We performed a comparison between Checkmarx One and OWASP Zap based on real PeerSpot user reviews.
Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%."
"The solution has good performance, it is able to compute in 10 to 15 minutes."
"The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results."
"The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages."
"The SAST component was absolutely 100% stable."
"The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
"One of the most valuable features is it is flexible."
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"It updates repositories and libraries quickly."
"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"The application scanning feature is the most valuable feature."
"The community edition updates services regularly. They add new vulnerabilities into the scanning list."
"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
"Automatic scanning is a valuable feature and very easy to use."
"It can be used effectively for internal auditing."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"Integration into the SDLC (i.e. support for last version of SonarQube) could be added."
"The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information."
"It is an expensive solution."
"We have received some feedback from our customers who are receiving a large number of false positives."
"The plugins for the development environment have room for improvement, such as for Android Studio and Xcode."
"I'd like to see a kind of feature where we can just track what our last vulnerability was and how it has improved or not. More reports that can have some kind of base-lining, I think that would be a good feature too. I'm not sure whether it can be achieved and implemented but I think that would really help."
"Sometimes, we get some false positives."
"It would be a great improvement if they could include a marketplace to add extra features to the tool."
"Lacks resources where users can internally access a learning module from the tool."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"The technical support team must be proactive."
"The reporting feature could be more descriptive."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
Checkmarx One is ranked 3rd in Application Security Testing (AST) with 67 reviews while OWASP Zap is ranked 8th in Application Security Testing (AST) with 37 reviews. Checkmarx One is rated 7.6, while OWASP Zap is rated 7.6. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security". Checkmarx One is most compared with SonarQube, Veracode, Fortify on Demand, Snyk and Fortify Application Defender, whereas OWASP Zap is most compared with SonarQube, Acunetix, PortSwigger Burp Suite Professional, Qualys Web Application Scanning and Fortify WebInspect. See our Checkmarx One vs. OWASP Zap report.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.