wasc-satec@lists.webappsec.org

WASC Static Analysis Tool Evaluation Criteria


My vote for sub-categories

OM
Owasp Montreal
Sun, Sep 11, 2011 2:13 AM

My comments

  1. Tool Setup and Installation
    [ADD] Software deployment method used (MSI, EXE, etc.)
    [ADD] Requires a centralized server?
    [ADD] Minimum and recommended requirements for server and client
    [ADD] Possibility of backup procedure for collected data
    [ADD] What are the required libraries (java, .net, etc.)
    [ADD] Handling of distributed locations

  2. Tool Coverage:
    [ADD] Does the tool assess the code quality? Does the tool provide
    performance analysis?

  3. Triage and Remediation Process
    [ADD] False positive management allows role-based control with respect
    to control, review, approbation and false positives

  4. UI Simplicity and Intuitiveness
    [ADD] Code verification can be run on-demand or not?

  5. Product Maturity and Scalability
    [ADD] Performance impact when the client side plugin is activated?
    [ADD] Number of releases related to crash bugs, security fixes, etc.
    [ADD] Is the tool impacted by the presence of other source code analysis tools?

  6. Reporting Capabilities
    [ADD] Number of supported formats
    [ADD] Languages supported
    [ADD] Severity of finding based on well known standards
    [ADD] Ability to track evolution of bugs
    [ADD] Ability to send reports by email
    [ADD] Ability to monitor from a centralized console

  7. Tool Customization and Automation
    [ADD] Source code repository support

MISC (not sure where to add them)
[ADD] Organization supports a known Application Security organization,
group or initiative
[ADD] Local permanent support employees
[ADD] Number of enterprise customers supported
[ADD] Road map and vision for the next years
