Reaction to the Tool

“Teams use CheckMarx to make their code more secure.” CheckMarx is a tool that analyzes code, looking for vulnerabilities. It produces a report of likely problems, with specific locations in the source code.

“We will mandate that our teams use CheckMarx.” Will this make the code more secure?

That depends on how the team reacts to the report. Do they understand the vulnerabilities? Do they know how to remediate them? Do they have time to remediate them?

It’s not the tool that counts, it’s your reaction to the tool.

Jerry Weinberg

If the team responds to the report by remediating vulnerabilities, the code will be more secure. If they respond by increasing their understanding, all the code they write in the future will be more secure. That’s the big payoff.

If the response to vulnerability reports is pressure to change the report, without understanding each item’s meaning, then the code might be more secure. Or it might be messier, messy enough to confuse the tool and lower the known vulnerability count.

A tool by itself is clutter. It’s your reaction to it that matters.