We performed a comparison between Checkmarx One, OWASP Zap, and PortSwigger Burp Suite Professional based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Testing (AST).
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
"The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all."
"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
"Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes."
"The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled."
"It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results."
"The solution is scalable, but other solutions are better."
"The best feature is the Zap HUD (Heads Up Display) because the customers can use the website normally. If we scan websites with automatic scanning, and the website has a web application firewall, it's very difficult."
"The most valuable feature is scanning the URL to drill down all the different sites."
"The product discovers more vulnerabilities compared to other tools."
"Automatic updates and pull request analysis."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"The solution is scalable."
"The ZAP scan and code crawler are valuable features."
"The application scanning feature is the most valuable feature."
"I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis."
"The product is very good just the way it is; It has everything already well established and functions great. I can't see any way for this current version to be improved."
"The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security, they just need a stamp on the security key. For these kinds of customers, the scan works really well."
"You can scan any number of applications and it updates its database."
"The solution has a great user interface."
"The solution has a pretty simple setup."
"Once I capture the proxy, I'm able to transfer across. All the requested information is there. I can send across the request to what we call a repeater, where I get to ready the payload that I send to the application. Put in malicious content and then see if it's responding to it."
"The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools."
"We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level."
"It would be really helpful if the level of confidence was included, with respect to identified issues."
"The pricing can get a bit expensive, depending on the company's size."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"I would like to see the tool’s pricing improved."
"The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor; they lack the details one gets when viewing the results directly from the Checkmarx One platform."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"Sometimes, we get some false positives."
"There isn't too much information about it online."
"If there was an easier way to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities, but it's a bit hard to see after the scanning."
"The automated vulnerability assessments that the application performs need to be simplified as well as diversified."
"OWASP Zap needs to extend to mobile application testing."
"I would like to see a version of “repeater” within OWASP ZAP, a tool capable of sending from one to 1000 of the same requests, but with preselected modified fields, changing from a predetermined word list, or manually created."
"It would be nice to have a solid SQL injection engine built into Zap."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
"There is not much automation in the tool."
"The scanner and crawler need to be improved."
"Sometimes the solution can run a little slow."
"The Burp Collaborator needs improvement. There also needs to be improved integration."
"We'd like to have more integration potential across all versions of the product."
"You can have many false positives in Burp Suite. It depends on the scale of the penetration testing."
"It would be good if the solution could give us more details about what exactly is defective."
"One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."