5 out of 5.0, Reviewed Oct 14, 2016
We have been using Synopsys Codenomicon AppCheck (now called Protecode SC) as an early adopter. It's an innovative tool which provides a quick and straightforward solution that helps us address 3rd-party software vulnerabilities and license issues in software integration. It greatly improves the accuracy and agility to cope with the complete product offerings at scale. AppCheck also provides a learning ability to add vendor components.
We're happy with the service and support that the Synopsys team provides.
4 out of 5.0, Reviewed Oct 14, 2016
Coverity is the best static source code analysis tool on the market today for C/C++. They provide a very mature product.
Negotiate the pricing model to be one that isn't based on lines of code or per-user.
The product functionality is world class. It is the best static code analysis tool on the market. It was relatively easy to set up and put into a Jenkins continuous delivery system that provides accurate results daily to our development team.
The licensing model is based on lines of code or per-developer. It should be more flexible to allow a per-use model. They should also add more platforms, like Xcode 8 with clang. We are using a Windows-only system due to that limitation.
Change their licensing model so that it is more flexible, based on usage rather than per developer on the team or the lines of code in the product. I wish they would also support Xcode 8 and the clang compiler on the Mac OS X platform. We would also like to see a mobile offering that covers the Swift programming language.
Negotiate the cost of the overall solution to be lower. Their licensing model is either lines of code (which is not possible for products with as much source code as Adobe), or per-user, which isn't the best either given that not all developers use the tool daily. I wish Coverity would provide an alternative licensing model that is based on per-use instead.
Every time Coverity releases a new version of their software, Adobe Photoshop needs to work with their support to ensure it still compiles 100% of the codebase. The quality of their software is generally fantastic, but it could be better.
5 out of 5.0, Reviewed Oct 13, 2016
Synopsys provides a technically excellent product, then backs it up with effective and professional tech support. We can usually resolve any problems using internal resources, but when we reach out to tech support we usually have solutions within 24 hours. Synopsys has been very willing to work with us on suitable licensing terms and has a history of implementing our suggestions for improvements. Improvements in the product are significant from release to release.
Establish an in-house expert or two to help with project deployments. Integrate with Jenkins for rapid detection of issues.
Technical performance is excellent, with high-quality defect detection. False-positive rate is extremely low, which reinforces developer trust. New "developer intent" checkers like copy-paste provide great value. Tech support and field support are outstanding.
Coverity is a very expensive product. Technically, the access control configuration is very flexible but too complicated.
Initial deployment faltered until we put a small team of experts together to help with deployments across many projects. We should have done that sooner.
Tech support is very responsive and typically resolves issues within 24 hours. Field support, when needed, supplies highly experienced people who really have an impact.
5 out of 5.0, Reviewed Oct 13, 2016
They always share the roadmap. I like the fact that they are always forward thinking and very engaged with the customers, e.g. not only providing the happy path but also learning from customer insights. The vendor is very responsive and I think that this is important, especially when it comes to production environments. Additionally, I was surprised that even our account manager understands the technology and secure development lifecycle very well, as opposed to "regular" sales people in the market.
Bring your best hands-on engineer/architect to the POC, as it requires a deep understanding of the tested product.
Seeker - it's an amazing approach to reducing false positives and finding REAL exploits in the system. Coverity - it tries to ease the build automation process by integrating with bug tracking systems, and its user interface is simple.
Seeker - not a straightforward installation. Coverity - while it is integrated with most build systems, it isn't integrated with TFS. Additionally, it doesn't support PHP security testing (yet).
Did I mention that my satisfaction rate is 5?
I'd expand the engagement of the engineering teams during the POC process.
Everything is done professionally and in a timely manner.
4 out of 5.0, Reviewed Oct 12, 2016
Coverity brings opportunities for improvements in productivity and quality, helps to achieve business goals and standardizes management processes at reasonable costs. Its wide range of applications allows a one-size-fits-all implementation and relieves the burden of change management while preserving space for future enhancements and functionalities. If pluggable checkers, better integrations with issue management systems and more complete analysis on new languages could become official, Coverity would be our sole choice for the coming years to assure business objectives.
Change management should be planned ahead. Once Coverity is taken into consideration for mass deployment, you will recognize that sluggishness in adoption of the new tool may wipe out its feasibility.
Since we are doing outsourcing, its capability of supporting a wide range of programming languages and its ease of management are the best things among all the bells and whistles.
Checkers cannot be extended by incorporating other analysis tools, and sometimes analysis results on new languages are too basic.
Trials could be distributed more freely, either with a limitation of time, user submissions or functionalities.
If there is another chance, Coverity is still among our first considerations. There are debates over functionalities versus pricing, but after all, you will value its ease of management and deployment - in our situation, a tool that fits 90% of projects' needs is better than 10% of perfection for several cases.
Except for the email integration problem, everything else works as expected.
5 out of 5.0, Reviewed Oct 12, 2016
The overall experience is very good. Local sales staff, solid understanding of the industry, and proven capabilities. No bullshit in the sales phase, to the point and focused effort in the product itself.
Be aware of false positives. The existence of such makes the service very hard to integrate into a functional SDL and makes it easier for the teams to reject the service.
Low number of false positives. Good workflow, very agile support for implementation.
Massive complexity, but required for the complex task at hand. Would love tighter integrations with SDL by default.
More automation, less manual tinkering.
More focus on the mature state of the service when implemented, to ensure easy integration with operations.
4 out of 5.0, Reviewed Oct 10, 2016
For C/C++ it is the best SAST (Static Application Security Testing) tool. Good coverage for all code-related security vulnerabilities as well as quality issues. Excellent signal-to-noise ratio - low false positives, acceptable false negatives ratio. The collaboration tool Coverity Connect and the administration functions could be improved.
For us, developer adoption and integration into the Secure SDL was key - these are the decisive factors for ROI of this tool.
Coverity Static Analysis (SA) is the best SAST tool for C/C++ code due to the best quality of findings (low false positive ratio) and good coverage (low false negative ratio).
Admin services of Coverity Connect
Invest more in the lifecycle management of the tool's collaborative servers (Coverity Connect) - such as upgrade support, data archiving, user management.
Carefully plan the overall landscape of distributed servers (Coverity Connect) to cover numerous dev projects with huge code volume and a high number of developers.
We use consulting services to optimize use. Consulting skills of our dedicated point of contact are excellent.