30+ years of tech, retired from an identity intelligence company, now part-time with an insurance broker.
Dev community mod - mostly light gardening & weeding out spam :)
Thanks Jin, a nice selection of tools with varying focus. Back in the in 2000s my colleagues & I conducted a survey of available SAST tools, and settled on Klocwork for it's easy integration to existing build systems and wide language support, as we were providing a SAST consultancy service within BT to internal and 3rd party development teams and did not have the budget for Fortify360 :) We also used a number of open source tools from this list: en.wikipedia.org/wiki/List_of_tool... and investigated the 'weird one' that is Veracode (en.wikipedia.org/wiki/Veracode), the only binary-based offering at the time. Unfortunately Veracode insisted on (they may still insist on) having us ship binaries to them, which did not suit a lot of internal / sensitive development in a large telco, so we never got to try it.
30+ years of tech, retired from an identity intelligence company, now part-time with an insurance broker.
Dev community mod - mostly light gardening & weeding out spam :)
Fair point when you look at current tools (such as SonarQube - in use in my last position), but compared to the available single language tools (eg: checkstyle) and the multiple flavours of C/C++, Java, and early C# (remember this was 15 years ago) that were in use for telecoms software it was a reasonable fit, and meant that my team didn't have to learn how to effectively use multiple tools in a consultancy environment. We also found that it produced fewer false positives from the start compared to other more expensive tooling.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Thanks Jin, a nice selection of tools with varying focus. Back in the in 2000s my colleagues & I conducted a survey of available SAST tools, and settled on Klocwork for it's easy integration to existing build systems and wide language support, as we were providing a SAST consultancy service within BT to internal and 3rd party development teams and did not have the budget for Fortify360 :) We also used a number of open source tools from this list: en.wikipedia.org/wiki/List_of_tool... and investigated the 'weird one' that is Veracode (en.wikipedia.org/wiki/Veracode), the only binary-based offering at the time. Unfortunately Veracode insisted on (they may still insist on) having us ship binaries to them, which did not suit a lot of internal / sensitive development in a large telco, so we never got to try it.
Wide language support? You mean C family and Java? Lol.
Fair point when you look at current tools (such as SonarQube - in use in my last position), but compared to the available single language tools (eg: checkstyle) and the multiple flavours of C/C++, Java, and early C# (remember this was 15 years ago) that were in use for telecoms software it was a reasonable fit, and meant that my team didn't have to learn how to effectively use multiple tools in a consultancy environment. We also found that it produced fewer false positives from the start compared to other more expensive tooling.