Checkmarx One
Identify – and eliminate the dangers of – malicious and suspicious open source packages throughout the software development lifecycle (SDLC).
Leverage Checkmarx’ automated scanning technologies and massive proprietary database of malicious packages to identify and remediate dangerous open source code in your applications.
Deep Malicious Package Detection
Checkmarx detects all open source packages in use, including dependencies of other packages, to identify those known to contain malware or exhibit suspicious behavior.
Unparalleled Malicious Packages Database
Checkmarx’ multi-layered package analysis methodologies have identified more than 385,000 malicious packages to date.
From Pre-Production to Runtime
Checkmarx detects malicious packages in manifest files, binaries, and containers – and correlates runtime usage data available from Sysdig to prioritize remediation efforts.
Package Reliability Metrics
Checkmarx rates the trustworthiness of each open source package included in your applications, by package legitimacy, behavioral integrity and contributor reputation.
Automated Policy Actions
Defined policies automatically take effect when malicious packages are detected. This can include sending alerts, generating incident reports, preventing pull requests and breaking builds.
Learn how leading enterprises use Checkmarx to eliminate the threats of malicious packages and other open source software (OSS) dangers.
What’s in it for you
Reduce OSS security threats and improve your overall security posture by ensuring that no malicious or suspicious third-party packages are putting your organization at risk.
A malicious package is a piece of code disguised as a legitimate software component but designed to harm systems or steal data. Unlike packages that only contain unintentional security weaknesses (vulnerabilities) that can potentially be exploited by bad actors, malicious packages are designed and propagated with malevolent intent.
The threat level to organizations of supply chain attacks in general, and malicious packages in particular, has been rapidly rising over the past few years. The numbers tell a disturbing story: Checkmarx’ AppSec research team has discovered more than 385,000 publicly available malicious packages (as of July 2024). 76% of CISOs are concerned about the dangers of malicious packages (Checkmarx survey, 2024). The average cost of a software supply chain compromise was $4.63 million, which is 8.3% higher than the average cost of a data breach due to other causes (IBM, 2023). It is imperative that CISOs and AppSec teams place more focus on this critical threat vector.
Checkmarx combines proprietary technology with a team of expert security researchers to effectively identify malicious packages. Our threat intelligence system performs automated tests to identify suspicious package behaviors, author reputation, and additional checks (secrets, code scanning, static analysis, etc.). When a package is flagged as potentially malicious, our security research team conducts a thorough manual review to confirm its malicious nature, and avoid false positives, before adding it to our database (and reporting it externally, when appropriate). On average, Checkmarx scans nearly 2 million OSS packages every month.
A few examples include data exfiltration (stealing sensitive information), harmful file download, network connection to domain address known to be used by attackers, crypto-mining software, repojacking (takes control of the repository of a legitimate package), typosquatting (mimics the name of a popular package, inducing users to inadvertently use this package), chainjacking (stores a package in a renamed GitHub repository), and protestware (software that includes functionality which aims to protest an issue).
The most effective way to prevent harm to your organization from malicious packages is to validate each package before it is installed. Beyond this, it is important to frequently scan all the OSS packages used in your applications and container images, to identify and remove/update any package versions that may have been flagged as containing malicious or suspicious code (note that most SCA solutions check for packages with vulnerabilities, but do not identify malicious packages). Other best practices include only using trusted repositories, only using OSS from reputable authors/maintainers, and keeping packages updated to the latest versions (so that you are benefiting from the most recent security patches). Learn more about Checkmarx’ SCA scan technology.
Bad actors tend to focus on widely used packages and widely used repositories. Prominent examples include distributing JavaScript npm malicious packages via the npm Registry, Python malicious packages via the Python Package Index (PyPI), .NET NuGet malicious packages via the NuGet Gallery, and all types of malicious software packages via GitHub Packages.
Checkmarx One
Checkmarx One delivers a full suite of enterprise AppSec solutions in a unified, cloud-based platform that allows enterprises to secure their applications from the first line of code to deployment in the cloud. Get everything your enterprise needs to integrate AppSec across every stage of the SDLC and build a successful AppSec program.
Application Security Posture
Management (ASPM) Consolidated, correlated, prioritized insights to help your team manage risk
Code
AI PoweredConduct fast and accurate scans to identify risk in your custom code.
Eliminate shadow and zombie APls and mitigate API-specific risks.
Identify vulnerabilities only seen in production and assess their behavior.
Supply Chain
AI PoweredEasily identify, prioritize, remediate, and manage open source security and license risks.
Catalog and track all software components to enhance security and ensure compliance.
Detect and remediate malicious or suspicious third-party packages that may be endangering your organization.
Cloud
AI PoweredScan container images, configurations, and identfy open source packages and vulnerabilities preproduction and runtime.
Automatically scan your laC files for security vulnerabilities, compliance issues, and infrastructure misconfigurations.
Dev Enablement
Secure code training to upskill your developers and reduce risk from the first line of code.
Built to accelerate AppSec teams and help developers secure applications from the first line of code.
Services
Maximize ROI with prioritized technical support, metrics monitoring, and operational assistance.
Augment your security team with Checkmarx services to ensure the success of your AppSec program.
Assess the current state of your AppSec program, benchmark against peers, and get actionable next steps for improvement.
Unified Dashboard & Reporting
Application Security Posture
Management (ASPM)
AI Powered
Code
Static Application Security Testing (SAST)
Conduct fast and accurate scans to identify risk in your custom code.
API Security
Eliminate shadow and zombie APls and mitigate API-specific risks.
Dynamic Application Security Testing (DAST)
Identify vulnerabilities only seen in production and assess their behavior.
Supply Chain
Software Composition Analysis (SCA)
Easily identify, prioritize, remediate, and manage open source security and license risks.
Software Bill of Materials (SBOM)
Catalog and track all software components to enhance security and ensure compliance.
Malicious Package Protection
Detect and remediate malicious or suspicious third-party packages that may be endangering your organization.
Cloud
Container Security
Scan container images, configurations, and identfy open source packages and vulnerabilities preproduction and runtime.
IaC Security
Automatically scan your laC files for security vulnerabilities, compliance issues, and infrastructure misconfigurations.
Get a Demo
See how easy it is to ensure that malicious and suspicious OSS packages do not put your business at risk.
Trusted By: