Checkmarx Solutions Now Available for Purchase on AWS Marketplace
https://checkmarx.com/blog/checkmarx-solutions-now-available-for-purchase-on-aws-marketplace/
Thu, 05 Nov 2020 12:11:36 +0000

Checkmarx is excited to announce that our solutions are now available for purchase via AWS Marketplace! With this, organizations can easily procure and deploy Checkmarx application security testing products – CxSAST, CxSCA, and CxCodebashing – into their AWS CI/CD pipelines to ensure security and compliance across all applications running in the AWS cloud environment.

Why Purchase Through AWS Marketplace?

In case you’re unfamiliar, AWS Marketplace is a curated, digital catalogue that helps customers around the globe find, buy, and use third-party software and services that run on AWS.
To purchase Checkmarx products via the Marketplace Private Offer, organizations can engage with a Checkmarx salesperson and receive product and pricing information not publicly visible on the Public Offer Marketplace. To purchase, all we need is the organization’s AWS Account Number to create a personalized quote. From there, acceptance, purchase, and deployment are just a few clicks away!
CxCodebashing, our developer application security training solution, can be purchased both via a Marketplace Private Offer and via our public listing.

The benefits of purchasing Checkmarx solutions through AWS Marketplace include:

  • Simplified billing: Transacting over AWS Marketplace accelerates the closing and procurement processes. All billing is handled directly on customers’ AWS invoices as a line item, helping to avoid procurement steps that typically accompany purchasing software from a new vendor.
  • Retire EDP commitments: AWS’s Enterprise Discount Program (EDP) gives enterprises a discount in exchange for a volume (consumption) purchase commitment. A simple example: for the next three years, the customer commits to spending $5MM on AWS services and in exchange receives a 13% discount. Even if the customer doesn’t spend $5MM, they still owe AWS $5MM. For customers participating in the EDP program, purchasing Checkmarx over AWS Marketplace is an attractive proposition: for every dollar spent on Checkmarx, 50% of the purchase can be applied to their AWS spending obligations.
  • Purchase in a time of limited budgets: Reduced budgets amidst current economic uncertainties can make it challenging to purchase solutions that address the ever-present cybersecurity and application security threat landscape. The ability to purchase Checkmarx using pre-allocated AWS budgets provides security departments the ability to acquire our best-in-class software security solutions that might otherwise have been stalled due to temporary budget constraints.
  • Custom terms & pricing: Checkmarx can support custom terms, where applicable, and offers flexible options like multi-year contracts.

Why AWS Customers Should Consider Checkmarx

Checkmarx enables organizations to easily automate application security testing as part of their cloud-based software development process so they can improve the security and quality of their software without slowing down development, delivery, and deployment timelines. Checkmarx integrates with leading source code management tools like GitHub and GitLab to enable seamless code scanning within developers’ typical workflows.
Key features and benefits enjoyed by both developers and security teams include:

  • Ability to scan raw source code before a build takes place, enabling greater efficiency between developers and AppSec teams;
  • Prioritized SAST and SCA scan results to focus and expedite developer remediation efforts on vulnerabilities that pose the greatest threat;
  • Automated results feedback loop to eliminate the need for manual intervention when opening and closing defects;
  • Direct links into the Checkmarx Software Security Platform and access to its dedicated service and support resources for even more comprehensive results and coverage; and
  • Links to just-in-time, lesson-specific training via Checkmarx Codebashing and online resources for remediation guidance to elevate developers’ secure coding skills.

What else sets us apart as an AWS partner?

Robust DevOps Integrations:
Checkmarx provides integrated support for AWS CodeStar services, allowing customers to initiate Checkmarx application security testing scans from AWS CodeBuild and AWS CodePipeline for code that is stored in CodeCommit. Additionally, we have integrations with the industry’s top source control repositories, CI/CD pipelines, defect tracking, and feedback channels. With our CLI & REST APIs, we can integrate into virtually any other tool with ease.

Trusted and Backed by AWS:
Checkmarx is an AWS Partner Network (APN) Advanced Technology Partner, AWS’ highest-tier technology partner designation. Additionally, Checkmarx is the first and only AppSec solutions vendor to hold both the AWS Security Competency and the AWS DevOps Competency. The competency process involves AWS vetting, validating, and verifying Checkmarx’s deep industry experience, expertise, and track record of customer success in delivering specialized software.

Industry Leader Amongst Analysts and Customers:
Checkmarx has been named a “Leader” in the Gartner Magic Quadrant for Application Security Testing for three consecutive years, a testament to the quality of our solutions and value they bring to customers. We have also been recognized with the Gartner Peer Insights Customers’ Choice for Application Security Testing for two years running due to our overall product capabilities, seamless integration into DevOps, and expert customer service.
Checkmarx is proud to work with over 1,400 customers across the globe – ranging from Salesforce to Samsung – helping to improve the security and quality of the software they build. Just take it from one of our valued customers:
“If your company’s developer workforce is not used to incorporating security standards into their builds, the Checkmarx stack of tools will do wonders for you in terms of integrating into your existing pipelines and providing the education via Codebashing that your developers will need.” Application System Analyst, Finance Industry [read full review]

Ready to Get Started?

If you’re an AWS customer interested in purchasing Checkmarx’s AST solutions via AWS Marketplace, or want more information and assistance, please visit here.

Integrating Checkmarx Security Results within GitLab
https://checkmarx.com/blog/integrating-checkmarx-security-results-within-gitlab/
Mon, 24 Aug 2020 09:23:35 +0000

The automation and integration of Application Security Testing (AST) is essential for building out a true DevSecOps program. Automation is the easy part: invoke a security scanner’s REST API or command-line interface inside a pipeline and you get automated scans. The key, and trickier, part is integration. By that I mean surfacing the scanner’s results inside the CI/CD tooling itself, so that a security assessment can be made without ever leaving the CI/CD ecosystem.
Announced today, we’re thrilled to share that CxSAST, CxSCA, and CxCodebashing all now integrate seamlessly within GitLab’s ecosystem via CxFlow: Checkmarx’s scan and result orchestration application.
Below is a high-level overview on integrating Checkmarx security into GitLab’s user interface.

Stayin’ Put

GitLab users, whether they are software developers, DevOps, or AppSec engineers, want to consume as much of the application security scanner’s results as possible within GitLab. GitLab is already a complete DevOps platform, from managing to planning to creating to releasing, so it is just common sense that GitLab users would want security directly within GitLab. GitLab users can consume Checkmarx vulnerability results at three integration points:

  • Merge Request Overviews
  • GitLab Issues
  • Security Dashboard (for GitLab Gold/Ultimate tier or public projects)

Every organization, and even individual teams within an organization, will want to run security scanners at different points of the SDLC, but Checkmarx’s best-practice recommendation is to scan at the Merge Request stage. With security scanning completed at the Merge Request stage, an assessment can be performed on the scan results, and the merge can be blocked or GitLab Issues created. But what kind of result data should be consumed?
Checkmarx provides:

  • High level summary of CxSAST & CxSCA findings
  • Data flow from source to sink within the source code
  • Short summary of the specific vulnerability that was identified
  • Links to just-in-time training (CxCodebashing) and online resources for remediation
  • Links into Checkmarx platform for even more comprehensive results

CxFlow – Under the Hood

Checkmarx maintains a Spring Boot application called CxFlow, which acts as a scan and results orchestration tool to automate security scans and integrate the results into CI/CD tools such as GitLab. Some key features and capabilities include:

  • Scan Initiation – CLI or Webhook Events
    • CxFlow can be configured in two ways: run from a command-line interface, or run as a server that listens for webhook events. Once an event is triggered or received, a Checkmarx scan is initiated automatically.
    • Merge requests, or even commits of the source, trigger an existing pipeline within GitLab’s CI/CD and initiate a scan via CxFlow; the existing pipeline just needs a stage added that invokes CxFlow.
    • Scan initiation either creates a new Checkmarx project if one does not exist or updates the existing one.
  • Results Management
    • Scan results are file based (CSV, JSON, or XML), making them easy to import into defect tracking systems or dashboards.
    • CxFlow also drives a results feedback loop, eliminating manual intervention (opening and even closing defects).
    • Results can be filtered on any criteria before they are published.
    • The results are easy to consume, in the way developers want to consume them, and most importantly, actionable.
  • Defect Tracking
    • Consolidates issues of the same vulnerability type in the same file – instead of multiple issues, it is just one.
    • Once all references to the vulnerability type of that issue are fixed, the ticket will automatically close.
    • Which findings become tickets can be policy-driven: by severity, CWE, vulnerability type, or state (urgent / confirmed).
    • Defect tracking is also supported for both CxSAST and CxSCA results.
  • Feedback Channels
    • Not only does it support the GitLab Security Dashboard and GitLab Issues, but also Jira, email, ServiceNow, and Rally.
  • Ease of Consuming the AST Service
    • Effortless option for the development teams to quickly scan projects.
    • There is no overhead when configuring and managing builds.
  • Mass Effortless Scan Configuration
    • You can quickly automate the scan of multiple repositories.
    • Again, there is no overhead when configuring and managing builds of many repos.
  • Automation with Developers’ Common Toolsets
    • In this case, GitLab.
    • You want to get the details of issues to those who must address them – the developers.
    • Drive security testing based on GitLab activity.
    • Publish issues to existing backlogs.
    • Keep developers within GitLab.
  • Eliminate Unnecessary Manual Tasks with Checkmarx Automation Capabilities
    • Free up time to focus on things that matter.
    • Shift as far left as possible.
    • Constantly scanning the latest code.
    • Replaces need to scan in the IDE.

GitLab / Checkmarx Workflow

Below is a diagram of the Checkmarx workflow with GitLab’s CI/CD.

Now let’s describe this flow in more detail:

  1. Setting Variables

Variables are needed for Checkmarx authentication and to define the Checkmarx scan settings read by CxFlow. They can be set per project or per group. GitLab has a useful feature where a file can be stored as a Variable; we leverage this and store CxFlow’s YAML configuration file as a Variable.

  2. Defining a Stage

Per GitLab best practice, application security testing should run during the “test” stage of the pipeline. In that stage, GitLab pulls the Checkmarx Docker container in which the CxFlow CLI is packaged, and the CxFlow CLI is invoked to initiate the scan based on the settings in the config-file Variable.

  3. CxFlow CLI Initiates the Scan

CxFlow receives the request with the Checkmarx project settings and the GitLab repository details, authenticates to the Checkmarx server, and initiates a scan. It then waits for the scan to finish.

  4. Checkmarx Performs SAST & SCA Scans

  5. CxFlow Parses Results and Updates GitLab

CxFlow waits until the scan is done, parses the results, and updates the Security Dashboard, GitLab Issues, the Merge Request discussion, or all three. If an issue has been fixed, it is closed automatically.
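The result-handling behaviour the CxFlow feature list above describes (policy filtering, one issue per vulnerability type per file, automatic close once every reference is fixed) and the final workflow step (parse results, update issues, gate the merge) can be illustrated in code. What follows is an added example written for this page, not CxFlow’s own code: the finding and issue field names, the sample findings and open issues, and the GitLab SAST report layout are all assumptions of the example, constructed so it runs offline.

```python
import hashlib
import json
import sys
from collections import defaultdict

# Severity ordering used by the policy filter (constructed for this example).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample findings, as one might have after parsing a scanner's JSON
# output. The field names are this example's own, not the CxFlow/CxSAST schema.
FINDINGS = [
    {"type": "SQL_Injection", "cwe": 89, "severity": "High", "file": "app/db.py", "line": 42, "state": "Confirmed"},
    {"type": "SQL_Injection", "cwe": 89, "severity": "High", "file": "app/db.py", "line": 77, "state": "To Verify"},
    {"type": "Reflected_XSS", "cwe": 79, "severity": "Medium", "file": "app/views.py", "line": 15, "state": "To Verify"},
    {"type": "Log_Forging", "cwe": 117, "severity": "Low", "file": "app/views.py", "line": 90, "state": "To Verify"},
    {"type": "Path_Traversal", "cwe": 22, "severity": "High", "file": "app/files.py", "line": 8, "state": "Not Exploitable"},
]

# Constructed sample: issues the previous scan left open in the tracker, keyed by title.
OPEN_ISSUES = {
    "CX SQL_Injection @ app/db.py": {"iid": 101},
    "CX Hardcoded_Password @ app/config.py": {"iid": 87},
}


def apply_policy(findings, min_severity="Medium", excluded_states=("Not Exploitable",)):
    """Keep findings at or above min_severity whose triage state is not excluded."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK[f["severity"]] >= floor and f["state"] not in excluded_states]


def issue_title(vuln_type, path):
    """Stable title: the (vulnerability type, file) pair is the consolidation key."""
    return f"CX {vuln_type} @ {path}"


def consolidate(findings):
    """One tracker issue per (vulnerability type, file); every affected line is listed in it."""
    groups = defaultdict(list)
    for f in findings:
        groups[issue_title(f["type"], f["file"])].append(f)
    return {title: sorted(fs, key=lambda f: f["line"]) for title, fs in groups.items()}


def reconcile(consolidated, open_issues):
    """Diff this scan's consolidated issues against what is open in the tracker.

    Present now but not open -> create; present and open -> update the line list;
    open but no longer present -> every reference is fixed, so close the ticket.
    """
    return {
        "create": [t for t in consolidated if t not in open_issues],
        "update": [t for t in consolidated if t in open_issues],
        "close": [t for t in open_issues if t not in consolidated],
    }


def merge_gate(consolidated, block_on="High"):
    """True when the merge should be blocked: any surviving finding at block_on or above."""
    floor = SEVERITY_RANK[block_on]
    return any(SEVERITY_RANK[f["severity"]] >= floor
               for fs in consolidated.values() for f in fs)


def to_gitlab_sast_report(findings, scanner_id="checkmarx", scanner_name="Checkmarx"):
    """Render findings in a GitLab SAST report JSON shape for the Security Dashboard.

    The field layout is the GitLab SAST report schema as recalled for this example
    (an assumption); verify it against the schema version your GitLab instance expects.
    """
    vulns = []
    for f in findings:
        # Deterministic id so the same finding keeps the same identity across scans.
        fingerprint = hashlib.sha256(f"{f['type']}|{f['file']}|{f['line']}".encode()).hexdigest()
        vulns.append({
            "id": fingerprint,
            "category": "sast",
            "name": f["type"].replace("_", " "),
            "message": f"{f['type'].replace('_', ' ')} in {f['file']}",
            "severity": f["severity"],
            "scanner": {"id": scanner_id, "name": scanner_name},
            "location": {"file": f["file"], "start_line": f["line"], "end_line": f["line"]},
            "identifiers": [{
                "type": "cwe", "name": f"CWE-{f['cwe']}", "value": str(f["cwe"]),
                "url": f"https://cwe.mitre.org/data/definitions/{f['cwe']}.html",
            }],
        })
    return {"version": "14.0.0", "vulnerabilities": vulns}


def run(findings=FINDINGS, open_issues=OPEN_ISSUES):
    """Full pass: filter, consolidate, reconcile, report; returns everything for inspection."""
    kept = apply_policy(findings)
    grouped = consolidate(kept)
    return {
        "actions": reconcile(grouped, open_issues),
        "block_merge": merge_gate(grouped),
        "report": to_gitlab_sast_report(kept),
    }


if __name__ == "__main__":
    result = run()
    print(json.dumps(result["actions"], indent=2))
    # In a pipeline stage, a non-zero exit is what actually blocks the merge request.
    sys.exit(1 if result["block_merge"] else 0)
```

With the constructed data, the Low-severity and Not Exploitable findings are dropped by policy, the two SQL injection locations in app/db.py collapse into one issue that already exists and is updated, the XSS finding becomes a new issue, the stale hardcoded-password issue is closed because no finding references it any more, and the High-severity result makes the stage exit non-zero. Filtering before consolidation matters: a ticket whose only remaining references are Not Exploitable should close, not linger.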

