Checkmarx

Author: m | 2025-04-25


Checkmarx Folder Checkmarx Audit DefaultConfig.xml Checkmarx Folder Checkmarx Engine Server DefaultConfig.xml Checkmarx Folder Executables . Checkmarx Folder Configuration DBConnectionData.config; X: CxSrc . Install CxSAST on the new server. During the installation, when prompted to import a license file, select the new license file.


Checkmarx Pricing and Packaging - Checkmarx

Checkmarx One enterprise AppSec platform now correlates cloud insights from Wiz to deliver actionable insights and prioritization of critical vulnerabilities

PARAMUS, N.J. – MARCH 26, 2024 – Checkmarx, the leader in cloud-native application security, has integrated its enterprise application security platform, Checkmarx One, with leading cloud security provider Wiz and has joined the Wiz Integrations (WIN) program. The integration allows enterprise customers to approach application security (AppSec) from code to cloud and transform the way that AppSec and development teams prioritize and remediate cloud-native vulnerabilities by enriching their AppSec findings with runtime insights.

Wiz’s Cloud-Native Application Protection Platform (CNAPP) provides comprehensive coverage of cloud environments. Checkmarx One correlates cloud security context from runtime environments with application security results to prioritize and deliver actionable insights on which vulnerabilities are most critical. This unique approach allows teams to focus on what impacts the business most, thereby improving developers’ productivity and efficiency.

“With over 90% of enterprises knowingly pushing vulnerable code to production, there is a strong demand to change how we approach AppSec in a cloud-native environment,” said David Dewaele, Senior Product Partnership Manager at Checkmarx. “Infusing cloud security insights into every step and level of AppSec allows security and development teams to focus on their most critical vulnerabilities first while also driving actionability to cloud security teams.”

“We’re thrilled to welcome Checkmarx into the WIN platform,” said Oron Noah, Head of Product Extensibility and Partnerships at Wiz. “Together with Checkmarx, we’re providing customers security insights across the development and cloud lifecycle. Checkmarx provides us with unparalleled expertise in application security, which, combined with Wiz’s CNAPP solution, enables us to offer a comprehensive approach to securing applications and infrastructure in the cloud.”

The partnership between Checkmarx and Wiz introduces a “Shift Left, Shield Right” strategy, promising a holistic security posture that spans from code to cloud. Wiz contributes by providing an extensive inventory of cloud assets and crucial runtime context, while Checkmarx identifies and facilitates the remediation of software application vulnerabilities. Together, they offer a unified solution that aligns Wiz’s cloud assets inventory with Checkmarx’ assessment of applications and source code repositories, providing runtime context during development and actionability while applications are being monitored in production.

To learn more about the Checkmarx and Wiz integration, visit this page. To book a demo of the integration, visit this page.

About Checkmarx

Checkmarx is the leader in application security and ensures that enterprises worldwide can secure their application development from code to cloud. The company’s consolidated Checkmarx One platform and services address the needs of enterprises by improving security and reducing TCO, while simultaneously building trust between AppSec, developers, and CISOs. Checkmarx believes it’s not just about finding risk but remediating it across the entire application footprint and software supply chain with

Checkmarx SCA Resolver. Checkmarx SCA Resolver Download and Installation. Installing Supported Package Managers for Resolver. Running Scans Using Checkmarx SCA Resolver. Checkmarx SCA Resolver Configuration Arguments. SAML Authentication for Checkmarx SCA Resolver. Master Access Control Authentication for Checkmarx SCA Resolver

Use the SCA scanner will identify whether or not there is an exploitable path from your source code to the vulnerable 3rd party package. Learn more about Exploitable Path.

Exploitable Path Configuration

Radio button selection

The Exploitable Path feature uses queries in the SAST scan of your project to identify exploitable paths to vulnerable 3rd party packages. Therefore, it is always necessary to run a SAST scan on the project in order to get results for Exploitable Path. Whenever you run a Checkmarx One scan with both the SAST and SCA scanners selected, Exploitable Path uses the results of the current SAST scan for analysis. When you run a Checkmarx One scan with only the SCA scanner selected, Checkmarx One can either use results from a previous SAST scan or it can initiate a new SAST scan (using default settings) that runs the Exploitable Path queries. Select one of the following configurations:

Use SAST scans for past _ day/s - specify the number of days for which results from a historic SAST scan will be used for Exploitable Path. If no scan was run within the specified period, then a new scan will be triggered.

Warning: Not fully supported in all environments. The default value of one day may be applied automatically.

Do not use existing SAST scans - Whenever you run a Checkmarx One scan with only the SCA scanner selected, a SAST scan will be triggered automatically in order to run the Exploitable Path queries.

API Security Scanner Parameters

The parameters that will be defined for the

Comments

User7892

False, SAST will perform a full scan. Full scans are more comprehensive but take longer to complete and use more resources.

recommendedExclusions (true / false)
Determines whether the system should automatically exclude certain files and folders from the scan.
When set to true, SAST applies predefined exclusions, allowing developers to scan faster and focus on the most relevant code areas.
SAST will include all files and directories in the scan when set to false.

languageMode (primary / multi)
For more information, see:
Specifying a Code Language for Scanning
Supported Code Languages and Frameworks: Click Engine Pack Versions and Delivery Model. Select the latest EP (Engine Pack) Supported Code Languages and Frameworks.
Note: By default, the languageMode is Multi.

folder/filter
Allow users to select specific folders or files to include or exclude from the code scanning process.
Including a file type - *.java
Excluding a file type - !*.java
Use “,” sign to chain file types, for example: *.java,*.js
The parameter also supports including/excluding folders.
regex is not supported.

engineVerbose (true / false)
true = Enables PRINT_DEBUG mode.
false = Enables PRINT_LOG mode.

ASA Premium Preset

ASA Premium Preset is a part of the SAST collection of presets. This Preset is available only for Checkmarx One. Its usage is described in the table below.

Preset: ASA Premium
Usage: The ASA Premium preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program. The preset might change in future versions. The AppSec Accelerator team will remove old/deprecated queries or include new and improved queries in a continuous manner.
Includes vulnerability queries for: Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL,

2025-04-10
User4143

Analytics

The Analytics module is a tool for executives and AppSec administrators, providing valuable and actionable insights into their data in Checkmarx One. With the ability to switch between Totals and Over Time modes, users can clearly understand their application security landscape. Whether analyzing Scans or Vulnerabilities, this module offers various informative charts for better decision-making.

Vulnerabilities KPIs offer actionable insights, allowing users to directly access vulnerability details with one click. This feature speeds up remediation, reduces exposure, and bridges the gap between AppSec and development teams.

To help you with data analysis, the module also features a flexible tag filtering system.

The Analytics module is a user-friendly tool for making informed decisions, enhancing security practices, and optimizing your organization's application security posture.

Permissions

To execute various actions in the Analytics feature, a user needs to be assigned one of the following permissions:

analytics-reports-admin - View all analytics dashboards and reports.
analytics-scan-dashboard-view - View scan dashboard.
analytics-vulnerability-dashboard-view - View vulnerability dashboard.
analytics-executive-overview-view - View executive overview dashboard.
manage-reports - Export, share the dashboard, and generate a report.

Filtering

The Analytics module offers advanced data filtering options, allowing users to customize their analysis to specific criteria. The available filters can be accessed from the drop-down menu at the top-right corner.

The following logic is applied to filtering:

The filter will not be applied if no values are selected or entered for a particular attribute.

Within a single filter, selected values are combined using an OR operator. For instance, if you choose the values SAST and SCA for the Scanners filter, Checkmarx One will display issues associated with SAST or SCA scanners.

Different filters are combined using an AND operator. For example, if you select SAST for the Scanners filter and a specific project for the Projects/Apps filter, Checkmarx One will only display issues that match both criteria: SAST severity and the selected project.

Specific filters are described below.

Range

Users can define custom date ranges to analyze data within specific timeframes, such as hourly, daily, weekly, monthly, or annually. This is particularly useful for identifying trends and evaluating the impact of changes in security practices over time.

Scanners

This filter lets you narrow your analysis to data generated by specific scanners. By selecting particular scanners, you can assess their performance and effectiveness in identifying vulnerabilities and securing your applications.

Tags

This filter type allows you to focus your analysis on subsets of your data by choosing the existing project and application tags for filtering and categorization. Each tag in the list is labeled as project or application to indicate its level.

SAST Vulnerabilities

This filtering option is available only in the Vulnerabilities tab. It allows you to select a specific vulnerability by name from a dropdown list. Filtering by SAST vulnerabilities impacts two widgets: the "Top 20 Vulnerabilities" and the "Top 20 Oldest Vulnerabilities." The data displayed in these widgets will be adjusted according to the selected vulnerability.

All Proj./Apps

This filter allows you to toggle between viewing Projects or Applications and searching for specific applications or project names in the selected category.

Data presentation modes

In the Analytics module, users can choose between two modes

2025-04-07
User4568

Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

ASA Premium Mobile

The ASA Premium Mobile preset is a dedicated preset designed for mobile apps.

The ASA Premium Mobile preset contains a subset of vulnerabilities that Checkmarx AppSec Accelerator team considers to be the starting point of the Checkmarx AppSec program. The preset might change in future versions. The AppSec Accelerator team will remove old/deprecated queries or include new and improved queries in a continuous manner.

Apex, ASP, CPP, CSharp, Go, Groovy, Java, JavaScript, Kotlin (non-mobile only), Perl, PHP, PLSQL, Python, Ruby, Scala, VB6, VbNet, Cobol, RPG and VbScript coding languages.

Fast Scan Configuration

Fast Scan configuration aims to find the perfect balance between thorough security tests and the need for quick and actionable results. There’s no need to choose between speed and security. Alongside the Base Preset, we are thrilled to announce a new scan mode designed to speed up the scan: Fast Scan mode.

Fast Scan mode decreases the scanning time of projects up to 90%, making it faster to identify relevant vulnerabilities and enable continuous deployment while ensuring that security standards are followed. This will help developers tackle the most relevant vulnerabilities.

While the Fast Scan configuration identifies the most significant and relevant vulnerabilities, the In-Depth scan mode offers deeper coverage. For the most critical projects with a zero-vulnerability policy, it is advised also to use our In-Depth scan mode.

Warning: To expedite the results retrieval, the scanning process has been optimized to reduce the number of stages and flows involved in the scan. With this

2025-04-04
User4918

Release Notes for Engine Pack 9.5.5

Caution: The Checkmarx certificate used for application code signing has been updated since the previous one has expired. This might result in error messages depending on the environment settings, but these errors can be safely ignored.

Installation Notes

Caution: In a distributed environment, the relevant Engine Pack must also be installed on the CxManager host to update the SQL database.

Notice: Engine Packs are cumulative and include previous Engine Pack updates.

For more information about Engine Pack installation, see Engine Pack Versions and Delivery Model.

CxSAST Engine Pack Enhancements

Engine Pack 9.5.5 introduces significant language and framework enhancements:

Languages and Frameworks

All supported code Languages & Frameworks versions are on the dedicated page.

The content includes the following:

CSharp (GA)

The C# 11 support introduced in 9.5.4 was improved and is now available as GA.

New Query SSRF

A new query to flag the SSRF vulnerability was added as part of this version:

CSharp_Medium_Threat --> SSRF

Accuracy Improvements

A set of CSharp high queries has been reviewed to improve the accuracy of the results and reduce the noise by decreasing false positives.

.Net Core

.Net Core support was updated to version 7.

Python

The support of the Comprehensive list in Python language has been improved.

TypeScript

TypeScript language support was updated to version 5.0 and includes the following features:

Extends constraints on inferring type variables.
Optional Variance Annotations for Type Parameters.
Resolution Mode.
Instantiation Expressions.
Inference for inferring Types in Template String Types.
Auto-Accessors in Classes.
Satisfies Operator.
Const Type Parameters.
Export type *.

Angular

Angular support was updated to version 15, which includes the following features:

Component directives
Syntax for Route

2025-04-09
