You can't secure what you don't acknowledge.SM

Monday, September 20, 2010

With this tool there's no excuse to not analyze your source code

A few months back I wrote about Checkmarx's CxDeveloper source code analysis product. Well, I've had some more recent source code analysis experience with the tool and thought I'd write a follow up piece.

I'll start by saying that I can't stress enough how cost-effective this tool is for performing source code analysis... especially when similar products cost MUCH more. Granted, I haven't performed my own run-off between CxDeveloper and the likes of Ounce, Fortify, and so on, but I can vouch that the product does a good job. It has found code flaws such as the following that not even the best Web vulnerability scanners could find running against the same applications:
  • hard-coded cryptographic key and password string (ouch!)
  • SQL injection
  • cross-site scripting
  • file manipulation
  • path traversal
The tool will seek out more traditional source code quality issues like improper resource shutdowns, hard-coded paths, and so on as well. One of my favorite things in the product is the line counter that will tell you, in a matter of seconds, how many lines of code you have in your application.
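To make the flaw classes listed above concrete, here is a small pattern-based scanner, added as an illustration and not code from this post or from Checkmarx, that flags those same categories in a constructed Java-like snippet and also counts lines the way a line counter would. The sample class, the rule patterns and the categorisation are all assumptions of this example.

```python
"""Minimal pattern-based source scanner: an added illustration, not Checkmarx code."""
import re
from dataclasses import dataclass

# Constructed Java-like sample for the demo; every line of it is made up here.
SAMPLE_SOURCE = """\
package demo;

public class AccountDao {
    // hard-coded credentials, the kind of finding the post lists first
    private static final String DB_PASSWORD = "Summer2010!";
    private static final byte[] AES_KEY = "0123456789abcdef".getBytes();

    public ResultSet findUser(Connection c, String name) throws SQLException {
        Statement s = c.createStatement();
        // SQL built by string concatenation with user input
        return s.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
    }

    public String readReport(String fileName) throws IOException {
        // path built from request input without normalisation
        File f = new File("/var/reports/" + fileName);
        return new String(Files.readAllBytes(f.toPath()));
    }

    public void render(HttpServletResponse resp, String msg) throws IOException {
        // unescaped request data written into HTML
        resp.getWriter().println("<div>" + msg + "</div>");
    }
}
"""


@dataclass
class Finding:
    line: int
    category: str
    snippet: str


# Each rule is a (category, regex) pair applied to one line at a time.
# These are text-shape matches, the crudest form of analysis; a real SAST
# tool tracks data flow from sources to sinks instead of matching line shapes.
RULES = [
    ("hard-coded secret",
     re.compile(r'(?i)(password|passwd|secret|api_?key|_key)\s*=\s*"[^"]+"')),
    ("SQL injection",
     re.compile(r'\b(executeQuery|executeUpdate|execute)\s*\([^;]*\+')),
    ("path traversal",
     re.compile(r'\bnew\s+File\s*\([^;]*\+')),
    ("cross-site scripting",
     re.compile(r'getWriter\(\)\.(println|print|write)\s*\([^;]*\+')),
]


def scan(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in line order."""
    findings = []
    for number, text in enumerate(source.splitlines(), start=1):
        for category, pattern in RULES:
            if pattern.search(text):
                findings.append(Finding(number, category, text.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def count_lines(source: str) -> dict:
    """Total / blank / comment / code line counts for the given source text."""
    total = blank = comment = 0
    for text in source.splitlines():
        total += 1
        stripped = text.strip()
        if not stripped:
            blank += 1
        elif stripped.startswith(("//", "/*", "*")):
            comment += 1
    return {"total": total, "blank": blank, "comment": comment,
            "code": total - blank - comment}


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line:>3}  {f.category:<22} {f.snippet}")
    print(summarize(results))
    print(count_lines(SAMPLE_SOURCE))
```

Run as-is it reports two hard-coded secrets, one SQL injection, one path traversal and one cross-site scripting sink, plus 24 total lines of which 16 are code. The point of the example is the finding categories, not the technique: line-shape patterns like these miss anything assembled across several lines, which is exactly the gap that data-flow-based source analysis closes.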

CxDeveloper is not without its faults. I experienced some stability issues and there are various usability quirks that drove me nuts. The issues that I did have were responded to very quickly by several of the Checkmarx folks (thanks Maty, Barak, and Assaf!). I also ran into an issue where they didn't think I was going to have enough RAM in the machine I was running the tool on given the amount of code I was analyzing. The system had 1 GB and the Checkmarx folks told me I needed at least 3 GB. I tried it anyway and the product ran just fine.

CxDeveloper simply finds stuff in your source code that you're not going to find otherwise, at a small fraction of the competition's licensing fees. And it's very simple to use... there's not much to it at all. Maybe I'm missing something, but it seems like a winner to me - especially in a product segment that's struggled to get off the ground yet has so much to offer.

For further reading on source code analysis, here are some articles I've written on the subject:

Essentials of static source code analysis for Web applications

Eight reasons to do source code analysis on your web application
What to do after penetration testing: source code analysis
