a button. Developers can get real-time feedback on their code to ensure it meets secure coding practices.

If you have any questions or would like to have a deeper discussion on implementation in support of SSDF, please contact us.

Introducing Real Time IDE Scanning – More Secure Code in Real Time
https://checkmarx.com/blog/introducing-real-time-ide-scanning-more-secure-code-in-real-time/
Sun, 05 May 2024

The need to shift left

The pressure to deliver quickly and efficiently is pervasive. Speed often comes at the expense of security. To address this, the “shift left” philosophy has gained traction among development teams. This emphasizes the importance of integrating security measures early in the development lifecycle, rather than as an afterthought. We have also spoken about the need for security to be integrated throughout the entire SDLC – allowing you to secure your applications from the very first line of code, to runtime and deployment in the cloud.

The rationale behind this strategy is straightforward: identifying and resolving security issues during the initial stages of development is significantly more cost-effective and less risky than making changes after deployment. By addressing security considerations earlier in the development process teams can prevent future headaches. This can also help get software to production faster, as it’s easier to fix in the development cycle.

The best way to secure applications is to bake security into the code from the start. Developers play a critical role in securing the software by adopting security best practices. However, that’s easier said than done. There is a gap between theoretical best practices and truly embedding security into development.

The security gap in software development

Software developers aren’t security experts. According to the Forrester report, “Show, Don’t Tell, Your Developers How To Write Secure Code,” none of the top 50 undergraduate computer science programs in the United States require a secure coding or secure application design class.

Bridging the skills gap and fostering security awareness among developers is critical. This is why Checkmarx offers security training such as Codebashing. However, training doesn’t equal instant changes. As a result, developers are relying on AI-generated coding due to the speed it provides and the mistaken belief that AI-generated code is somehow more secure.

The new frontier of AI-generated code

Traditional software development workflows are being reshaped with the proliferation of AI-generated code. GenAI tools, such as GitHub Copilot or Amazon CodeWhisperer, fundamentally alter the coding process by providing suggestions, autocompleting code, and automating repetitive tasks. This shift represents a significant advancement in the field, with AI-driven assistants seamlessly integrated into coding workflows, enhancing human capabilities, and expediting development cycles.

AI-generated code is a double-edged sword. While it offers the potential of productivity boosts and tapping into collective knowledge, there are potential risks. Research into the increasing prevalence of AI-generated code and its potential to redefine software engineering practices has also identified the potential for reduced code quality and security risks.

A fact developers often overlook: AI tools can generate insecure code. According to research, “Participants with access to an AI assistant were also more likely to believe they wrote secure code, suggesting that such tools may lead users to be overconfident about security flaws in their code.”

Introducing real-time scanning in the IDE

Real-time scanning in the IDE offers a security best practice for developers that complements Checkmarx SAST. It analyzes and provides real-time insights for:

  • Human-generated code as it’s being written by software developers
  • AI-generated code using tools such as GitHub Copilot

This is a plugin for Visual Studio Code, and it scans in milliseconds, providing instant responsiveness in the IDE, and it can even scan source code repositories. In internal tests, we scanned over 1 million lines of code in under 10 seconds – much faster than other “developer-friendly” solutions.

Security best practices

Real-time scanning in the IDE provides the first step to ensure that source code follows security best practices. It’s not intended to replace thorough testing by your application security team or that undertaken by Checkmarx SAST, but rather to ensure that code – particularly AI-generated code – follows secure coding best practices. It does not test an entire application, but rather code snippets – a specific line of code plus the nearby lines of code. The scope of the analysis is a relevant short piece of code. By providing a few lines of code, the scanner provides a security review and points to potential issues that a developer should consider. 

Unlike a complete SAST scan, it doesn’t find attack vectors such as SQL injection. It works by analyzing the adjoining lines of code so, unlike complete SAST solutions, it is not fully application aware. It looks at the “micro” — a few lines of code — and provides suggestions for remediating the code snippets.

This makes it easy for developers to fix their code as they are writing it.

This is a win-win for security. By giving developers the opportunity to implement security best practices, it produces fewer and more accurate SAST results for the AppSec team.

How to get it

Real time insights are available in a freemium model. Users can get real time insights within a command line interface (CLI) executable available for free.

Additional features and real-time in-IDE scanning are available for customers with the AI Security package. If you’re an existing customer, contact your account manager for more details. Not yet a customer?  Get a free demo.

Introducing AI Security Champion with Auto-remediation for SAST
https://checkmarx.com/blog/introducing-ai-security-champion-with-auto-remediation-for-sast/
Sun, 05 May 2024

Applications have vulnerabilities. Lots of them. And there’s not enough time to fix them all. In Checkmarx’s recently released Future of Application Security report, 29% of AppSec managers reported that they knowingly released vulnerable applications in order to meet a deadline, and 27% reported that the vulnerabilities would be fixed in a later release.

But what if you could get reliable guidance and a suggested fix for those vulnerabilities? You can now – using Generative AI.  

We previously announced AI Guided Remediation for IaC, and now we’re happy to introduce AI Security Champion with auto-remediation for SAST.

This solution goes beyond mere identification by offering actionable fixes alongside each finding.

These recommendations, tailored to the specific vulnerability, allow developers to:

  • Deepen their understanding of the issue’s nature and impact.
  • Navigate the remediation process with confidence, saving time and resources.
  • Make the fix as quickly and easily as possible.

Introducing AI Security Champion for SAST

AI Security Champion for SAST uses the power of GenAI to propose code to fix each vulnerability.

The AI Security Champion goes beyond simply identifying vulnerabilities. While guided remediation provides AI-generated assistance, suggestions, explanations, and other guidance in human-readable language, auto-remediation provides the actual code that can be used directly within the development workflow. 

This empowers developers to confidently navigate the remediation process, saving valuable time and resources, enabling developers to review and then automatically implement the fix. It’s as simple as copy and paste (and soon, we will also add the ability to automatically implement it at the touch of a button)!

This integration signifies a significant advancement in the realm of application security testing. By harnessing the power of artificial intelligence, we are excited to offer a streamlined and efficient approach to vulnerability remediation, enabling organizations to achieve their security goals without compromising development velocity.

How It Works

AI Security Champion with auto-remediation is an integral part of the Checkmarx One platform, which makes it easy to adopt and implement. The new AI Security Champion function meets developers where they are – within the integrated development environments (IDE) that developers are already using. 

Initial Setup

To set it up, select the “AI Security Champion” plugin from the plugins menu within Checkmarx One.

Then connect to ChatGPT. 

Make AI Your Newest Security Champion

Once it’s set up, this is where to start moving forward. Everything takes place in the IDE as Checkmarx is fully integrated. Developers stay in their natural environment. 

After set up, select a vulnerability from Checkmarx One results.

Select the “AI Security Champion” tab from the Checkmarx One results and click Start Remediation.

AI Security Champion shows the developer the following:

  1. Confidence score – On a scale of 0 (low) to 100 (high), indicates the degree of confidence of how exploitable the vulnerability is in the context of your code.
  2. Explanation – An OpenAI-generated description of the vulnerability. 
  3. Proposed remediation – A customized code snippet, generated by OpenAI, that can be used to remediate the vulnerability in your code.
  4. “Ask a question” – A further prompt to ask AI Security Champion about the vulnerability or proposed code.

How to Get Started

Checkmarx SAST users on Checkmarx One can get started straight away. Simply enable AI Security Champion.

Taking advantage of the capabilities presented by AI is just another reason to use Checkmarx One. Existing CxSAST users can work with their customer success manager to migrate to Checkmarx One.

Existing customers can contact their account manager to learn more. Everyone else, contact Checkmarx today.  

The Future of AppSec: Insights from Development & Security Professionals
https://checkmarx.com/blog/the-future-of-appsec-insights-from-development-and-security-professionals/
Thu, 29 Feb 2024

How has the state of application security changed, and what does the future hold? And how do you plan for it? To find out, Checkmarx commissioned Censuswide to survey over 1500 developers, AppSec managers, and CISOs. Here’s what we found in our third annual Future of AppSec report.

The Future of AppSec

The million-dollar question: what’s next?

2023 saw the rise in AI, with excitement and a rush to release AI-driven solutions. Consequently, AI experienced substantial adoption in a short time, with over 50% of respondents saying that they use it.

Applications mean something quite different than what they did even just a few years ago. Applications used to be simply made up of proprietary source code. Today, even source code may come from multiple sources, such as open-source code or be AI-generated, which introduces both security and legal risks. Developers can’t keep up with all of this, hence the push into secure code training and DevSecOps.

Applications have also extended from a local system or closed on-premises data center into the cloud or even multiple cloud environments. We’ve been migrating to the cloud for years, but as more of our apps are in the cloud and cloud-native development goes mainstream, this pushes interests in API Security, AppSec Posture Management (ASPM), and Cloud Native Application Protection Platforms (CNAPP).


It’s also important for all stakeholders to be able to unify and consolidate on a single platform that has something for everyone. CISOs need executive, high-level dashboards, to provide a holistic view of the entire application security posture. Developers need tools that integrate seamlessly into their existing workflow, and don’t slow them down. 

Read the report to learn more.

The Importance of Developer Experience

Security must not impede development. 61% of developers are concerned about security getting in the way of development, and 38% of AppSec managers cite “improving the developer experience” as a key reason for selecting their most recent AppSec solution. What does developer experience really mean? Ultimately, it means that developers can spend their time building innovative applications rather than getting bogged down in security minutiae: developers are software experts, not security experts. In practice, that means making it easy for them to know exactly what to fix first (prioritizing for the greatest business impact), integrating seamlessly into their workflow and existing toolchain without interrupting it (meeting developers where they live), and providing the education and training needed to write secure applications (equipping developers with the tools and knowledge to fix critical vulnerabilities).

How does this work? Through automation: scans run automatically via integration with Source Code Management (SCM) and CI/CD tools, and security findings are delivered back into the IDE and development tools, so developers don’t have to switch between tools.

Read the report to see the full list of what developers are looking for.

Start Planning For 2025

It’s a cliché but true: application security is constantly changing. It’s important to slow down and look at the current state of application security, understand where you stand compared to your peers, and consider whether you account for the roles and responsibilities of all your core stakeholders: AppSec managers, CISOs, and developers.

The result is The Future of AppSec. Get it now and see where you stack up.

You Can Have It All: Speed & Security – Introducing Our New SAST Engine
https://checkmarx.com/blog/you-can-have-it-all-speed-security-introducing-our-new-sast-engine/
Mon, 12 Feb 2024 12:00:00 +0000

Checkmarx is a pioneer and leader in the Application Security space. Our commitment to our customers and best-in-class technology has led us to become the industry leader in Application Security, as recognized consistently in the Forrester Wave: Static Application Security Testing and the Gartner Magic Quadrant, and has allowed us to secure the applications driving our world.

Keeping Up with the Changing Pace of Development

In the past, software development mainly followed a waterfall approach, releasing software only once or twice a year. But the world has changed. Nowadays, cloud-native development often means releasing updates multiple times a day. This change in the pace of application development has made speed a more important consideration. Sometimes, this comes at the expense of security. In Checkmarx’s upcoming survey on the state of application security, 91% of respondents even admitted to deploying vulnerable code to production. It’s no longer about finding everything but finding and fixing what matters most.

Up until now, companies had to choose: a developer-oriented SAST tool that risked false negatives (vulnerable code never being identified and unknowingly released into production), or a security-oriented solution that found everything, but often at the expense of speed and with false positives, making it difficult for developers to know what to fix before the next sprint.

Either/Or. Not both.

This led to further solution sprawl, as companies sometimes used an array of tools for their teams: a “good enough” solution for less mature teams and an enterprise-grade solution for their enterprise teams.

Until now. 

We are pleased to announce that our new SAST scanning engine further improves users’ ability to customize their scanning configuration and to experience speed, accuracy, and security at the same time.

Risk Reduction vs Ease of Use – Do I Have To Choose One?

Traditional SAST offerings force customers to choose between maximum risk reduction and ease of use (which finds less risk). 

With this new release, Checkmarx is the only solution that offers both in a single package, providing enterprises with the power and flexibility to secure their entire application footprint while enabling a better developer experience.

The new engine offers both in-depth security (to find maximum risk) and fast scanning (to cover every application with minimum overhead and noise). Users can choose the most appropriate configuration for each application based on that application’s requirements:

  • Fast scanning to cover more applications to showcase relevant results faster
  • In-depth scanning to find the maximum risk in critical applications with high business risk

I Already Have Checkmarx SAST. How do I Take Advantage of This?

If you already use Checkmarx SAST (whether on-prem or Checkmarx One), you can take advantage of these new capabilities today. It’s very easy to set up (here’s how at the account and project level in Checkmarx One, and at the project level on CxSAST). Contact your account manager for more help or to have them walk through this with you.

The Best of Both Worlds: Development and Security Approved

This fast scan mode gives developers more flexibility in their fast-paced environment, where they are constantly writing and updating code. They need scanning capabilities that can keep up with short sprints and continuous deployment by providing scans that are exceptionally fast and return only the most relevant results. Different apps have different risk levels and criticality. Our new fast scan mode lets developers scan more frequently while highlighting the most relevant results, so that they can focus on remediating the most important vulnerabilities. For mission-critical apps, organizations can pick in-depth scan mode and get deeper scans and stronger correlation.

To further increase alert fidelity and reduce false positives, the Checkmarx team has developed another enhanced component: a base preset. The base preset focuses on the highest-priority vulnerability queries to provide high-fidelity results with reduced noise. As a result, it reduces total findings by up to 70%. The base preset was designed to boost scanning efficiency, prioritizing the swift retrieval of results with pertinent and impactful vulnerabilities. The preset can also be used as a starting point and customized to meet your specific requirements. It is available regardless of which mode, fast or in-depth, you use. 

The newly released scanning engine optimizes the SAST scans being executed to reduce overall scan time, and further reduces scan times by tuning query parameters. 

The new scanning engine provides results that support developers in their fast-paced development lifecycle. Through development and testing we have achieved up to a 90% reduction in scan time. This time saved is valuable, and the results have proven to be of higher fidelity. 

The Bottom Line

Up until now, users have had to choose between speed and security. This often led to sprawl, with multiple tools being used throughout an organization to meet teams’ varied goals. Now they can have both in a single package: one vendor to deal with, one tool to learn, full transparency between security and development, and the flexibility to adapt as needs change. Checkmarx is the only solution that offers both in a single package.

Providing an application security solution that focuses on flexibility and high-fidelity results is what we are striving for at Checkmarx. This new release will provide reduced scan times with high quality results so that all members of your team can be successful – from the developers to the CISOs.

Checkmarx Named a Leader in the 2023 Forrester Wave™ for Static Application Security Testing
https://checkmarx.com/blog/checkmarx-named-a-leader-in-the-2023-forrester-wave-for-static-application-security-testing/
Wed, 20 Sep 2023 17:19:36 +0000

Checkmarx has always been a pioneer and leader in SAST. It’s a cornerstone of our company heritage, and the very foundation that allowed us to mature into the industry-leading enterprise AppSec platform that we are today.  

We are thrilled to announce that we have been recognized as a Leader in The Forrester Wave™: Static Application Security Testing, Q3 2023. We believe this is a testament to our commitment to continuing to provide innovative best-of-breed solutions to the world’s largest enterprises. 

You can see the full report here.

According to Forrester’s report, “Checkmarx started as a SAST specialist vendor and has grown to offer pre-release testing portfolio. The new Checkmarx One cloud platform enhances the different scan types for a better together story.” This follows last quarter’s publication of The Forrester Wave™: Software Composition Analysis, Q2 2023. According to that report, “Checkmarx’s execution is impressive; it’s brought all the products under one cloud platform while also enhancing SCA and launching software supply chain security. The new platform unlocks product synergies….” 

We believe that this reflects a critical market change and realization: point solutions are not enough. Enterprises need an AppSec partner that understands the challenges they face. It’s no longer good enough to have just a strong SAST or SCA solution. Enterprises need an AppSec platform that can do it all (SAST, SCA, supply chain security, API security, DAST, IaC security, and container security) and do it all well.  

Forrester evaluated eleven of the top SAST providers against 26 criteria, in three different categories: Current Offering, Strategy, and Market Presence.  

The report recommends that SAST customers should look for SAST solutions that: 

  • Increase developer velocity. 
  • Secure new and emerging technologies. 
  • Automate the remediation process.   

“Customers see fast time to value with the Checkmarx One platform,” noted the report.  We are proud to be recognized for our innovation and fast time to value.   

So, who should use Checkmarx? According to the report, “Checkmarx is well suited for medium to large enterprises using emerging tech in their software development.”  

Checkmarx SAST received the highest possible score (5.0) in eleven criteria:    

  • Incremental findings 
  • Language and framework support
  • Support for new development approaches 
  • Rules and policy management (consisting of native and custom rules, policies, policy enforcement – all sub-criteria that Checkmarx received a score of 5.0) 
  • IDE integration 
  • Ticketing tool integration 
  • Innovation 
  • Roadmap 
  • Revenue 

We recently launched a new Developer Experience site, showcasing how we increase developer velocity by prioritizing teams on business impact, meeting developers where they live, and equipping developers with the tools and knowledge they need. 

The Forrester Report reflects what we currently have, but there’s more to come! Join our Checkmarx One 3.0 Enterprise AppSec Platform Launch event, where we will showcase even more of the innovative technologies that we have recently launched and showcase what’s to come across our entire enterprise application security platform. 

Introducing AI Query Builder for SAST
https://checkmarx.com/blog/introducing-ai-query-builder-for-sast/
Wed, 31 May 2023 11:31:31 +0000

How SAST is customized for different applications

Today, Checkmarx SAST provides tremendous flexibility to scan applications based on how they are built. This is done using two constructs:

  • Queries: essentially a rule that identifies a potential vulnerability. 
  • Presets: a collection of queries optimized for a specific type of application (for example, a mobile app) that defines the scope of the SAST scan. We’ve written elsewhere about working with presets.

Queries are the building blocks for identifying potential vulnerabilities, and they are critical for filtering out the noise so that neither false positives nor false negatives reach your developers. Understanding queries enables AppSec teams and developers to prioritize their efforts and promptly address the most critical issues.  

Checkmarx SAST includes pre-built queries (and presets) written in the Checkmarx Query Language (CxQL). These identify common security issues such as SQL injection, cross-site scripting, and insecure access controls and provide an easy way to start securing applications out of the box.  

Customizing queries for your unique applications 

Checkmarx is the only solution in the market that allows for queries to be customized – either by creating new custom queries or customizing existing queries.  

Custom queries provide a uniquely flexible and powerful mechanism to tailor your SAST solution to specific application requirements. They provide the freedom to cover unique or specific code structures that pre-built rules may not handle adequately.  

For example, as we wrote in an earlier post:

A common use case that neatly highlights the benefits of customizing queries can be found in cross-site scripting (XSS) vulnerability findings where a false positive may be occurring due to the use of an in-house sanitizer method that is not included in the Checkmarx One default out-of-the-box query. We can simply add this method to the appropriate CxQL query and rescan the project to remove the FP. 
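To make the query/preset model and the sanitizer customization above concrete, here is a toy taint-flow engine written for this page. It is an added, constructed example and is not Checkmarx code, CxQL, or the way the Checkmarx engine is implemented: a `Query` is a source/sink/sanitizer rule, a `Preset` is a collection of queries that defines the scope of a scan, and the sample servlet fragment, the method names in the rules (`request.getParameter`, `println`, `stmt.executeQuery`, `Encode.forHtml`) and the in-house sanitizer `HtmlUtil.sanitize` are all assumed for illustration. Running the default preset reports the flow through the in-house sanitizer as XSS (the false positive); the customized preset, whose XSS query trusts that method, drops it while keeping the real XSS and SQL injection findings.

```python
"""Toy taint-flow engine modelling how a SAST query and a preset work.

Constructed for illustration only: this is not Checkmarx code and not CxQL.
A Query is a source/sink/sanitizer rule; a Preset is a collection of queries
that defines the scope of a scan. The sample Java fragment and every method
name used in the rules are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    name: str
    sources: frozenset        # calls whose return value is attacker-controlled
    sinks: frozenset          # calls that are dangerous with tainted input
    sanitizers: frozenset = frozenset()   # calls whose return value is trusted

    def with_sanitizer(self, method):
        """Customised copy of the query that also trusts an in-house sanitizer."""
        return Query(self.name, self.sources, self.sinks,
                     self.sanitizers | frozenset({method}))


@dataclass
class Preset:
    name: str
    queries: list

    def run(self, code):
        """Scan `code` with every query in the preset; concatenate findings."""
        return [f for q in self.queries for f in scan(code, q)]


# `Type var = expr;` or `var = expr;` (Java-like, one statement per line)
ASSIGN = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+?);\s*$")
CALL = re.compile(r"(\w+(?:\.\w+)*)\s*\(")   # dotted call names, e.g. request.getParameter
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def _matches(calls, names):
    """A rule entry matches the full dotted call or just its last segment."""
    return any(c in names or c.rsplit(".", 1)[-1] in names for c in calls)


def scan(code, query):
    """Return (query, source_line, sink_line, variable) for each tainted flow."""
    tainted = {}          # variable -> line where it became tainted
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        calls = set(CALL.findall(line))
        # 1. sink check: a tainted variable used on a line that calls a sink
        if _matches(calls, query.sinks):
            for v in dict.fromkeys(IDENT.findall(line)):
                if v in tainted:
                    findings.append((query.name, tainted[v], lineno, v))
        # 2. taint propagation through assignments
        m = ASSIGN.match(line)
        if not m:
            continue
        var, rhs = m.group(1), m.group(2)
        rhs_calls = set(CALL.findall(rhs))
        if _matches(rhs_calls, query.sanitizers):
            tainted.pop(var, None)        # sanitizer output is trusted
        elif _matches(rhs_calls, query.sources) or any(
                v in tainted for v in IDENT.findall(rhs)):
            tainted[var] = lineno         # taint flows from a source or tainted var
        else:
            tainted.pop(var, None)        # clean reassignment kills taint
    return findings


# Constructed sample: line 4 flows through an in-house sanitizer the default
# XSS rule does not know (false positive); lines 6 and 7 are real findings.
SAMPLE = """\
String name = request.getParameter("name");
String greeting = "Hello, " + name;
String safe = HtmlUtil.sanitize(greeting);
response.getWriter().println(safe);
String sql = "SELECT * FROM users WHERE name = '" + name + "'";
ResultSet rs = stmt.executeQuery(sql);
response.getWriter().println(name);
"""

XSS = Query("Reflected_XSS",
            sources=frozenset({"getParameter"}),
            sinks=frozenset({"println", "print", "write"}),
            sanitizers=frozenset({"Encode.forHtml"}))     # library encoder the rule knows
SQLI = Query("SQL_Injection",
             sources=frozenset({"getParameter"}),
             sinks=frozenset({"executeQuery", "execute"}))

DEFAULT_PRESET = Preset("web-default", [XSS, SQLI])
# Customised preset: same queries, but the XSS query now trusts the in-house method.
CUSTOM_PRESET = Preset("web-custom", [XSS.with_sanitizer("HtmlUtil.sanitize"), SQLI])


if __name__ == "__main__":
    for preset in (DEFAULT_PRESET, CUSTOM_PRESET):
        print(f"preset {preset.name}:")
        for q, src, sink, var in preset.run(SAMPLE):
            print(f"  {q}: '{var}' tainted at line {src} reaches sink at line {sink}")
```

The point of the example is the diff between the two runs: nothing in the code under test changed, only the rule's knowledge of which methods neutralize the taint. That is also why adding a sanitizer to a query deserves review: a method registered as a sanitizer silences every flow through it for that query, so the method must actually encode for the sink's context (here HTML output), or the customization turns a false positive into a false negative.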

AI enters the room 

Unless you’ve been living under a rock, you’ve probably heard about AI and the impact it’s having across every industry. In tech, many developers have embraced AI and are already using it to generate their code. Even more so, according to a recent IDC survey (1), developers believe that software quality and testing (22.5%) and security testing and vulnerability management (21.5%) have the most potential to benefit from generative AI. 

Making custom queries more accessible with AI 

Today, Checkmarx introduced AI Query Builder for SAST. This feature lets Checkmarx One users harness the power of AI to automatically generate new custom queries or modify existing ones. AI Query Builder builds on the custom query capability, allowing AI to help any AppSec team write new or edit existing custom queries. This lets every organization tune SAST more easily for its applications, increasing accuracy and minimizing false positives and false negatives. 

AI Query Builder is an expert in the ins and outs of CxQL. You no longer need to be an expert in building a query when an AI can do the work for you! With this feature, a simple prompt such as, “Help me generate a Checkmarx query that will detect an authentication issue,” will immediately generate a new custom query.  

Benefits of AI-Generated Custom Queries 

Some benefits of using artificial intelligence to generate custom queries include: 

  • Comprehensive coverage: AI Query Builder can use existing public SAST documentation and security best practices to generate custom queries that cover a broader range of potential vulnerabilities. This reduces the risk of making mistakes or missing critical issues. 
  • Enhanced efficiency: Save time and effort – instead of manually crafting queries, AppSec managers and developers can engage with AI Query Builder to generate tailored queries, reducing time spent on query development. 
  • Fewer false positives: False positives are always a challenge for any AppSec solution, but AI-generated custom queries can improve accuracy and reduce false positives.  
  • Everyone can use it: custom queries are no longer reserved for power users; every Checkmarx One user can now better tune their SAST solution using AI.  

Try it yourself.  

Interested in seeing for yourself?  

Join the Checkmarx Early Access program.  

We’re just beginning. Check in next week when we’ll have a new blog post taking us through AI Query Builder for IaC Security. 

(1) Source: IDC, Generative AI Adoption and Attitudes: A Survey of U.S. Developers, Doc #US50655123, May 2023 
