Michael Smythe, Author at Checkmarx https://checkmarx.com/author/michaelsmythe/ (The world runs on code. We secure it. Feed last updated Thu, 15 Aug 2024 13:40:10 +0000)

Building #DevSecTrust with JetBrains and Checkmarx
https://checkmarx.com/blog/building-devsectrust-with-jetbrains-and-checkmarx/ Mon, 22 Apr 2024 11:00:00 +0000

In the world of application development, success relies on developers being able to use their preferred tools to deliver innovative, secure products. Getting the developer experience right is a mission that unites Checkmarx and JetBrains, a global software vendor that creates professional software development tools and advanced collaboration solutions. See this in action by watching our latest joint webinar.

We are pleased to announce that we are building on our long-standing partnership and earlier integrations with JetBrains’ flagship, IntelliJ IDEA. This will deliver the full power of the Checkmarx One™ Application Security Platform into key JetBrains tools. Individual developers and teams will be able to boost their security performance while continuing to deliver applications at speed.

Partnering for Secure Code Productivity 

In 2022, Checkmarx and JetBrains first partnered by bringing Checkmarx SCA capabilities natively into IntelliJ IDEA Ultimate through the Package Checker. Using the pre-installed Package Checker plugin, five million developers can use IntelliJ IDEA to initiate Checkmarx SCA scans directly from their development environment. This can be done for free, without the need to become a Checkmarx customer, with detailed results showing OSS vulnerabilities as soon as the scan is complete. Frictionless integration with modern application development workflows makes it easier to secure applications before they are compiled, instead of waiting for deployment to identify vulnerabilities.

Building on this initial launch, the Checkmarx SCA plugin is also available for a wide range of JetBrains developer tools including WebStorm, PyCharm, Rider, ReSharper, Qodana, and GoLand.

Building #DevSecTrust 

The next phase of our partnership with JetBrains is now live. Checkmarx customers can now bring the full functionality of the Checkmarx One 3.0 application security platform, including SAST, SCA, and IaC security, to IntelliJ IDEA through the Checkmarx One JetBrains Plugin.  

We know that making security tools available to developers doesn’t automatically lead to more secure code. Fast, secure application development is the goal, but this is hard to achieve if security tools lack intuition and cause friction in developer workflows. To help developers, Checkmarx One doesn’t just provide detailed information on each vulnerability discovered, including remediation recommendations and examples. We also enable the developer to navigate with one click from the identified vulnerability directly to the best fix location in the source code, so no time is wasted.

Focusing on exploitable vulnerabilities is also critical to effective and efficient remediation. That’s why the newest releases of JetBrains’ IntelliJ IDEA, WebStorm, PyCharm, Rider, and ReSharper tools include Checkmarx’s Exploitable Path capabilities for Java, JavaScript, C#, and Python languages. This capability gives developers the ability to see whether there’s a path from the project code into the vulnerable package code through which the vulnerable packages could be exploited. Developer teams can focus on the remediation of actively exploitable vulnerabilities first so their time is spent on the most critical areas. 

Our #DevSecTrust approach can also be seen in reducing the number of irrelevant alerts. Checkmarx starts work before it is integrated into the IDE. It can be finely tuned by AppSec teams to ensure the accuracy of scans and effective prioritization of findings. Noise is reduced before it enters the workflow, so developers can be confident that the vulnerabilities they are being alerted to are genuine and they know what needs to be prioritized for fixing. This ultimately helps CISOs drive strategic initiatives to uplevel application security posture. 

Collaborative Development with Security in Mind

Checkmarx One 3.0 can also be integrated into TeamCity, a powerful CI/CD tool for DevOps teams of any scale, developed by JetBrains. This means organizations can normalize the inclusion of security scanning in team application development projects.

The Checkmarx One TeamCity plugin enables users to trigger SAST, SCA, IaC Security, and API Security scans directly from a TeamCity project. It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from a source code repository and uploads it to Checkmarx One for scanning. This plugin provides easy integration with TeamCity while enabling scan customization using the full functionality and flexibility of the Command Line Interface (CLI) tool.

Key features of the TeamCity plugin include:

  • Automatically triggering CxSAST, CxSCA, IaC Security, and API Security scans from TeamCity projects.
  • Use of CLI arguments to customize scan configuration.
  • Automatic updates to the latest plugin version.
  • Interface for viewing scan results summary and trends in the TeamCity environment.
  • Direct links from within TeamCity to detailed Checkmarx One scan results and reports.
  • Generating SBOM reports.

This helps teams enhance software security, governance, and reporting.

A Powerful Partnership

JetBrains and Checkmarx are recognized leaders in their fields, and this long-term partnership unites us in delivering a game-changing developer experience, raising the profile of AppSec without compromising productivity or workflows. This empowers CISOs to elevate code security and deliver more secure apps, faster.

Getting Started

It couldn’t be easier to get started with Checkmarx in JetBrains tools. Our dependency checker plugin is already a native part of all JetBrains IDEs, so developers can access advanced SCA right now.

The Checkmarx One 3.0 plugin can be easily installed by Checkmarx customers into the IntelliJ IDEA development environment from the Checkmarx marketplace. It is also available as an on-premises solution. Similarly, the TeamCity plugin can be installed for customers with a Checkmarx account and is also available on-premises if required. For more information, contact the Checkmarx Team or watch our latest joint webinar today.

Container runtime insights to prioritize what matters most
https://checkmarx.com/blog/container-runtime-insights-to-prioritize-what-matters-most/ Tue, 06 Feb 2024 12:00:00 +0000

Through an integration with Sysdig, Checkmarx One users can now leverage runtime container insights to prioritize vulnerabilities associated with running container packages that pose the most risk.

Prefer not to read? You can watch a replay of our joint webinar where we go into more depth about the capabilities and demonstrate live within the Checkmarx One and Sysdig Secure products. Watch now ->

In the past several years, containers have emerged as a favorable choice for deploying applications, because their architecture lets developers set aside concerns about dependencies and environments. Everything essential for running an application is neatly encapsulated within the container, encompassing code, runtime, system tools, libraries, and dependencies.

In cloud-native environments, containers, when coupled with best practices and the appropriate tools, offer seamless scalability, ensuring optimal application performance and availability. This flexibility not only caters to peak demands but also frees processing power for various application components.

However, the challenge arises when cloud and application security functions operate in silos, creating fragmentation. This leaves AppSec teams without the correlation or context to understand which container packages are running and which are not, and to prioritize the associated risks effectively.

Imagine a scenario where developers, prompted by security alerts and new work items, invest their valuable time in remediation efforts, only to discover that the identified low-priority vulnerability pertains to an unused container package. Without the correlation between vulnerability and runtime data, frustration sets in for developers, and may cause alert fatigue, while AppSec teams find themselves handicapped without a comprehensive view of the critical vulnerabilities that truly matter.

The challenge for AppSec teams is not merely identifying vulnerabilities but prioritizing and remediating the ones that pose the most risk. Establishing a connection between vulnerabilities and the running containers becomes crucial, enabling teams to prioritize critical vulnerabilities and remediate them effectively. This correlation goes beyond technical nuances; it forms the backbone for fostering trust and collaboration between developers and AppSec teams.

Checkmarx & Sysdig: connecting the dots between pre-production and runtime

Sysdig enhances Checkmarx Container Security by providing vital runtime insights into container Open-Source Software (OSS) running within cloud-native environments. While Checkmarx excels in securing container images by detecting vulnerabilities during development, Sysdig’s real-time profiling enriches this process by analyzing containerized applications during runtime. Checkmarx crossmatches the list of OSS packages used at runtime with known vulnerable packages, enhancing the identification of security risks. By integrating with Sysdig, Checkmarx extends its container security capabilities beyond static image analysis, ensuring a comprehensive approach throughout the container lifecycle. 

The collaboration between Sysdig and Checkmarx streamlines overall security management by offering continuous runtime monitoring and analysis. Sysdig’s integration enhances Checkmarx’s ability to prioritize and address vulnerabilities effectively, delivering a unified solution covering static analysis and real-time package insights. This partnership strengthens the capability to identify and remediate security threats, fostering a resilient cloud-native environment while empowering security teams and developers with a more proactive security posture.

See the integration in action

Beginning in Checkmarx Container security, we look at the completed scans under the “Container” tab. 

Runtime insights for container packages are available at the container level and at the vulnerability level. 

Within the container level under the “Container Packages” tab, container scan results are sorted by default by the packages used at runtime, and by the packages with the most vulnerabilities.

This view makes it tempting to jump straight into the container packages with the most vulnerabilities. But cross-referencing the “Runtime Usage” column against the number of vulnerabilities found makes it clear which vulnerabilities should be prioritized.

Users can also filter this view to only see the packages used at runtime. 

Runtime insights are also available at the vulnerability level. The ‘Container Vulnerabilities’ view displays vulnerabilities associated with containers and their criticality, bubbling up those vulnerabilities associated with containers found in runtime at the top of the list.  



In this view, the “Risk Factor” column highlights whether the vulnerability is associated with a package that is used at runtime. The results show 9 CVEs associated with packages used at runtime, while the last CVE is in a package that is not used at runtime. Runtime usage is just the first risk factor; additional risk factors are coming soon.

When users want to better understand a given vulnerability found, they can click into the CVE for more information, including the severity, CVSS Score, and attack vector. 


When users click into a given CVE, they’ll now see a new “Risk Factors” box, where they can quickly see that the vulnerability is associated with a package used in runtime.
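The prioritization logic described in the two views above (runtime-used packages first, a “runtime” risk factor on each finding, and a package summary sorted by usage and vulnerability count), as an added illustration that is not Checkmarx or Sysdig code; the findings, the runtime profile and the field names are constructed assumptions:

```python
"""Correlate container-image vulnerability findings with runtime package usage.

Added illustration of the prioritisation the post describes: findings on
packages seen running get a "runtime" risk factor and bubble to the top,
the package view sorts runtime-used packages with the most vulnerabilities
first, and filtering to in-use packages drops the rest as noise. This is
not Checkmarx or Sysdig code; all findings and runtime data below are
constructed sample values and the field names are assumptions.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class Finding:
    cve: str
    package: str
    version: str
    severity: str
    cvss: float
    risk_factors: list = field(default_factory=list)


# Constructed image-scan findings; the CVE ids are placeholders, not real CVEs.
FINDINGS = [
    Finding("CVE-0000-0001", "openssl", "1.1.1k", "HIGH", 7.5),
    Finding("CVE-0000-0002", "openssl", "1.1.1k", "MEDIUM", 5.3),
    Finding("CVE-0000-0003", "curl", "7.74.0", "CRITICAL", 9.8),
    Finding("CVE-0000-0004", "zlib", "1.2.11", "HIGH", 7.5),
    Finding("CVE-0000-0005", "libxml2", "2.9.10", "HIGH", 8.2),
    Finding("CVE-0000-0006", "imagemagick", "6.9.11", "CRITICAL", 9.8),
    Finding("CVE-0000-0007", "imagemagick", "6.9.11", "HIGH", 7.8),
    Finding("CVE-0000-0008", "perl", "5.32.1", "LOW", 3.1),
    Finding("CVE-0000-0009", "bash", "5.1", "LOW", 3.3),
    Finding("CVE-0000-0010", "git", "2.30.2", "HIGH", 7.5),
]

# Constructed runtime profile: the packages a runtime agent actually observed
# being loaded or executed in the running container. imagemagick, perl, bash
# and git are installed in the image but never touched at runtime.
RUNTIME_USED = {"openssl", "curl", "zlib", "libxml2"}


def annotate(findings, runtime_used):
    """Attach the 'runtime' risk factor to findings on packages in use (in place)."""
    for f in findings:
        if f.package in runtime_used and "runtime" not in f.risk_factors:
            f.risk_factors.append("runtime")
    return findings


def prioritize(findings, runtime_used):
    """Order findings like the Container Vulnerabilities view: runtime-used
    packages first, then highest severity, then highest CVSS score."""
    annotate(findings, runtime_used)
    return sorted(
        findings,
        key=lambda f: ("runtime" not in f.risk_factors,
                       -SEVERITY_RANK[f.severity], -f.cvss),
    )


def package_summary(findings, runtime_used):
    """Rows of (package, vulnerability count, used at runtime) like the
    Container Packages tab: in-use packages first, most vulnerabilities first."""
    counts = {}
    for f in findings:
        counts[f.package] = counts.get(f.package, 0) + 1
    rows = [(pkg, n, pkg in runtime_used) for pkg, n in counts.items()]
    rows.sort(key=lambda r: (not r[2], -r[1], r[0]))
    return rows


def noise_reduction_percent(findings, runtime_used):
    """Percentage of findings removed by filtering to runtime-used packages."""
    if not findings:
        return 0
    in_use = sum(1 for f in findings if f.package in runtime_used)
    return round(100 * (1 - in_use / len(findings)))


if __name__ == "__main__":
    for f in prioritize(FINDINGS, RUNTIME_USED):
        flag = "runtime" if "runtime" in f.risk_factors else "-"
        print(f"{f.cve}  {f.package:<12} {f.severity:<9} {f.cvss:<4} {flag}")
    print(package_summary(FINDINGS, RUNTIME_USED))
    print(f"noise removed: {noise_reduction_percent(FINDINGS, RUNTIME_USED)}%")
```

Note that the unused CRITICAL imagemagick finding lands below every in-use finding, which is exactly the reordering the “Risk Factor” column is meant to drive.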

Prioritize what’s running and reduce noise by up to 90%

Using runtime insights from Sysdig Secure, Checkmarx One or SCA standalone customers gain several benefits. 

  • Prioritize remediation effectively. Correlating pre-production and runtime surfaces the most impactful risk, dramatically reducing the time to detect and prioritize vulnerabilities associated with in-use packages first.
  • Build #DevSecTrust. Team alignment and trust are crucial for the success of an enterprise-scale AppSec program. Focusing the development team on the most critical vulnerabilities, filtering out the rest and reducing alert fatigue, builds trust with developers.
  • Improve your security posture. Runtime insights help organizations improve their overall security posture by providing the context your team needs to prioritize the most impactful vulnerabilities.
  • Reduce noise. AppSec teams can prioritize vulnerabilities based on in-use context, and eliminate 90% 

Whether you’re a CISO (Chief Information Security Officer) focused on your total application security posture, or part of an AppSec team focused on identifying and prioritizing vulnerabilities, or a developer focused on remediation and supporting the business where it matters most, Checkmarx and Sysdig help you better identify, prioritize, and remediate vulnerability risk.

The integration is available for users of both Checkmarx One or Checkmarx SCA standalone and Sysdig Secure. If you are a current customer of both Checkmarx and Sysdig, or you wish to start gathering runtime insights, Request a Demo to get started.

You can also watch a replay of our joint demonstration https://info.checkmarx.com/tech-partner/sysdig/bridging-code-and-cloud-security

Checkmarx + Vulcan Cyber: Enabling Customers to Mitigate AI Vulnerabilities
https://checkmarx.com/blog/checkmarx-vulcan-cyber-enabling-customers-to-mitigate-ai-vulnerabilities/ Tue, 21 Nov 2023 12:00:00 +0000

The impact of cyber-attacks on the global economy is predicted to be $10.5 trillion by 2025. One area where threats and vulnerabilities persist is in the software development process, with AI risk now a growing concern.

Finding and fixing vulnerabilities is crucial, but traditional approaches often relegate security measures to the final stages of the software development lifecycle (SDLC). A proactive approach to vulnerability management and remediation is not just a nice to have but a requirement to protect your SDLC. By prioritizing vulnerability management earlier in the software development lifecycle (shifting left), the practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities allows organizations to stay one step ahead.

Vulnerability and risk management is an important part of the AppSec and developer toolkit, which is one of the reasons that Checkmarx partnered with Vulcan Cyber.

First to Market

Vulcan Cyber developed one of the first cyber risk management platforms which was built to help organizations reduce vulnerabilities and risks. The platform correlates, prioritizes, and manages vulnerability risk across all attack surfaces.  It consolidates all vulnerability and risk data, correlating and de-duping scan results.  It orchestrates risk mitigation workflows, delivers risk remediation intelligence, and enables developers and AppSec professionals to customize their risk compliance threshold and actively measure, track, and report risk reduction.

How it Works

While we have been partners with Vulcan Cyber for some time, we are pleased to announce a new integration with our Checkmarx One™ platform.  This means that Vulcan Cyber is now integrated with our traditional Checkmarx SAST on-prem solution, as well as Checkmarx One™ SAST, SCA and IaC.  

Checkmarx One is an application security platform used for scanning, prioritizing, and addressing security vulnerabilities in an organization’s applications, projects, or source code. Vulcan customers can bring vulnerability data from Checkmarx One into Vulcan Cyber to manage their application security and construct a more comprehensive view of their attack surface, thus strengthening their cybersecurity posture.

The Checkmarx One Vulcan Connector seamlessly integrates with the Checkmarx One platform to pull and ingest code project assets and vulnerability data in the Vulcan platform.  Once the integration is complete, the Vulcan platform scans the report findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priorities.  

Plenty of Synergies with Vulcan Cyber

Checkmarx and Vulcan both have a pedigree in leading threat intelligence teams and first-party research into active threat actors. In fact, the Vulcan research team, Voyager18, and Checkmarx collaborated around our GenAI capabilities, including the CheckAI plugin for ChatGPT. This industry-first AI AppSec plugin enables developers to scan generated code within the ChatGPT interface, provides remediation guidance, and protects against malicious open source packages targeting GenAI-generated code.

Identifying AI Hallucinations   

In particular, working with the Vulcan Cyber research team, we can collaborate to identify AI hallucinations, which is when ChatGPT provides customers with inaccurate information. We are now seeing such hallucinations being weaponized by hackers.

Attackers ask ChatGPT for coding help in common tasks. ChatGPT might provide a package recommendation that either doesn’t exist or isn’t published yet; in other words, a hallucination. Then the attackers create a malicious version of that recommended package and publish it, so that when a developer asks ChatGPT for help on that problem, there is a package with a malicious payload waiting. Our CheckAI Plugin enables developers and security teams to protect against these attacks caused by malicious open source packages and dependencies while working within the ChatGPT interface.
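A defensive gate for the hallucinated-package pattern just described, added here as an example that is not the CheckAI plugin or any Checkmarx code: each assistant-suggested dependency is checked against registry evidence before it is allowed into a build. The registry snapshot, dates, download counts and thresholds are constructed assumptions.

```python
"""Vet assistant-suggested dependencies against registry evidence before install.

Added defensive example for the hallucinated-package pattern the post
describes: a suggested name that is not on the registry at all, or that
appeared only days ago with almost no usage, should be rejected or reviewed
rather than installed on trust. This is not the CheckAI plugin or any
Checkmarx code; the registry snapshot below is constructed and the age,
download and similarity thresholds are assumptions.
"""
import difflib
import re
from datetime import date


def normalize(name):
    """PEP 503 name normalisation so 'Fast_JSON.Parse' == 'fast-json-parse'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Constructed stand-in for a registry lookup: normalised name ->
# (first publish date, weekly downloads). Values are illustrative only.
REGISTRY = {
    "requests": (date(2011, 2, 14), 400_000_000),
    "boto3": (date(2014, 11, 3), 250_000_000),
    "pyyaml": (date(2006, 10, 29), 200_000_000),
    "fast-json-parse": (date(2024, 1, 3), 12),  # brand new, almost unused
}


def vet_package(name, registry=REGISTRY, today=date(2024, 1, 20),
                min_age_days=90, min_downloads=1000, popular_downloads=1_000_000):
    """Return (verdict, reason) for one suggested package name.

    REJECT: not on the registry (a hallucination, or a name nobody has claimed).
    REVIEW: exists but is very new with negligible usage, or looks like a
            near-duplicate of a popular package name.
    ALLOW:  established package with real usage.
    """
    key = normalize(name)
    popular = [n for n, (_, dl) in registry.items() if dl >= popular_downloads]
    lookalike = [p for p in difflib.get_close_matches(key, popular, n=1, cutoff=0.8)
                 if p != key]
    if key not in registry:
        reason = "not published on the registry (possible hallucination)"
        if lookalike:
            reason += f"; name resembles popular package '{lookalike[0]}'"
        return "REJECT", reason
    first_seen, downloads = registry[key]
    age_days = (today - first_seen).days
    if age_days < min_age_days and downloads < min_downloads:
        return "REVIEW", f"published {age_days} days ago with {downloads} weekly downloads"
    if lookalike:
        return "REVIEW", f"name resembles popular package '{lookalike[0]}'"
    return "ALLOW", f"established package ({age_days} days old, {downloads} weekly downloads)"


def vet_suggestions(names, **thresholds):
    """Vet every name an assistant suggested; returns name -> (verdict, reason)."""
    return {n: vet_package(n, **thresholds) for n in names}


if __name__ == "__main__":
    # Constructed list of names as an assistant might suggest them.
    for name, (verdict, reason) in vet_suggestions(
            ["requests", "PyYAML", "fast_json_parse", "reqeusts"]).items():
        print(f"{verdict:<7} {name:<16} {reason}")
```

In a real pipeline the snapshot would be replaced by a registry query and the REJECT/REVIEW verdicts would block the install step or open a review task rather than just print.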

Getting Started 

Together, we are working to dramatically improve the end-to-end developer experience, while also continuing to expand the AI-driven security capabilities of our CheckAI Plug-in by augmenting it with the Vulcan Cyber AI research team.

For more information get in touch with your Checkmarx account rep or contact us today.

Automating vulnerability remediation with Checkmarx One and Mobb.ai
https://checkmarx.com/blog/automating-vulnerability-remediation-with-checkmarx-one-and-mobb-ai/ Thu, 02 Nov 2023 11:00:00 +0000

Secure code is critical for businesses that are focused on developing innovative and sophisticated applications. Alignment and trust between CISOs, AppSec professionals and developers is paramount in order to identify and address the highly critical vulnerabilities that could impact an enterprise. Being able to prioritize for the greatest business impact, integrate directly into developers’ workflows, and equip your teams with the tools needed to secure applications from the first line of code are no longer “nice to haves”; they are “need to haves”. For enterprises, this can be even more challenging due to volume and scale: large development teams, billions of lines of code, hundreds of applications to release, and competing priorities.

Uniting our expertise, Checkmarx and Mobb partnered more than a year ago, and our collaboration benefits developers, AppSec managers, and CISOs alike as we work to build #DevSecTrust and power the transition to DevSecOps. 

Checkmarx customers can now deploy Mobb’s auto-remediation solution for vulnerabilities identified during scans with CxSAST (on-prem solution) and the Checkmarx One platform. This partnership significantly reduces the time and cost involved in remediating vulnerabilities and bridges the gap between developers and security in two key ways:

  1. Checkmarx’s industry-leading SAST solution is highly tuned for accuracy and prioritizes findings to minimize the noise that enters the developer workflow in the first place. Developers trust that the alerts represent genuinely material, exploitable problems and they know what to fix first.
  2. Mobb’s AI engine provides auto-remediation of the vulnerabilities identified by Checkmarx in just a few clicks – there’s no need for developers to review scan reports and search for fixes and fix locations. This means they can focus on innovation.

Auto-remediation can be easily integrated into the CI/CD pipeline or triggered as part of manual scans, guiding developers to fix vulnerabilities quickly and seamlessly.

How it works: AI-powered auto-remediation for code vulnerabilities

Mobb’s auto-remediation solution is provided by its AI engine and heuristics based on known best practices for the most common vulnerability types and the most common programming languages.

For example, a workflow can start when the developer commits their code changes to GitHub. A Checkmarx SAST scan is initiated as part of the CI/CD workflow. Once the scan is complete, Mobb analyzes the findings and identifies all instances of supported issues. It extracts all the information it needs to fix each finding automatically and then analyzes the vulnerabilities and the developer’s source code for essential contextual information on how the error was created. Mobb then matches its pre-prepared fix algorithms to each context and the algorithm builds the correct fix. The vulnerability and proposed fix are flagged to the developer, showing the fix side-by-side with the vulnerable code. Once the developer approves the fix, it is made automatically. Once the fixed code branch is merged with the main code, the Checkmarx scan can be re-run to verify that the fix is implemented. Watch how simple the process is here.

For the developer experience, this is game-changing. Instead of having to read and analyze a vulnerability report with details about the vulnerabilities and suggestions on how to fix it, they get an instant fix provided; a pull request is ready, and they just need to merge the fixed code and move on. The reduction in friction combined with trust in the accuracy of Checkmarx scans means they can incorporate security more easily into their workflow, so productivity stays high.

CISO, AppSec team, and business benefits

From a CISO perspective, auto-remediation offers a force multiplier in the reduction of vulnerability backlogs by allowing developers to easily address them earlier in the development process. AppSec teams can streamline policies and processes and get code into production faster, without compromising on security.

Across the board, Checkmarx and Mobb save the business money, by identifying only material and exploitable vulnerabilities while providing the fastest way to a recommended fix. This dramatically reduces the amount of time developers need to manage security responsibilities.

Checkmarx is committed to pushing the boundaries of the developer experience and this solution builds on Checkmarx’s existing auto-remediation solutions for SCA and IaC vulnerabilities. Together these help developers and AppSec teams deliver secure software fast.

Powerful partnerships drive secure software excellence

The Checkmarx partnership ecosystem is designed to bring Checkmarx customers the most advanced solutions to complement its industry-leading AppSec platform and help them secure the code base without compromising on productivity. 

Mobb is already making an impact in the market and won the Startup Spotlight competition at Black Hat USA in August 2023. Mobb’s deep understanding of the challenges of implementing DevSecOps makes it an ideal Checkmarx partner and we are looking forward to building further on our solutions together.

Getting started

Checkmarx customers can leverage Mobb’s auto-remediation solution by talking with their account team. 

For more information get in touch with your Checkmarx account rep or contact us today.

Announcing the Checkmarx Tech Partnership Program
https://checkmarx.com/blog/checkmarx-tech-partnership-program/ Wed, 18 Oct 2023 11:00:00 +0000

We’re thrilled to announce the Checkmarx Tech Partnership Program, seamlessly integrating even more best-in-breed partner capabilities with Checkmarx One, the industry-leading AI-Powered enterprise AppSec platform.

With Checkmarx One, you can easily extend the platform with a wide range of Tech Partner capabilities in the areas of SDLC tooling, Runtime & Cloud Security, Vulnerability Management, and Emerging Tech.

If you’re looking to build a unified AppSec posture or extract more value from your existing AppSec solutions to drive better security outcomes, we have partner solutions that deliver. 

The Need for a Single, Unified Platform

Modern application security is complex. From the initial stages of development to deployment and maintenance, every phase of the SDLC presents its unique challenges. Security tools often sprawl across these stages, and without proper integration, the consequences are clear, and unfortunately, far too common: inefficiencies, incomplete coverage, missed vulnerabilities, slowed development cycles, and increased risk.   

Enterprises require a platform designed to enable CISOs, AppSec, and development leaders to prioritize their teams’ focus on what impacts their business, because it’s no longer just about shifting left or right — it’s about shifting everywhere. And shifting everywhere requires integrating and automating security within, and beyond, your development pipeline.

Existing Partnerships and Integrations

The Checkmarx Tech Partnership Program was inspired by customer feedback about the importance of integrations across the entire SDLC, from development to deployment and reporting. We have always been at the forefront of offering meaningful integrations into CI/CD, IDE, SCM, ticketing, vulnerability management, and runtime tools. 

Checkmarx customers already know that Checkmarx has numerous integrations with industry leaders like JetBrains, Jira, GitLab and countless others.

With the program’s launch, we’re amplifying our commitment by bringing in more partners, including companies like AWS, ServiceNow, and Sysdig.

More Value for Checkmarx Customers

Confidence in integration quality. We’ve all been there – trying to use “integrations” that are smoke and mirrors that don’t have the true back-and-forth, full capability set that the independent, disjointed solution provides. And, in MVP-level integrations, it is often not clear who to contact, for example, if an integration isn’t working as it should. 

With the Checkmarx Tech Partnership Program, customers can trust that tools will work together seamlessly. Plus we will be your primary contact when you have questions or need support. With integrations through our tech partnership program, you can be assured of the integration quality, backed up with support and a single point of contact for all integration related queries. 

Drive better security outcomes. Many of our partner integrations help customers aggregate and see all vulnerabilities in one place, manage with one process, or connect the dots.

When AppSec teams can identify and prioritize vulnerabilities faster, developers can focus on the vulnerabilities that really matter, in the tools they already use, and AppSec leaders can extract analytics that deliver meaningful insight across various toolsets. 

For example, through the recent integration with Sysdig, Checkmarx users can now leverage runtime container insights to prioritize vulnerabilities associated with container packages that are actually running and that pose the most risk, reducing vulnerability noise by up to 95%.    

Want to Partner with Us?

We’re always looking to add new Tech Partner Program members to bring new and exciting functionality to our customers. 

Checkmarx Partners work collaboratively with our team to ensure full, seamless integration with the Checkmarx One platform, ensuring the solution is easily accessible to our more than 1,800 customers, including 60% of the Fortune 100.

Potential partners can learn more about the program and benefits and contact us today to start the conversation. 

Shift everywhere with the most extensible code-to-cloud AppSec ecosystem

The Checkmarx Tech Partnership Program was built to help you shift everywhere to identify risk throughout your Software Development Life Cycle (SDLC) and manage AppSec risk across your entire application footprint. As a result, organizations leveraging the Checkmarx Tech Partnership Program ultimately create efficiencies in their remediation processes and build trust between Security and Development teams along the way.

To learn more about Checkmarx Tech Partnership Program members and integrations, check out the brand-new directory that puts the spotlight on featured partners. 

We’re so excited to launch the program today, but we’re only getting started. Stay tuned for more exciting partner announcements coming soon!  

3 Financial Services Trends and How They Affect Your Application Security
https://checkmarx.com/blog/3-financial-services-trends-and-how-they-affect-your-application-security/ Mon, 24 Apr 2023 22:22:51 +0000

Learn how Checkmarx and AWS have partnered to help your financial services firm adapt to the evolving landscape.

The way we bank has changed beyond recognition. Where transactions once took place in person within the walls of impressive buildings, we now see mobile and online banking on the rise. Anywhere, anytime, palm-of-your-hand banking is the norm, and our expectations are shaped by the seamless, personalized app experiences that have become the default in the digital universe. At the same time, the global acceleration of digital banking licenses has created a new competitive landscape populated by fast-moving market entrants and born-in-the-cloud providers.

One thing that hasn’t changed, though, is the position of trust at the cornerstone of the banking system. Indeed, in today’s volatile economic and cybersecurity environment, building brand trust is more important than ever. Whether you are a legacy brand or a new market entrant, any lack of trust compromises your ability to succeed.

So financial services firms face a continuing challenge: how to innovate at the speed required without compromising customer safety and system security? Most are turning to the cloud for answers. Its flexibility and scalability are making it central to financial service organizations’ efforts to embrace new trends and deliver innovative services at pace.

AWS has some intriguing solutions to meet the challenge. The cloud leader provides a full suite of services to help banks achieve the agility to thrive in the digital age, while certified partners such as Checkmarx ensure the security of the applications and services banks develop.

Recently, the team at AWS identified seven key trends that are impacting the financial services industry. Here we take a deep dive into three areas where AppSec is highly relevant and explore what they mean for the sector.

Trend 1: Customer experience — speed and security must be dual priorities

Today, the economic power is passing to a digital-native generation with little loyalty to legacy banking brands and great expectations of how personal and business financial services should perform. This means customer experience is the modern commercial battleground. Banking must be hyper-personalized and service-led. Increasingly, banking is integrated into consumers’ day-to-day journeys through embedded financial services within trusted brands such as Starbucks and Uber.

Banks are leaning heavily on AI and machine learning to predict customer needs through analysis of internal and external datasets, while the omnichannel drive continues through solutions such as authentication based on voice recognition, real-time sentiment analysis of customer service calls, chatbot support, and automated self-service options.

AWS supports these initiatives and many more through cloud-powered big data analysis that allows banks to leverage AI and machine learning on a massive scale. It also, in its own words, “helps compress time to innovation and, ultimately, time to value, by facilitating rapid development, testing, and deployment to produce new ideas and customer propositions.”  

AWS allows banks to accelerate innovation through its cloud-native application development services, but they also need to ensure the code they create is secure and resilient. Achieving application security assurance without putting a brake on delivery speed is crucial. However, a recent Checkmarx survey of banking and insurance CISOs found that 84% of respondents undergoing digital transformation and implementing a cloud-native strategy were concerned about secure application development and deployment.

As an AWS accredited partner, Checkmarx understands that security must work at the speed of DevOps. The Checkmarx One™ Application Security Platform is designed for the cloud development generation and delivered from the cloud, bringing integrated one-click AppSec testing that allows financial services companies to deploy more secure code — fast.

Trend 2: Ecosystem-based banking and banking-as-a-service APIs take center stage

The open banking era is unlocking the doors to greater innovation and collaboration. Providers can now seize new opportunities to develop products that blur the boundaries between different types of financial services. They are establishing solutions that offer their banking services, including fully managed banking propositions, to third parties securely via microservices and a common platform.

AWS identifies two key approaches to this trend. The “marketplace” approach sees banks providing “value-added and contextualized services to their customers such as ERP integrations or personal finance management.” The aim is to deepen the relationship with individual and business customers beyond basic service provision.

The “banking-as-a-service” approach sees banks offering a range of services — from standalone specific regulatory-driven services like Know Your Customer’s Customer (KYCC) to fully managed offerings that let any organization set up a branded banking service.

Center-stage in both approaches are the bank’s APIs, designed to allow banking products and services to be distributed to customers and third parties. Modernizing API architecture in the cloud accelerates the development and testing of APIs, making them easier to integrate as well as providing scalability.

Checkmarx API security offers banks and their customers and partners a crucial service that helps discover, control, and mitigate API security risk. It offers complete visibility into your API inventory and identifies vulnerabilities and misconfigurations. Controlling API risk is an essential component of developing financial marketplace ecosystems and banking-as-a-service solutions.

Trend 3: Cyber event recovery: reducing the attack surface and responding to regulatory requirements

Given its nature, it is not surprising that the financial services sector faces more cyberattacks than any other. On top of these external incursions comes the disruption of digital transformation, which can also create vulnerabilities including third-party and supply chain risk.

Banks are investing in a range of measures designed to manage and mitigate risk and accelerate recovery from any attack. Reducing the attack surface and minimizing vulnerabilities is an essential activity if the sector is to safeguard its reputation and maintain customer trust. Additionally, the growing library of regulations designed to ensure banks are meeting their security obligations means they need to adopt solutions that support compliance.

AWS offers a wealth of solutions to ensure client data is protected and banks can recover quickly from attacks. These include Amazon Simple Storage Service (Amazon S3), key management services, software-defined firewalls that facilitate network isolation, and geographic sovereignty solutions that meet compliance requirements.

These and many other offerings cover Amazon’s side of the shared responsibility model. Banks, however, remain responsible for securing the workloads they deploy in AWS. This is where Checkmarx steps in, providing comprehensive AppSec solutions that integrate with AWS SDLC tools to secure the entire process. Checkmarx addresses all types of application risk, from custom code errors to open source component vulnerabilities, API risks, and infrastructure as code misconfigurations.

These are dynamic times for financial services firms, and AWS and Checkmarx are helping them capitalize on opportunities while defending against threats, both malicious and competitive.

Interested in learning more?

We’re exploring these trends in detail in our webinar on May 4, 2023, where AWS and Checkmarx will explain how you can turn AppSec into a competitive advantage as you continue your cloud transformation journey.

REGISTER FOR THE WEBINAR

How to Use Infrastructure as Code Securely and Avoid Cloud Misconfigurations
https://checkmarx.com/blog/how-to-use-infrastructure-as-code-securely-and-avoid-cloud-misconfigurations/ Mon, 05 Dec 2022 23:14:20 +0000 https://checkmarx.com/?p=80567

Moving applications to the cloud delivers clear competitive advantages, but organizations must have the right strategies, access rights and policies in place to do this successfully. Cloud adoption was already expanding before it was super-charged by the pandemic and there are no signs of this trend abating. The consumption of cloud continues to expand across all industry verticals and disrupt the way in which IT teams provision, manage and orchestrate resources.

But cloud adoption requires organizations to shift from provisioning and managing static infrastructure to deploying dynamic infrastructure across their environment. Dynamic infrastructure means IT operations and security teams must now provision and manage a far larger and constantly changing volume and distribution of services, embrace ephemerality, and deploy onto multiple target environments.

A challenging environment

This leads to many challenges, including appropriately managing access permissions, being able to identify and prioritize risks, and then proactively mitigating cloud misconfigurations and vulnerabilities. At the same time organizations must facilitate greater collaboration between security, DevOps, and engineering teams, because in a cloud environment, lines of responsibility are not so clearly drawn.

In today’s heightened cyber-attack landscape, organizations must also work out how to reduce their cloud attack surface, while simplifying compliance requirements, and find new ways to innovate and scale their business in a secure manner.

This is easier said than done

One of the great benefits of cloud is how easy it is to spin up resources. Lines of business don’t have to ask IT to allocate resources; they click a button to run an Infrastructure as Code (IaC) template and have an application running in minutes. However, every cloud account has thousands of entitlements that need to be managed and maintained, and many of them grant excessive permissions that put cloud assets, the data stored, or the whole cloud account at risk. Analyst firm Gartner predicted: “By 2023, 75% of security failures will result from inadequate management of identities, access and privileges, up from 50% in 2020.”

An increase in IAM solutions

This has prompted an increase in IAM (identity and access management) solutions purporting to solve the problem of managing identities in cloud environments. However, tools such as CIEM (cloud infrastructure entitlement management) and CSPM (cloud security posture management) are largely based on heuristic rules, which means they often detect and advise only after the fact, and they don’t offer a tailored remediation based on the genuine risk to the application.

As a result, CISOs, AppSec, and DevOps teams are overwhelmed with notifications; they need help in identifying which alerts to prioritize. For example, they might be alerted to a misconfigured AWS Lambda function which doesn’t pose a serious threat to their application. They need accurate context to determine which risks to ignore and which to action. The reality is that they can’t fix every misconfiguration, therefore they must focus on the most important business critical risks. 

Alongside the problem of alert fatigue, there is often tension with DevOps teams who want to move fast and use all of their admin and access privileges. Additionally, organizations are not always aware of all of their data and sensitive resources in the cloud, and many of the permissions they grant are unnecessary and can lead to account compromise and data leakage.

A one-size-fits-all approach doesn’t work

One option is to manually analyze the infrastructure layer and the applications running on it. This might work for smaller organizations, but for larger organizations with a dynamic environment, where developers create new cloud accounts for every dev team, a manual approach is nigh on impossible to scale. Additionally, when it comes to audits, it is hard for the organization to keep track and prove compliance. 

In a bid to get around these issues, organizations are creating repositories of standard policies to reuse. But these are generic; they don’t name the specific resource that each component needs to access. Some organizations attach the same policies to all of their cloud functions. Think about it: this is like using the same key to open every individual apartment door in an apartment block. How secure would that be?
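To make the apartment-key problem concrete, here is an added example (not Checkmarx or Solvo code) that puts a generic, reusable IAM policy beside a least-privilege one scoped to the single bucket and table a function actually touches, and then scans a constructed CloudFormation-style template for Allow statements that use wildcard actions or resources. The template, role names, bucket, table and account ID are all hypothetical, and the checker only inspects inline policy documents; it is the kind of pre-deployment check that stops a shared policy from being copied between functions unnoticed.

```python
"""Flag over-broad IAM policy statements in an IaC template.

Added example, not code from Checkmarx or Solvo. The template below is a
constructed, CloudFormation-style snippet; every name in it is hypothetical.
The checker understands only the Action/Resource fields of inline policy
documents; managed policy ARNs and NotAction/NotResource are not inspected.
"""
import json

# Constructed sample: the "one key for every door" policy copied between functions.
GENERIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
    ],
}

# Constructed sample: the same function scoped to the one bucket and table it uses.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-invoices/*",  # hypothetical bucket
        },
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            # hypothetical table and account ID
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Invoices",
        },
        # An explicit Deny with a wildcard is a guard rail, not a finding.
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return findings for Allow statements with wildcard actions or resources.

    Each finding is {"index": <statement index>, "reasons": [<str>, ...]}.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        reasons = []
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                reasons.append(f"wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                reasons.append("wildcard resource '*'")
        if reasons:
            findings.append({"index": idx, "reasons": reasons})
    return findings


def scan_template(template):
    """Check every inline policy on every AWS::IAM::Role in the template.

    Returns {logical_id: [findings]} for roles carrying an over-broad statement.
    """
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        for policy in resource.get("Properties", {}).get("Policies", []):
            findings = find_overbroad_statements(policy.get("PolicyDocument", {}))
            if findings:
                report.setdefault(logical_id, []).extend(findings)
    return report


# Constructed template (AssumeRolePolicyDocument omitted for brevity).
TEMPLATE = {
    "Resources": {
        "InvoiceFnRoleGeneric": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{"PolicyName": "shared", "PolicyDocument": GENERIC_POLICY}]},
        },
        "InvoiceFnRoleScoped": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{"PolicyName": "scoped", "PolicyDocument": SCOPED_POLICY}]},
        },
    }
}

if __name__ == "__main__":
    # Only InvoiceFnRoleGeneric is reported; the scoped role passes.
    print(json.dumps(scan_template(TEMPLATE), indent=2))
```

Run it with `python check_iam.py` to see the report. The scoped role passes because each Allow names the exact ARN it needs, so a bug in one function cannot be turned into access to every bucket and table in the account; the Deny with a wildcard resource is deliberately ignored, since it narrows rather than widens access.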

How Checkmarx One can help

Reducing software risk and boosting developer and AppSec team productivity is central to Checkmarx’s mission. Our Checkmarx One™ Application Security Platform identifies code vulnerabilities and integrates seamlessly into the tools developers already use. Our aim is to help organizations improve software security without compromising their ability to innovate—making life easier for developers and application security teams at the same time.

Our partner Solvo shares our vision of a world running on secure code and we are pleased to announce a new Solvo integration into the Checkmarx One platform that will help our customers overcome many of the IaC security challenges outlined above. 

Hitting the IaC security sweet spot

Solvo is easy to onboard and its outputs are actionable, so this application-aware cloud security platform helps R&D, DevOps and security teams discover, monitor, and remediate misconfigurations.

Solvo is an adaptive cloud infrastructure security platform that enables organizations to innovate at cloud speed and scale. Leveraging real-time monitoring and analysis across cloud infrastructure, applications, data and users, Solvo automatically creates customized, constantly updated least privileged access policies based on the level of risk associated with entities and data in the cloud. 

The prioritized findings deliver the remediation organizations need, created specifically for every component, which is highly complementary to Checkmarx AppSec capability. Checkmarx One finds the IaC misconfiguration, and Solvo shows organizations not only how to remediate it but how to do so in the best possible way, by automating IAM on a least-privilege basis.

Helping developers deliver secure code

Today we see a lot of responsibility shifting to developers, who are becoming the single stakeholder for all things cloud, yet they rarely have the time or the knowledge to understand the complexities of all these environments. As a result, developers often adopt a trial-and-error approach that can cause issues in production. One simple change in a code file can have the ripple effect of blocking user access to resources and causing production downtime. Or worse still, they are bombarded with so many misconfigurations that they simply ignore them, which widens the attack surface for attackers. And while security should be everyone’s responsibility, developers are measured on delivering the next feature, not on how secure the application is.

This is why our partnership with Solvo is so important: Solvo provides customers with an Infrastructure-as-Code template, so developers can apply Solvo’s recommendations directly through the Checkmarx One platform.

Learn more

To find out more, view the recording of our recent webinar with Solvo, Teaming Up to Tackle Cloud Security Misconfigurations.
