Sunday, 2 December 2012

Would I recommend Checkmarx as a SAST engine?

I was asked this question twice in the last couple of days, and my answer is YES!

Although Checkmarx is still not as open and easy to engage with as I would like them to be, they are actually one of the best ones out there.

And there is one asset that the Checkmarx SAST engine has that is REALLY GOOOOOOODDDDDDD!!!!

Their rules are written in C#, and if you (like me) like to write custom rules, they have a nice REPL interface that can be used by power users (with access to a lot of the metadata and code transformations created during the analysis phase).

I'm currently integrating TeamMentor with Checkmarx (for a joint customer) and I really like it. You can see our latest PoC at, which includes a view that shows a mapping between:

  • a security finding
  • its CWE description
  • the TeamMentor landing page (for that finding)
  • the C# Checkmarx rule that triggered that finding

There are a number of posts in this blog about Checkmarx, namely the PoC of integrating TeamMentor with Checkmarx (with videos) and the Checkmarx database export, VistaDB in O2, Opening up Checkmark's rules, and more.... (with a bunch of ideas on what could happen next)

Note: If you are looking at SAST products, here are the other main players:
Note 2: Veracode is currently publishing the Gartner SAST Magic Quadrant, which is a good read.