We performed a comparison between Checkmarx One, Fortify Application Defender, and Trustwave App Scanner [EOL] based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools."The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time."
"The most valuable feature is the application tracking reporting."
"The solution allows us to create custom rules for code checks."
"The user interface is modern and nice to use."
"The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results."
"The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility."
"Our static operation security has been able to identify more security issues since implementing this solution."
"It shows in-depth code of where actual vulnerabilities are."
"The most valuable feature is that it analyzes data in real-time."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"We are able to provide out customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"Its ability to find security defects is valuable."
"The most valuable feature is the ability to automatically feed it rules what it's coupled with the WebInspect dynamic application scanning technology."
"The solution helped us to improve the code quality of our organization."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"The stability is great. We haven't had any issues at all with it."
"When we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped."
"The solution's user interface could be improved because it seems outdated."
"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."
"The solution sometimes reports a false auditable code or false positive."
"Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"
"It would be really helpful if the level of confidence was included, with respect to identified issues."
"Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not."
"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time."
"The licensing can be a little complex."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
"Fortify Application Defender gives a lot of false positives."
"The false positive rate should be lower."
"Support for older compilers/IDEs is lacking."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"I would like to see a little more flexibility with regards to setting up profiles for vulnerabilities."
Earn 20 points