Recently, Checkmarx CTO Maty Siman filled me in on the new source code security scanner, Checkmarx Virtual Compiler. Designed to enable compiler-free, real-time source code vulnerability scanning, the tool promises to facilitate testing of code throughout the development process without compiler or operating system compatibility problems.
Virtual Compiler will be used by development teams to “test uncompiled and unlinked code, their independent modules or any other application subsets in a desktop deployment that reinforces good security awareness and practices as the code is written,” said Siman.
Auditors and chief information security officers (CISOs) can benefit from being able to test code earlier in the software development lifecycle (SDLC), said Siman. They can also use Virtual Compiler to inspect legacy code.
Using source code analysis tools is a must for building secure software, according to SearchSoftwareQuality.com security expert Kevin Beaver. In his tip, “The role of QA pros in software security,” he wrote that source code vulnerability checkers “are essential for rooting out software vulnerabilities that would otherwise be next to impossible to find.” He names Checkmarx, QAInspect and Klocwork as good options.
Virtual Compiler solves some problems that static code analysis tools had not addressed previously, Siman said in our interview. Most major static code analyzers scan only after compilation and require buildable code, so static analysis has needed a complete, buildable project to run against. As a result, scans usually take place near the end of development, and repairs mean going back to fix code whose problems probably surfaced, and possibly grew, during development.
“Checkmarx Virtual Compiler eliminates the buildable code requirement by removing the dependency on compilation and linking for software testing,” said Siman. “It transforms code, whether freshly written or old legacy applications, into a form that contains structure and application flow properties. Testing is not dependent on having all modules complete, duplicating the development environment or creating a final build-test harness. Instead, scanning can take place early, and often, as the code is developed. Once scanning is complete, all code and flow properties are stored in a database that can be interrogated for vulnerabilities.”
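To make the approach Siman describes concrete, here is a small added illustration (not Checkmarx code, and far simpler than a commercial analyzer) of compiler-free scanning in Python: it parses a module that cannot be built or linked (it imports hypothetical, uninstalled packages and calls an undefined helper), extracts structure and data-flow facts from the syntax tree alone, stores them in a SQLite database, and then queries that database for flows from an untrusted input to a SQL sink. The sample module, the source and sink lists, and the module names webfx and dbdrv are all constructed for the example.

```python
"""Toy compiler-free scanner: parse unbuildable code, record structure and
intra-procedural data-flow facts, store them in a database, and query it.
Added illustration for this article; not Checkmarx's implementation."""
import ast
import sqlite3

# Constructed sample: imports packages that are not installed and calls a
# helper that is defined nowhere, so it would neither build nor link.
SAMPLE = '''
from webfx import request          # hypothetical framework, not installed
import dbdrv                       # hypothetical driver, not installed

def lookup(conn):
    name = request.args["user"]    # untrusted input (source)
    q = "SELECT * FROM t WHERE n='" + name + "'"
    conn.execute(q)                # SQL sink fed by concatenated input
    return q

def safe(conn):
    name = request.args["user"]
    conn.execute("SELECT * FROM t WHERE n=?", (name,))   # parameterized
    audit_log(name)                # undefined callee: still scannable
'''

SOURCES = {"request.args"}   # dotted names treated as untrusted (toy policy)
SINKS = {"execute"}          # method names treated as SQL sinks (toy policy)


def dotted(node):
    """Render Name/Attribute chains such as request.args as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    if isinstance(node, ast.Subscript):
        return dotted(node.value)      # request.args["user"] -> request.args
    return None


def names_in(node):
    """Every dotted name and plain identifier read inside an expression."""
    found = set()
    for sub in ast.walk(node):
        d = dotted(sub)
        if d:
            found.add(d)
            found.add(d.split(".")[0])
    return found


def extract_facts(source):
    """Collect (functions, assignment flows, sink arguments) from syntax only:
    nothing is imported, resolved or executed."""
    tree = ast.parse(source)
    funcs, flows, sinks = [], [], []
    for fn in [n for n in tree.body if isinstance(n, ast.FunctionDef)]:
        funcs.append(fn.name)
        for stmt in ast.walk(fn):
            if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1:
                tgt = dotted(stmt.targets[0])
                for src in names_in(stmt.value):
                    flows.append((fn.name, src, tgt))
            elif (isinstance(stmt, ast.Call) and isinstance(stmt.func, ast.Attribute)
                  and stmt.func.attr in SINKS):
                # Only the first positional argument is the query text.
                for arg in stmt.args[:1]:
                    for src in names_in(arg):
                        sinks.append((fn.name, stmt.func.attr, src, stmt.lineno))
    return funcs, flows, sinks


def find_tainted_sinks(source):
    """Load the facts into SQLite and interrogate them for source-to-sink flows."""
    _, flows, sinks = extract_facts(source)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flow(fn TEXT, src TEXT, dst TEXT)")
    db.execute("CREATE TABLE sink(fn TEXT, kind TEXT, arg TEXT, line INTEGER)")
    db.executemany("INSERT INTO flow VALUES (?,?,?)", flows)
    db.executemany("INSERT INTO sink VALUES (?,?,?,?)", sinks)
    placeholders = ",".join("?" for _ in SOURCES)
    # Taint starts at a source and follows assignments within one function;
    # any sink argument it reaches is reported as (function, sink, var, line).
    query = f"""
        WITH RECURSIVE taint(fn, var) AS (
            SELECT fn, dst FROM flow WHERE src IN ({placeholders})
            UNION
            SELECT f.fn, f.dst FROM flow f JOIN taint t
                ON f.fn = t.fn AND f.src = t.var
        )
        SELECT DISTINCT s.fn, s.kind, s.arg, s.line
        FROM sink s JOIN taint t ON s.fn = t.fn AND s.arg = t.var
        ORDER BY s.line"""
    return db.execute(query, tuple(SOURCES)).fetchall()


if __name__ == "__main__":
    for fn, kind, var, line in find_tainted_sinks(SAMPLE):
        print(f"{fn}: untrusted data reaches {kind}() via '{var}' at line {line}")
```

Running it reports only the concatenated query in lookup(); the parameterized call in safe() passes a constant as the query text and is not flagged. The point is the shape of the pipeline, not the precision of the toy taint rules: a syntax-level front end tolerates missing modules and undefined callees, the extracted facts live in a database, and the vulnerability check is a query over that database rather than a step in a build.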
Checkmarx Virtual Compiler is part of a suite of products that can be purchased for onsite use or as a service. Prices for onsite usage start at $15,000.