AWS and Checkmarx: Security at Cloud Scale
https://checkmarx.com/blog/aws-and-checkmarx-security-at-cloud-scale/
Thu, 03 Jun 2021 06:20:43 +0000

Cloud application development is booming. In fact, IDC estimates that by 2023, over 500 million digital apps and services will be developed and deployed using cloud-native approaches. Today, the cloud delivers exciting opportunities for developers to create software at a previously impossible rate. But given this demand, organizations also need to ensure that security across applications and infrastructure is not compromised. It is critical to protect the IP of these apps and services, and security must have the ability to scale with cloud application development.
Today developers are under immense pressure to deliver quickly to the business, looking to adopt more agile development methods. In this intense environment, it is easy for developers to make mistakes and write insecure code unintentionally. This element of human error is why security must be intrinsic to the entire software development process and environment.
The baked-in security offered by cloud service providers like AWS means that components of the cloud environment are secure. However, organizations must still ensure that their developers secure their own code in the cloud. Therefore, security is the joint responsibility between the two parties.

A Secure Hand-Off to the Cloud

AWS ensures the cloud itself is secure, while Checkmarx secures the code organizations deploy to the cloud. In more detail, AWS is responsible for the security of the cloud, such as the routers, switches, hubs, and so on. Organizations, on the other hand, are responsible for security in the cloud; in other words, they must ensure that data, hosts, containers, serverless infrastructure, networks, user credentials, and resource configurations are secure. Upholding their side of the cloud security bargain means organizations must empower their developers to build security into applications and infrastructure configuration from the start. This shared responsibility is one of the key reasons why AWS customers should also be looking at Checkmarx: we help organizations ensure that code vulnerabilities never reach production.

A Vetted AWS Security, DevOps, and Public Sector Partner

Additionally, not only is Checkmarx one of the highest-tier technology partners (AWS Advanced Program Network partner), but we are also the first and only AppSec solution vendor to earn both the AWS Security Competency and DevOps Competency status. Public Sector agencies can also leverage our AST solutions, as we are a member of the AWS Public Sector Partner Program. The competency and partner program qualification process involves AWS vetting, validating, and verifying Checkmarx’s deep industry experience, expertise, and track record of customer success in delivering specialized software.

A Shared Dev-Centric Approach to Industry-Leading Tech

Again named a “Leader” in the 2021 Gartner Magic Quadrant for Application Security Testing, Checkmarx enables organizations to easily automate application security testing as part of their cloud-based software development process without slowing down the development, delivery, and deployment timeline. The unique combination of the baked-in security that AWS delivers – enabling customers to get up and running in the cloud quickly, efficiently, and securely – combined with Checkmarx automated application testing safeguards organizations with end-to-end security so end users can feel a sense of ease.

Integration, Automation, and Orchestration

However, if a company’s developer workforce is not accustomed to incorporating security standards into their software development pipelines, Checkmarx’s developer-centric integrations will help. Developers can seamlessly embed security scans and reports, remediation guidance, and developer education into their existing workflows.
Checkmarx also has extensive integrations throughout the SDLC, such as source code repositories and CI/CD tools including GitHub and GitLab. Checkmarx provides integrated support for AWS CodeStar services, allowing customers to initiate Checkmarx application security testing scans from AWS CodeBuild and AWS CodePipeline for code stored in CodeCommit. Checkmarx can integrate into virtually any other developer tool with ease, so regardless of the development environment, there’s automated and seamless code scanning within developers’ typical workflows before AWS cloud deployment.
Developers can scan different kinds of code at different stages in the development pipeline: raw, uncompiled source code before a commit; at the time of a commit or merge request; or during a code build. This enables greater efficiency between developers and AppSec teams and allows them to scale.

Enabling Teams to Scale

Of equal importance in any cloud environment is the ability to scale, and AWS Lambda combined with Checkmarx helps organizations achieve this. AWS Lambda automatically runs your code without requiring you to provision or manage infrastructure. It automatically scales the application by running code in response to each event.
Watch a recap of our Checkmarx MeetUp to learn how to autoscale your Checkmarx scanning engines on AWS.
Likewise, Checkmarx’s unified platform delivers a single pane of glass which creates a host of efficiencies and time savings, such as exploitable paths and automated feedback loops. It eliminates the need for manual interventions and provides remediation guidance and recommendations as well as best fix locations. And if required, Checkmarx also provides support and education for just-in-time, vulnerability-specific lessons in Codebashing. This allows teams to build their knowledge base with low impact on overall productivity.

Marketplace Procurement and Enterprise Discount Program

Finally, Checkmarx also enables customers to utilize their AWS Enterprise Discount Program (EDP) commitments. EDP provides enterprises with a discount based on volume or consumption purchase commitments. Let me give you a simple example of how an AWS EDP might work: for the next three years, the customer would commit to spending $5M on AWS services, and in exchange, receive a 13% discount. Even if the customer doesn’t spend $5M, they would still owe AWS $5M. This commitment model gives AWS customers a strong incentive to find strategically valuable ways to achieve their spending commitment. For those customers, purchasing Checkmarx over AWS Marketplace is an attractive proposition. For every dollar spent on Checkmarx, 50% of the purchase applies to their AWS spending obligations.
With the growth in cloud application development, the whole SDLC has accelerated once again, and security must scale at the same rate if organizations are to fulfill their part of the joint cloud security bargain. The speed of releases paired with modern application development trends could signal increased attack surfaces, so organizations need to know that they are building and deploying secure code.
However, it is not just the application source code that needs scanning. As mentioned, modern application development also drives the heightened use of third-party and open-source components, which organizations need to vet and evaluate with Checkmarx scans. This intersection is where the partnership between AWS and Checkmarx delivers the heavy lifting so that organizations can concentrate on building, testing, and deploying secure applications at the demanding speed of DevOps.
Want to learn more?
AWS Partnership Microsite
Related Resources:
Webinar: Autoscale Your Checkmarx Engines on AWS
Codebashing on the AWS Marketplace
Application Security | AWS Marketplace (amazon.com)

Integrating Checkmarx Security Results within GitLab
https://checkmarx.com/blog/integrating-checkmarx-security-results-within-gitlab/
Mon, 24 Aug 2020 09:23:35 +0000

The automation and integration of Application Security Testing (AST) is essential for building out a true DevSecOps program. Automation is the easy part: invoke a security scanner’s REST API or command line interface inside a pipeline and you get automated scans. The key, and more tricky, part is integration. By that I mean the ability to consume the security scanner’s results within the CI/CD tooling, so that a security assessment can be made without having to leave the CI/CD ecosystem.
Announced today, we’re thrilled to share that CxSAST, CxSCA, and CxCodebashing all now integrate seamlessly within GitLab’s ecosystem via CxFlow: Checkmarx’s scan and result orchestration application.
Below is a high-level overview on integrating Checkmarx security into GitLab’s user interface.

Stayin’ Put

GitLab’s users, whether they are Software Developers, DevOps, or AppSec engineers, want to consume as much of the application security scanner’s results as possible within GitLab. GitLab is already a complete DevOps platform, from managing -> to planning -> to creating -> to releasing, so it is just common sense that GitLab users would want to have security directly within GitLab. GitLab users can consume Checkmarx security-related vulnerability results at three different integration points:

  • Merge Request Overviews
  • GitLab Issues
  • Security Dashboard (for GitLab Gold/Ultimate tier or public projects)

Every organization, and even individual teams within the organization, will want to run security scanners at different points of the SDLC, but Checkmarx’s best-practice recommendation is to scan at the Merge Request stage. With security scanning completed at the Merge Request stage, an assessment can be performed with the scan results and the merge can be blocked, or GitLab Issues can be created. But what kind of result data should be consumed?
Checkmarx provides:

  • High level summary of CxSAST & CxSCA findings
  • Data flow from source to sink within the source code
  • Short summary of the specific vulnerability that was identified
  • Links to just-in-time training (CxCodebashing) and online resources for remediation
  • Links into Checkmarx platform for even more comprehensive results

CxFlow – Under the Hood

Checkmarx maintains a Spring Boot application called CxFlow, which acts as a scan and results orchestration tool to automate security scans and integrate the results into CI/CD tools such as GitLab. Some key features and capabilities include:

  • Scan Initiation – CLI or Webhook Events
    • CxFlow can be configured in two different ways: run CxFlow from a command-line interface, or run it as a server that listens for webhook events. Once an event is triggered or received, a Checkmarx scan is initiated automatically.
    • Merge requests, or even commits of the source, will trigger an existing pipeline within GitLab’s CI/CD and initiate a scan via CxFlow; the existing pipeline just needs an edit to include a stage that invokes CxFlow.
    • The scan initiation will either create a new Checkmarx project if one does not exist or update the current one.
  • Results Management
    • The scan results are file based (CSV, JSON, or XML), making them easy to import into defect tracking systems or dashboards.
    • CxFlow also drives a result feedback loop, eliminating manual intervention (opening and even closing defects).
    • You can always filter the results that are created based on any filtering criteria.
    • The results are easy to consume, in the way developers want to consume them, and most importantly, actionable.
  • Defect Tracking
    • Consolidates issues of the same vulnerability type in the same file: instead of multiple issues, it is just one.
    • Once all references to the vulnerability type in that issue are fixed, the ticket will automatically close.
    • You can base it on policy: severity, CWE, vulnerability type, or state (urgent / confirmed).
    • Defect tracking is supported for both CxSAST and CxSCA results.
  • Feedback Channels
    • Not only does it support GitLab Security Dashboard and GitLab Issues, but also Jira, Email, Service Now and Rally.
  • Ease of Consuming the AST Service
    • Effortless option for the development teams to quickly scan projects.
    • There is no overhead when configuring and managing builds.
  • Mass Effortless Scan Configuration
    • You can quickly automate the scan of multiple repositories.
    • Again, there is no overhead when configuring and managing builds of many repos.
  • Automation with Developers’ Common Toolsets
    • In this case, GitLab.
    • You want to get the details of issues to those who must address them – the developers.
    • Drive security testing based on GitLab activity.
    • Publish issues to existing backlogs.
    • Keep developers within GitLab.
  • Eliminate Unnecessary Manual Tasks with Checkmarx Automation Capabilities
    • Free up time to focus on things that matter.
    • Shift as far left as possible.
    • Constantly scanning the latest code.
    • Replaces need to scan in the IDE.

GitLab / Checkmarx Workflow

Below is a diagram of the Checkmarx workflow with GitLab’s CI/CD.

Now let’s describe this flow in more detail: 

  1. Setting Variables

Variables are needed to perform Checkmarx authentication and to define the Checkmarx scan settings read by CxFlow. They can be set up per project or by “groups”. GitLab has a useful feature that lets a file be stored as a Variable; we leverage this feature and provide CxFlow’s YAML configuration file as a Variable.

  2. Defining a Stage

Per GitLab best practice, application security testing should be done during the “test” stage of the pipeline. During the test stage, GitLab pulls the Checkmarx Docker container in which the CxFlow CLI is stored. The CxFlow CLI is then invoked to initiate the scan based on the settings defined in the config file Variable.

  3. CxFlow CLI Initiates the Scan

CxFlow receives the request with the Checkmarx project settings and the GitLab repository details. CxFlow authenticates to the Checkmarx server and then initiates a scan. It waits for the scan to finish.

  4. Checkmarx Performs SAST & SCA Scans
  5. CxFlow Parses Results and Updates GitLab

CxFlow waits until the scan is done, parses the results, and updates the Security Dashboard, GitLab Issues, the Merge Request Discussion, or all three. If an issue has been fixed, it automatically closes it.
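The consolidation and feedback-loop behaviour described above (one tracker issue per vulnerability type and file under “Defect Tracking”, and the close-on-fix step in step 5 of the workflow) can be illustrated with a small result-processing script. The following is an added example written for this page; it is not CxFlow’s code, the finding fields, severity names and triage states are constructed stand-ins for whatever the real results file carries, and the sample findings and “already open” issues are made up for the demonstration. It goes slightly beyond the post by also showing a severity-based merge gate.

```python
"""Consolidate SAST findings into one tracker issue per (vulnerability type, file)
and reconcile them against the issues already open, mirroring the behaviour the
post attributes to CxFlow's defect tracking and result feedback loop.

Added example written for this page; it is not CxFlow's code, and the finding
format below is constructed, not Checkmarx's actual report schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Severity ordering used for the minimum-severity filter (assumed names).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    """One scanner result: a vulnerability type at a file/line with a triage state."""
    vuln_type: str
    file: str
    line: int
    severity: str
    state: str  # e.g. "To Verify", "Confirmed", "Urgent", "Not Exploitable" (assumed)


@dataclass
class Issue:
    """One consolidated tracker issue: all lines of one vuln type in one file."""
    key: str
    severity: str
    lines: list[int] = field(default_factory=list)


def issue_key(finding: Finding) -> str:
    """Issues are keyed by vulnerability type and file, not by individual line."""
    return f"{finding.vuln_type} @ {finding.file}"


def consolidate(findings, min_severity="Medium", excluded_states=("Not Exploitable",)):
    """Filter findings by severity/state and group them into one Issue per key.

    Repeated hits of the same vulnerability type in one file become a single
    ticket listing every affected line instead of many separate tickets.
    """
    issues: dict[str, Issue] = {}
    for f in findings:
        if f.state in excluded_states:
            continue
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[min_severity]:
            continue
        key = issue_key(f)
        issue = issues.setdefault(key, Issue(key=key, severity=f.severity))
        issue.lines.append(f.line)
        # Keep the issue at the highest severity seen among its findings.
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[issue.severity]:
            issue.severity = f.severity
    for issue in issues.values():
        issue.lines.sort()
    return issues


def reconcile(open_issues, current):
    """Compare open tracker issues with the latest scan.

    Returns (keys to create, keys to update, keys to close) as sorted lists.
    An issue is closed only when no finding of that type remains in that file.
    """
    to_create = sorted(k for k in current if k not in open_issues)
    to_close = sorted(k for k in open_issues if k not in current)
    to_update = sorted(
        k for k in current
        if k in open_issues and open_issues[k].lines != current[k].lines
    )
    return to_create, to_update, to_close


def merge_blocked(current, block_at="High") -> bool:
    """True if any consolidated issue meets the blocking severity threshold."""
    return any(SEVERITY_RANK[i.severity] >= SEVERITY_RANK[block_at] for i in current.values())


# Constructed sample data standing in for a parsed scan results file.
SAMPLE_FINDINGS = [
    Finding("SQL_Injection", "src/db.py", 42, "High", "Confirmed"),
    Finding("SQL_Injection", "src/db.py", 88, "High", "To Verify"),
    Finding("Reflected_XSS", "src/views.py", 17, "Medium", "To Verify"),
    Finding("Log_Forging", "src/views.py", 60, "Low", "To Verify"),
    Finding("Hardcoded_Password", "src/settings.py", 5, "High", "Not Exploitable"),
]

# Constructed set of issues already open in the tracker from the previous scan.
OPEN_ISSUES = {
    "SQL_Injection @ src/db.py": Issue("SQL_Injection @ src/db.py", "High", [42]),
    "Path_Traversal @ src/files.py": Issue("Path_Traversal @ src/files.py", "Medium", [9]),
}


def run_feedback_loop():
    """Consolidate the sample scan, reconcile it with open issues, and gate the merge."""
    current = consolidate(SAMPLE_FINDINGS)
    create, update, close = reconcile(OPEN_ISSUES, current)
    return {"current": current, "create": create, "update": update,
            "close": close, "blocked": merge_blocked(current)}


if __name__ == "__main__":
    result = run_feedback_loop()
    for key, issue in result["current"].items():
        print(f"{issue.severity:6} {key} lines={issue.lines}")
    print("create:", result["create"], "update:", result["update"], "close:", result["close"])
    print("block merge:", result["blocked"])
```

Running the sample produces two consolidated issues (the two SQL injection hits in `src/db.py` collapse into one), one issue to create, one to update with the new line list, one to close because the path traversal finding no longer appears, and a blocked merge because a High-severity issue remains. Run it at the point in the pipeline where the results file is available, after the CxFlow CLI has finished its scan.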
