Software application security firm Checkmarx launched its Runtime Application Self-Protection (RASP) solution, CxRASP, which uses unique two-point instrumentation technology to continuously observe an app’s bidirectional data flow.
Designed to enable the detection and defense against real-time attacks, CxRASP is the latest addition to the company’s Application Security Hub, which provides a range of solutions to ensure application security throughout the software development lifecycle as well as while in production.
“Any organization that sells software, be it Microsoft, SAP, Adobe or Salesforce.com, or uses software as part of its ongoing business operation and would like to protect its data—this could include most medium to large organizations,” Asaph Schulman, vice president of marketing at Checkmarx, told eWEEK.
Checkmarx’s technology listens at each interaction junction of the app, covering access points between the application and the user, the database, the network and the file system, respectively. As of now, CxRASP covers SQL injection, cross-site scripting (XSS) and file manipulation, and the list is expanding, Schulman said.
With visibility into the app’s input and output, the CxRASP solution tailors the protection mechanism to the specific flow within the application to achieve improved detection accuracy in real time.
The product flags suspicious activity when it enters the app, and then verifies if it is actually malicious at the output to minimize false positives and false negatives.
When an attack is identified, the organization is alerted and instructions are sent on how to fix the vulnerability.
The product is also integrated with the company’s Static Application Security Testing (SAST) CxSuite Solution and may be integrated with other SAST vendors, ensuring application protection both during and after the development process.
When it comes to application security technology, static code analysis is gaining a lot of momentum, and the company sees a huge trend of organizations looking to align quality-assurance testing alongside application security testing as an integral part of their software development lifecycle environment, Schulman said.
“This means integrating it with components like source repositories, build servers and bug-tracking tools, and a full automation of the testing process based on the organization’s security policy,” Schulman explained. “We also see a huge uptake of scripting languages, specifically JavaScript for both client-side and server-side programming (Node.JS), with an emphasis on the latter. JavaScript is very difficult to test and wasn’t designed for server-side development, so it inherently carries a lot of vulnerabilities.”
Schulman said Checkmarx static code analysis is excellent at detecting those vulnerabilities in both client/server-side JS, and at showing developers where and how to fix them. The company’s RASP solution will offer support for client/server side JavaScript protection in the second quarter of 2015.