SOURCE: Checkmarx

October 27, 2009 08:00 ET

Checkmarx Introduces Groundbreaking New Secure Coding Technology

Checkmarx Virtual Compiler™ Forever Changes Security Code Analysis: Developers and Auditors Can Now Scan Code at Any Time Without a Compiler

Checkmarx Offers Free Trial

TEL AVIV, ISRAEL--(Marketwire - October 27, 2009) - Checkmarx, the leading code analysis company, today announced a groundbreaking new innovation in secure coding: the Checkmarx Virtual Compiler for static security code analysis allows source code to be scanned in real time without using a compiler. This innovation gives developers, auditors and security professionals the ability to fulfill the promise of secure coding and fix flaws at the earliest stages of development. The Checkmarx Virtual Compiler is available today and is in use by many leading companies worldwide.

Code vulnerabilities are behind most security issues. Historically, static code analysis tools have been used to combat software vulnerabilities, but they require an almost complete, buildable software project before scanning can take place. Because analysis is pushed to the end of the development process, fixing the flaws it finds is costly, which nullifies much of the benefit of static analysis. For more information on the adoption challenges of static code analysis tools, please see http://blogs.gartner.com/neil_macdonald/2009/03/07/application-security-a-tool-cannot-solve-what-fundamentally-is-a-process-problem/.

These static analysis products rely on compilation, the process of converting source code into executable software that computers can understand, in order to conduct code analysis. Compilation is a technical bottleneck: it requires a working build environment, all dependencies, and code that is complete enough to build. The Checkmarx Virtual Compiler gives developers the ability to scan unbuilt code, enabling static analysis earlier in the development life cycle, when it is most useful. For security auditors, virtual compilation means audits can be conducted at any time on any code base without having to reproduce a developer's build environment.

"The Checkmarx Virtual Compiler means developers can finally fix code on the assembly line instead of having to wait until the software is almost out the door," explained Checkmarx CTO and founder Maty Siman. "The reliance on compiling means serious security issues can be missed. For example, a recent vulnerability in the Linux kernel was released into the wild due to an inability to build code properly," referring to a null pointer flaw (http://www.internetnews.com/security/article.php/3831716/Finding+Linux+Bugs+Before+they+Become+Exploits.htm) uncovered in July 2009.

"Today, companies struggle to meet compliance mandates as well as eliminate the risk in applications. For source code analysis to succeed as a part of a robust application security initiative, it must take place as early in the development process as possible," said Neil MacDonald, Vice-President and Gartner Fellow.

The Checkmarx Virtual Compiler takes source code in any supported language and transforms it into a unified intermediate form that can then be queried for vulnerabilities, without linking, resolving dependencies, or producing an executable. It is significant because:

--  It is platform independent -- All you need is source code. It does not
    matter whether the developer uses Linux, Windows, Apple or Solaris as the
    operating system. Today, Checkmarx supports a wide range of general-purpose
    and proprietary languages, including Java, .NET, C/C++ and salesforce.com's
    Apex and Visualforce.
--  It can be used at any phase of development -- Traditional code
    scanning means compiling and linking, so the system build must run
    first, followed by any other tests or automated activities. Should the
    system fail to build that night, the static security analysis will not
    run, and any security issue that would have been discovered in the run
    is missing from the morning's triage. With the Virtual Compiler, these
    obstacles go away: a module with a missing dependency or a broken
    neighbour still gets scanned.
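
The point of the second item can be seen with a small added illustration (this is not Checkmarx code and does not show how the Virtual Compiler's unified form works; it is a toy written for this page). The constructed sample module below imports a package that does not exist, so it can neither be built nor run, yet it can still be parsed and checked for a classic flaw: a function parameter flowing into a shell-executing call. The sink list and the sample file are assumptions made for the example.

```python
"""Added illustration (not Checkmarx code): scanning source that cannot be built."""
import ast
import importlib.util

# Constructed sample module, not from the original article. Its first import
# cannot be resolved, so a real build or test run would fail before any
# compile-based scanner got to see it.
SAMPLE = '''
import fancy_internal_lib   # unresolvable dependency: the build stops here

def ping(host):
    import os
    os.system("ping -c 1 " + host)            # caller-controlled data reaches a shell

def safe_ping(host):
    import subprocess
    subprocess.run(["ping", "-c", "1", host]) # argv list: no shell parsing of host

def greet(name):
    return "hello " + name
'''

# Assumed sink list for the example: calls that hand a string to a shell.
SHELL_SINKS = {("os", "system"), ("os", "popen"), ("subprocess", "call")}


def _sink_name(call):
    """Return (module, attr) for a call such as os.system(...), else None."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    return None


def _names_in(node):
    """Every bare identifier referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def build_would_fail(src):
    """True if the module imports a top-level name that cannot be found here."""
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if importlib.util.find_spec(alias.name) is None:
                    return True
    return False


def scan_source(src, filename="<sample>"):
    """Parse src without importing or executing it; report parameter-to-sink flows.

    ast.parse needs only syntactically valid text: nothing is resolved, linked or
    run, which is exactly why a missing dependency does not stop the scan.
    Simplification: only direct use of a parameter in a sink argument counts
    (string concatenation, f-strings, format calls), not assignments through
    intermediate variables, and nested defs are not handled separately.
    """
    tree = ast.parse(src, filename=filename)
    findings = []
    for fn in ast.walk(tree):
        if not isinstance(fn, ast.FunctionDef):
            continue
        params = {a.arg for a in fn.args.args}
        for call in ast.walk(fn):
            if not isinstance(call, ast.Call) or _sink_name(call) not in SHELL_SINKS:
                continue
            tainted = set()
            for arg in call.args:
                tainted |= _names_in(arg) & params
            if tainted:
                findings.append({
                    "function": fn.name,
                    "line": call.lineno,
                    "sink": ".".join(_sink_name(call)),
                    "tainted": sorted(tainted),
                })
    return findings


if __name__ == "__main__":
    print("build would fail:", build_would_fail(SAMPLE))
    for finding in scan_source(SAMPLE):
        print(finding)
```

Run stand-alone, the script reports that the build would fail and still produces one finding, for `ping` on the `os.system` line, while `safe_ping` (an argv list, no shell) and `greet` are left alone. A real product does far more than this (cross-function data flow, a normalised representation across languages, a query language over it), but the property the press release is selling is the one shown here: the scan runs on the source as it is, not on what the build manages to produce.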

Checkmarx is offering a free trial of its code analysis: http://www.checkmarx.com/CxDownloadRequest.aspx?id=3

Here is a white paper describing the Checkmarx Virtual Compiler technology: http://www.checkmarx.com/CxDownloadRequest.aspx?id=4

About Checkmarx

Checkmarx is the leading provider of source code analysis. Founded in 2006, Checkmarx provides comprehensive solutions for automated security code review. Its technology is used by large corporations and by small and medium-sized organizations across all industries. Checkmarx pioneered the concept of a query language-based solution for tracking technical and logical code vulnerabilities, and continues to bring new innovative solutions to market to fulfill its vision of a hacker-free world. www.checkmarx.com.