Checkmarx SCG


Angkana Sawatwutthiphong – Regional Sales Manager TH / VN / Indochina (Angkana.sa@checkmarx.com)
Richard Lee – ASEAN Channel Technical ([email protected])
Edwin Lee – ASEAN Director ([email protected])
Agenda
- Checkmarx Overview: who Checkmarx is
- Checkmarx Software Security Platform Solution
  On premise & private cloud:
  - Cx SAST (Static Application Security Testing)
  - Cx SCA (Software Composition Analysis)
  - Cx CB (Codebashing)
  - Cx IAST (Interactive Application Security Testing)
  On SaaS:
  - Cx ASP (Application Security Platform)
- Product and Licensing
- Demo
- Open Discussion & Next step
/ Company History
Founded in 2006 by Emmanuel Benzaquen (CEO) and Maty Siman (CTO). Acquired by Hellman & Friedman in 2020.
Approximately 750+ employees worldwide as of January 2021… and growing!
Offices in North America, EMEA and APAC (Singapore, Mumbai and Shanghai).
APAC: started in 2015, APAC HQ since 2017. 22 personnel – SG (20), JKT (1), BKK (1).
Fun fact: we have changed logos 6 times since our founding.

Proprietary & Confidential | All Rights Reserved 3


2020
Since 2015, while 8 vendors were eliminated, 11 vendors were downgraded and 0 SAST vendors emerged, Checkmarx has been:
• Four years in a row a Leader
• The only Leader to win Gartner's Customer Choice

"Checkmarx performs best in DevSecOps and cloud-native environments, or where SAST is a high priority."
Gartner, May 2021


/ Checkmarx Named a SAST Leader by Forrester
RATED #1 IN STRATEGY for strength of product vision, planned enhancements, execution roadmap and market approach.

"Customers embracing modern development methodologies will benefit from Checkmarx's API support and deep integrations with CI/CD tooling." [1]

[1] The Forrester Wave™: Static Application Security Testing, Q1 2021, by Sandy Carielli, Amy DeMartine, Melissa Bongarzone, and Christine Turley, January 11, 2021.
/ Deployed by 1,600+ Customers in more than 70 Countries
Industries: Technology, Retail, Finance, Consulting, Media, Telecom, Health & Insurance, Gov & Defense, and Other.
Checkmarx Software Security Solutions
/ On-Premise & Private / Hosted Cloud
/ The Traditional Software Security Couple
SAST – White Box Security Testing
• Scans all codebase
• Examines application from the inside
• Doesn't require a deployed application

DAST – Black Box Security Testing
• Attacks application from the outside
• Can only detect reflective vulnerabilities
• Requires dedicated security testing


/ Checkmarx Software Security Platform
• Management, Correlation & Aggregation Platform
• SDLC Integration & Orchestration
• Engines: CxSAST, CxSCA, Codebashing, CxIAST
• AppSec Accelerator (Checkmarx Managed Service)
www.checkmarx.com


/ How CxSAST Works: how different teams use it
• Developers (IDE): programming, scan, review results; check code in to source control; open issue tickets in bug tracking.
• Security team: scan by zip / shared drive / command line / portal; review result reports; schedule scans.
• DevOps team: schedule builds on build servers; build / scan.
• QA team: manage issue tickets.


/ CxSAST: Enterprise-class, Developer-friendly
CxSAST is a high-speed, fully-automated, flexible, and accurate static analysis solution used to identify hundreds of security vulnerabilities in custom code components.
Shown in the IDE integration: the vulnerable line of code, where to fix, and detailed remediation advice.


/ Easy for Developers
Result view for \bookstore\BookDetail.cs: describes the attack vector, points to the place in code, identifies the language and vulnerabilities, and shows the best fix location.
/ Fluent in All Major Languages
• Supports 25 coding and scripting languages and their frameworks
• Coverage for the latest development technologies
• Zero configuration to scan any language


/ Sample Report : SAST


/ Overview of CxSCA
Checkmarx's next-generation SaaS open source security solution empowering customers to:
• Gain insight into their open source risk posture
• Prioritize risks that matter most, and triage easily
• Automate SCA workflows and streamline operations
• Based on a comprehensive database of known (CVE) vulnerabilities and unique (non-CVE) ones


/ Prioritize Remediation Efforts – Exploitable Path
• Leverages Checkmarx core IP – a leading code scanning technology
• Not scanning open source code; we indicate where open source is called
• Also available as part of CxSCA standalone offering
Diagram: Your Code → Open Source Code → Vulnerable Function

Slide comment (Susan StClair, 5/24/2020): "When would it not be? 'The' implies it's part of something else. Also, I thought standalone was problematic?"
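The exploitable-path idea above (an SCA finding matters most when your own code actually has a call path into the vulnerable open-source function) is shown here as an added example; it is not Checkmarx's code or algorithm, and the call graph, function names and finding IDs are constructed placeholders.

```python
"""Reachability triage: an SCA finding on an open-source package is tagged
'exploitable path' only if application code has a call chain into the
vulnerable function. Added illustration, not Checkmarx's implementation."""
from collections import deque

# Constructed call graph (caller -> callees). "app." nodes are the customer's
# own code, "lib." nodes are open-source code. Names are hypothetical.
CALL_GRAPH = {
    "app.main": ["app.handle_login", "app.render_page"],
    "app.handle_login": ["lib.auth.verify_token"],
    "lib.auth.verify_token": ["lib.auth.parse_jwt"],
    "app.render_page": ["lib.templates.render"],
    "lib.templates.render": ["lib.templates.escape"],
    "lib.archive.extract": ["lib.archive.write_entry"],  # never called from app
}

# Constructed SCA findings with placeholder IDs (not real CVE numbers).
SCA_FINDINGS = [
    {"id": "VULN-PLACEHOLDER-1", "package": "lib.auth", "function": "lib.auth.parse_jwt"},
    {"id": "VULN-PLACEHOLDER-2", "package": "lib.archive", "function": "lib.archive.extract"},
]


def find_path(graph, start, target):
    """Breadth-first search; returns the call chain from start to target, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in graph.get(path[-1], []):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def triage(findings, graph, entry_points):
    """Mark each finding exploitable if any app entry point reaches its function."""
    result = {}
    for finding in findings:
        path = None
        for entry in entry_points:
            path = find_path(graph, entry, finding["function"])
            if path:
                break
        result[finding["id"]] = {"exploitable_path": path is not None, "path": path}
    return result


if __name__ == "__main__":
    for vid, info in triage(SCA_FINDINGS, CALL_GRAPH, ["app.main"]).items():
        status = "EXPLOITABLE PATH" if info["exploitable_path"] else "not reached from app code"
        print(vid, status, " -> ".join(info["path"]) if info["path"] else "")
```

A finding with no path is still a vulnerable dependency to upgrade; the tag only orders the remediation queue.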
/ Sample Report : SCA


/ Supporting Common Languages and Package Managers
Objective C / Swift: Carthage, SwiftPM, CocoaPods


/ SAST and SCA
SAST: the code you write. Focus: weaknesses in proprietary code.
SCA: the code you use. Focus: vulnerabilities in open source components.

SAST strengths
• Pinpoints flaws in proprietary code
• Finds weaknesses early in the SDLC, when they are much less expensive to fix
• Detects weaknesses before code goes into production (i.e., before they become vulnerabilities)

SCA strengths
• Reliably detects and maps known open source vulnerabilities that cannot be found by other methods
• Provides a full accounting of the open source in use
• Monitors for new vulnerabilities that are discovered

Combine SAST and SCA to get a more complete picture.


/ The New Power Couple in the DevSecOps Era
SAST – White Box Security Testing
• Scans all codebase
• Examines application from the inside
• Doesn't require a deployed application

IAST – Grey Box Security Testing
• Leverages existing functionality testing, eliminating the need for separate security testing
• Analyzes the entire application stack, including 3rd party libraries
• Real-time feedback
• No operational overhead

DevOps-Ready
DAST remains as an ad-hoc process, leveraging pen testing.


/ Introducing CxIAST
CxIAST is a dynamic testing solution that monitors vulnerabilities in running applications while in testing (UAT) environments.
• Designed for DevOps – fits into QA and functional testing cycles, eliminating the need for separate security testing
• Industry's only IAST to fully integrate with a best-of-breed SAST solution – provides meaningful correlations that increase confidence levels in vulnerability findings and enable quicker remediation
• Ease of customization – custom query creation and tuning for optimized results
• Flexible deployment options – on premises in a private datacenter or hosted in a private tenant in AWS


/ CxIAST in Action
Components: Application Under Test, CxIAST Agent, Events Database, CxIAST Security Handler (query language).
1. Monitoring of application under test
2. Event collection during testing
3. Security queries execution (real-time & post-mortem)
4. Pushing vulnerabilities to the Dashboard


/ Identify Vulnerabilities on Running Application in Real-time

/ Visualizing the Value & Synergy – Correlation With CxSAST Results
CxSAST Scan vs CxIAST Scan

/ Sample Report : IAST


/ CxCB in a Nutshell
• Awareness is an ever-lasting need. In most cases, training is constrained to a limited time period.
• CxCodebashing is a gamified training & awareness learning platform that delivers fun & interactive learning in 5-8 minutes, for specific vulnerability types by language.
Programming language specific. See all moving parts of the application stack. Real vulnerable apps! Interactive course tutor.

• 100+ modules over multiple programming languages
• Top 25 vulnerabilities per language
• Content updates
• Scalable AppSec training for 10 - 10,000+ developers
• Management dashboard for analytics and reporting
• SAML/SSO integration option for frictionless user onboarding

THE WORLD RUNS ON CODE. WE SECURE IT.

/ Checkmarx integration: what it looks like
Which vulnerability is presented in the following code?
Integrate remediation and education.
/ Security in a Secure SDLC & DevOps Environment
Integration points across Dev and Ops: IDEs; source code management solutions; CLI and web services API; build/CI solutions; dashboarding; data export API; defect tracking.
/ Software as a Service (SaaS)
Checkmarx introduces Checkmarx AST Cloud – Software as a Service: where security speaks in a language developers understand. Secure Digital Transformation.
• Built for cloud generation development: tech stack and architecture, processes, vulnerabilities
• One click cloud application security platform: single stakeholder, single process, single product, no installations, no servers
• Based on Checkmarx industry-leading technology: with the widest coverage and best accuracy out there

Platform layers:
• SDLC Integration & Orchestration
• Unified Dashboard & Reporting
• Correlation layer
• Engines: Static Code Analysis, Open-Source Supply Chain Security, Infrastructure as Code, API Security, Just-in-time Training
• Public Cloud (SaaS)
• World-Class Professional Services

Multiple scan engines: API security, SAST and supply chain for app code (microservices A and B, external services, 3rd party); IaC (AWS); SCA, KICS, IAST.

Seamless integration with Dev tools: Checkmarx natively integrates with popular developer tools – SCM, IDEs, command line interface, CI/CD pipelines, feedback channels / advanced reporting (Actions*, Webhooks*). Integration capabilities can extend across any SDLC.
/ 6 Main Reasons Why Customers Approach Checkmarx
Pain points of our customers:

Organizational needs
1. Compliance – PCI, HIPAA, ISO, etc.

Minimizing the risk
2. Breach/Hack – either in response to a recent breach/hack, or they are in fear of being breached/hacked.

Time to market
3. Fast paced environment (Agile/DevOps) – business depends on its ability to release versions through its CI/CD pipeline. Organizations can't let security testing get in the way of release.

4. Customer SLA – customer insisting that they improve the security of the software.
5. Legacy SAST pain – customer is unhappy with their current AST solution/s' insufficient security testing coverage.
6. Too many AST products – too many products from different vendors are too confusing to remediate.


/ Product Packages and License
Full SDLC packages: based on user / project.
Components in package: 1 Cx-Server + 1 Cx-ConcurrentScans* + 1 Cx-Auditor.

CxSAST / Checkmarx Static Application Security Testing (on cloud & on premise)
Description: SAST solution including supported languages and frameworks, all out-of-the-box integrations, CLI and API, no limit on lines of code, no limit on number of scans.
License charge & package:
- Intro Package: 12 users & 10 projects
- Advance Package: 24 users & 20 projects
- Professional Package: 50 users & 35 projects
- À la carte: user & project
- Volume: user & project

CxSCA / Checkmarx Software Composition Analysis (on cloud)
Description: A standalone product to detect and manage security vulnerabilities for open-source libraries; can be sold with CxSAST.
License charge: By users [minimum 10 users]. A user who uses one of the product's user interfaces (Web, IDE plugin, etc.) must be provisioned as a named user, OR a user who consumes scan data extracted from the system in order to review/track or fix vulnerabilities. Projects/scanned units = 2x the number of users.

CxIAST / Checkmarx Interactive Application Security Testing (on cloud & on premise)
Description: Provides dynamic vulnerability detection without impacting development cycle times.
License charge: By applications. Minimum 5 apps / volume: 5-19 applications.

CxCodebashing (on cloud)
Description: Provides an in-context e-learning platform that sharpens the skills developers need to fix vulnerabilities and write secure code.
License charge: By user. Minimum user volume: 1-49.

Cx ASP / Checkmarx Application Security Platform (SaaS)
Description: Components: SAST + SCA + IaC (KICS). Unlimited scans for SAST, SCA, containers, KICS.
License charge: By user. Minimum 5 users. Concurrent scans: 1 scan per 10 developers.


/ Licensing – Charging Mechanism
Cx-Projects: defined as "A single code base, being maintained and changed over time.", scanned in a single scan operation; monolithic or micro-services. Example of 3 projects: iBanking App (Java/JS), iOS Mobile App, Android Mobile App.
Cx-Users: named user who uses the product's user interfaces (Web/Plugins); devs who commit code to SCM integrated with Cx.


/ Summary and Next step
More detail – Checkmarx Knowledge Center: https://checkmarx.atlassian.net/wiki/spaces/KC/overview

Next step:
- POC with YIP

