
LivePerson Implements Innovative Secure SDLC

About LivePerson | Founded: 1995 | www.liveperson.com
LivePerson introduced its core chat technology to the world during an age when 1-800 numbers were the preferred customer service channel and email was still a novelty. Today, LivePerson is an industry-leading provider of chat-based services, with over 8,500 clients, hosting over 13 million chats per month. LivePerson currently hosts more than 1.3 billion consumer website visits each month.

The Requirements

LivePerson is first and foremost a technology company. As such, it relies on its strong R&D team to continue to innovate and enhance its technology. LivePerson has multiple products as well as some legacy products it supports. In total the code base includes over 1 million lines of code, mostly in Java and C#, with some in ASP. The development environment also spans diverse operating systems. LivePerson is committed to maintaining the highest possible coding standards, including application security best practices and methodologies. Due to the size and complexity of the code base, a lot of thought and effort have gone into designing LivePerson's continuous integration environment. A few important source code analysis requirements for LivePerson were:
The ability to analyze incomplete code samples with missing dependencies in order to significantly reduce the time & resources required to audit a code sample for vulnerabilities.
Accuracy - to avoid precious developer time lost, the solution must be highly accurate.
A way of managing the delta - The developer should be able to compare between the current scan and their last scan, to see what the delta is and handle that. (To ensure that the security vulnerability was fixed).
Performance - by definition, due to the continuous integration environment, the performance was critical to avoid creating a bottleneck at the security scan stage. The requirement was to scan 30-40K LOC within a few minutes.
Multiple concurrent scans - the source code analysis solution must support many concurrent scans by developers.
Strong & dedicated support - LivePerson realized it required a solution provider flexible enough to assist with configuring and implementing the source code analysis solution into the continuous integration environment, and to help with any adaptations needed to suit its exact requirements. The solution must be open and flexible enough to support LivePerson-specific customization.

The Alternatives

LivePerson conducted an extensive research and checked various Static Code Analysis security solutions in the market including some open source applications. In addition, LivePerson spoke to companies that are using source code analysis solutions to get their feedback.

The Selection of Checkmarx

After determining that Checkmarx best meets LivePerson's requirements, LivePerson decided to run a proof of concept (POC) internally on their real source code with Checkmarx's technology, to do some additional qualification of the solution. Checkmarx was highly responsive throughout the POC process - for any deployment assistance, fine tuning related matters, etc. It was important for LivePerson to find a solution that is coupled with strong & dedicated support, to assist with the implementation & configuration process into the continuous integration environment. Eventually due to the technological edge of Checkmarx and the commercial aspects (the ROI for Checkmarx was superior to alternative solutions for LivePerson's needs), Checkmarx was selected to be LivePerson's source code analysis technology.

The Implementation

LivePerson works in an agile / continuous integration mode and has 150+ developers. Therefore a secure code review was critical. The only way to do so was to implement an automatic process as part of the build creation. LivePerson's secure SDLC works as follows:
1. Engineers write their code locally.
2. The code is then checked into the SVN.
3. That triggers an automatic system test. The code has to pass a few milestones.
4. Before compilation begins, Checkmarx source code analysis is executed to identify security vulnerabilities. If there are medium / high issues, there won't be a build.
5. The developer is notified that the build didn't complete and receives a report specifying the reasons and how those vulnerabilities can be remedied.
6. The developer then has to fix the security issues and have their code re-scanned by Checkmarx.
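The gate in steps 4 to 6 above, together with the "managing the delta" requirement from the requirements list, can be shown as a small script that a CI job runs after the scan and before compilation. The following is an added example written for this page, not LivePerson's or Checkmarx's code; the JSON report layout, the field names and the sample findings are constructed for illustration and are not the real Checkmarx report schema. It blocks the build on any High or Medium finding and prints which findings are new, fixed or still open compared with the previous scan, so a developer can confirm that a reported issue was actually fixed rather than just moved.

```python
"""Added example: a CI build gate in the spirit of the LivePerson pipeline.

It runs after the SAST scan and before compilation, blocks the build on any
medium or high severity finding, and reports the delta against the previous
scan so the developer can confirm that a reported issue is actually gone.
The report format and field names below are constructed for this example;
they are not Checkmarx's real report schema.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Severities that stop the build (the page: "if there are medium / high
# issues, there won't be a build").
BLOCKING_SEVERITIES = frozenset({"High", "Medium"})


@dataclass(frozen=True)
class Finding:
    query: str       # vulnerability category reported by the scanner
    file: str        # source file the finding points at
    line: int        # line of the reported sink / result node
    severity: str    # "High", "Medium", "Low" or "Info"

    def key(self) -> tuple[str, str, int]:
        # A finding keeps its identity across scans when the same query fires
        # at the same location. Keying on the exact line is deliberately
        # simple; a real delta engine also tolerates code shifting by a few
        # lines, otherwise unrelated edits make old findings look "new".
        return (self.query, self.file, self.line)


def load_findings(report_json: str) -> list[Finding]:
    """Parse a (hypothetical) JSON scan report into Finding objects."""
    data = json.loads(report_json)
    return [
        Finding(r["query"], r["file"], int(r["line"]), r["severity"])
        for r in data["results"]
    ]


def scan_delta(previous: list[Finding], current: list[Finding]) -> dict[str, list[Finding]]:
    """Split the current scan into new, fixed and persisting findings."""
    prev = {f.key(): f for f in previous}
    cur = {f.key(): f for f in current}
    return {
        "new": sorted((cur[k] for k in cur.keys() - prev.keys()), key=Finding.key),
        "fixed": sorted((prev[k] for k in prev.keys() - cur.keys()), key=Finding.key),
        "persisting": sorted((cur[k] for k in cur.keys() & prev.keys()), key=Finding.key),
    }


def blocking_findings(current: list[Finding]) -> list[Finding]:
    """Findings whose severity alone is enough to stop the build."""
    return [f for f in current if f.severity in BLOCKING_SEVERITIES]


def gate(previous_json: str, current_json: str) -> tuple[int, str]:
    """Return (exit_code, report). Exit code 1 means: do not start the build."""
    previous = load_findings(previous_json)
    current = load_findings(current_json)
    delta = scan_delta(previous, current)
    blocking = blocking_findings(current)

    lines = [f"SAST gate: {len(current)} findings ({len(blocking)} blocking)"]
    for bucket in ("new", "fixed", "persisting"):
        for f in delta[bucket]:
            lines.append(f"  [{bucket:10}] {f.severity:6} {f.query} {f.file}:{f.line}")
    if blocking:
        lines.append("BUILD BLOCKED: fix the High/Medium findings above and re-scan.")
        return 1, "\n".join(lines)
    lines.append("BUILD ALLOWED: no High/Medium findings.")
    return 0, "\n".join(lines)


# Constructed sample reports: since the last scan the developer fixed the
# SQL injection but introduced a hard-coded password; the XSS is still open.
PREVIOUS_REPORT = json.dumps({"results": [
    {"query": "SQL_Injection", "file": "src/Login.java", "line": 42, "severity": "High"},
    {"query": "Reflected_XSS", "file": "src/Search.java", "line": 88, "severity": "Medium"},
    {"query": "Log_Forging", "file": "src/Audit.java", "line": 17, "severity": "Low"},
]})
CURRENT_REPORT = json.dumps({"results": [
    {"query": "Reflected_XSS", "file": "src/Search.java", "line": 88, "severity": "Medium"},
    {"query": "Log_Forging", "file": "src/Audit.java", "line": 17, "severity": "Low"},
    {"query": "Hardcoded_Password", "file": "src/Db.java", "line": 9, "severity": "High"},
]})

if __name__ == "__main__":
    import sys
    code, report = gate(PREVIOUS_REPORT, CURRENT_REPORT)
    print(report)
    sys.exit(code)   # a non-zero exit is what makes the CI job skip compilation
```

In a real pipeline the previous report would be the one stored from the last scan of the same branch, the current one would come from the scanner's API or output file, and the job's non-zero exit is what stops the build step that follows. The Low finding is listed in the delta but does not block, which matches the page's medium / high threshold.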
Yair Rovek | Security Specialist
Checkmarx's technology is highly accurate and easy to use. It offers great performance and the ability to scan incomplete code samples.

Playtech Deploys SAST in a Complex Dev Environment

About Playtech | Founded: 1999 | www.playtech.com
Playtech is the world's largest online gaming software supplier traded on the London Stock Exchange Main Market, providing solutions to the industry's leading operators. Since Playtech's inception in 1999, its approach has been centered on the continual development of best-of-breed gaming products and content, and its success is built upon strong partnerships with its licensees.

The Requirements

As a leader in its field, Playtech continuously acquires new companies and integrates new technologies into its platform. As a result, the company has a diverse code base consisting of millions of lines of code (LoC) across a wide range of products. With over 1,000 developers in its R&D team and practically all major coding languages in use (e.g. .NET, Java, Python, Perl, C++, HTML5, Objective-C), the task of performing code analysis has become a challenge.
Playtech places a lot of emphasis on application security. The company implements a structured Secure Development Lifecycle (SDL) methodology, whereby software security is taken into consideration in every step of the SDLC, namely during the requirements, design, implementation, development and QA phases. Playtech has been using automated code analysis from the very early days of the company, with security bugs being given equal importance and treatment as any other bug.
Due to the complex software development environment Playtech operates, an automatic Static Application Security Testing (SAST) solution must be used during the development phase to scan the entire code base. The tool must be flexible enough to enable Playtech to enforce its security policy and various regulatory requirements. Each scan consists of a minimum of hundreds of thousands of LoC, and "results accuracy" and "scan time performance" are key considerations so that critical development work is not interrupted.
Playtech developed its own application security standard, which is an extension of the OWASP Top 10 and SANS 25 standards. The company is also certified to the ISO 27001 and PCI DSS standards and complies with hundreds of rigorous regulations set by the countries in which it operates, which audit Playtech frequently.

The Alternatives

Playtech has numerous code analysis solutions in place and is familiar with the capabilities of the solutions in the marketplace. The biggest disadvantage of other tools was the requirement to scan compiled code. Playtech wanted a solution that was capable of running the scans during the development lifecycle in order to achieve a true SDL and none of the other solutions supported that. The ability to easily customize the rule sets to enforce Playtech’s security policy was another thing that proved difficult with other solutions and was a non-issue using Checkmarx’s open query language.

The Selection of Checkmarx

The security team at Playtech loves Checkmarx because of the flexibility and independence it provides them to do their job. Being a small security team within such a large company, the task of staying up to date with the ever-growing code base is a great challenge. Compilation-based SAST tools required achieving a build first, and the compilation errors encountered along the way consumed a lot of the security team's precious time and often required assistance from the R&D team. Checkmarx automatically charts the data flow in the application and suggests the optimal remediation points, which significantly reduces R&D's mitigation effort. In addition, the ability to write custom queries for Playtech's various purposes (not necessarily all security related) is priceless. Another excellent byproduct of implementing a true SDL is that the developers are automatically trained in writing secure code, because they get immediate feedback detailing the security vulnerabilities found in their code. The developers say they find it more effective than any other training they've done.

The Implementation

Playtech started small. The objective was to start scanning a few smaller projects using Checkmarx. After running on a few projects for a few months, Playtech saw that the outcome was successful. Both the security team and the developers found the solution useful and easy to use, so the implementation was expanded to larger projects. At the moment Checkmarx scans more than 90% of the projects, and that share keeps growing. Every developer has the IDE plugin suitable for them (Visual Studio, Eclipse), and developers are a lot more cooperative because they get the security findings while everything is still fresh in their mind. It's very easy to use; even new developers don't need any training, since it's all in the IDE they are used to anyway. Every medium / high severity bug is automatically entered into JIRA bug tracking.
Kobi Lechner | Information Security Manager
Checkmarx is loved by both our infosec team and our developers. It is easy to use and provides highly accurate results combined with the flexibility we need to enforce our application security policy.

Global Financial Services Exceed Requirements with Source Code Analysis

About Global Financial Services | Founded: 1890 |
For more than 125 years, the Company has helped its customers from around the world better connect, interact and transact with their customers. More than 23 billion consumer self-service transactions are processed globally using the Company's products and services.

The Requirements

The Company, a fast-paced global financial services company, was looking to change an older SAST product to a newer Source Code Analysis tool. The Company requirements included:
Be able to scan Visual Basic 6.0
Be easily integrated in to the SDLC
Allow developers to scan and view results from their desktop
Minimize False Negative and False Positive reporting
Full compliance with PCI DSS 3.0

The Alternatives

Engineers at the Company were using different code review products to run security scans for each coding language. These products did not deliver the benefits of a one-stop-shop solution, thus calling for a change of strategy.

The Selection of Checkmarx

The Company received and installed a full version of Checkmarx in 30 minutes which it used to conduct an internal analysis of its source code for security vulnerabilities. After realizing that Checkmarx is very easy to use, highly accurate, covers multiple languages and can support the high security and QA standards required by the Company much better than the existing platform, a decision was made to procure the technology.

The Implementation

The Company's initial implementation model of Checkmarx was a central one, where senior developers would install the scanners on their machines, scan the software and analyze the reports. At a later stage, the Company implemented a distributed Software Development Lifecycle (SDLC) methodology where the engineers themselves are responsible for running scans using the Visual Studio / Eclipse plug-ins on their machines. This has proven to be very effective.
| Global Project Manager for Security

Our engineers love Checkmarx so much, they are actually pushing the security team to purchase more licenses to use it across all our coding languages.


Navitas Secures its Cloud with Source Code Analysis

About Navitas | Founded: | www.navitas.com
Navitas is a global tertiary education provider specializing in educating international students. The company helps students from non-English speaking countries get their Australian/American degree. Their web based student management system, all written in PHP, is maintained by a team of 11 developers.

The Requirements

Being a cloud-hosted operation, Navitas was very specific about its needs. Checkmarx was asked to provide a customized security solution that included:
PHP support and compatibility with the Zend framework
Full Git and GitHub integration
Jenkins continuous integration server
Travis CI / Coveralls (code coverage)

The Alternatives

Navitas previously tried to implement open source security solutions, namely RIPS, an open source PHP tool. But the results were largely unsatisfactory, with the program not detecting all critical loopholes. These problems made Navitas understand that a more comprehensive and effective solution is needed.

The Selection of Checkmarx

Navitas opened a trial account in Checkmarx to check its effectiveness. Navitas immediately noticed and appreciated the user-friendly and easy-to-use UI. The level of customization on offer was very useful, with CX Cloud syncing directly with Github for optimal results.

The Implementation

The scan was performed at speeds of 100,000 LoC per 10 minutes, as requested by Navitas. The CI server used an API to initiate the static analysis and compile the report. Lots of high-risk issues, including hard-coded passwords, were located and eradicated with pin-point accuracy.
Chris Kings-Lynne | R&D Manager
Checkmarx simply had the best solution for us. Their product was very easy-to-use. Being able to ‘remember’ what was non-exploitable from one scan to the next really helped our effectiveness. Due to the success we’ve seen with the Checkmarx application security testing, we are looking to expand the use of static analysis to other areas outside security.

Wiredrive.com Uses Checkmarx As Its First Line of Defense

About Wiredrive | Founded: 1999 | www.wiredrive.com
Wiredrive (www.wiredrive.com) is the cloud media sharing service of choice for the world’s largest advertising, entertainment and consumer marketing companies. Production, sales and marketing teams trust Wiredrive to simplify the logistics of creativity and securely manage their most important media assets. Wiredrive brings people and media together in a shared space where hard work and great ideas blossom into amazing things. Wiredrive is a fast-growing, profitable and privately-owned company founded in 1999. The Wiredrive team consists of 35 employees and has offices in the media capitals of Los Angeles, New York, San Francisco and London.

The Requirements

Wiredrive is preparing for SSAE16 compliance and needed a suite of tools to validate secure coding best practices. Wiredrive’s Enterprise clients required recurring penetration tests and static code scans to audit the platform’s security. Wiredrive needed an internal solution that integrates with its Continuous Integration (CI) SDLC process, which uses Atlassian’s Bamboo and GIT as the source repository. The solution needed to scan a large web application consisting of PHP, JavaScript, and Python.

The Alternatives

During the evaluation process, Wiredrive reviewed several open source solutions that failed to locate known vulnerabi