We performed a comparison between Checkmarx One, Fortify Application Defender, and Klocwork based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"The solution allows us to create custom rules for code checks."
"The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
"It shows in-depth code of where actual vulnerabilities are."
"The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
"The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled."
"Vulnerability details are valuable."
"The solution is scalable, but other solutions are better."
"The administration in Checkmarx is very good."
"The most valuable feature is that it analyzes data in real-time."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"The most valuable feature is the ability to automatically feed it rules what it's coupled with the WebInspect dynamic application scanning technology."
"Its ability to find security defects is valuable."
"The solution helped us to improve the code quality of our organization."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability."
"Technical support is quite good."
"The reporting helps us understand the trend of our results and whether we improve over time. We can see the history within Klocwork's server architecture and know that we're making things better. It creates a great story for our management. We can demonstrate value and how our software is developing over time."
"Klocwork's most valuable feature is the static code analysis feature. It detects the potential problem earlier to allow the developer to receive feedback quickly and then address it before it becomes a problem."
"There's a feature in Klocwork called 'on-the-fly analysis', which helps developers to find and fix the defects at the time of development itself."
"The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time."
"It's integrated into our CI, continuous integration."
"I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not."
"Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."
"The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."
"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"Micro-services need to be included in the next release."
"As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to."
"Checkmarx could improve by reducing the price."
"The cost per user is high and should be reduced."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"The workbench is a little bit complex when you first start using it."
"The licensing can be a little complex."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time."
"The false positive rate should be lower."
"The solution is quite expensive."
"I encountered many false positives for Python applications."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case."
"We'd like to see integration with Agile DevOps and Agile methodologies."
"This solution could be improved if they offered support of more languages including Ada and Golang. They currently only support seven languages."
"Every update that we receive requires of us a lengthy and involved process."
"Klocwork has to improve its features to stay ahead of other free solutions."
"What needs improvement in Klocwork, compared to other products in the market, is the dashboard or reporting mechanisms that need to be a bit more flexible. The Klocwork dashboard could be improved. Though it's good, it's not as good as some of the other products in the market, which is a problem. The reporting could be more detailed and easier to sort out because sorting in Klocwork could be a bit more time-consuming, mainly when sorting defects based on filters, compared to how it's done on other tools such as Coverity."
"Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report."
"Under NIST cybersecurity standards, we must address vulnerabilities within a specified time after discovering them. When we try to propagate those updates and fixes through the system, it would be nice if the clients could reconnect to the existing server or have the server dynamically updated in some way. I know that isn't easy, but maybe processes could be enhanced to make that more streamlined from a DevOps perspective."