Checkmarx Adds Vulnerability Correlation Engine to AppSec Portfolio
At the RSAC 2022 conference, Checkmarx this week announced it has added a correlation engine to its application security portfolio that delivers the results of multiple static code and runtime scans in a single graph.
Razi Sharir, chief product officer for Checkmarx, said Checkmarx Fusion not only provides more context but also reduces the number of false-positive alerts that are generated because results from multiple scans are correlated. The graph that gets created maps all the vulnerabilities discovered and the relationships between applications and the cloud resources being consumed. It is an extension of the open source Keeping Infrastructure as Code Secure (KICS) that Checkmarx makes available to scan the code used to provision infrastructure.
The overall goal is to make it easier for cybersecurity teams to prioritize vulnerability remediation efforts as they collaborate with developers within the context of a DevSecOps workflow, added Sharir.

Establishing a DevSecOps workflow is challenging for many reasons, one of which is that the security teams that use scans to discover vulnerabilities tend to package the findings in a spreadsheet that is then passed on to developers. However, little context is provided regarding the severity of the vulnerability or vulnerabilities discovered. Developers have only a limited amount of time available to work on patching applications, so they need to focus their efforts on the most severe vulnerabilities discovered rather than merely working through a list.
Sharir said Checkmarx is leveraging a modern cloud-native environment based on microservices to provide this capability in a way that scales up and down. Going forward, Checkmarx will add support for other critical assets that need to be regularly scanned for vulnerabilities, including application programming interfaces (APIs), he added.
Checkmarx is moving to provide a holistic view of vulnerabilities as organizations review their software supply chains in the wake of a series of high-profile breaches. The challenge they face is that the number of vulnerabilities that need to be addressed within application environments is overwhelming. In fact, a recent report from Checkmarx detailed how cybercriminals use the same techniques to implant malware across applications developed using different programming languages.
It’s not clear how much organizations are embracing DevSecOps best practices to improve application security. The challenges to adopting DevSecOps are as much cultural as they are technical. For the most part, cybersecurity teams aren’t integrated within application development and deployment workflows. The tools cybersecurity teams use to discover vulnerabilities are not easily integrated with the DevOps workflows that many organizations use to build applications.
It may be just a matter of time before the cultural divide that exists between cybersecurity and application development teams is finally bridged, especially as tools that address the needs of both teams become more available. In the meantime, cybersecurity teams would be well advised to spend some time reviewing how applications are actually developed. At the very least, it should prove to be an eye-opening experience that may lead to more empathy all around.