Friday 13 April 2012

Checkmarx database export, VistaDB in O2, Opening up Checkmarx's rules, and more....

I just posted on the O2 Blog and TM Documentation the scripts I wrote during the PoC of integrating TeamMentor with Checkmarx:
Earlier today I had a call with Checkmarx to follow up on the idea I discussed with Maty (Checkmarx CTO) about releasing Checkmarx's 'C# based rules' under an Open Source/CC license on GitHub.

I have to say that the Checkmarx camp seems really motivated to do this, and if they do it, it could be a big game changer (I offered to put those rules on GitHub since I already have the Query.xml file :), so let's see what happens next).

Btw, if you are a Checkmarx customer (or are evaluating it - which if you are looking at SAST you should), drop them a line saying that it is a good idea :)

While preparing for the call, I quickly jotted down the following ideas and topics for conversation.

Note that these are very raw notes written from my point of view (I'm posting them here because I want to store them in a location where I can find them later):
  • Open sourcing their rules:
    • build community
    • use GitHub
    • help them to better manage the contributions 
    • big soft/viral marketing for Checkmarx
    • promote the creation of Rule Packs per framework
    • improve integration with other tools
    • allow the connection of WhiteBox rules and Blackbox
    • rules should be open since they need peer-review and validation
    • Checkmarx rules will be tied to their engine, so Checkmarx benefits from new material
    • grow the SAST market
  • Having easy access to their technology by Security Consultants and OWASP (sec teams are the channel to market, not the market)
    • What about a 'research licence for OWASP leaders'?
  • I already have a couple of sec consultants that want to give Checkmarx a test drive (they saw the videos on my blog), but they don't know who to talk to!
  • Get SI security team using Checkmarx
  • O2 Platform integration
    • increase support for Checkmarx
    • create multi-tool integrations like the ones I did for AppScan Standard and Source
    • take advantage of O2's powerful data analysis and browser automation capabilities
Btw, if you are from another SAST vendor/tool, I would say the same thing to you, since my plan is for O2 to integrate with / consume / instrument / feed all tools :)