• With this tool there’s no excuse to not analyze your source code

    20 Sep 2010

    A few months back I wrote about Checkmarx’s CxDeveloper source code analysis product. Well, I’ve had some more recent source code analysis experience with the tool and thought I’d write a follow up piece.

    I’ll start by saying that I can’t stress how cost-effective this tool is for performing source code analysis…esp. when similar products cost MUCH more. Granted, I haven’t performed my own run-off between CxDeveloper and the likes of Ounce, Fortify, and so on but I can vouch that the product does a good job. It has found code flaws such as the following that not even the best Web vulnerability scanners could find running against the same applications:

    • hard-coded cryptographic key and password string (ouch!)
    • SQL injection
    • cross-site scripting
    • file manipulation
    • path traversal

    The tool will seek out more traditional source code quality issues like improper resource shutdowns, hard-coded paths, and so on as well. One of my favorite things in the product is the line counter that will tell you, in a matter of seconds, how many lines of code you have in your application.

    CxDeveloper is not without its faults. I experienced some stability issues and there are various usability quirks that drove me nuts. The issues that I did have were responded to very quickly by several of the Checkmarx folks (thanks Maty, Barak, and Assaf!). I also ran into an issue where they didn’t think I was going to have enough RAM in the machine I was running the tool on given the amount of code I was analyzing. The system had 1 GB and the Checkmarx folks told me I needed at least 3GB. I tried it anyway and the product ran just fine.

    CxDeveloper simply finds stuff in your source code that you’re not going to find otherwise at small fraction of the competition’s licensing fees. And it’s very simple to use…there’s not much to it at all. Maybe I’m missing something but it seems like a winner to me – especially in a product segment that’s struggled to get off the ground yet has so much to offer.

    For further reading on source code analysis, here are some articles I’ve written on the subject:

    Essentials of static source code analysis for Web applications

    Eight reasons to do source code analysis on your web application

    What to do after penetration testing: source code analysis

Resources

view all

Client Testimonials

“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.

His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”

(IT managed services firm)
Read More

 

I’ve written/co-written 12 books on information security including:

 

Tags

application security appsec basics books careers censorship CISO CISSP cities compliance coronavirus covid-19 cybersecurity data breaches hacking Hacking For Dummies heads in sand health incident response information risk keynote speaker leadership macOS networked cameras passwords patching racing resilience Russian hacking SDLC security culture security leadership security program management security speaker selling security social engineering speaking engagements spec miata sql injection tiktok time management training vulnerability and penetration testing web security

© Copyright 2001-present, Principle Logic, LLC - All Rights Reserved.

For your convenience I accept