| Checkmarx | |
|---|---|
| Company type | Private |
| Industry | Software security, application security |
| Founded | 2006 |
| Founders | Maty Siman (CTO), Emmanuel Benzaquen (former CEO) |
| Headquarters | Atlanta, Georgia, US |
| Key people | Sandeep Johri (CEO) |
| Website | checkmarx.com |
Checkmarx is an enterprise application security company headquartered in Atlanta, Georgia in the United States. [1] Founded in 2006, the company provides application security testing (AST) solutions that embed security into every phase of the software development lifecycle (SDLC), an approach to software testing known as "shift everywhere."
Checkmarx was founded in 2006 by Maty Siman, the company's CTO, and Emmanuel Benzaquen, former CEO (2006 – 2023), and has over 900 employees. [2] [1] Sandeep Johri has served as CEO since February 2023. The application security platform is designed for CISOs, AppSec managers, security advisors, and software developers.
On July 17, 2017, Checkmarx acquired Codebashing and began offering it as a service that teaches developers secure coding practices through gamified modules in their chosen programming language. [3] In 2018, it also acquired Custodela, a company providing software security program development and consulting services. [4] [5]
Checkmarx was acquired in April 2020 by Hellman & Friedman, a private equity firm with headquarters in San Francisco.
In August 2021, Checkmarx acquired Dustico, a product that detects backdoors and malicious code in the software supply chain. [6]
In 2021, the company launched Checkmarx One, a cloud-native enterprise application security platform, which became its best-known product. It offers enterprises a full suite of application security testing tools to enable DevSecOps, including static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), supply chain security (SCS), API security, container security, infrastructure-as-code security (KICS), [7] as well as Checkmarx Codebashing. [1] [8]
Checkmarx One also offers Checkmarx Fusion, a scan correlation engine (83% of scans are currently cross-correlated in Checkmarx One deployments) and CheckAI.
In January 2022, the company launched the AppSec Program Maturity Assessment (APMA), a service that helps users determine the current phase of their AppSec program and the steps required to complete it. In the same month, Checkmarx also launched Checkmarx Optimizer, which helps reduce alert fatigue in application security testing.
On May 31, 2023, Checkmarx introduced CheckAI, the first set of GenAI solutions intended to accelerate AppSec. It includes the AI Query Builder for SAST and IaC Security. In addition, on July 13, 2023, Checkmarx launched a plugin that helps users secure code generated by GenAI tools such as ChatGPT.
Checkmarx's research department is known for uncovering technical vulnerabilities in popular technologies, software, applications, and IoT devices. [2]
In November 2019, the company's security research team uncovered a number of vulnerabilities affecting Google and Samsung smartphones. The vulnerabilities allowed an attacker to take remote control of smartphone apps, giving them the ability to take photos, record video and conversations, and identify the phone's location. The research team submitted a report to the Android security team at Google and continued to provide feedback as the vulnerabilities were addressed. [9] [10]
In January 2020, Checkmarx detailed multiple security vulnerabilities with the Trifo Ironpie robot vacuum. [11] The company has also uncovered issues with Amazon Alexa, [12] [13] Meetup, [14] and Tinder, [15] [16] among others.
In August 2022, Checkmarx researchers found vulnerabilities in the Ring Android app that could have allowed a malicious application installed on the user's phone to expose personal data, geolocation, and camera recordings. [17] The same year, Checkmarx uncovered malicious activity from the LofyGang group [18] and RED-LILI.
In the first half of 2023, Checkmarx's supply chain research team detected several open-source software supply chain attacks that specifically targeted the banking sector. These attacks used advanced techniques, including attaching malicious functionality to specific components of the victim bank's web assets.
Gartner named Checkmarx a Leader for six consecutive years (2018 to 2023) in the Gartner Magic Quadrant for Application Security Testing. It was also recognized by customers on Gartner® Peer Insights™ as a Customers' Choice for Application Security Testing for the fourth consecutive year.
In 2021, Checkmarx won three gold Cybersecurity Global Excellence Awards for 'Software,' [19] 'Application Security,' [20] and 'Best Cybersecurity Company (500-999 employees).' [21] Checkmarx was also named a Strong Performer in The Forrester Wave™: Software Composition Analysis, Q3 2021.
In 2022, Checkmarx earned a Fortress Cyber Security Award. [22]
In 2023, Checkmarx was recognized as market leader in The Forrester Wave™: Static Application Security Testing, Q3 2023 [23] and a Strong Performer in The Forrester Wave™: Software Composition Analysis, Q2 2023. [24] The same year, the Checkmarx One™ Platform received a 2023 DEVIES Award in the DevSecOps category. [25]
Checkmarx's early investors include Salesforce, which remains a partner as Checkmarx provides security reviews for the Salesforce AppExchange. [26] [27] [28] In 2015, U.S. private equity and venture capital firm Insight Partners acquired Checkmarx for $84 million. [28] [1] [2]
In April 2020, private equity firm Hellman & Friedman, alongside private investment firm TPG, [29] acquired Checkmarx for $1.15 billion. [1] [2] [30] After the acquisition, Insight Partners retained a minority interest in the company. [1] [31]
Synopsys, Inc. is an American electronic design automation (EDA) company headquartered in Sunnyvale, California, that focuses on silicon design and verification, silicon intellectual property and software security and quality. Synopsys supplies tools and services to the semiconductor design and manufacturing industry. Products include tools for logic synthesis and physical design of integrated circuits, simulators for development, and debugging environments that assist in the design of the logic for chips and computer systems. As of 2023, the company is a component of both the Nasdaq-100 and S&P 500 indices.
Trend Micro Inc. is an American-Japanese cyber security software company. The company has globally dispersed R&D in 16 locations across every continent excluding Antarctica. The company develops enterprise security software for servers, containers and cloud computing environments, networks, and endpoints. Its cloud and virtualization security products provide automated security for customers of VMware, Amazon AWS, Microsoft Azure, and Google Cloud Platform.
Fortinet, Inc. is a cybersecurity company with headquarters in Sunnyvale, California. The company develops and sells security solutions like firewalls, endpoint security and intrusion detection systems. Fortinet has offices located all over the world.
The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security. The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.
Application security includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle, from requirements analysis, design, implementation and verification through to maintenance.
UST, formerly known as UST GLOBAL, is a provider of digital technology and transformation, information technology and services, headquartered in Aliso Viejo, California, United States. Stephen Ross founded UST in 1998 in Laguna Hills. The company has offices in the Americas, EMEA, APAC, and India.
Splunk Inc. is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a web-style interface. Its software helps capture, index and correlate real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards and visualizations.
Veracode is an application security company based in Burlington, Massachusetts. Founded in 2006, it provides SaaS application security that integrates application analysis into development pipelines.
Sauce Labs is an American cloud-hosted, web and mobile application automated testing platform company based in San Francisco, California.
DevOps is a methodology in the software development and IT industry. Used as a set of practices and tools, DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle. DevOps is complementary to agile software development; several DevOps aspects came from the agile way of working.
GitLab Inc. is an open-core company that operates GitLab, a DevOps software package that can develop, secure, and operate software. The open-source software project was created by Ukrainian developer Dmytro Zaporozhets and Dutch developer Sytse Sijbrandij. In 2018, GitLab Inc. was considered to be the first partly-Ukrainian unicorn.
Dynatrace, Inc. is a global technology company that provides a software observability platform based on artificial intelligence (AI) and automation. Dynatrace technologies are used to monitor, analyze, and optimize application performance, software development and security practices, IT infrastructure, and user experience for businesses and government agencies throughout the world.
XebiaLabs is an independent software company specializing in DevOps and continuous delivery for large enterprise organizations. XebiaLabs offers a DevOps Platform for application-release automation (ARO). These components include release orchestration, deployment automation and DevOps intelligence.
Perforce Software, Inc. is an American developer of software used for developing and running applications, including version control software, web-based repository management, developer collaboration, application lifecycle management, web application servers, debugging tools and agile planning software.
Tricentis is a software testing company founded in 2007 and headquartered in Austin, Texas. It provides software testing automation and software quality assurance products for enterprise software.
Sandeep Johri is the current CEO of Checkmarx, an application security company. He is the former CEO of Tricentis, an IT testing software company.
Code Dx, Inc. was an American software technology company active from 2015 to 2021. The company's flagship product, Code Dx, is a vulnerability management system that combines and correlates the results generated by a wide variety of static and dynamic testing tools. In 2021, the company was acquired by Synopsys.
Static application security testing (SAST) is used to secure software by reviewing its source code to identify the sources of vulnerabilities. Although static analysis of source code has existed for as long as computers have, the technique spread to security in the late 1990s, around the first public discussion of SQL injection in 1998, when web applications began integrating new technologies such as JavaScript and Flash.
Snyk is a cybersecurity company specializing in cloud computing. It was founded in 2015 out of London and Tel Aviv with headquarters in Boston.
Interactive application security testing is a security testing method that detects software vulnerabilities by interaction with the program coupled with observation and sensors. The tool was launched by several application security companies. It is distinct from static application security testing, which does not interact with the program, and dynamic application security testing, which considers the program as a black box. It may be considered a mix of both.
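The following added example (not any vendor's agent code) models the IAST approach described above: the program actually runs, and instrumentation placed inside it observes what happens. One sensor sits at the request boundary and records the untrusted parameter values; a second wraps the database cursor and reports any query whose SQL text contains one of those values verbatim rather than receiving it through the separate parameter tuple. The handler functions and `FakeCursor` are constructed stand-ins so the example runs offline.

```python
"""Toy IAST sensor: catch untrusted input reaching a SQL sink at runtime.

Added illustration, not any vendor's agent code. Unlike a static pass, the
program under test is executed; unlike black-box DAST, the sensors see the
actual query handed to the database driver.
"""
import threading

_request_ctx = threading.local()   # per-thread record of this request's inputs


def begin_request(params):
    """Boundary sensor: remember every untrusted value of the current request.
    Very short values are skipped to avoid spurious substring matches."""
    _request_ctx.values = [v for v in params.values() if len(v) >= 3]


class FakeCursor:
    """Minimal DB-API-like cursor; records calls instead of hitting a database."""
    def __init__(self):
        self.executed = []

    def execute(self, query, params=None):
        self.executed.append((query, params))


class InstrumentedCursor:
    """Sink sensor: wraps a cursor and reports request input found in SQL text."""
    def __init__(self, cursor, findings):
        self._cursor = cursor
        self._findings = findings

    def execute(self, query, params=None):
        for value in getattr(_request_ctx, "values", []):
            if value in query:   # the input became part of the SQL itself
                self._findings.append(
                    f"untrusted value {value!r} embedded in query: {query}")
        return self._cursor.execute(query, params)


# Constructed handlers under test: one concatenates, one parameterises.
def vulnerable_lookup(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")


def safe_lookup(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))


def run_with_sensor(handler, params):
    """Exercise a handler with a request and return the sink sensor's findings."""
    findings = []
    begin_request(params)
    handler(InstrumentedCursor(FakeCursor(), findings), params["username"])
    return findings


if __name__ == "__main__":
    print(run_with_sensor(vulnerable_lookup, {"username": "alice"}))  # one finding
    print(run_with_sensor(safe_lookup, {"username": "alice"}))        # []
```

The same ordinary input (`alice`) drives both handlers; no attack string is needed, because the sensor is checking the program's behaviour (where the input ended up) rather than trying to trigger a failure, which is the point the article makes about IAST combining interaction with observation.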