I guess this situation isn’t that different from the situation in the development and build tools space. You have:

– Purify
– valgrind
– multiple compilers all with different incompatible flags and code parsing

And people wanting to run all of them. Most of these things cost money to run, in either fees, people, or both. They all chip away at the problems you’d find in C/C++ code, and yet no one is offering a suite of tools that covers everything, can pipeline it, put it all into 1 reporting database, and not require me to instrument my build process 5 different times. An unfortunate situation to be sure….

Good question. If you count freely available tools (a good corner case is those running both Fortify and Findbugs–which itself is bundled with Fortify these days) then I have quite a few. Outside that, I’d say the most common configurations are:

* [Ounce | Fortify] + FXCop
* Fortify + Coverity

‘Most commonly asked question recently? “Can I save money on Fortify licenses by replacing SOME of my scans with Veracode…?”

I think there’s value in running multiple tools or combining a static analysis tool with a pen-testing practice. As I preach: a good initial objective is to establish an assessment plan that you defend to management: “We’re looking for [these things] in our apps.” From there seek to increase your ability to find problems or reduce the cost of maintaining your existing assessment capacities. Managing to this message is far more desirable than defending license seats or code review head count, IMO.

The BIG problem here is normalizing findings and presenting a unified assessment report at a non-prohibitive cost. Some might not be surprised that the biggest issues one might run into here is not technical but organizational or political. People don’t like:

1) Combining static and dynamic testing because they often report up through different management (each defensive of its budget and headcount)

2) Asking for money to augment their expensive SA implementation with an freely available alternative–even if that alternative addresses a complimentary need.

How many customers have you met that are running more than one SA tool? From what I’ve seen the types of rules that the different tools (much less their coverage/accuracy) don’t perfectly overlap, and in some cases the overlap is only around 50% between two of tools you mention.

I don’t feel that deploying more than one SA tool is really sustainable, but as you point out they do seem to target certain audiences. Some of the tools focus a exclusively on security, some target mostly (75% or greater) what would generally be considered quality but not security issues, and some overlap but don’t cover the same space.