Finally, I’ve found an affordable and effective static source code analysis tool! It’s called CxDeveloper – a product Israel-based Checkmarx that’s distributed/supported by U.S.-based Security Innovation. Whew….it’s a little confusing but what can you do.
I’ve used CxDeveloper for over a year now and, like most products, it’s not perfect. It crashes unexpectedly every now and then, it generates false-positives, its licensing process is kludgy and old-fashioned, and its reporting capabilities are somewhat limited. But who cares! CxDeveloper, by and large, works!
With the future of HP’s DevInspect on the line (according to some of my clients, their HP reps are telling them they’re end-of-life-ing it), Compuware’s nice product SecurityChecker going away, and the other two “leaders” in this space (you know who they are) being so proud of their software that they price themselves out of the reach of many end users and consultants like myself, I can’t think of a better time for a static source code analysis product like CxDeveloper to be rising through the ranks.
Here are a few screenshots of CxDeveloper to show you what it looks like and just how simple it is to run a software source code analysis. It’s literally point to the source code, choose your scan options, and off you go. And, perhaps biggest of all, there’s no need to integrate the tool within an IDE such as Visual Studio!
Various scan policies you can select from:
A scan in action:
Findings showing specific problems and the source code creating them:
“Pretty” summary report that management can appreciate:
Detailed findings report that developers and QA analysts can appreciate:
Keeping in mind the realities of source code analysis, if it’s anywhere on your radar CxDeveloper is definitely worth checking out.
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”