Security Code Review

It is well known that eliminating software bugs and vulnerabilities at the requirements stage and early in the software development lifecycle (SDLC) can reduce the cost of repair over one hundred-fold compared to remedial action after go-live. The ideal is for code to be written under a secure development lifecycle which includes regular code review throughout the cycle, rather than as a one-off exercise just before going live. Unfortunately, the cost of true threat modelling is prohibitive for most organisations, other than the largest software vendors or financial institutions.

Not only is remedial action less costly the earlier it is addressed, but early review results in fewer fixes being required in the future. commissum’s blended approach, a combination of managed source code analysis and manual review, aligned to your organisation’s software development lifecycle, offers a cost-effective alternative approach that can run in parallel throughout the development cycle. commissum‘s service offers a comprehensive, accurate and targeted method of detecting potential security vulnerabilities while the code is still in the development stage.

commissum partners with Checkmarx

commissum’s partner for static code analysis is one of the leading innovators in this field, Checkmarx. Checkmarx was recognized as a Visionary in the Gartner Magic Quadrant for Static Application Security Testing; and was named Gartner Cool Vendor in Application Security intheir 2010-report.

The Checkmarx approach provides a comprehensive source code security analysis solution offering both hundreds of out of the box security queries and customisation capabilities, designed to cover the widest possible range of vulnerability checks. The patented Checkmarx query language (CxQL) is able to identify vulnerabilities in the code, with virtually zero false-positives, as well as allowing customers to tailor existing queries or design their own queries.

A unique feature of the Checkmarx’s offering is its ability to scan the source code at any stage of the development cycle using its innovative Virtual Compiler. The solution seamlessly integrates into the Software Development Life Cycle (SDLC), and provides a high degree of flexibility and configurability by supporting a wide range of vulnerability categories, OS platforms, programming languages and frameworks.

Features of the Checkmarx solution include:

  • Extremely accurate: Virtually zero false: positives provide an effective solution to include in SDLC.
  • Patented Virtual Compiler: Scan any code fragment even non-compiled or linked, enabling security testing at early stages of the development cycle.
  • Attack flow visualization: Attack path is fully presented for easy investigation providing full flaw reasoning.
  • Query language: An intuitive query language is available for tailoring checks to customer needs.
  • Vulnerability coverage: Hundreds of out-of-the-box security checks.
  • Business logic vulnerability review: Unmatched capability to investigate logical flaws that can lead to substantial business risk.
  • Wide coverage of languages: many programming languages including all Java & .NET families as well as cloud based languages like Apex and Visual Force.

When combined with the commissum wider Application Assurance Lifecycle Security approach, security is built in to the process, not merely added on. An approach that meets the requirements laid down by PCI DSS, as well as being best practice for any development project.

commissum partners with checkmarx website