You Can Have It All: Speed & Security – Introducing Our New SAST Engine


February 12, 2024

Checkmarx is a pioneer and leader in the Application Security space. Our commitment to our customers and best-in-class technology has made us the industry leader in Application Security, as reflected in consistent recognition in the Forrester Wave: Static Application Security Testing and the Gartner Magic Quadrant, and has allowed us to secure the applications driving our world.

Keeping Up with the Changing Pace of Development

In the past, software development mainly followed a waterfall approach, releasing software only once or twice a year. But the world has changed. Nowadays, cloud-native development often means releasing updates multiple times a day. This change in the pace of application development has made speed a more important consideration. Sometimes, this comes at the expense of security. In Checkmarx’s upcoming survey on the state of application security, 91% of respondents even admitted to deploying vulnerable code to production. It’s no longer about finding everything but about finding and fixing what matters most.

Up until now, companies had to choose: a developer-oriented SAST tool that risked false negatives (vulnerable code never being identified and unknowingly released into production), or a security-oriented solution that found everything but often at the expense of speed, and with false positives that made it difficult for developers to know what to fix before the next sprint.

Either/Or. Not both.

This led to further solution sprawl, as companies sometimes used an array of tools for their teams: a “good enough” solution for less mature teams and an enterprise-grade solution for their enterprise teams.

Until now.

We are pleased to announce that our new SAST scanning engine gives users more control over how they configure their scans, so they can get speed, accuracy, and security together.

Risk Reduction vs Ease of Use – Do I Have To Choose One?

Traditional SAST offerings force customers to choose between maximum risk reduction and ease of use (which finds less risk).

With this new release, Checkmarx is the only solution that offers both in a single package, providing enterprises with the power and flexibility to secure their entire application footprint while enabling a better developer experience.

The new engine offers both in-depth security (to find maximum risk) and fast scanning (to cover every application with minimum overhead and noise). Users can choose the most appropriate configuration for each application based on that application’s requirements:

  • Fast scanning to cover more applications and surface relevant results faster
  • In-depth scanning to find the maximum risk in critical applications with high business risk

I Already Have Checkmarx SAST. How do I Take Advantage of This?

If you already use Checkmarx SAST (whether on-prem or Checkmarx One), you can take advantage of these new capabilities today. It is easy to set up: here’s how at the account and project level in Checkmarx One, or at the project level on CxSAST. Contact your account manager for more help or to have them walk through this with you.

The Best of Both Worlds: Development and Security Approved

The fast scan mode gives developers more flexibility in their fast-paced environment, where they are constantly writing and updating code. They need scanning that can keep up with short sprints and continuous deployment: exceptionally fast, and returning only the most relevant results. Different apps have different risk levels and criticality. Our new fast scan mode lets developers scan more frequently while highlighting the most relevant results, so they can focus on remediating the most important vulnerabilities. For mission-critical apps, organizations can instead pick the in-depth scan mode and get deeper scans with stronger correlation.

To further increase alert fidelity and reduce false positives, the Checkmarx team has developed another enhanced component: a base preset. The base preset focuses on the highest-priority vulnerability queries to provide high-fidelity results with reduced noise. As a result, it reduces total findings by up to 70%. The base preset was designed to boost scanning efficiency, prioritizing the swift retrieval of pertinent and impactful vulnerabilities. The preset can also be used as a starting point and customized to meet your specific requirements. It is available regardless of which mode, fast or in-depth, you use.

The newly released scanning engine optimizes the SAST scans being executed to reduce overall scan time, and further reduces scan times by tuning query parameters.

The new scanning engine provides results that support developers in their fast-paced development lifecycle. Through development and testing we have been able to achieve up to a 90% reduction in scan time. This time saved is valuable, and the results have been shown to be of higher fidelity.

The Bottom Line

Up until now, users have had to choose between speed and security. This often led to sprawl, with multiple tools being used throughout an organization to meet teams’ varied goals. Now they can have both in a single package: one vendor to deal with, one tool to learn, full transparency between security and development, and the flexibility to adapt as needs change. Checkmarx is the only solution that offers both in a single package.

Providing an application security solution that focuses on flexibility and high-fidelity results is what we are striving for at Checkmarx. This new release delivers reduced scan times with high-quality results so that all members of your team can be successful, from the developers to the CISOs.