LivePerson Implements Innovative Secure SDLC

Upload: checkmarx

Post on 07-Jun-2015


Checkmarx Case Study

Profile:

Founded in 1995, LivePerson introduced its core chat technology to the world during an age when 1-800 numbers were the preferred customer service channel and email was still a novelty. Today, LivePerson is an industry-leading provider of chat-based services, with over 8,500 clients and over 13 Million chats hosted per month. LivePerson currently hosts more than 1.3 Billion consumer website visits each month.

Website: www.liveperson.com

Industry: online marketing, web analytics, and expert advice

Country: United States

Overview

LivePerson is first and foremost a technology company. As such, it relies on its strong R&D team to continue to innovate and enhance its technology. LivePerson has multiple products as well as some legacy products it supports. In total, the code base includes over 1 Million Lines of Code, mostly in Java and C# and some in ASP. The development environment also includes diverse OS. LivePerson is committed to maintaining the highest possible coding standards. This includes application security best practices and methodologies. Due to the size of the code written and its complexity, a lot of thought and effort have gone into designing LivePerson’s continuous integration environment.

The Requirements

A few important source code analysis requirements for LivePerson were:

- The ability to analyze incomplete code samples with missing dependencies, in order to significantly reduce the time and resources required to audit a code sample for vulnerabilities.
- Accuracy: to avoid losing precious developer time, the solution must be highly accurate.
- A way of managing the delta: the developer should be able to compare the current scan with their last scan, see what the delta is and handle it (to ensure that the security vulnerability was fixed).
- Performance: by definition, in a continuous integration environment, performance is critical to avoid creating a bottleneck at the security scan stage. The requirement was to scan 30-40K LOC within a few minutes.
- Multiple concurrent scans: the source code analysis solution must support many concurrent scans by developers.
- Strong and dedicated support: to assist with the configuration and implementation of the source code analysis solution in the continuous integration environment, LivePerson realized it required a solution provider flexible enough to help with any adaptations needed to suit its exact requirements. The solution must be open and flexible enough to support customization specific to LivePerson.

The Alternatives

LivePerson conducted extensive research and evaluated various Static Code Analysis security solutions on the market, including some open source applications. In addition, LivePerson spoke to companies that are using source code analysis solutions to get their feedback.

The Selection of Checkmarx

After determining that Checkmarx best met LivePerson’s requirements, LivePerson decided to run a proof of concept (POC) internally on its real source code with Checkmarx’s technology, to do some additional qualification of the solution. Checkmarx was highly responsive throughout the POC process, for deployment assistance, fine-tuning related matters, etc. It was important for LivePerson to find a solution coupled with strong and dedicated support, to assist with the implementation and configuration process in the continuous integration environment. Eventually, due to the technological edge of Checkmarx and the commercial aspects (the ROI for Checkmarx was superior to alternative solutions for LivePerson’s needs), Checkmarx was selected as LivePerson’s source code analysis technology.

The Implementation

LivePerson works in an agile / continuous integration mode and has 150+ developers. Therefore a secure code review was critical, and the only way to do so was to implement an automatic process as part of the build creation. LivePerson’s secure SDLC works as follows:

Engineers write their code locally. The code is then checked into SVN, which triggers an automatic system test. The code has to pass a few milestones. Before compilation begins, Checkmarx source code analysis is executed to identify security vulnerabilities. If there are medium / high issues, there won’t be a build. The developer is notified that the build didn’t complete and receives a report specifying the reasons and how those vulnerabilities can be remedied.

The developer then has to fix the security issues and have their code re-scanned by Checkmarx. LivePerson created a dashboard within TeamCity which displays Checkmarx’s outputs using the raw XML data reports exported by Checkmarx’s engine. The integration with TeamCity was developed in-house.

The Bottom Line

performance and the ability to scan incomplete code samples. Checkmarx

and was the most sensible decision commercially.

Yair Rovek, Security Specialist, LivePerson
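The build gate and scan delta described above (fail the build on medium/high findings, and let the developer compare the current scan with the last one), as an added example that is neither LivePerson’s in-house TeamCity integration nor Checkmarx’s code. The XML shape, query names and file names are constructed for illustration and are not Checkmarx’s actual report schema.

```python
# Added example: a CI build gate over static-analysis XML reports.
# The XML below is a constructed, simplified stand-in, NOT Checkmarx's real schema.
import xml.etree.ElementTree as ET

BLOCKING = {"High", "Medium"}   # severities that block the build, as in the case study

# Constructed sample reports: the developer's previous scan and the current scan.
PREVIOUS_XML = """<Results>
  <Query name="SQL_Injection" severity="High">
    <Result file="Login.java" line="42"/>
  </Query>
  <Query name="Log_Forging" severity="Low">
    <Result file="Audit.java" line="17"/>
  </Query>
</Results>"""

CURRENT_XML = """<Results>
  <Query name="Reflected_XSS" severity="Medium">
    <Result file="Search.java" line="88"/>
  </Query>
  <Query name="Log_Forging" severity="Low">
    <Result file="Audit.java" line="17"/>
  </Query>
</Results>"""

def findings(xml_text):
    """Return {(query, file, line): severity} for every result in a report."""
    out = {}
    for query in ET.fromstring(xml_text).iter("Query"):
        for res in query.iter("Result"):
            key = (query.get("name"), res.get("file"), res.get("line"))
            out[key] = query.get("severity")
    return out

def delta(previous_xml, current_xml):
    """Classify findings as new, fixed (gone since last scan) or still open."""
    prev, cur = findings(previous_xml), findings(current_xml)
    return {
        "new": sorted(k for k in cur if k not in prev),
        "fixed": sorted(k for k in prev if k not in cur),
        "still_open": sorted(k for k in cur if k in prev),
    }

def gate(current_xml):
    """Build passes only if no Medium/High finding remains; returns (ok, reasons)."""
    blocking = [(k, s) for k, s in findings(current_xml).items() if s in BLOCKING]
    reasons = ["%s %s at %s:%s" % (s, q, f, l) for (q, f, l), s in sorted(blocking)]
    return (len(blocking) == 0, reasons)
```

In a pipeline, `gate` runs before compilation and its `reasons` list becomes the report sent back to the developer, while `delta` shows whether the previous scan’s High finding was actually fixed rather than merely moved.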