source code analysis - the value of partial code scanning

Partial Code Scanning: Source Code Analysis For The Masses. Maty Siman, CISSP, Checkmarx CTO

Upload: checkmarx

Post on 14-Jun-2015


DESCRIPTION

The presentation used by Maty Siman, the Founder and CTO of Checkmarx, during the webinar that discussed the benefits of being able to scan partial code samples (uncompiled / unbuilt code) as part of a static application security testing solution.

TRANSCRIPT

Page 1: Source Code Analysis - The Value Of Partial Code Scanning

Partial Code Scanning: Source Code Analysis For The Masses

Maty Siman, CISSP, Checkmarx CTO

Page 2

Checkmarx Application Understanding

    #include <stdio.h>

    int main(void) {
        int j = 0;
        int i = 0;

        while (i < 10) {
            if (i == 3) {
                j = j * 2;
            }
            j = j + i;
            i = i + 1;
        }

        printf("%d\n", j);
        printf("%d\n", i);   /* the slide reads "%d,n", a typo for "%d\n" */
        return 0;
    }

[Diagram: the program above abstracted into a control-flow graph with the nodes Enter, j = 0, i = 0, while (i < 10), if (i == 3), j = j * 2, j = j + i, i = i + 1, printf(j), printf(i)]

Abstraction

DB: use queries to pick the brain on security, quality & performance

Page 3

Enabler: The Virtual Compiler

[Diagram: components of the analysis engine]

Input languages: Ruby, Apex, .Net, C, C++, Java, VB/ASP, PHP, Android

Virtual Compiler: Language Adaptor, Syntax Compensator, Linkage Resolver

Common Language Form

Code & Flow Database

Exhaustive Flow Scanner, Detection Engine, Code Enhancer
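Slides 2 and 3 give the pipeline in outline only: source is abstracted into a flow graph, stored in a code & flow database and queried for security properties, while a syntax compensator and linkage resolver let uncompiled fragments through. The Python below is an added illustration of that idea; it is not Checkmarx code and makes no claim about the product's internals. The statement form, the node ids, the helper names read_request and build_greeting, and the source/sink rules are all constructed for the example. It lowers the slide-2 loop and a second, deliberately incomplete fragment (no main, two undefined helpers) into a small statement graph, records undefined callees as stubs instead of aborting the scan, and answers data-flow queries over each graph with a worklist that iterates to a fixpoint so the loop converges.

```python
from collections import deque


class Node:
    """One statement already lowered to a language-neutral form (the slides'
    "common language form"). defs/uses are variable names; callee is set on calls."""

    def __init__(self, nid, text, defs=(), uses=(), callee=None, succ=()):
        self.id, self.text = nid, text
        self.defs, self.uses = set(defs), set(uses)
        self.callee, self.succ = callee, list(succ)


class FlowDB:
    """Toy 'code & flow database': a statement graph plus a stub list for callees
    the scanned code never defines (the linkage-resolver role on slide 3)."""

    def __init__(self, nodes, known_functions):
        self.nodes = {n.id: n for n in nodes}
        self.preds = {n.id: [] for n in nodes}
        for n in nodes:
            for s in n.succ:
                self.preds[s].append(n.id)
        # Partial-code compensation: a call to an undefined function is recorded
        # and summarised as "result may depend on every argument" rather than
        # failing the scan the way a real compiler/linker would.
        self.stubs = sorted({n.callee for n in nodes
                             if n.callee and n.callee not in known_functions})

    def taint_from(self, source_ids):
        """Forward data flow. Returns, for every node, the set of variables that
        carry data originating at `source_ids` on entry to that node. Worklist
        iteration to a fixpoint, so the loop in the slide-2 program converges."""
        tin = {nid: set() for nid in self.nodes}
        tout = {nid: set() for nid in self.nodes}
        work = deque(self.nodes)
        while work:
            nid = work.popleft()
            n = self.nodes[nid]
            inc = set().union(*(tout[p] for p in self.preds[nid]))
            out = inc - n.defs
            # A statement's definitions become tainted when it is a source, or
            # when any operand (a call argument included, via the stub rule) is.
            if nid in source_ids or (n.uses & inc):
                out |= n.defs
            if inc != tin[nid] or out != tout[nid]:
                tin[nid], tout[nid] = inc, out
                work.extend(n.succ)
        return tin

    def reaches(self, source_id, target_id):
        """Does a value defined at `source_id` reach an operand of `target_id`?"""
        target = self.nodes[target_id]
        return bool(target.uses & self.taint_from({source_id})[target_id])

    def flows(self, source_callees, sink_callees):
        """Security query: (source call, sink call) pairs where a source's result
        reaches a sink argument, e.g. untrusted input used as a printf format."""
        found = []
        for s in self.nodes.values():
            if s.callee not in source_callees:
                continue
            tin = self.taint_from({s.id})
            for k in self.nodes.values():
                if k.callee in sink_callees and (k.uses & tin[k.id]):
                    found.append((s.text, k.text))
        return found


# Slide 2's program, hand-lowered into the statement form (ids are constructed).
SLIDE2 = FlowDB([
    Node(0, "enter", succ=[1]),
    Node(1, "j = 0", defs=["j"], succ=[2]),
    Node(2, "i = 0", defs=["i"], succ=[3]),
    Node(3, "while (i < 10)", uses=["i"], succ=[4, 8]),
    Node(4, "if (i == 3)", uses=["i"], succ=[5, 6]),
    Node(5, "j = j * 2", defs=["j"], uses=["j"], succ=[6]),
    Node(6, "j = j + i", defs=["j"], uses=["j", "i"], succ=[7]),
    Node(7, "i = i + 1", defs=["i"], uses=["i"], succ=[3]),
    Node(8, "printf(j)", uses=["j"], callee="printf", succ=[9]),
    Node(9, "printf(i)", uses=["i"], callee="printf"),
], known_functions={"printf"})

# A constructed fragment that does not compile on its own: no main(), and the
# two helpers are defined in files that are not part of the scan:
#   char *name = read_request("name");
#   char *msg  = build_greeting(name);
#   printf(msg);
FRAGMENT = FlowDB([
    Node(20, "enter", succ=[21]),
    Node(21, 'name = read_request("name")', defs=["name"],
         callee="read_request", succ=[22]),
    Node(22, "msg = build_greeting(name)", defs=["msg"], uses=["name"],
         callee="build_greeting", succ=[23]),
    Node(23, "printf(msg)", uses=["msg"], callee="printf"),
], known_functions={"printf"})


if __name__ == "__main__":
    print("slide 2: i = 0 reaches printf(j)?", SLIDE2.reaches(2, 8))  # True, via j = j + i
    print("slide 2: j = 0 reaches printf(i)?", SLIDE2.reaches(1, 9))  # False
    print("fragment stubs:", FRAGMENT.stubs)
    print("fragment flows:", FRAGMENT.flows({"read_request"}, {"printf"}))
```

The difference from a compiler is the stub rule: a compiler stops at the undefined symbol, whereas the analyzer lists it in `stubs`, assumes the call's result may carry its arguments, and still reports the read_request-to-printf flow. That conservative summary is also why partial scans produce more false positives than a scan of fully linked code; a reviewer triaging results should expect findings that pass through stubbed calls to need confirmation once the real callee is available.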

Page 4

Partial Scanning Enables: Security Testing Throughout The SDLC

[Chart: escalating cost to find and fix a defect or design flaw as it is discovered late in the Software Development Life Cycle (IDC, 2005). Vertical axis: Time & Cost. Horizontal axis: the phases Design, Coding, QA, Production, with Code Inspection, Unit Testing, Integration Testing and System Testing placed along them.]

Cost to find/fix a defect during integration/system test is 15-90 times higher than at design/coding.

Static analysis tools find defects and design flaws "in phase".

CHECKMARX patented and revolutionary technology allows reviewing uncompiled code throughout the SDLC.

Very difficult to run compiled code scans.

Page 5

Partial Scan Benefit Summary

Scan source code = Easy setup

Compile unnecessary = Full SDLC

Analyzed for security = High accuracy

Flexible Architecture = Scan anytime, anywhere

Try Checkmarx immediately at:

www.cxprivatecloud.com

Page 6

Case Study 1: salesforce.com's Gatekeeper

• 135,000 custom applications
• 200,000 developers, growing community
• Proprietary scripting language

Partner/Customer Source code

Powered by

Page 7

Mandatory certification: salesforce.com

The first on-demand source code analysis tool solely built for a platform as a service.

Page 8

Case Study 2: Large ISV - Fully Automated Vulnerability Lifecycle

Page 9

Case Study 3: Large ISV with ~20,000 customers worldwide - Supports Clients' Plug-ins

Page 10

Eclipse Plugin – Enables Partial Code Scanning

Page 11

Thank you!

Maty Siman, CTO, [email protected]

To learn more, please visit www.checkmarx.com