Tool Setup and Installation
[ADD] Software deployment method used (MSI, EXE, etc.)
[ADD] Require a centralized server?
[ADD] Minimum and recommended requirements for server and client
[ADD] Possibility of backup procedure for collected data
[ADD] What are the required libraries (java, .net, etc.)
[ADD] Handling of distributed locations
[ADD] Does the tool assess the code quality? Does the tool provide
Triage and Remediation Process
[ADD] False positive management allow role-based control with respect
to control, review, approbation and false positive)
UI Simplicity and Intuitiveness
[ADD] Code verification can be run on-demand or not?
Product Maturity and Scalability
[ADD] Performance impact when the client side plugin is activated?
[ADD] Number of release related to crash bug, security fix, etc.
[ADD] Tool impacted by the presence of other source code analysis tools
[ADD] Number of supported formats
[ADD] Languages supported
[ADD] Severity of finding based on well known standards
[ADD] Ability to track evolution of bugs
[ADD] Ability to send reports by email
[ADD] Ability to monitor from a centralized console
Tool Customization and Automation
[ADD] Source code repository support
MISC (not sure where to add them)
[ADD] Organization support a known Application Security organization,
group or initiative
[ADD] Local permanent support employees
[ADD] Number of enterprise customer supported
[ADD] Road map and vision for the next years