Review: Automated Code Scanners
Posted by
Justin Schuh
April 13, 2007
|
|
We brought three popular static source-code analyzers into our Chicago Neohapsis Real-World Labs®: Fortify Source Code Analysis (SCA) Suite 4.0, Ounce Labs' Ounce 4.1, and Klocwork K7 7.5. Coverity declined to send us its Prevent analyzer.
We approached these products from the perspective of a development team, focusing on the top five features that most directly relate to the successful detection and remediation of vulnerabilities, and that most affect the development team's productivity. Foremost is the breadth of languages, platforms and development environments supported. If you have applications in multiple languages, you'll want a single analyzer to cover them all.
Fortify's SCA was a standout here, with the broadest range of technology support across the board. SCA's expansive platform support includes IBM AIX, Linux, Microsoft Windows, Sun Solaris and Mac OS X, primarily due to Fortify's use of the Eclipse IDE as a base platform, though it fully supports Visual Studio 2003 and 2005. Fortify SCA's real technology advantage becomes apparent in the wide array of languages supported by the analyzer; these include Java, JSP, C/C++, ASP.Net (C# and VB.Net), SQL procedural languages (TSQL and PLSQL), and XML. Fortify was the only product we tested to provide such broad language support, including support for data-tier languages like SQL.
Ounce Labs' Ounce also has an impressive range, supporting analysis on AIX, Linux, Windows and Solaris platforms and integration with Visual Studio 2003 and 2005, along with Eclipse and its derivatives, including IBM's Rational environment. Although its language roster isn't as broad as SCA's, Ounce still includes an impressive lineup of Java, JSP, C/C++, and ASP.Net (C# and VB.Net).
