A few months back I wrote about Checkmarx’s CxDeveloper source code analysis product. Well, I’ve had some more recent source code analysis experience with the tool and thought I’d write a follow up piece.
I’ll start by saying that I can’t stress enough how cost-effective this tool is for performing source code analysis…esp. when similar products cost MUCH more. Granted, I haven’t performed my own run-off between CxDeveloper and the likes of Ounce, Fortify, and so on but I can vouch that the product does a good job. It has found code flaws such as the following that not even the best Web vulnerability scanners could find running against the same applications:
The tool will seek out more traditional source code quality issues like improper resource shutdowns, hard-coded paths, and so on as well. One of my favorite things in the product is the line counter that will tell you, in a matter of seconds, how many lines of code you have in your application.
CxDeveloper is not without its faults. I experienced some stability issues and there are various usability quirks that drove me nuts. The issues that I did have were responded to very quickly by several of the Checkmarx folks (thanks Maty, Barak, and Assaf!). I also ran into an issue where they didn’t think I was going to have enough RAM in the machine I was running the tool on given the amount of code I was analyzing. The system had 1 GB and the Checkmarx folks told me I needed at least 3 GB. I tried it anyway and the product ran just fine.
CxDeveloper simply finds stuff in your source code that you’re not going to find otherwise at a small fraction of the competition’s licensing fees. And it’s very simple to use…there’s not much to it at all. Maybe I’m missing something but it seems like a winner to me – especially in a product segment that’s struggled to get off the ground yet has so much to offer.
For further reading on source code analysis, here are some articles I’ve written on the subject:
Essentials of static source code analysis for Web applications
Eight reasons to do source code analysis on your web application