New Research From Checkmarx Prompts Supply Chain Security Solution to Restores Trust in Open Source Packages

Now available for use with Checkmarx Software Composition Analysis (SCA), the solution restores trust in modern application development while letting developers embrace open source code

RAMAT GAN, Israel and ATLANTA, March 22, 2022 /PRNewswire/ — Checkmarx, the global leader in developer-centric application security testing (AST) solutions, today announced the launch of the Checkmarx Supply Chain Security solution to identify suspicious and potentially malicious open source packages across the modern application development lifecycle.

According to Gartner®i, “By 2025, 60% of organizations will harden their software delivery pipelines to protect against supply chain security attacks.”

“Attackers are shifting their attention to the software supply chain by abusing open source software ecosystems, which have traditionally been trusted by the worldwide developer community,” said Checkmarx CEO Emmanuel Benzaquen. “Checkmarx is bringing a developer-first approach to detecting supply chain attacks in code packages, leveraging a comprehensive suite of threat intelligence, behavioral intelligence and machine-learning models.”

Supply Chain Security Research and Thought Leadership
Over the past few months, the Checkmarx security research team has identified hundreds of malicious open source packages. Research articles highlighting three main types – dependency confusion, typosquatting and chainjacking – are available in the Checkmarx blog. An additional report highlighting three emerging trends in malicious open source packages is available here.

Working in concert with Checkmarx Software Composition Analysis (SCA), Checkmarx Supply Chain Security identifies anomalies in the health and security of open source projects, analyzes contributor reputation and also directly interrogates the behavior of packages via analysis within a detonation chamber. The result is full-spectrum software supply chain insight and analysis that closes a significant gap in organizations’ application security.

“Current solutions in the market are reactive in that they rely on community feedback to detect vulnerable code and analyze the code, but not the person behind it,” said Tzachi Zorenstain, head of supply chain security at Checkmarx. “The Checkmarx Supply Chain Security solution is built on the principle of ‘don’t take code from strangers’ and instead references our reputation database, which is like a credit score system for a code contributor. Our goal is to support enterprises with rapid application development while maintaining the trust of their customers.”

Comprehensive Supply Chain Security for Modern Application Development
Checkmarx Supply Chain Security enables organizations to accelerate modern application development using open source software safely and securely through a full suite of critical capabilities:

  • Health and Wellness and Software Bill of Materials (SBOM): Provides knowledge of the open source package and community, combined with SBOM creation.
  • Malicious Package Detection: Detects dependency confusion, typosquatting, chainjacking and other malicious activities and packages.
  • Contributor Reputation: Restores trust in the provenance of open source packages by eliminating the need to manually analyze contributor activity across all projects that could impact an organization.
  • Behavior Analysis: Incorporates static and dynamic analysis to observe how the code runs. The Checkmarx Supply Chain Security detonation chamber provides deep analysis of code packages and removes ambiguity to defend against stealthy threats.
  • Continuous Results Processing: Delivers constant updates on Checkmarx security research and threat hunting, maintaining a reputation and vulnerability database for customer usage.

Checkmarx Supply Chain Security is available now. For more information, visit this page.

Gartner, Predicts 2022: Modernizing Software Development is Key to Digital Transformation, by Manjunath Bhat, Mark Horvath et al., 3 December 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

About Checkmarx
Checkmarx is constantly pushing the boundaries of Application Security Testing to make security seamless and simple for the world’s developers while giving CISOs the confidence and control they need. As the AppSec testing leader, we provide the industry’s most comprehensive solutions, giving development and security teams unparalleled accuracy, coverage, visibility, and guidance to reduce risk across all components of modern software—including proprietary code, open source, APIs, and infrastructure as code. Over 1,600 customers, including nearly half of the Fortune 50, trust our security technology, expert research, and global services to securely optimize development at speed and scale. For more information, visit the Checkmarx website, check out the blog or follow the company on LinkedIn.