You can't secure what you don't acknowledge.SM

Monday, June 29, 2009

Great source code analysis tool

Finally, I've found an affordable and effective static source code analysis tool! It's called CxDeveloper - a product Israel-based Checkmarx that's distributed/supported by U.S.-based Security Innovation. Whew....it's a little confusing but what can you do.

I've used CxDeveloper for over a year now and, like most products, it's not perfect. It crashes unexpectedly every now and then, it generates false-positives, its licensing process is kludgy and old-fashioned, and its reporting capabilities are somewhat limited. But who cares! CxDeveloper, by and large, works!

With the future of HP's DevInspect on the line (according to some of my clients, their HP reps are telling them they're end-of-life-ing it), Compuware's nice product SecurityChecker going away, and the other two "leaders" in this space (you know who they are) being so proud of their software that they price themselves out of the reach of many end users and consultants like myself, I can't think of a better time for a static source code analysis product like CxDeveloper to be rising through the ranks.

Here are a few screenshots of CxDeveloper to show you what it looks like and just how simple it is to run a software source code analysis. It's literally point to the source code, choose your scan options, and off you go. And, perhaps biggest of all, there's no need to integrate the tool within an IDE such as Visual Studio!

Various scan policies you can select from:

A scan in action:

Findings showing specific problems and the source code creating them:

"Pretty" summary report that management can appreciate:

Detailed findings report that developers and QA analysts can appreciate:

Keeping in mind the realities of source code analysis, if it's anywhere on your radar CxDeveloper is definitely worth checking out.

No comments:

Post a Comment