That’s why we’ve sourced 10 tips for evaluating code scanning tools from compliance expert Ibrahim Haddad’s Linux Foundation paper “Open Source Compliance in the Enterprise.”
- Size the knowledge base against which scanned code is compared. There are trillions of lines of open source code and half a trillion code snippets. Make sure your tools partner's knowledge base goes that deep.
- Ensure there are frequent updates to the knowledge base.
- Check for support of different audit models and methods, including traditional, blind and do-it-yourself audits.
- Time is always squeezed, especially during M&A. Make sure your tools partner can scan at the speed and volume those deadlines demand.
- Make sure to ask about deployment models – local, cloud and hybrid.
- Code snippets are often overlooked but are just as important as whole files. The tools should be able to identify snippets.
- Minimize manual labor for your staff with a tool that can auto-identify code and that has an intuitive UI with a short learning curve and training time. A good compliance partner should free up your team's time for other work.
- Ask whether the tool supports vulnerability discovery as well as license compliance.
- Factor in the cost to deploy the tools, including the number of servers needed.
- Confirm the tool can be used for M&A transactions. You don't want to be caught off guard with the wrong tool when M&A comes knocking at your door.
We hope this can give you a quick reference as you embark on your tools assessment.