2016 Corporate Presentation


CORPORATE PRESENTATION 2016.
ABOUT US

Founded in 2006
Enterprise Grade Application Security Solutions
Award winning unique Technology
1,000 Happy Customers
Your AppSec program trusted partner
CHECKMARX TOP CUSTOMERS

Hitech, Retail, Finance, Health & Insurance, Gov & Defense, Gaming, Consulting, Media, Telecom

WHAT ACTUALLY MATTERS IN APPLICATION SECURITY TESTING?

DEVELOPERS WANT TO CODE. APPSEC WANT TO TEST.
NO SECURITY SOFTWARE WORKS SITTING ON THE SHELF.

DEVELOPERS’ ADOPTION IS THE MOST IMPORTANT CRITERION OF SECURITY TESTING
CHECKMARX – CHOOSE WHAT DEVELOPERS USE

CHECKMARX MAKES SECURITY TESTING EASIER TO SWALLOW
FITTING IN SEAMLESSLY WITH HOW DEVELOPERS WORK
OUR OFFERING.
CHECKMARX OFFERING

OFFERING: Static Application Security Testing (SAST); Open Source Analysis (OSA)
SOLUTION TYPE: Security Gate; SDLC
DELIVERY MODEL: Client Operated; Checkmarx as a Service (Fully Managed service)

SOLUTIONS THAT FIT ANY BUSINESS NEED AND OPERATION TYPE
FITTING IN SEAMLESSLY WITH HOW DEVELOPERS WORK.
EASY FOR DEVELOPERS

IDE integration
Vulnerable line of code
Where to fix?
Detailed remediation advice
FLUENT IN ALL MAJOR LANGUAGES

Supports 20 coding and scripting languages and their frameworks
Coverage for the latest development technologies
Zero configuration to scan any language
EFFORTLESS SCAN = EASE OF USE

No complex command-line or wizards required
No dependencies need to be configured
No learning curve when switching between languages
Just throw code at it!


FAST FEEDBACK LOOP

Incremental scan capability only analyzes new or modified code
Reduces scanning time by more than 80%
Ideal for continuous integration
FLEXIBLE RULES = HIGH ACCURACY

Adapt the rule set to your proprietary code and minimize False Positives
Expand the rules to your own compliance requirements and coding best practices
Understand the root cause for each result
AUTOMATICALLY ENFORCE YOUR SECURITY POLICY

Seamlessly integrates with IDEs, build management servers, bug tracking tools and source repositories
Becomes an integral part of the SDLC
Aligns security testing with quality testing
SAVE PRECIOUS REMEDIATION TIME

Unique “Best Fix Location” algorithm fixes multiple vulnerabilities at a single point
Any developer can do it
Tons of time saved for developers!


OPEN SOURCE ANALYSIS

Inventory: which open source components are used?
Security: which known open source vulnerabilities exist and how to fix them
Legal: ensure open-source license usage compliance
NO DEVELOPER DOWNTIME

Scan on server instead of developer’s workstation
No slowdown or lockup while scans are running
Developers can continue working on their machines with no interruption
THE RESULT: EARLIER SCANNING. LESS COSTS. MORE SECURE.

COST OF A SECURITY BUG AT EACH DEVELOPMENT STAGE
Development: $80
Build: $240
QA/Testing: $960
Production: $7600
Chart annotation: Checkmarx detects here

Source: Ponemon Institute; National Institute of Standards and Technology
BOTTOM LINE

Developers love Checkmarx because it fits how they work and scans code as soon as it is created.
This leads to:
Fewer vulnerabilities
Lower costs
Far more secure applications
LOVED BY DEVELOPERS

“Using Checkmarx is easier than other tools.”
- Vitaly Osipov, Information Security Expert, Atlassian

“Checkmarx is loved by both our infosec team and our developers.”
- Kobi Lechner, Information Security Manager, Playtech

“…over 2.5 Billion LoCs scanned to date and over 2 Million vulnerabilities detected…”
- Security Team, Salesforce.com

“Checkmarx’s technology is highly accurate, and easy to use.”
- Yair Rovek, Security Specialist, LivePerson


THANK YOU.
BACKUP SLIDES.
THE SOLUTION FOR APPSEC PROGRAM MATURITY

Chart: # Bugs/year against Timeline (Today, +6 months, +12 months), one curve per approach:
PenTesting
DAST
Security Gate SAST
SAST integrated into the SDLC

Based on Checkmarx experience of over 1,000 customers


METHODOLOGY FIT FOR YOUR ORGANIZATION

Existing AppSec Tools; Existing Dev Tools
AppSec Program: Tools, Skills, Processes
Inputs: Programming Languages; Developers’ Knowledge; AppSec Maturity; Risk Tolerance; Development Practices; Code Source
FROM DISCOVERY TO OFFERING

Discovery: Development Landscape; AppSec State
AppSec Offering:
Delivery Models: Products; Services; Mix & Match
Solution Types: Security Gate; SDLC; Continuous Security
HELPING YOU GET FROM “A” TO “B”

Product / Service
Security Gate / SDLC
SOLUTION TYPES

Security Gate (AppSec, Developers): Develop > Test > Deploy
SDLC (Developers): Develop > Test > Deploy
Continuous Security: SDLC + CI: Develop & Test > Deploy

DEPLOYMENT SERVICES – ALIGNING PEOPLE & PRODUCTS

Checkmarx Academy:
Advanced security training for AppSec team
Administration Course

Checkmarx Kick-Start:
Define KPIs for success
Set your AppSec workflow
Integration with your dev environment
Results review and remediation workshop
Open source scan


THE PATH TO APPSEC MATURITY

Installation: Production ready. Configuration, documentation and administration training.
Project scan: Online project scan results. Removal of main FP results. Project scan report.
Onboarding: Developer access to results via IDE. Automated scans as part of a build process.
Ticketing & Reporting: Automated bug reports in tracking system and integration with external SDLC dashboards.
Remediation Advice: Written remediation advice and action plan on next steps.
UNDER THE HOOD
CHECKMARX SAST ARCHITECTURE

Open scan engine technology
Code & Flow DB
Security Query
Beyond Security
Detection Engine
CHECKMARX SDLC INTEGRATION POINTS – AGILE

Design
Develop: Developer IDE Plugins; Build Servers (Bamboo, CLI); Web Service API
Build: Backlog (self test); Scan Automation; SVN, TFS
Test: TFS; Ticketing / Bug Tracking Systems; Dashboards; Data Export API
Release Decision: CLI, Web Services API; Security Gate Scanning
VULNERABILITY COVERAGE – COMPLIANCE

OWASP TOP 10 & Mobile; SANS 25; CWE
PCI DSS; HIPAA; BSIMM

Mix and match existing presets or create your own policy


CHALLENGE #1: LACK OF SECURE CODING KNOWLEDGE

Developers vs. Security Manager
Developers: “?!?!” “HUH..?” “SQL..?”

CHALLENGE #2: OUTNUMBERED

Developers vs. Security Manager

CHALLENGE #3: LACK OF BUDGET
THE COST OF DELAY

EVERY DELAY OF APPLICATION SECURITY TESTING COSTS BIG $$$

Chart: $ Benefits Per Month against Time, showing the Delay Cost of Late Entry.

Checkmarx enables on-the-fly scanning and on-the-spot fixing.
This means less delay and less time and money wasted.

DEMO.
