App Vulnerability Management Testimonials for Code Dx
We ran [Stat!] against one of our products and the CEO, COO and I (CIO) are very impressed with your application. The amount of time it will save us in compliance and other aspects is staggering.
One of the things we liked about Code Dx was that you put a face on a lot of lower-line tools, so that we don’t have to worry about doing the translation for the basic tool issue that is unique to the tool. It comes back in CWE language and you pick the appropriate underlying tools for whatever code we’re trying to run. We have some C# .NET projects and that worked out really well. We also have C++ projects and Java [projects] and you’ve handled that, too. It makes a problem that would normally be on our shoulders go away. We also used PMD by itself, and we used FxCop by itself in the past 6 years just to process C# and Java code. It wasn’t as smooth as when something like Code Dx sits on top of it and translates it into understandable CWE language. That is important to us now. I have really been impressed with the support you guys have. They are very responsive. I think the price is pretty competitive compared to some of the other tools we know are out there, and for what it delivers.
Code Dx is pretty easy to set up and has little administrative burden for the actual user. We got it up and running in about 10 minutes!
Code Dx showed that there was a tool that we possibly could standardize on across all [our] developers and play a part within a multi-layered software assurance strategy. [We] believe that the Code Dx product could be a valuable tool in our software assurance arsenal as it can be delivered to all [our] developers at a price point that makes it feasible for use within the organization.
… provides a nice way to document progress on a report. Each weakness has an activity stream, where comments and status changes can be saved.
In response to changing the Code Dx project page around: “YES(!!)…I really do like the changes you guys made…WE definitely appreciate both the new features and WOW…that you’ve implemented some more of my previous suggestions too!”
Besides price, I think that the other significant item I look at is the ease of use. How much of a learning curve is there for my employees in learning how to use the tool? With Code Dx, it’s pretty easy and straightforward to use. You just upload your code and it scans it for you. It isn’t hard to run it against a code base. It is probably one of the easier tools out there to install.
The nice thing about the Enterprise level is that it is able to give you coverage comparison and show you which of the tools are finding which issues. That is actually a really nice feature. One of the things in there that adds value is the fact that there are at least 5 different open-source tools in there, so there is an advantage in not having to go in there and patch and install and maintain and upgrade all of those independently. They are doing all that for you.
Clearly, Code Dx would provide an overall time savings by correlating results from multiple products.
[Code Dx] has a unique and helpful view of the analysis of the tool output. I like the information provided at the top that allows me to select which tool to use, codebase location, CWE findings, severity, overlapping location count, and status of all of the weaknesses. The [Flow Viz] diagram shows a helpful view of where the weaknesses came from, which tool was able to detect them, and the severity of the weakness.