cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Checkmarx launches malicious open source software detection solution

Checkmarx has announced the launch of the Checkmarx Supply Chain Security solution to identify suspicious and potentially malicious open source packages across the modern application development lifecycle.

user iconReporter
Wed, 23 Mar 2022
Checkmarx launches malicious open source software detection solution
expand image

By 2025, 60 per cent of organisations will harden their software delivery pipelines to protect against supply chain security attacks, according to Gartner.

According to Checkmarx CEO Emmanuel Benzaquen, attackers are shifting their attention to the software supply chain by abusing open source software ecosystems, which have traditionally been trusted by the worldwide developer community.

“Checkmarx is bringing a developer-first approach to detecting supply chain attacks in code packages, leveraging a comprehensive suite of threat intelligence, behavioural intelligence and machine-learning models,” Benzaquen said.


Supply chain security research and thought leadership

Over the past few months, the Checkmarx security research team has identified hundreds of malicious open source packages. Research highlighted three main types – dependency confusion, typosquatting and chainjacking.

Working alongside Checkmarx Software Composition Analysis (SCA), Checkmarx Supply Chain Security identifies anomalies in the health and security of open source projects, analyses contributor reputation and also directly interrogates the behaviour of packages via analysis within a detonation chamber. The result is full-spectrum software supply chain insight and analysis that closes a significant gap in organisations’ application security.

Current solutions in the market are reactive in that they rely on community feedback to detect vulnerable code and analyse the code, but not the person behind it, said Tzachi Zornstain, head of supply chain security at Checkmarx.

The Checkmarx Supply Chain Security solution is built on the principle of ‘don’t take code from strangers’ and instead references our reputation database, which is like a credit score system for a code contributor.

Our goal is to support enterprises with rapid application development while maintaining the trust of their customers.

Comprehensive supply chain security for modern application development

Checkmarx Supply Chain Security is designed to enable organisations to accelerate modern application development using open source software safely and securely through a full suite of critical capabilities:

  • Health and wellness and software bill of materials (SBOM): Provides knowledge of the open source package and community, combined with SBOM creation.
  • Malicious package detection: Detects dependency confusion, typosquatting, chainjacking and other malicious activities and packages.
  • Contributor reputation: Restores trust in the provenance of open source packages by eliminating the need to manually analyse contributor activity across all projects that could impact an organisation.
  • Behaviour analysis: Incorporates static and dynamic analysis to observe how the code runs. The Checkmarx Supply Chain Security detonation chamber provides deep analysis of code packages and removes ambiguity to defend against stealthy threats.
  • Continuous results processing: Delivers constant updates on Checkmarx security research and threat hunting, maintaining a reputation and vulnerability database for customer usage.

[Related: Study finds Aussie security teams inundated with inaccurate cloud security alerts]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.