Checkmarx database export, VistaDB in O2, Opening up Checkmark's rules, and more....

I just posted on the O2 Blog and TM Documentation the scripts I wrote during the PoC of integrating TeamMentor with Checkmarx:

• VistaDB API and GUI (as used by Checkmarx SAST engine) - O2 Blog
• Exporting Checkmarx SAST Database into XML files - O2 Blog
• Case Study – Creating a CWE Library from CheckMarx data - TM Documentation

Earlier today I had a call with Checkmarx to follow up the idea I talked with Maty (Checkmarx CTO) about the release of Checkmarx 'C# based rules' under an Open Source/CC license on GitHub.

I have to say that the Checkmarx camp seems really motivated to do this, and if they do it, it could be a big game changer (I offer to put those rules in GitHub since I already have the Query.xml file :), so lets see what happens next ).

Btw, if you are a Checkmarx customer (or are evaluating it - which if you are looking at SAST you should), drop them a line saying that it is a good idea :)

While preparing for the call, I quickly jotted thee following idea and topics for conversation.

Note that these are very raw notes written from my point of view (I posting them there because I want to store them in a location I can find them later):

• Open sourcing their rules:
• build community
• use GitHub
• help them to better manage the contributions 
• big soft/viral marketing for Checkmarx
• promote the creation of Rule Packs per framework
• improve integration with other tools
• allow the connection of WhiteBox rules and Blackbox
• rules should be open since they need peer-review and validation
• vheckmarx rules will be tied to their engine so Checkmark benefits from new material
• grow the SAST market
• Having easy access to their technology by Security Consultants and OWASP (sec teams are the channel to market, not the market)
• What about a 'research licence for OWASP leaders'?
• I already have a couple sec consultants that want to give Checkmarx a test drive (saw the videos on my blog), but they don't know who to talk to!
• Get SI security team using Checkmarx
• O2 Platform integration
• increase support for Checkmarx
• create multi-tool integrations like the ones I did for AppScan Standard and Source
• take advantage of O2's powerful data analysis and browser automation capabilities

Btw, if you are from another SAST vendor/tool, I would say the same thing to you, since my plan is for O2 to integrate / consume / instrument / feed all tools :)