The presentation used by Maty Siman, Founder and CTO of Checkmarx, during the webinar on the benefits of being able to scan partial code (uncompiled, unbuilt code) as part of a static application security testing (SAST) solution.
2. Checkmarx Application Understanding

Sample program from the slide (reproduced as written there, with the missing #include, the return type of main and the newline escapes fixed so that it compiles):

```c
#include <stdio.h>

int main(void)
{
    int j = 0;
    int i = 0;
    while (i < 10) {
        if (i == 3) {
            j = j * 2;
        }
        j = j + i;
        i = i + 1;
    }
    printf("%d\n", j);
    printf("%d\n", i);
    return 0;
}
```

[Slide diagram: the source is abstracted into a flow graph (Enter -> j=0, i=0 -> while (i<10) -> if (i==3) -> j=j*2 -> j=j+i -> i=i+1 -> printf(j), printf(i)) that is stored in a DB; queries are then used to "pick the brain" of that DB on security, quality and performance.]
3. Enabler: The Virtual Compiler

[Slide diagram of the Virtual Compiler pipeline:]

Input languages: Java, .Net, C, C++, VB/ASP, PHP, Apex, Ruby, Android
  -> Language Adaptor (Syntax Compensator, Linkage Resolver)
  -> Code Enhancer
  -> Common Language Form
  -> Exhaustive Flow Scanner
  -> Detection Engine, backed by the Code & Flow Database
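The pipeline sketched on slides 2 and 3 (source abstracted into a flow graph, stored in a DB, queried for security and quality findings, with an adaptor that does not need the code to build) can be illustrated with a small working model. The block below is an added example written for this page; it is not code from the presentation or from Checkmarx, and its mini-language (a few statement shapes of C), its SQLite table layout, the function names parse_snippet, load, reachable, unresolved_calls and flows, and the constructed PARTIAL_SNIPPET input are all assumptions made for the illustration. An unknown callee such as build_cmd is recorded as unresolved instead of stopping the scan, and the flows query then finds that the value returned by getenv reaches the argument of system through an intermediate assignment.

```python
"""Toy 'virtual compiler' for partial code (added example, not Checkmarx's code): parse an
uncompiled C-like function into a flow graph without resolving every symbol, store the graph
in SQLite and query it. The mini-language, table layout and helper names are assumptions."""
import re
import sqlite3
IDENT = re.compile(r"[A-Za-z_]\w*")
CALL = re.compile(r"([A-Za-z_]\w*)\s*\(")
KEYWORDS = {"if", "while", "int", "char", "void", "return"}
KNOWN_FUNCS = {"printf", "getenv", "system"}  # all the 'linkage' this toy can resolve
# Constructed partial snippet: build_cmd() is defined nowhere in the input.
PARTIAL_SNIPPET = r"""
void handler()
{
char *user = getenv("USER");
char *cmd = build_cmd(user);
system(cmd);
}
"""

def idents(text):
    """Variables an expression reads: identifiers minus keywords, callees and strings."""
    text = re.sub(r'"[^"]*"', "", text)
    skip = KEYWORDS | set(CALL.findall(text))
    return {t for t in IDENT.findall(text) if t not in skip}

def parse_snippet(src):
    """Flow graph (nodes, edges) of one C-like function; unknown callees are kept as unresolved."""
    nodes, edges, preds, stack = [], [], [], []
    def add(kind, stmt, defs=(), uses=(), callee=None):
        nid = len(nodes)
        nodes.append(dict(id=nid, kind=kind, stmt=stmt, defs=set(defs), uses=set(uses),
                          callee=callee, resolved=callee is None or callee in KNOWN_FUNCS))
        edges.extend((p, nid) for p in preds)  # one flow edge from each predecessor
        return nid
    preds = [add("enter", "enter")]
    for raw in src.splitlines():
        line = raw.strip().rstrip(";")
        if not line or line == "{" or re.match(r"^(void|int|char)\s+\w+\s*\(\)", line):
            continue  # function header and its opening brace
        block = re.match(r"^(while|if)\s*\((.*)\)\s*\{$", line)
        if block:
            cid = add(block.group(1), block.group(2), uses=idents(block.group(2)))
            stack.append((block.group(1), cid))
            preds = [cid]
        elif line == "}" and not stack:  # closing the function body
            preds = [add("exit", "exit")]
        elif line == "}":
            kind, cid = stack.pop()
            if kind == "while":  # back edge to the loop test, then fall out of the loop
                edges.extend((p, cid) for p in preds)
                preds = [cid]
            else:  # the false branch of an if skips its body
                preds = preds + [cid]
        else:
            line = re.sub(r"^(int|char)\s+\*?", "", line)  # drop a declaration's type
            lhs, eq, rhs = (s.strip() for s in line.partition("="))
            call = CALL.match(rhs if eq else lhs)  # assignment reads rhs; a call is the whole line
            preds = [add("assign" if eq else "call", line, defs=[lhs] if eq else (),
                         uses=idents(rhs if eq else lhs), callee=call and call.group(1))]
    return nodes, edges

def load(nodes, edges):
    db = sqlite3.connect(":memory:")  # the 'DB' the queries run against
    db.executescript("""CREATE TABLE node(id INTEGER PRIMARY KEY, kind, stmt, callee, resolved);
        CREATE TABLE edge(src, dst); CREATE TABLE defs(node, var); CREATE TABLE uses(node, var);""")
    db.executemany("INSERT INTO node VALUES (?,?,?,?,?)",
                   [(n["id"], n["kind"], n["stmt"], n["callee"], int(n["resolved"])) for n in nodes])
    db.executemany("INSERT INTO edge VALUES (?,?)", edges)
    db.executemany("INSERT INTO defs VALUES (?,?)", [(n["id"], v) for n in nodes for v in n["defs"]])
    db.executemany("INSERT INTO uses VALUES (?,?)", [(n["id"], v) for n in nodes for v in n["uses"]])
    return db

def reachable(db, start):
    """Node ids reachable from `start` along flow edges (recursive CTE; UNION ends cycles)."""
    sql = "WITH RECURSIVE r(n) AS (SELECT ? UNION SELECT e.dst FROM edge e JOIN r ON e.src = r.n) SELECT n FROM r"
    return {n for (n,) in db.execute(sql, (start,))}

def vars_of(db, table, node):
    return {v for (v,) in db.execute(f"SELECT var FROM {table} WHERE node = ?", (node,))}

def unresolved_calls(db):
    """Quality query: callees the linkage step could not resolve (the scan ran anyway)."""
    return sorted(c for (c,) in db.execute("SELECT DISTINCT callee FROM node WHERE resolved = 0"))

def flows(db, source, sink):
    """Security query: can a value produced by `source` reach an argument of `sink`? Taint spreads
    through assignments, flow-insensitively (no kills), so it over-approximates rather than misses."""
    found = []
    for sid, stext in db.execute("SELECT id, stmt FROM node WHERE callee = ?", (source,)).fetchall():
        tainted, reach = vars_of(db, "defs", sid), reachable(db, sid)
        new = tainted  # variables newly tainted in the last pass
        while new:  # spread taint through reachable assignments until a fixpoint
            new = {v for n in reach if vars_of(db, "uses", n) & tainted
                   for v in vars_of(db, "defs", n)} - tainted
            tainted |= new
        for n, stmt in db.execute("SELECT id, stmt FROM node WHERE callee = ?", (sink,)).fetchall():
            if n in reach and vars_of(db, "uses", n) & tainted:
                found.append((stext, stmt))
    return found
```

Calling flows(load(*parse_snippet(PARTIAL_SNIPPET)), "getenv", "system") returns the one pair [('user = getenv("USER")', 'system(cmd)')], and unresolved_calls on the same DB reports ['build_cmd']. The taint query is deliberately flow-insensitive: it ignores kills and branch conditions, so it reports every possible path and leaves the triage of false positives to the reviewer, which is the usual trade-off in a scanner that has to run on code that cannot yet be compiled or linked.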
4. Partial Scanning Enables: Security Testing Throughout The SDLC

Checkmarx's patented technology allows reviewing uncompiled code throughout the SDLC.

Static analysis tools find defects and design flaws "in phase". The cost to find and fix a defect during integration/system test is 15-90 times higher than at design/coding, and the chart notes that at that early stage it is very difficult to run compiled-code scans.

[Slide chart: time & cost (vertical axis) against the SDLC phases Design, Coding, QA and Production (horizontal axis), with the test activities Code Inspection, Unit Testing, Integration Testing and System Testing marked along it. Caption: Escalating cost to find and fix a defect or design flaw as it is discovered late in the Software Development Life Cycle (IDC, 2005).]
6. Case Study 1: salesforce.com's Gatekeeper

• 135,000 custom applications
• 200,000 developers, a growing community
• Proprietary scripting language (Apex, listed among the supported languages on slide 3)
• Scans partner/customer source code; powered by Checkmarx