Comparison Buyer's Guide

Executive SummaryUpdated on Aug 25, 2022
 

Categories and Ranking

Checkmarx One
Ranking in Application Security Tools
3rd
Ranking in DevSecOps
2nd
Average Rating
7.6
Number of Reviews
68
Ranking in other categories
Static Application Security Testing (SAST) (3rd), Vulnerability Management (11th), Static Code Analysis (2nd), API Security (4th), Risk-Based Vulnerability Management (5th)
Snyk
Ranking in Application Security Tools
4th
Ranking in DevSecOps
1st
Average Rating
8.2
Number of Reviews
42
Ranking in other categories
Container Security (5th), Software Composition Analysis (SCA) (3rd), Software Development Analytics (2nd)
 

Mindshare comparison

As of June 2024, in the Application Security Tools category, the mindshare of Checkmarx One is 13.2%, down from 15.3% compared to the previous year. The mindshare of Snyk is 6.2%, down from 8.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
Unique Categories:
Static Application Security Testing (SAST)
10.1%
Vulnerability Management
1.2%
Container Security
7.2%
Software Composition Analysis (SCA)
17.6%
 

Featured Reviews

PG
Sep 10, 2022
A good compliance solution that is best suited to small scale applications, and suffers from stability issues
Our main uses of this solution are to ensure our required compliance policies are met, and that we are applying best practice This solution helps to remediate the compliance requirements we have.  The product also increases the quality of the code the developers are able to implement.  The main…
UmarQureshi - PeerSpot reviewer
Aug 12, 2022
Developer-friendly with many useful features in the works, but lacks in language and framework coverage
For the areas that they're new in, it's very early stages for them. For example, their expertise is in looking at third-party components and packages, which is their bread-and-butter and what they've been doing for ages, but for newer features such as static analysis I don't think they've got compatibility for all the languages and frameworks yet. That's something I believe will be expanding over time, but I'm not 100% sure when they're going to get to it. Thus, my main concerns for improvement would definitely be greater language and framework coverage, and on a lesser note I would also like to see a reduced number of false positives on their scans. Then there's the issue of their support. It's not very good, to be honest, and it hasn't been the best experience to deal with them. I think they need to develop proper customer success managers when it comes to Service Level Agreements and how they engage with their customers. On the other hand, their technical support is okay as all the technical aspects are essentially all written down and you just have to follow them.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all."
"The solution has good performance, it is able to compute in 10 to 15 minutes."
"The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
"The most valuable features of Checkmarx are the automation and information that it provides in the reports."
"It is a stable product."
"The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes."
"The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
"The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
"What is valuable about Snyk is its simplicity."
"It has improved our vulnerability rating and reduced our vulnerabilities through the tool during the time that we've had it. It's definitely made us more aware, as we have removed scoping for existing vulnerabilities and platforms since we rolled it out up until now."
"I think all the standard features are quite useful when it comes to software component scanning, but I also like the new features they're coming out with, such as container scanning, secrets scanning, and static analysis with SAST."
"The code scans on the source code itself were valuable."
"It has an accurate database of vulnerabilities with a low amount of false positives."
"Static code analysis is one of the best features of the solution."
"The dependency checks of the libraries are very valuable, but the licensing part is also very important because, with open source components, licensing can be all over the place. Our project is not an open source project, but we do use quite a lot of open source components and we want to make sure that we don't have surprises in there."
"There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our local ID, and there I can do the scanning. That is the part I like best."
 

Cons

"This product requires you to create your own rulesets. You have to do a lot of customization."
"The integration could improve by including, for example, DevSecOps."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"Checkmarx could improve the REST APIs by including automation."
"Checkmarx could improve by reducing the price."
"The solution's user interface could be improved because it seems outdated."
"Some of the descriptions were found to be missing or were not as elaborate as compared to other descriptions. Although, they could be found across various standard sources but it would save a lot of time for developers, if this was fixed."
"Generating reports and visibility through reports are definitely things they can do better."
"The way Snyk notifies if we have an issue, there are a few options: High vulnerability or medium vulnerability. The problem with that is high vulnerabilities are too broad, because there are too many. If you enable notifications, you get a lot of notifications, When you get many notifications, they become irrelevant because they're not specific. I would prefer to have control over the notifications and somehow decide if I want to get only exploitable vulnerabilities or get a specific score for a vulnerability. Right now, we receive too many high vulnerabilities. If we enable notifications, then we just get a lot of spam message. Therefore, we would like some type of filtering system to be built-in for the system to be more precise."
"The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production."
"It can be improved from the reporting perspective and scanning perspective. They can also improve it on the UI front."
"All such tools should definitely improve the signatures in their database. Snyk is pretty new to the industry. They have a pretty good knowledge base, but Veracode is on top because Veracode has been in this business for a pretty long time. They do have a pretty large database of all the findings, and the way that the correlation engine works is superb. Snyk is also pretty good, but it is not as good as Veracode in terms of maintaining a large space of all the historical data of vulnerabilities."
"We would like to have upfront knowledge on how easy it should be to just pull in an upgraded dependency, e.g., even introduce full automation for dependencies supposed to have no impact on the business side of things. Therefore, we would like some output when you get the report with the dependencies. We want to get additional information on the expected impact of the business code that is using the dependency with the newer version. This probably won't be easy to add, but it would be helpful."
"They need to improve the Snyk plugins and make it easier to make your optimizations based on your own needs or features."
"We use Bamboo for CI.CD, and we had problems integrating Snyk with it. Ultimately, we got the two solutions to work together, but it was difficult."
 

Pricing and Cost Advice

"The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."
"The pricing was not very good. This is just a framework which shouldn’t cost so much."
"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
"The solution is costly."
"We have purchased an annual license to use this solution. The price is reasonable."
"It is a good product but a little overpriced."
"The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."
"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."
"The price of the solution is expensive compared to other solutions."
"Compared to Veracode, Snyk is definitely a cheaper tool."
"Snyk is an expensive solution."
"Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us."
"Snyk is a premium-priced product, so it's kind of expensive. The big con that I find frustrating is when a company charges extra for single sign-on (SSO) into their SaaS app. Snyk is one of the few that I'm willing to pay that add-on charge, but generally I disqualify products that charge an extra fee to do integrated authentication to our identity provider, like Okta or some other SSO. That is a big negative. We had to pay extra for that. That little annoyance aside, it is expensive. You get a lot out of it, but you're paying for that premium."
"On a scale of one to ten, where one is cheap and ten is expensive, I rate the pricing a three. It is a cheap solution."
"Cost-wise, it's similar to Veracode, but I don't know the exact cost."
"We are using the open-source version for the scans."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
789,728 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
21%
Computer Software Company
15%
Manufacturing Company
9%
Government
5%
Computer Software Company
16%
Financial Services Firm
15%
Manufacturing Company
8%
Insurance Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The solution's price is high and you pay based on the number of users.
How does Snyk compare with SonarQube?
Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you a...
What do you like most about Snyk?
The most effective feature in securing project dependencies stems from its ability to highlight security vulnerabilities.
What needs improvement with Snyk?
I use Snyk alongside Sonar, and Snyk tends to generate a lot of false positives. Improving the overall report quality and reducing false positives would be beneficial. I don't need additional featu...
 

Comparisons

 

Learn More

 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief
Find out what your peers are saying about Checkmarx One vs. Snyk and other solutions. Updated: June 2024.
789,728 professionals have used our research since 2012.