2. About
Maty Siman, CISSP
CTO, Founder – Checkmarx:
Leading SAST (“Source Code Analysis”) vendor
Hundreds of customers worldwide
Secures the SalesForce AppExchange marketplace
“Visionary” by Gartner
4. Issues at hand – size, complexity, volume
The biggest challenge for current source code
analysis solutions is size:
How to deliver
1. Usable results
2. Automatically
3. Out-of-the-box
4. Actionable
for extra-large code bases with thousands of
results or more
5. Issue
• Finding thousands of accurate results does not
make us happy …
• WebGoat, for example, has hundreds of XSS findings
• We’ll narrow these down to 10 fix locations
6. Current situation
• Each result has a data flow, presented
independently from other findings.
7. Single Data Flow Path - XSS
Request.QueryString["param1"];                 // source: untrusted query-string input
String s = Request.QueryString["param1"];      // tainted value assigned to s
…
s                                              // s propagates, unvalidated and unencoded
Response.Write(s);                             // sink: written straight into the HTML response
22. Benefits
• Gives you the correlation between findings of
the same type (e.g. SQLi) and of different types.
• You are not dealing with individual findings –
but with a complete system
• Use your time better
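As an added example (not code from the slides or from Checkmarx's product), the Python below shows one way to go from many independent data-flow paths, like the XSS path on slide 7, to a short list of fix locations, which is the correlation the benefits slide describes. Each finding is a vulnerability type plus an ordered list of flow nodes (file, line, code); the selection is a greedy hitting set that repeatedly picks the node lying on the most unresolved flows. The sample findings, file names and line numbers are constructed for the example and loosely modelled on a WebGoat-style application; the tie-breaking rule (prefer the node closest to the source) is an assumption, not Checkmarx's algorithm.

```python
"""Greedy 'best fix location' selection over source-code-analysis data flows.

Added example for the slides above; not Checkmarx code. Findings, file names
and line numbers below are constructed sample data.
"""
from typing import Dict, List, Tuple

# A flow node is (file, line, code); a finding is its vulnerability type plus
# the ordered flow from source (index 0) to sink (last index).
Node = Tuple[str, int, str]
Finding = Tuple[str, List[Node]]

# Constructed sample findings: several XSS and SQLi flows share nodes.
SAMPLE_FINDINGS: List[Finding] = [
    ("XSS", [("Login.aspx.cs", 12, 'Request.QueryString["param1"]'),
             ("Login.aspx.cs", 12, 'String s = Request.QueryString["param1"];'),
             ("Login.aspx.cs", 30, "Response.Write(s);")]),
    ("XSS", [("Login.aspx.cs", 12, 'Request.QueryString["param1"]'),
             ("Login.aspx.cs", 12, 'String s = Request.QueryString["param1"];'),
             ("Login.aspx.cs", 45, "Response.Write(s);")]),
    ("XSS", [("Search.aspx.cs", 8, 'Request.Form["q"]'),
             ("Util.cs", 20, "String Normalize(String q)"),
             ("Search.aspx.cs", 40, "Response.Write(q);")]),
    ("SQLi", [("Search.aspx.cs", 8, 'Request.Form["q"]'),
              ("Util.cs", 20, "String Normalize(String q)"),
              ("Dao.cs", 55, "cmd.CommandText = \"SELECT * FROM users WHERE name = '\" + q + \"'\";")]),
    ("SQLi", [("Admin.aspx.cs", 3, 'Request.QueryString["id"]'),
              ("Dao.cs", 55, "cmd.CommandText = \"SELECT * FROM users WHERE name = '\" + q + \"'\";")]),
]


def best_fix_locations(findings: List[Finding]) -> List[Tuple[Node, List[str], List[int]]]:
    """Greedy hitting set over flow nodes.

    Repeatedly choose the node that lies on the most unresolved flows, mark
    those flows resolved, and continue until every flow is hit. Ties go to
    the node nearest the source (assumed heuristic: a fix there is usually an
    input-validation point rather than a per-sink patch). Returns a list of
    (node, vulnerability types resolved there, finding indices resolved there).
    """
    remaining = set(range(len(findings)))
    fixes: List[Tuple[Node, List[str], List[int]]] = []
    while remaining:
        # node -> {finding index: position of that node within the flow}
        on_paths: Dict[Node, Dict[int, int]] = {}
        for i in remaining:
            for pos, node in enumerate(findings[i][1]):
                on_paths.setdefault(node, {}).setdefault(i, pos)

        def score(node: Node) -> Tuple[int, float, Node]:
            hits = on_paths[node]
            avg_pos = sum(hits.values()) / len(hits)
            # more flows hit, then closer to the source, then stable ordering
            return (len(hits), -avg_pos, node)

        best = max(on_paths, key=score)
        covered = sorted(on_paths[best])
        fixes.append((best, [findings[i][0] for i in covered], covered))
        remaining -= set(covered)
    return fixes


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per vulnerability type (the 'hundreds of XSS' number)."""
    counts: Dict[str, int] = {}
    for vuln_type, _ in findings:
        counts[vuln_type] = counts.get(vuln_type, 0) + 1
    return counts


if __name__ == "__main__":
    print("findings per type:", summarize(SAMPLE_FINDINGS))
    for node, types, idx in best_fix_locations(SAMPLE_FINDINGS):
        file, line, code = node
        print(f"fix at {file}:{line}  {code}")
        print(f"    resolves findings {idx} of type(s) {sorted(set(types))}")
```

On the constructed data the five findings collapse to three fix locations, two of them input-read points that each cut two flows. Two caveats a practitioner will want: greedy set cover is an approximation, so it can return a slightly larger set than the true minimum on adversarial layouts; and when one node resolves findings of different types (the `Request.Form["q"]` node above carries both an XSS and an SQLi flow), the fix applied there must be adequate for every downstream sink type, since HTML encoding at the source does nothing for the SQL sink and parameterizing the query does nothing for `Response.Write`.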