Kaitlyn Huff, Author at Checkmarx
https://checkmarx.com/author/kaitlynhuff/

Our vision: Securing the entire software supply chain
https://checkmarx.com/blog/our-vision-securing-the-entire-software-supply-chain/
Wed, 25 Oct 2023 11:00:00 +0000

The use of open-source software has quickly exposed every part of the software development process as part of the overall attack surface, and has even led to the creation of new attack types.

Organizations must take steps at every stage of the software supply chain to secure developers’ environments. Enterprises must also make sure their processes are secured, so you aren’t leaving your business vulnerable to next-generation SCS attacks such as AI package hallucinations, dependency confusion, typosquatting, and repojacking.

Let’s dive into a brief history of how “supply chain security” has evolved to the point we are today, what organizations must consider when securing their software supply chain, and how Checkmarx is proactively building new solutions to address this complex and ongoing issue. 

Our mission to secure the entire software supply chain

For the past 10 years, security professionals have been trained that before you release code, all high vulnerabilities need to be identified and fixed. But over the last few years especially, the world has changed. According to GitHub, open source is now the foundation of more than 90% of the world’s software. Organizations are now facing a shifting attack landscape, along with an overwhelming number of vulnerabilities. The attack landscape is moving away from the application itself to where the new vulnerabilities and weaknesses are: the processes surrounding your development and the components you use to build your application.

What software supply chain security really means

Traditionally, supply chain security was a way to gain visibility into, and mitigate, third-party code vulnerabilities through SCA. But as time went on, new attack types emerged. A 2021 executive order requires a software bill of materials, or SBOM, for all software sold to the US federal government. The mandate underscores the importance of an accurate list of all open-source software ingredients found in a software-based product. The market quickly realized that the scope of software supply chain attacks, and how we prevent these attacks, goes way beyond SBOMs and malicious packages.

Supply chain security is defined as a specific aspect of application security that focuses on protecting the software development process and the components used in that process. Software supply chain security is not a single solution; it is a discipline. 

Supporting the SLSA Framework

The Supply-chain Levels for Software Artifacts (SLSA) framework, developed in collaboration with the OpenSSF and Google, addresses the growing concern of software supply chain security, offering a structured approach to assessing and improving the integrity of software components used in development. 

SLSA introduces key concepts like artifacts, provenance, digests, immutable references, and build integrity, which together provide a systematic way for the software industry to secure the development lifecycle and promote consistent security standards.

Understanding that the full scope of SCS is beyond a single tool, Checkmarx has implemented a broader strategy to cover things outside of your typical application security posture management, in full alignment with the SLSA framework. 

How Checkmarx is helping you secure your software supply chain

Today, Checkmarx is providing expert guidance and proven solutions to manage open-source risk, along with new and exciting solutions to start protecting your entire supply chain today. 

In the last few years, one of the biggest emerging threats has been malicious packages – notably different from vulnerable packages. In the SLSA framework, malicious packages are a form of dependency attack where attackers inject or contribute malicious code into open-source projects that your developers download and build into your applications. Once downloaded, the attacker’s malicious code is running within your applications, with whatever unknown intent the package carries.

Checkmarx SCA, introduced in 2021, was a major step in helping organizations identify and start reporting on their open-source vulnerabilities. We were the first vendor to include malicious package detection inside our SCA solution. Since then, our research team has inspected over 7.6 million open-source packages for all kinds of threats, finding 200,000+ malicious packages. We make that threat intelligence available to you, either in our SCA product, where findings appear in the portal or directly in developers’ IDEs, or through an API-based threat intelligence feed.

Checkmarx SCA enables automated SBOM generation, and Checkmarx Container Security, which works with Checkmarx SCA, identifies vulnerabilities in open-source packages included in container images. Together with our partners at Sysdig, we recently announced runtime insights, so organizations can get the full picture of pre-production and deployment, gaining visibility into which container images are in use and prioritizing the ones that pose the most risk.

We realized customers need support in prioritization, especially with all these newly discovered vulnerabilities, so we released Exploitable Path. It’s a unique feature that allows our customers to prioritize vulnerabilities in open-source libraries.  

When you look at the SLSA framework, we have also always led the way in identifying Infrastructure-as-Code (IaC) misconfigurations. We are the driving force behind the most downloaded open-source tool in this area – Keep Infrastructure as Code Secure, or KICS for short.

All of these are important tools in managing open-source risk, but we are not stopping there. 

Since GenAI is becoming a popular resource for developers to generate code, a variety of new SCS attacks have recently emerged, such as:

  • AI hallucinations: These are false data points or patterns that AI models might “perceive” due to adversarial inputs or misinterpretations, which can be exploited by malicious actors.
  • Prompt injections: Threat actors can manipulate AI models by introducing or “injecting” specially crafted prompts, tricking the system into undesired behaviors or outputs.
  • AI secret leakage: There’s a potential risk of AI models inadvertently revealing confidential information they were trained on, offering a goldmine for cybercriminals.

In August, Checkmarx introduced the industry’s first plugin to detect and prevent attacks against ChatGPT-generated code. The plugin enables developers to easily scan their ChatGPT-generated code for vulnerabilities within the ChatGPT interface, receive instant feedback on potential vulnerabilities or validation of open-source packages, and employ protection against malicious open-source packages. 

Now, we’re leading the way again, broadening the definition of software supply chain security beyond just malicious packages to every component in, and every tool used to build, your applications. As part of the Checkmarx One 3.0 launch, we’re taking it one step further, introducing two new capabilities: Secrets Detection and Project Scorecard.

Prevent secrets from leaking on external tools with Secrets Detection  

Secrets, such as passwords, API keys, cryptographic keys, and other confidential data, are a frequent target of a distributed supply-chain attack.  

Secrets can easily be shared by mistake on external tools like Slack, Confluence, Twitch, and documentation pages.

Secret detection isn’t new – we have one of the most popular open-source tools for secret detection. 2MS from Checkmarx has over 2 million downloads, and anyone can get started today by detecting secrets such as login credentials, API keys, SSH keys and more hidden in code, content systems, chat applications and more. 

If you are a Checkmarx One user, Secret Detection is now available directly in the Checkmarx One platform.  

Tackle the most vulnerable projects first with Project Scorecard 

One of the latest additions to the Checkmarx Supply Chain Security portfolio is Project Scorecard, which enables organizations to check their own projects quickly and see the most vulnerable or at-risk projects, allowing enterprises to prioritize which to tackle first.

Project Scorecard leverages the format from a popular tool, the OSSF Scorecard, which assesses open-source projects for security risks through a series of automated checks. 

These checks cover different parts of the software supply chain, including source code, build, and dependencies, and each check is assigned a score of 1-10. An auto-generated “security score” helps users as they decide the trust, risk, and security posture for their specific application.

While an important tool in combating the uptick of open-source software attacks, open-source projects are only a portion of the projects in your application. Checking the process and components of owned projects is an important element in securing the total software supply chain.  

With Project Scorecard, users can auto-generate a security score for their own projects based on a series of checks, including: 

  • Binary Artifacts – Is the project free of checked-in binaries?
  • Branch Protection – Does the project use branch protection?
  • CI Tests – Does the project run tests in CI, e.g., GitHub Actions, Prow?
  • Code review – Does the project practice code review before code is merged?
  • Dangerous workflow – Does the project avoid dangerous coding patterns?
  • Vulnerabilities – Does the project have unfixed vulnerabilities?

By utilizing the Project Scorecard, as part of the Checkmarx Supply Chain module, we allow enterprises to quickly see the most vulnerable or at-risk projects, and ultimately help prioritize which to tackle first. 

Taking the next step to secure your software supply chain  

It’s important to take steps to secure your software supply chain today: detecting supply chain attacks in code packages and securing your developers’ evolving workstations supports rapid development while reducing risk.

Current Checkmarx One or Checkmarx SCA customers will have access to all these tools within the platform. 

If you’re not already a Checkmarx One customer, you can start securing your software supply chain today with Too Many Secrets (2MS), available as an open-source project on GitHub.

We’re incredibly excited to announce these new features to help you secure your software supply chain, but we’re only getting started. The work of securing the software supply chain is never done, as bad actors identify innovative new ways to capitalize on gaps in process and components, so stay tuned for more exciting announcements. 

If you’d like to learn more, register now to join us for our technical deep dive webinar on Nov 6th, “Secure your software supply chain”.

The truth behind zombie and shadow APIs
https://checkmarx.com/blog/the-truth-behind-zombie-and-shadow-apis/
Mon, 23 Oct 2023 11:00:00 +0000

APIs are dominating the development landscape. In its 2022 State of the API Economy report, Google Cloud found that more than two-thirds (67%) of respondents leverage APIs to help speed application development. However, most organizations surveyed haven’t adopted a comprehensive API strategy. In fact, 66% of organizations replied that their API program’s maturity could be ranked as “medium” to “low”. APIs provide a standardized and efficient means to integrate, extend, and innovate within the software ecosystem. But, with only a minority of organizations claiming to have a mature API program, it’s far too common to have poor controls that create API sprawl.

Making matters worse, while many API Security solutions may tout that they are “shifting left,” there’s a fundamental gap in their testing methodology, creating an opportunity for threat actors to capitalize on your zombie and shadow APIs. 

Many solutions today can’t identify zombie and shadow APIs, since they’re only scanning live traffic. 

Considering the rise of API Security attacks, it’s more important now than ever before to test during the API development process, as well as before they are pushed to production.  

What are zombie and shadow APIs?

No matter how sophisticated a development team may be, undocumented APIs are likely hiding in your organization. Documented APIs are those for which development teams have provided the AppSec team with API documentation files, such as RAML, Swagger, or OpenAPI files. These files describe what an API is, what it looks like, where it lives, and what parameters it has.

Existing API security solutions like DAST, WAFs, and API gateways can only protect what they know. They must be configured per API to protect that API. What that means is that if the AppSec team doesn’t have the API documentation, or, if that documentation is incorrect, AppSec can’t configure the WAFs or gateways to protect those APIs. 

Shadow APIs are created under the radar—typically for a small use case, or they are created and deployed outside of an organization’s official API governance, visibility, and security controls. Shadow APIs may not have the proper authentication and access gates in place, or they may expose sensitive data improperly. Most importantly, with that lack of documentation, existing API security solutions can’t protect them.  

Zombie APIs arise in a slightly different way. For example, an organization could have a frontline API that was in production for some time, like an old version of a login API. When it’s time to update the application and login service, you have a new version of the same API. When developers create an updated API, they often don’t decommission the old version right away. Instead, the new API runs alongside the older API to ensure that the user experience isn’t impacted if any issues arise.

Eventually, you might forget about version one, since traffic is no longer going to the old login page, and your development team’s focus is now on version two. The problem is that the old API is still lurking behind the scenes, leaving you potentially vulnerable to an attack. Since shadow and zombie APIs aren’t properly documented, a WAF doesn’t know about them and can’t protect them accordingly.

The problem with API discovery solutions today

New types of API threat protection solutions have entered the market in recent years. Many API discovery or threat protection solutions integrate with your WAFs, gateways, load balancers, and other network devices to analyze the traffic logs. By analyzing the traffic, they find all the API endpoints that traffic is going to; in other words, they discover the APIs by looking at your live traffic as it passes through these devices.

It certainly helps, but it doesn’t solve the problem. 

The furthest left these solutions go is API documentation, but that doesn’t protect against undocumented APIs, or even worse, the APIs that are documented incorrectly. Many organizations don’t have a single choke point in application infrastructure that can integrate with, and see, all API traffic. 

So, while other solutions may say that they “shift left” in the SDLC, it’s often not the case.  WAFs say they shift left, but in reality, they only sit in front of production APIs. API threat protection solutions say they shift left, but they’re analyzing traffic to those live production APIs, on the far-right side of the SDLC. Instead, a shift left and integrate right approach is needed… 

Shift left, and integrate right, to protect your APIs

Instead of relying on API traffic, Checkmarx believes a shift left and integrate right approach for API Security is best, securing APIs as they’re being developed, as they’re being pushed into production, and helping you identify and protect against shadow and zombie APIs. 

Starting with the source code

Checkmarx API Security focuses on starting with the source code, understanding that there are likely gaps in API documentation. Checkmarx SAST identifies vulnerabilities, while Checkmarx API Security discovers the APIs in code, and builds a Global API inventory, along with API documentation risk by automatically scanning source code at check-in or code merge. 

For API-first organizations, that means you can easily validate API documentation in design, then compare against implementation to identify discrepancies. Checkmarx API Security of course scans API documentation (i.e., Swagger, RAML) files before your developers start coding to ensure that security is added into the design phase. This helps enforce API design best practices and assesses your overall API design for misconfigurations, identifying risks in path definitions, authentication schema, and transport encryption. For code-first organizations, it means you can discover and inventory every API in source code without requiring proper documentation, first. 
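The documentation-versus-implementation comparison described above, as an added example that is not Checkmarx code: it reads a constructed OpenAPI 3 JSON document and a constructed Flask-style source file, normalises path parameters on both sides, and reports operations that exist in code but not in the spec (undocumented, the shadow and left-behind v1 cases) and operations the spec promises but no code declares. The route-decorator regex and the sample API names are assumptions made for the example.

```python
"""Compare an OpenAPI document with the routes actually declared in source code.

Added example (not Checkmarx code). Both inputs below are constructed samples.
"""
import json
import re

# Constructed OpenAPI 3 document: only v2 login and the users resource are documented.
OPENAPI_JSON = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/api/v2/login": {"post": {}},
        "/api/users/{user_id}": {"get": {}, "delete": {}},
        "/api/reports": {"get": {}},   # documented but never implemented
    },
})

# Constructed Flask source: v1 login is still deployed (zombie), /internal/debug
# was never documented (shadow), and /api/reports is missing entirely.
FLASK_SOURCE = '''
@app.route("/api/v1/login", methods=["POST"])
def login_v1(): ...

@app.route("/api/v2/login", methods=["POST"])
def login_v2(): ...

@app.route("/api/users/<int:user_id>", methods=["GET", "DELETE"])
def user(user_id): ...

@app.get("/internal/debug")
def debug(): ...
'''

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def normalise(path: str) -> str:
    """Replace {name} (OpenAPI) and <converter:name> (Flask) with a common token."""
    path = re.sub(r"\{[^}]+\}", "{}", path)
    path = re.sub(r"<[^>]+>", "{}", path)
    return path.rstrip("/") or "/"


def documented_operations(openapi_json: str) -> set[tuple[str, str]]:
    """(METHOD, path) pairs declared in an OpenAPI document."""
    spec = json.loads(openapi_json)
    ops = set()
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                ops.add((method.upper(), normalise(path)))
    return ops


# Matches @app.route("/p", methods=["GET", "POST"]) and @app.get("/p") style decorators.
ROUTE_RE = re.compile(
    r'@\w+\.(route|get|post|put|patch|delete)\(\s*["\']([^"\']+)["\']'
    r'(?:\s*,\s*methods\s*=\s*\[([^\]]*)\])?'
)


def implemented_operations(source: str) -> set[tuple[str, str]]:
    """(METHOD, path) pairs declared by Flask-style route decorators in source text."""
    ops = set()
    for kind, path, methods in ROUTE_RE.findall(source):
        if kind == "route":
            # @app.route defaults to GET when no methods list is given
            names = re.findall(r'["\'](\w+)["\']', methods) if methods else ["GET"]
        else:
            names = [kind]
        for m in names:
            ops.add((m.upper(), normalise(path)))
    return ops


def compare(openapi_json: str, source: str) -> dict[str, set[tuple[str, str]]]:
    """Split operations into undocumented (code only) and unimplemented (spec only)."""
    documented = documented_operations(openapi_json)
    implemented = implemented_operations(source)
    return {
        "undocumented": implemented - documented,
        "unimplemented": documented - implemented,
    }


if __name__ == "__main__":
    for label, ops in compare(OPENAPI_JSON, FLASK_SOURCE).items():
        print(f"{label}:")
        for method, path in sorted(ops):
            print(f"  {method} {path}")
```

The undocumented set is what a WAF or gateway configured from the spec alone would never see; the unimplemented set flags documentation that has drifted from the code.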

Change log to better leverage existing APIs

APIs allow developers to create modular software components that can be reused across different projects. Instead of rewriting the same code multiple times, developers can use an API to achieve the desired functionality. The problem we often see is that without the full history or context behind a given API, developers may fear leveraging the API and modifying it for their needs. As a result, developers will often create a new API from scratch.

The change log provides a full history of every change made to a given API, giving developers the confidence they need to leverage existing APIs. Beyond developers having the full history at their fingertips, AppSec managers can also use the change log to quickly identify, for example, whether a given public-facing API has a recent change that adds sensitive data. As a result, developers and AppSec teams can better align with the true spirit of APIs: their agility and ability to be repurposed, by finally having all the context they need to confidently leverage and repurpose existing APIs.

A better developer experience

Checkmarx API Security integrates and automates scans in the tools developers use, enabling developers to remediate vulnerabilities in their favorite tools and to kick off an application scan at any time using the CLI, rather than waiting until after code check-in to focus on security. It also provides guided remediation to help resolve vulnerabilities faster by prioritizing, recommending mitigation points, and surfacing just-in-time learning for discovered vulnerabilities.

Single view to manage all API risk

Providing AppSec managers a full view of all APIs, Checkmarx aggregates and correlates the results from all the different scan engines for a more accurate picture of your application security. The Global API Inventory is where all of your APIs from all of the different projects are viewable in one place. This view helps AppSec teams focus on the most critical issues by prioritizing API vulnerabilities based on their real impact and risk.  

What’s new in Checkmarx 3.0

Brand new this fall, we now have pre-production testing of all the APIs in DAST. This new capability complements our original shift-left approach with one that now also integrates right. The integration of DAST and API Security provides a more comprehensive view of API security risks, enabling customers to identify and remediate risks earlier in the development lifecycle. It works by having DAST execute the API to evaluate the security risk. With a complete and up-to-date inventory, you can determine the risk of the API before it goes into production.

Also new in the Checkmarx One 3.0 launch, Checkmarx API Security now automatically scans API documentation files, saving you the time and effort of scanning them manually. A user defines a rule in the project, or globally, using a regex on the location of the swagger files, so that every API Security scan covers the same swaggers without anyone having to upload them manually. For example, a user could write a rule that scans all swagger files matching the *swagger.json regex. When someone adds a new swagger that matches this regex and pushes the code, the engine will run API Security with the new swagger.

You can’t secure what you can’t see

Checkmarx API Security provides complete API visibility, providing the most accurate and up-to-date view of the entire API attack surface, eliminating the problem of shadow and zombie APIs.  

A true shift-left approach means we discover APIs at the source, to find every API that’s written in the code, to identify and fix problems earlier and faster in the SDLC. 

Prioritized remediation helps developers and AppSec teams focus on the most critical issues. 

The total result is a holistic view of application security risk, scanning the entire application with a single solution, and removing the need for additional API-specific tools. 

While scanning source code and identifying shadow and zombie APIs is a big leap for API Security, we’re just getting started. Stay tuned for an upcoming announcement on correlating source code with runtime to better prioritize risk and improve accuracy. If you’d like to learn more about Checkmarx API Security, register for the upcoming webinar “Shift Everywhere to Secure APIs” on October 30th, where you’ll hear from Checkmarx API Security Product Manager Liad Levy.

Find and prioritize application vulnerabilities with ServiceNow and Checkmarx
https://checkmarx.com/blog/find-and-prioritize-application-vulnerabilities-with-servicenow-and-checkmarx/
Thu, 14 Sep 2023 13:00:00 +0000

A brand-new integration for enterprise-scale AppSec is ready for Checkmarx and ServiceNow customers to download in the ServiceNow plugin store. The ServiceNow Vulnerability Dashboard now enables organizations to easily integrate Checkmarx SAST and SCA.

We’re so excited to launch support for ServiceNow customers, given the growing need for streamlined, end-to-end vulnerability management. 

Let’s dive a bit deeper into what Checkmarx and ServiceNow customers can expect from the integration.   

Prioritize and remediate with a centralized dashboard  

ServiceNow is a leading cloud-based platform that offers comprehensive solutions for IT service management, human resources, customer service, security operations, and more. It enables organizations to automate workflows, optimize processes, and provide seamless digital experiences to users across multiple departments. 

The ServiceNow® Vulnerability Response application is an important tool within the ServiceNow ecosystem that AppSec managers can leverage to drive efficiencies within application security. 

This application imports and automatically groups vulnerable items according to group rules, which allows teams to remediate vulnerabilities quickly. Data is pulled from both internal and external sources, such as the National Vulnerability Database (NVD) and third-party integrations, like the new Checkmarx plugins. 

The ServiceNow Application Vulnerability Response dashboard displays trends and summaries of vulnerabilities from leading scan vendors like Checkmarx.  

The Checkmarx ServiceNow Vulnerability Integration is now available for Checkmarx SAST and Checkmarx SCA. The integration for Checkmarx SAST is available for both Checkmarx One and on-premise deployments, while SCA is available for Checkmarx One.  

The plugins enable enterprises to run the integrations required to import projects, scan summaries, and scan results into the ServiceNow platform, giving your application security managers a clear view and top-tier prioritization and triage powers. The latest vulnerabilities found for each scan are then inserted into ServiceNow as Application Vulnerability Items (AVIs).

The plugins do not scan code; instead, they pull data from Checkmarx and map the results into the ServiceNow tables.  

ServiceNow Vulnerability Solutions Management: View your organization’s most impactful remediation activities and monitor their completion. 

Every time Checkmarx provides updated scan results, the ServiceNow Vulnerability Response Application can automatically assign the found vulnerabilities to a specific person, or team, by building custom workflows and automation triggers. This process accelerates the security workflow, ensuring an efficient vulnerability management process. 

Use Application Vulnerability Response to follow the flow of information, from integration through investigation, and then on to resolution. 

After vulnerability data is imported, users can compare the data to applications identified in Application Vulnerability Response, relate a single third-party vulnerability to multiple CWE entries, and find the primary CWE for the vulnerability when determining risk. Users can also easily prioritize vulnerabilities by creating assignment rules or using calculators to determine business impact.

Getting started  

With the addition of ServiceNow to the growing list of Checkmarx integrations, we’re making our products as compatible as possible with business-critical applications, so organizations can optimize workflows and keep their own applications secure.  

For customers already using both ServiceNow + Checkmarx One or Checkmarx SAST, head over to the ServiceNow Store to download the app.  

Checkmarx One Vulnerability Integration with ServiceNow (Checkmarx SAST and Checkmarx SCA)  

Download the app  

View the documentation  

Checkmarx SAST On-Prem Vulnerability Integration with ServiceNow 

View the documentation  

For existing ServiceNow customers that would like to learn more about the accuracy and power of Checkmarx One, especially how to easily view and triage scan results within ServiceNow, contact us today.  

Wrap up  

Vulnerability risk management is crucial for organizations to protect their IT infrastructure from cyber threats and to comply with regulatory requirements.  

By integrating Checkmarx scan results into the ServiceNow Vulnerability Response Application, users can better manage vulnerabilities and ensure seamless communication with incident response tasks, change requests, and problem management.  

We’re so excited to announce this integration and can’t wait to hear from more customers about the day-to-day impact it makes on building smart and efficient workflows and the ability to better track, prioritize, and remediate the vulnerabilities in one centralized dashboard.  

Unifying the Cyber Risk Lifecycle with Checkmarx One and Brinqa
https://checkmarx.com/blog/unifying-the-cyber-risk-lifecycle-with-checkmarx-one-and-brinqa/
Wed, 21 Jun 2023 12:59:35 +0000

In the ever-evolving landscape of cyber threats, organizations need to stay one step ahead. Understanding the fast-paced nature of new and evolving threats, we are excited today to announce the integration of the Checkmarx One™ Application Security Platform and Brinqa’s Attack Surface Intelligence platform, which will enable organizations to strengthen their security posture and streamline vulnerability management processes.

This partnership combines Brinqa’s risk-based prioritization, automation, and reporting with Checkmarx’ application security detection and remediation capabilities. Learn more about the Checkmarx and Brinqa partnership here.

The Power of Partnership 

Our industry-leading application security platform, Checkmarx One, offers comprehensive application security capabilities. It scans applications across all aspects of the software development lifecycle (SDLC), detecting security issues and vulnerabilities. 

While Brinqa was integrated into Checkmarx SAST in the past, we are excited to bring it to Checkmarx One with SAST, SCA, and IaC results feeding into Brinqa’s Attack Surface Intelligence Platform. 

Building on the power of the Checkmarx One platform, Brinqa brings risk-based prioritization using business context, the ability to orchestrate aspects of the remediation process, and role-based access control (RBAC) protected reporting capabilities. Brinqa serves as the user interface that shows centralized security findings and reports from Checkmarx, and other AST platforms and scanning tools. 

The collaborative solution allows organizations to rapidly detect, prioritize, and respond to threats and vulnerabilities using proper business contexts. Additionally, the role-based visibility and reporting capabilities make it possible to communicate to both technical and business audiences with a holistic view of your application landscape.  

Monitor and Communicate Application Security Posture 

With Brinqa, organizations can enforce Service Level Agreements (SLAs) and accelerate the remediation of software vulnerabilities via orchestrated workflows. This enhances ticketing and automates ownership assignment, allowing development and application teams to work in their comfort zone. Brinqa’s integration with all existing ticketing and issue-tracking systems also enables closed-loop tracking, providing a single location for managing all remediation and SLA tracking. 

Brinqa shifts AppSec program reporting from being tool-centric to application-centric. It offers comprehensive cyber-hygiene dashboards and reports, and application security scorecards. This not only gamifies the process, fostering competition among developers and app owners, but also communicates application risk in a language that all stakeholders and business leaders can understand. 

Connect Instantly 

The collaboration between Brinqa and the Checkmarx One team has resulted in an integration that enables Checkmarx One customers to quickly improve their application security posture using the Brinqa platform. The Brinqa connector for Checkmarx One creates a unified knowledge source for cyber risk, correlating Checkmarx One results with other tools and business context. 

Value for your Development Team   

By supporting multiple data integrations, including multiple instances of each, organizations can centralize risk-based decisions and workflows that cover applications, IT, and cloud assets, providing full-stack coverage of their attack surface.  

This unified approach consolidates findings from various testing and scanning data sources across the attack surface, correlating them with Threat Intel and business context. This continuous prioritization based on actual exposure and business importance feeds into the orchestration of remediation, enabling a comprehensive view of the application security (AppSec) landscape.  

Furthermore, this system allows for the consolidation, correlation, normalization, and prioritization of remediation according to asset risk attributes. While a given development team may or may not work directly within Brinqa, the prioritization output will certainly help them streamline their workloads to optimally remediate the risks most critical to the business. Complex remediation routing and management workflows, including approvals, remediation, and exception requests, can be configured, streamlining the AppSec process. 

Value for CISOs 

For CISOs, the Checkmarx and Brinqa integration helps establish and report on remediation Service Level Agreements (SLAs) for business units and third-party software providers. This not only ensures accountability but also promotes a proactive approach to managing security risks.  

Furthermore, the partnership helps equip security teams with the tools and language to communicate clearly across the organization. This involves guiding development teams on what they need to remediate, and helping business teams understand the potential impact of these risks on the business. By doing so, CISOs can foster a culture of transparency and collaboration, where every team understands their role in maintaining the organization’s security posture. 

Trusted, Innovative Security Leaders 

Top brands trust Brinqa to unify their cyber risk lifecycle. Checkmarx, a six-time leader in Gartner’s Magic Quadrant for Application Security Testing (AST), continues to be a trusted name in the industry. 

Bringing this powerful combination to market, cyber advisory and solutions leader Optiv will leverage the Brinqa-Checkmarx integration as their default prevention and protection AppSec solution to their customers. Optiv brings security practitioner expertise in designing and maturing application security programs, making it even easier for organizations to build world-class application security programs that meet the needs of today’s evolving threat landscape.  

In short, the partnership between Checkmarx and Brinqa offers a unified, comprehensive solution for managing the cyber risk lifecycle across your application attack surface. It’s time to elevate the security conversation, hold risk owners accountable, and manage all vulnerabilities in a single platform. 

For more information, get in touch with your Checkmarx account rep, or contact us today.  

Learn more about the Checkmarx and Brinqa partnership here.

Introducing AI-guided Remediation for IaC Security / KICS
https://checkmarx.com/blog/introducing-ai-guided-remediation-for-iac-security-kics/ Thu, 15 Jun 2023 14:00:00 +0000 https://checkmarx.com/?p=84978

While the use of Infrastructure as Code (IaC) has gained significant popularity as organizations embrace cloud computing and DevOps practices, the speed and flexibility that IaC provides can also introduce the potential for misconfigurations and security vulnerabilities. 

IaC allows organizations to define and manage their infrastructure using machine-readable configuration files, which are typically version-controlled and treated as code. IaC misconfigurations are mistakes, or oversights, in the configuration of infrastructure resources and environments that happen when using IaC tools and frameworks.   

Misconfigurations in IaC can lead to security vulnerabilities, operational issues, and even potential breaches.  

Common types of misconfigurations 

Common misconfigurations include weak access controls, improperly exposed ports, insecure network configurations, or mismanaged encryption settings. Some of the most common types of IaC Security misconfigurations are: 

  1. Access Controls: Misconfigurations related to access controls can result in unauthorized access to resources. This includes issues such as overly permissive access permissions, misconfigured role-based access control (RBAC), or incorrect security group rules. Attackers can exploit these misconfigurations to gain unauthorized access to sensitive data or systems. 
  2. Network Configuration: Misconfigurations in network settings can expose services or applications to unnecessary risks. For example, improperly configured firewall rules, open ports, or lack of network segmentation can lead to unauthorized access, network attacks, or data exfiltration. 
  3. Encryption and Data Protection: Failure to implement proper encryption and data protection measures can result in data breaches. Misconfigurations may include not encrypting data at rest or in transit, using weak encryption algorithms or keys, or storing sensitive data in insecure locations. 
  4. Logging and Monitoring: Misconfigurations related to logging and monitoring can hinder the ability to detect and respond to security incidents. This includes improper configuration of log collection, aggregation, and retention, or misconfigured monitoring rules, leading to missed alerts and delayed incident response. 
  5. Secret Management: IaC misconfigurations can expose sensitive credentials or secrets, such as API keys, database passwords, or encryption keys. Storing secrets in plaintext, checking them into version control systems, or including them in IaC templates can lead to unauthorized access or misuse. 
  6. Resource Permissions: Misconfigurations in resource permissions can result in excessive or insufficient privileges. Overly permissive permissions may allow unauthorized actions, while overly restrictive permissions can impede proper functionality or lead to operational disruptions. 
  7. Cloud Provider-specific Misconfigurations: IaC misconfigurations can vary depending on the cloud provider being used. Each provider has its own set of services, configuration options, and security controls. Misconfigurations may involve misusing or misconfiguring specific services, not following best practices, or overlooking provider-specific security recommendations. 
  8. Compliance and Governance: Misconfigurations can result in non-compliance with industry regulations, data protection laws, or internal governance requirements. Failure to configure resources in accordance with these guidelines can lead to legal and regulatory consequences. 
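To make the first, second, third and fifth categories above concrete, here is a small static checker, added as an example and not KICS's own code, that walks a constructed Terraform JSON document and flags an ingress rule open to the world, a database with encryption at rest turned off, a plaintext password in the template, and an IAM statement allowing every action. The resource names and values are made up; real KICS queries are far broader.

```python
"""Toy IaC misconfiguration checker (added example, not KICS code)."""
import json

# Constructed sample in Terraform JSON syntax; every value is made up.
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_security_group": {
            "web": {"ingress": [{"from_port": 22, "to_port": 22,
                                 "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        "aws_db_instance": {
            "app": {"engine": "postgres", "storage_encrypted": False,
                    "password": "hunter2-plaintext"}},
        "aws_iam_policy": {
            "admin": {"policy": json.dumps({"Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    }
})

# Attribute names treated as credentials when they carry a literal value.
SECRET_KEYS = {"password", "secret", "api_key", "token"}


def check_iac(tf_json: str) -> list[str]:
    """Return one finding string per detected misconfiguration."""
    findings = []
    for rtype, instances in json.loads(tf_json).get("resource", {}).items():
        for name, attrs in instances.items():
            ref = f"{rtype}.{name}"
            # Network configuration: ingress reachable from any address.
            for rule in attrs.get("ingress", []):
                if "0.0.0.0/0" in rule.get("cidr_blocks", []):
                    port = rule.get("from_port")
                    findings.append(f"{ref}: ingress port {port} open to 0.0.0.0/0")
            # Encryption: storage encryption explicitly disabled.
            if attrs.get("storage_encrypted") is False:
                findings.append(f"{ref}: storage_encrypted is false")
            # Secret management: literal credential embedded in the template.
            for key in sorted(SECRET_KEYS & set(attrs)):
                findings.append(f"{ref}: plaintext {key} in template")
            # Access control: wildcard IAM action grants every API call.
            if "policy" in attrs:
                for st in json.loads(attrs["policy"]).get("Statement", []):
                    if st.get("Effect") == "Allow" and st.get("Action") == "*":
                        findings.append(f"{ref}: IAM statement allows Action '*'")
    return findings


if __name__ == "__main__":
    for finding in check_iac(SAMPLE_TF_JSON):
        print(finding)
```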

IaC misconfigurations can, of course, lead to security vulnerabilities, but they can also make infrastructure management and maintenance more challenging for AppSec managers and development teams. When misconfigurations are pervasive, it becomes harder to identify and rectify them during updates, scaling, or changing infrastructure requirements. This can result in longer deployment cycles, increased risk of errors during updates, and higher operational complexity.  

Beyond the challenges faced by the organization when misconfigurations are present, misconfigurations are often complicated for developers to troubleshoot. Identifying the root cause of misconfigurations can become increasingly time-consuming and complex if not addressed directly, and developers don’t always know exactly how to resolve misconfigurations, which can leave a development team frustrated and overwhelmed as they try to resolve the issue.  

Introducing AI Guided Remediation for IaC / KICS 

To make it easier for development teams to address the various types of IaC misconfigurations, Checkmarx is pleased to introduce AI Guided Remediation for IaC Security and KICS.

Checkmarx IaC Security is part of the Checkmarx One Application Security Platform, and KICS (Keeping Infrastructure as Code Secure) is a free, open source solution for static analysis of IaC files. KICS automatically parses common IaC files of any type to detect insecure configurations that could expose your applications, data, or services to attack. 

Powered by GPT4, AI Guided Remediation provides actionable remediation steps and advice to guide teams through the process of remediating IaC misconfigurations identified by Checkmarx IaC Security and KICS. This helps organizations address issues in their IaC files and deploy their applications faster and safer.  

IaC Security and AI Guided Remediation is a powerful combination that makes it faster and easier for developers to more deeply understand and quickly remediate misconfigurations.   

How it works  

Continuing the Checkmarx promise to make application security as easy and efficient as possible for developers and AppSec teams, the new AI Guided Remediation functionality is straightforward and easy-to-use, all within the integrated development environments (IDEs) where development teams are spending their time.   

When a given vulnerability is identified by Checkmarx IaC Security / KICS, an “Ask KICS” option is displayed on screen. Developers can simply click on the button to open a panel, where they have a couple of options.  

Developers can first select from common questions, with out-of-the-box prompts displayed on-screen.   

Alternatively, users can use the free-text field to ask specific questions.  

The tool will then deliver an AI-generated response, giving developers and AppSec managers actionable steps to remediate the misconfiguration.  

By providing actionable steps, AI Guided Remediation helps developers better understand IaC and API misconfigurations without additional resources. Developers do not need to know the details of exactly how to remediate every type of misconfiguration; instead, they can lean on AI to quickly harvest the plethora of resources, documentation, and community knowledge, which helps development teams identify actionable steps to remediate misconfigurations quickly and easily. 

With AI Guided Remediation, organizations can address issues in their IaC templates faster, reduce management overhead, boost developer adoption, and deliver more secure applications faster. 

Organizations wanting to leverage this functionality can rest assured knowing that their proprietary code is secure. Importantly, the organization’s code is not shared with AI tooling. 

Additionally, AI Guided Remediation detects and removes secrets before sending the code to the chat. Secrets, such as API keys, database passwords, or encryption keys, are sensitive pieces of information that should never be exposed or shared inadvertently. By integrating secret detection and removal into AI Guided Remediation, organizations can significantly enhance the security of their infrastructure as code (IaC) and protect against unauthorized access or misuse. 
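The redaction step described above, written out as an added example that is not Checkmarx's implementation: before an IaC snippet leaves the IDE, credential-looking assignments and known token formats are replaced with a placeholder. It assumes two detection strategies only (a key-name heuristic and the public AKIA prefix of AWS access key IDs); the sample Terraform snippet and every credential in it are constructed.

```python
"""Redact secrets from an IaC snippet before it is sent to an AI assistant.
Added example; the heuristics here are assumptions, not a product feature."""
import re

# Known token formats. AWS access key IDs are 20 characters starting with
# "AKIA"; the prefix itself is public knowledge, the rest is generated.
TOKEN_PATTERNS = [re.compile(r"AKIA[0-9A-Z]{16}")]

# A quoted value assigned to a credential-looking key, e.g. password = "x"
# or db_secret: 'y'. Works for HCL-style "=" and YAML-style ":" assignments.
ASSIGNMENT = re.compile(
    r"(?P<key>\b[\w.-]*(password|passwd|secret|token|api_key)\b\s*[=:]\s*)"
    r"(?P<q>[\"'])(?P<val>[^\"']*)(?P=q)",
    re.IGNORECASE,
)


def redact(snippet: str) -> tuple[str, int]:
    """Return (redacted_text, number_of_redactions)."""
    count = 0

    def _sub_assignment(m: re.Match) -> str:
        nonlocal count
        count += 1
        # Keep the key and the quote style so the snippet stays parseable.
        return f"{m.group('key')}{m.group('q')}<REDACTED>{m.group('q')}"

    out = ASSIGNMENT.sub(_sub_assignment, snippet)
    for pattern in TOKEN_PATTERNS:
        out, n = pattern.subn("<REDACTED>", out)
        count += n
    return out, count


# Constructed Terraform snippet; the credentials in it are made up.
SAMPLE = '''resource "aws_db_instance" "app" {
  engine   = "postgres"
  password = "hunter2-plaintext"
}
variable "aws_access_key" { default = "AKIAEXAMPLEEXAMPLE12" }
'''

if __name__ == "__main__":
    text, removed = redact(SAMPLE)
    print(f"{removed} secrets redacted\n{text}")
```

Non-secret attributes such as the engine name survive untouched, so the assistant still sees enough context to explain the misconfiguration.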

For Checkmarx users that would like to explore Checkmarx IaC Security / KICS, the addition of AI Guided remediation provides an exciting new opportunity to easily review and action vulnerabilities identified by Checkmarx IaC Security / KICS, all within the Checkmarx One™ Application Security Platform.  

It’s easy to get started  

For existing Checkmarx IaC / KICS users who want to explore the power of AI Guided Remediation, especially to see how it can create a better developer experience, the Checkmarx AI early access program is now available.  

Sign up now to be among the first to leverage AI Guided Remediation for IaC Security / KICS.  

Checkmarx Early Access program

Not already using Checkmarx IaC or KICS? Existing Checkmarx SAST users who want to explore the power of leveraging Checkmarx IaC / KICS and the AI Guided remediation are encouraged to learn more about all of the powerfully simple AI-driven features available within the Checkmarx One™ Application Security Platform, the industry’s most comprehensive platform for reducing risk within today’s complex, cloud-native applications.  

Contact your Checkmarx account manager, or contact Checkmarx today.  
