Checkmarx One vs Fortify Software Security Center vs Veracode comparison

Fortify Software Security C...

Read 200 Veracode reviews

15,486 Views
1,866 Comparison Views

90% willing to recommend

Checkmarx One

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between Checkmarx One, Fortify Software Security Center, and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Static Application Security Testing (SAST).

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: June 2025).

Static Application Security Testing (SAST)

Download the complete report

Helped 858,649 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Mindshare comparison

As of June 2025, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 9.5%, down from 12.8% compared to the previous year. The mindshare of Fortify Software Security Center is 0.4%, up from 0.2% compared to the previous year. The mindshare of Veracode is 8.3%, down from 10.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

Syed Hasan

Specialist Leader at Deloitte

Partner experiences excellent technical support and seamless initial setup

In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.

Read full review

Jonathan Steyn

Principal Technical Consultant at EOH

Comprehensive vulnerability analysis and customization features with decent pricing

Software Security Center is highly customizable and helps me test all vulnerability data against the latest conventions like OWASP Top Ten, CVE Top twenty-five, and several other legal compliances. WebInspect supports a number of APIs and web endpoints. I find its feature of macro recording allows for testing vulnerabilities during multi-factor authentication sessions very valuable. I appreciate the ability to further analyze data with tools like Audit Workbench.

Read full review

David-Robertson

Director Enterprise Architecture at Exeter Finance Corp.

Static scanning and software composition analysis are very helpful, but the usability needs improvement

Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables. They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."

"The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."

"It shows in-depth code of where actual vulnerabilities are."

"The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results."

"The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all."

"Scan reviews can occur during the development lifecycle."

"Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."

"The solution is scalable, but other solutions are better."

More Checkmarx One pros

"The overall rating for this tool is ten out of ten."

"You can easily download the tool's rule packs and update them."

"Software Security Center is highly customizable and helps me test all vulnerability data against the latest conventions like OWASP Top Ten, CVE Top twenty-five, and several other legal compliances."

"Fortify Analytics' AI function helps scan and provides more detailed explanations and recommendations about vulnerabilities."

"I like the explanation of issues provided by Fortify Software Security Center."

"This is a stable solution at the end of the day."

"The reporting is very useful because you can always view an entire list of the issues that you have."

"The product provides guidance to develop secure software."

"It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."

"It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved."

"The user interface is quick, familiar, and user-friendly and makes navigation to other software very easy."

"Our development team use this solution for static code analysis and pen testing."

"Veracode Fix has affected our time to remediate security flaws in cases where we've been able to use it correctly because the proposals were on point, and it's been great."

"The solution is stable. we've never had any issues surrounding its stability."

"For our rapid, secure DevOps cycle, we have integration of the Vericode API into our build tool, and Greenlight into our IDE."

More Veracode pros

Cons

"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."

"When we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped."

"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."

"Checkmarx could improve by reducing the price."

"The integration could improve by including, for example, DevSecOps."

"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."

"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."

"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."

More Checkmarx One cons

"This solution is difficult to implement, and it should be made more comfortable for the end-users."

"We are having issues with false positives that need to be resolved."

"Fortify Software Security Center's setup is really painful."

"Improvements needed for Software Security Center include better aggregation views of datasets."

"The product's overlap feature is restrictive and requires more customization efforts, which can be expensive."

"Improvements needed for Software Security Center include better aggregation views of datasets."

"I am not satisfied with the percentage of false positives, which is around eighteen percent."

"The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives."

"There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved."

"The solution could improve the Dynamic Analysis Security Testing(DAST)."

"The overall reporting structure is complicated, and it's difficult to understand the report."

"They could improve how they fix vulnerabilities. They could have more support in place to help the developers."

"Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries."

"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."

"Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement."

More Veracode cons

Pricing and Cost Advice

"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."

"The solution's price is high and you pay based on the number of users."

"The solution is costly."

"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."

"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."

"We have purchased an annual license to use this solution. The price is reasonable."

"I believe pricing is better compared to other commercial tools."

"The price of Checkmarx could be reduced to match their competitors, it is expensive."

More Checkmarx One pricing and cost advice

"The solution is priced fair."

"As a Fortify partner company providing technical support, I find the product expensive in our country, where local, inexpensive products are available."

"This is a costly solution that could be cheaper."

"It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."

"It is expensive. It depends on the use case, but it is very hard to find a pricing page on their website. Instead, they need to analyze your use case, but without knowing the entire project and how you're going to be using Veracode, how many scans you're going to do, if yours is a small business, it is very expensive and it affects ROI."

"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."

"Veracode is costly. They have different license models for different customers. What we had was based on the amount of code that has been analyzed. The license that we had was capped to a certain amount, for example, 5 Gig. There would be an extra charge for anything above 5 Gig."

"They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works."

"Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."

"We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides."

"They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

858,649 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

21%

Computer Software Company

14%

Manufacturing Company

10%

Government

Manufacturing Company

20%

Financial Services Firm

15%

Computer Software Company

11%

Government

Computer Software Company

17%

Financial Services Firm

16%

Manufacturing Company

Insurance Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

No data available

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?

I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as ...

What do you like most about Checkmarx?

Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.

What is your experience regarding pricing and costs for Checkmarx?

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

What do you like most about Micro Focus Software Security Center?

You can easily download the tool's rule packs and update them.

What is your experience regarding pricing and costs for Micro Focus Software Security Center?

In the beginning, it was difficult for me to verify that our usage of Fortify Software Security Center corresponded t...

What needs improvement with Micro Focus Software Security Center?

I would like the false positive issue to diminish. I have experienced a lot of false positives, but I think this is d...

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. Son...

What do you like most about Veracode?

The SAST and DAST modules are great.

What is your experience regarding pricing and costs for Veracode?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and da...

SonarQube Server (formerly SonarQube) vs Checkmarx One

Comparisons

Compared 36% of the time

Checkmarx SAST vs Checkmarx One

Compared 6% of the time

OpenText Core Application Security vs Checkmarx One

Compared 6% of the time

OWASP Zap vs Checkmarx One

Compared 5% of the time

GitHub Advanced Security vs Checkmarx One

Compared 4% of the time

More Checkmarx One Competitors

OpenText Core Application Security vs Fortify Software Security Center

Compared 46% of the time

Acunetix vs Fortify Software Security Center

Compared 42% of the time

HCL AppScan vs Fortify Software Security Center

Compared 11% of the time

More Fortify Software Security Center Competitors

SonarQube Server (formerly SonarQube) vs Veracode

Compared 19% of the time

GitHub Advanced Security vs Veracode

Compared 7% of the time

OpenText Core Application Security vs Veracode

Compared 5% of the time

Snyk vs Veracode

Compared 4% of the time

OpenText Static Application Security Testing vs Veracode

Compared 4% of the time

More Veracode Competitors

Product Reports

Checkmarx One

Download Checkmarx One product report

Static Application Security Testing (SAST)

Download Fortify Software Security Center product report

Download Veracode product report

May 2025

Also Known As

No data available

Micro Focus Software Security Center, Application Security Center, HPE Application Security Center, WebInspect

Crashtest Security , Veracode Detect

Overview

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Checkmarx One offers comprehensive application scanning across the SDLC:

Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
API security
Dynamic Application Security Testing (DAST)
Container security
IaC security
Correlation, prioritization, and risk management
Codebashing secure code training
AI security
Tech partnerships extending AppSec into runtime analysis
Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

Checkmarx

Software Security Center enables management, development, and security teams to work together to triage, track, validate, automate, and manage software security activities.

OpenText

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC

Neosecure, Acxiom, Skandinavisk Data Center A/S, Parkeon

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.

Static Application Security Testing (SAST)