I'll start by saying that I can't stress how cost-effective this tool is for performing source code analysis...esp. when similar products cost MUCH more. Granted, I haven't performed my own run-off between CxDeveloper and the likes of Ounce, Fortify, and so on but I can vouch that the product does a good job. It has found code flaws such as the following that not even the best Web vulnerability scanners could find running against the same applications:
- hard-coded cryptographic key and password string (ouch!)
- SQL injection
- cross-site scripting
- file manipulation
- path traversal
CxDeveloper is not without its faults. I experienced some stability issues and there are various usability quirks that drove me nuts. The issues that I did have were responded to very quickly by several of the Checkmarx folks (thanks Maty, Barak, and Assaf!). I also ran into an issue where they didn't think I was going to have enough RAM in the machine I was running the tool on given the amount of code I was analyzing. The system had 1 GB and the Checkmarx folks told me I needed at least 3GB. I tried it anyway and the product ran just fine.
CxDeveloper simply finds stuff in your source code that you're not going to find otherwise at small fraction of the competition's licensing fees. And it's very simple to use...there's not much to it at all. Maybe I'm missing something but it seems like a winner to me - especially in a product segment that's struggled to get off the ground yet has so much to offer.
For further reading on source code analysis, here are some articles I've written on the subject:
Essentials of static source code analysis for Web applications
Eight reasons to do source code analysis on your web application
What to do after penetration testing: source code analysis
0 comments:
Post a Comment