“Heartbleed is a bug in the basic implementation of open-source OpenSSL,” said Siman. “Many security problems, like Heartbleed, can be traced to the original code written by programmers — in which they added features without checking the security ramifications.”
Heartbleed (CVE-2014-0160) is the name given to a bug, disclosed in early April 2014, in the open-source OpenSSL cryptography library, the code most widely used to implement the Internet’s Transport Layer Security (TLS) protocol. The flaw sits in OpenSSL’s handling of the TLS heartbeat extension: the code trusted a payload length supplied by the remote peer without checking it against the amount of data actually received, so a single malformed heartbeat request could read up to 64 KB of the server’s memory per request, memory that may hold private keys, session cookies and user passwords. The bug had been present since early 2012, and Heartbleed is believed to have affected nearly 20 percent of secure (HTTPS) web servers, the ones supposed to be safe for submitting credit card information. According to some experts, Heartbleed may be the biggest, and worst, security vulnerability ever to hit the Internet.
A fixed version of OpenSSL (1.0.1g) has since been released, but who knows what other bugs await discovery? There may very well be more bugs in OpenSSL and in many other programs and protocols widely used on the Internet today, according to Siman.
Had the OpenSSL developers run their code through a static analyzer such as Checkmarx’s while writing it, checking each step that handles untrusted input against known vulnerability patterns, the missing bounds check might have been caught before it caused any damage, according to Siman. Static analysis does not catch every flaw, but a length field taken from the network and used to size a memory copy without validation is precisely the kind of pattern such tools are built to flag.
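To make the “unchecked step” concrete, the following is an added example, not OpenSSL’s code or anything from Checkmarx: a constructed model in C of a TLS heartbeat handler with the same shape as the flawed one, beside a version that adds the one missing bounds check. The message layout (type byte, two-byte payload length, payload, padding) follows the heartbeat extension; the request buffer, the adjacent “secret” and the handler names are assumptions made for the demonstration. The request is laid out inside a buffer the program owns so that the over-read stays within defined memory and the leak can be observed deterministically.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap);

static uint16_t read_u16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Copies the header and `claimed` payload bytes into the response.
 * Shared by both handlers; the only difference between them is whether
 * `claimed` was validated against rec_len before this runs. */
static int build_response(const uint8_t *rec, uint16_t claimed,
                          uint8_t *out, size_t out_cap)
{
    size_t resp_len = 3 + (size_t)claimed + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);   /* reads rec[3 .. 3 + claimed) */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (int)resp_len;
}

/* Vulnerable handler: trusts the peer's length field. If `claimed` is
 * larger than the payload actually received, memcpy runs past the end of
 * the record and whatever follows it in memory is echoed back. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    return build_response(rec, read_u16(rec + 1), out, out_cap);
}

/* Fixed handler: one added bounds check. Header, claimed payload and the
 * minimum padding must all fit inside the bytes that were really received. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    uint16_t claimed = read_u16(rec + 1);
    if ((size_t)1 + 2 + claimed + HB_PADDING > rec_len)
        return -1;                        /* the check Heartbleed lacked */
    return build_response(rec, claimed, out, out_cap);
}

/* Constructed secret that, in this model, happens to sit right after the
 * record in memory (standing in for an adjacent heap allocation). */
static const char SECRET[] = "session-key:deadbeef";

/* Builds a request with a real 3-byte payload but a header claiming
 * `claimed` bytes, places SECRET right after it, runs `handler`, and
 * returns 1 if SECRET appears in the response, 0 if the request was
 * answered without leaking it, and -1 if the handler rejected it. */
int response_leaks_secret(hb_handler handler, uint16_t claimed)
{
    uint8_t mem[256] = {0};
    uint8_t out[256] = {0};
    size_t rec_len = 3 + 3 + HB_PADDING;          /* 22 bytes on the wire */

    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, "hat", 3);
    memset(mem + 6, 0xAA, HB_PADDING);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);  /* "adjacent allocation" */

    int n = handler(mem, rec_len, out, sizeof out);
    if (n < 0)
        return -1;
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("honest request (claims 3):     vulnerable=%d fixed=%d\n",
           response_leaks_secret(heartbeat_vulnerable, 3),
           response_leaks_secret(heartbeat_fixed, 3));
    printf("malicious request (claims 64): vulnerable=%d fixed=%d\n",
           response_leaks_secret(heartbeat_vulnerable, 64),
           response_leaks_secret(heartbeat_fixed, 64));
    return 0;
}
```

The honest request is answered identically by both handlers; the malicious one, which claims 64 bytes while sending 3, makes the vulnerable handler copy the bytes beyond the record into its reply, and the fixed handler rejects it outright. The whole difference is one comparison between a peer-supplied number and the record length, which is the sort of missing check a static analyzer is meant to surface when it tracks untrusted input into a memory copy.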
“One unchecked step can leave a program exploitable by hackers. Checkmarx provides an easy and effective way for organizations to introduce security into their software development by scanning source code, quickly identifying security vulnerabilities and regulatory compliance issues and showing developers and security auditors where and how to fix them.”
Programmers, said Siman, are naturally drawn to building things, which means they keep adding convenient features to their code. “Programmers are measured by the features they produce and the companies they work for are looking for them to produce those features. Unfortunately, due to the pressure of having to innovate those features, programmers often ignore their security implications.”
A recent study by 7Safe, an IT security consultancy and training firm, says that only 11% of security spending goes towards hardening applications, and that application firewalls only marginally protect applications.
What’s needed is a system like Checkmarx’s, which lets programmers scan their code against a checklist of vulnerabilities using its Static Application Security Testing (SAST) tool, said Siman. The Checkmarx Source Code Analysis (SCA) system (Checkmarx’s name for its static analyzer, not to be confused with software composition analysis, which now commonly goes by the same initials) highlights security issues in a given piece of code and gives programmers an opportunity to correct them before the code is released.
On Wednesday, Checkmarx won a 2014 Red Herring Top 100 Europe Award. “Selecting start-ups that show the most potential for disruption and growth is never easy,” said Alex Vieux, publisher and CEO of Red Herring. “We looked at hundreds and hundreds of candidates from all across the continent, and after much thought and debate, narrowed the list down to the Top 100 winners. Each year, the competition gets tougher but we believe Checkmarx demonstrates the vision, drive and innovation that define a Red Herring winner.”
“We are thrilled to win this award,” said Emmanuel Benzaquen, CEO of Checkmarx. “It is confirmation that our technology is not only groundbreaking, but recognized as integral for securing applications that contain the personal information of millions of people. As the popularity of mobile and web applications rises, it is more urgent than ever to ensure consumer privacy and security. The best way to do this is by checking for vulnerabilities as the app is developed, before any consumer information is put at risk.”
Checkmarx has dozens of major enterprise customers around the world, including Salesforce.com, the US Army, Samsung, Deutsche Telekom, Deloitte, PwC, Atlassian, LivePerson and Playtech. All of these firms use the company’s technology to check their in-house software, as well as the software used on their servers, with the aim of preventing security debacles such as Heartbleed.
Had the OpenSSL coders checked their code, that debacle could have been prevented, according to Checkmarx. Heartbleed, the company said, “is a big wake-up call for developers. Source Code Analysis is a highly effective security solution. This method can be fully integrated into the Software Development Life Cycle (SDLC), which also paves the way for fully automated testing. Production costs and times are also reduced significantly.” Maybe next time, programmers will use Checkmarx’s SCA.