We performed a comparison between Checkmarx One, Fortify Application Defender, and Veracode based on real PeerSpot user reviews.
"The most valuable feature for me is the Jenkins Plugin."
"The report function is the solution's greatest asset."
"The solution has good performance, it is able to compute in 10 to 15 minutes."
"The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."
"The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"The SAST component was absolutely 100% stable."
"The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal."
"Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."
"Its ability to find security defects is valuable."
"We are able to provide our customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"The most valuable feature is that it analyzes data in real-time."
"I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"The product saves us cost and time."
"I like Veracode's integration with our CI/CD. It automatically scans our code when we do the build. It can also detect any security flaws in our third-party libraries. Veracode is good at pinpointing the sections of code that have vulnerabilities."
"It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase."
"Veracode does not require any maintenance."
"Because it is a SaaS offering, I do not have to support the infrastructure."
"The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up."
"It is a cloud-based platform, so every organization or every security team in the organization is concerned about uploading their code because ultimately the code is intellectual property. The most useful thing about Veracode is that if you want to upload the code, they accept only byte code. They do not accept the plain source code as an input. The code is converted into binary code, and it is uploaded to Veracode. So, it is quite secure. It also has the automation feature where you can integrate security during the initial stages of your software development life cycle. It is pretty much easy with Veracode. Veracode provides integration with multiple tools and platforms, such as Visual Studio, Java, and Eclipse. Developers can integrate with those tools by using Jenkins. The security consultation or the support that they provide is also really good. Its user management is also good. You can restrict the users for a particular application so that only certain developers will be able to see the code that has been scanned. Their reporting model is really good. For each customer, they provide a program manager. Every quarter, they have their reviews about how much it has scanned. They also ensure that the tool has been used efficiently."
"They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice."
"Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"Implementing a blackout time for any user or teams: Needs improvement."
"I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."
"Metadata is always needed."
"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."
"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor; they lack the details one gets when viewing the results directly from the Checkmarx One platform."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"Fortify Application Defender gives a lot of false positives."
"The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time."
"The solution is quite expensive."
"I encountered many false positives for Python applications."
"Support for older compilers/IDEs is lacking."
"The licensing can be a little complex."
"The workbench is a little bit complex when you first start using it."
"The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
"Veracode's false positives have room for improvement."
"The solution does not support Dynamic Application Security Testing."
"I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you."
"The scanning could be improved, because some scans take a bit of time."
"I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase... To defend against those it's very important that the good guys use AI in ways that are good instead of bad."
"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adapt it to repositories based on Git. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) for managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."
"I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline."