We performed a comparison between Checkmarx One, HCL AppScan, and Klocwork based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.

"The solution has good performance, it is able to compute in 10 to 15 minutes."
"The SAST component was absolutely 100% stable."
"Both automatic and manual code review (CxQL) are valuable."
"Our static operation security has been able to identify more security issues since implementing this solution."
"The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes."
"It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx."
"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
"One of the most valuable features is that it is flexible."
"The solution offers services in a few specific development languages."
"The static scans are good, and the SaaS as well."
"The solution is easy to use."
"For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted."
"It is a stable solution... It is a scalable solution... The initial setup or installation of HCL AppScan is easy."
"It was easy to set up."
"There's extensive functionality with custom rules and a custom knowledge base."
"We use it as a security testing application."
"On-the-fly analysis and incremental analysis are the best parts of Klocwork. Currently, we are using both of these features very effectively."
"There is a central Klocwork server at our headquarters in France, so we connect the client directly to the server on-premises remotely."
"It's integrated into our CI, continuous integration."
"One can increase the number of vendors, so the solution is scalable."
"There's a feature in Klocwork called 'on-the-fly analysis', which helps developers to find and fix the defects at the time of development itself."
"The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time."
"We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability."
"The ability to create custom checkers is a plus."
"The validation process needs to be sped up."
"Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"The reports are good, but they still need to be improved considering what the UI offers."
"Checkmarx could improve the REST APIs by including automation."
"The solution sometimes reports a false auditable code or false positive."
"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
"We would like to integrate with some of the other reporting tools that we're planning to use in the future."
"It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."
"I would love to see more containers. Many of the tools are great, but they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."
"Sometimes it doesn't work so well."
"I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."
"They should have a better UI for dashboards."
"The solution could improve by having a mobile version."
"There are so many lines of code with so many different categories that I am likely to get lost."
"I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc."
"Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case."
"We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else."
"Klocwork has to improve its features to stay ahead of other free solutions."
"Under NIST cybersecurity standards, we must address vulnerabilities within a specified time after discovering them. When we try to propagate those updates and fixes through the system, it would be nice if the clients could reconnect to the existing server or have the server dynamically updated in some way. I know that isn't easy, but maybe processes could be enhanced to make that more streamlined from a DevOps perspective."
"This solution could be improved if they offered support of more languages including Ada and Golang. They currently only support seven languages."
"The main problem is that since it only parses the code, the warnings or the problems that are given as a result of the report can sometimes require a lot of effort to analyze."
"Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages."