Although Checkmarx is still not as open and easy to engage with as I would like them to be, they are actually one of the best SAST vendors out there.
And there is one asset of the Checkmarx SAST engine that is REALLY GOOD!
Their rules are written in C#, and if you (like me) like to write custom rules, they have a nice REPL interface for power users, with access to a lot of the metadata and code transformations created during the analysis phase.
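To give a concrete feel for what such a rule looks like, here is an added illustration of a custom taint-style query written in the C#-based query style the engine uses. It is not from the original post and not one of Checkmarx's own shipped rules; the query function names (Find_Interactive_Inputs, Find_DB_In, Find_SQL_Sanitize, Find_MethodInvokes, FindByShortName, InfluencingOnAndNotSanitized) are assumed from my recollection of the CxQL API and may differ between engine versions, and the EscapeForSql helper is a hypothetical project-specific sanitizer.

```csharp
// Added illustration (not from the original post, not a Checkmarx-shipped rule):
// a custom CxQL-style query that flags database calls whose query text is
// influenced by user-controlled input that never passed through a sanitizer.
// Query function names are assumed from memory of the CxQL API.

// Sources: interactive inputs (HTTP parameters, form fields, cookies, ...)
// as classified by the engine during the analysis phase.
CxList inputs = Find_Interactive_Inputs();

// Sinks: call sites that hand a query string to the database layer.
CxList dbSinks = Find_DB_In();

// Sanitizers: methods the engine already treats as neutralising SQL
// metacharacters, extended with a project-specific helper. "EscapeForSql"
// is a hypothetical name standing in for whatever the team's own code base uses;
// teaching the engine about it is exactly why a custom rule is written.
CxList sanitizers = Find_SQL_Sanitize();
sanitizers.Add(Find_MethodInvokes().FindByShortName("EscapeForSql"));

// Data-flow query: every path from a source to a sink that does not go
// through one of the sanitizers. Whatever is assigned to 'result' is what
// the engine reports as findings for this rule.
result = inputs.InfluencingOnAndNotSanitized(dbSinks, sanitizers);
```

The value of doing this in the REPL rather than editing a file blind is that each intermediate CxList (inputs, dbSinks, sanitizers) can be inspected against the scanned project before the final data-flow query is run, so false positives from a misclassified sanitizer show up immediately instead of after a full scan.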
I'm currently integrating TeamMentor with Checkmarx (for a joint customer) and I really like it. You can see our latest PoC at http://checkmarx.teammentor.net, which includes a view that shows a mapping between:
- a security finding
- its CWE description
- the TeamMentor landing page for that finding
- the C# Checkmarx rule that triggered that finding
There are a number of posts on this blog about Checkmarx, namely the PoC of integrating TeamMentor with Checkmarx (with videos), the Checkmarx database export, VistaDB in O2, Opening up Checkmarx's rules, and more (with a bunch of ideas on what could happen next).
Note: If you are looking at SAST products, here are the other main players:
- Cat.Net 1.1 (free from Microsoft) (see these O2 Cat.Net posts)
- IBM AppScan Source (see these O2 AppScan/IBM posts on this blog, and these O2 AppScan posts on the O2 blog)
- HP Fortify (see these O2 Fortify posts)
- Veracode (these O2 Veracode posts)
- Engines I still need to take for a spin:
- Powerful engines, but not focused on App Security: