Checkmarx One vs Veracode comparison

Checkmarx One
Read 68 Checkmarx One reviews
  • 31,928 Views
  • 20,416 Comparison Views
86% willing to recommend
Veracode
Read 196 Veracode reviews
  • 23,575 Views
  • 15,913 Comparison Views
90% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Sep 5, 2022

We performed a comparison between Checkmarx vs.Veracode based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Users note that both products are very straightforward and simple to set up. A few Veracode users mention slight complexity.
  • Features: Users of both products are happy with their flexibility, stability, and scalability, although a few Checkmarx users note instances with bugs.

    Checkmarx users are particularly satisfied with its fast code scanning and robust security-related scanning, but note that it should also do static code and dynamic code validation.

    Veracode users say they’re impressed with the solution's ability to find issues in static analysis and with the solution’s highly accurate reporting. Some users mention the UI and UX as being disjointed and needing some improvement.
  • Pricing: Users feel that both solutions are expensive but reasonable given all they offer and compared to competitors. Some Checkmarx users mention that the pricing and licensing models are not clear.
  • ROI: Users of both solutions mention being pleased with the ROI.
  • Service and Support: Users of both solutions report excellent service and support.

Comparison Results: Veracode has the winning edge in this comparison. Customers are more satisfied with Veracode’s robust features, stability, and pricing model.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Checkmarx One vs. Veracode Report (Updated: June 2024).
Buyer's Guide
Checkmarx One vs. Veracode
June 2024
Download the complete report
Helped 793,295 peers since 2012
 

Categories and Ranking

Checkmarx One
Ranking in Application Security Tools
3rd
Ranking in Static Application Security Testing (SAST)
3rd
Ranking in Static Code Analysis
2nd
Average Rating
7.6
Number of Reviews
68
Ranking in other categories
Vulnerability Management (12th), API Security (4th), DevSecOps (2nd), Risk-Based Vulnerability Management (5th)
Veracode
Ranking in Application Security Tools
2nd
Ranking in Static Application Security Testing (SAST)
2nd
Ranking in Static Code Analysis
1st
Average Rating
8.2
Number of Reviews
196
Ranking in other categories
Container Security (4th), Software Composition Analysis (SCA) (3rd), Penetration Testing Services (3rd), Application Security Posture Management (ASPM) (2nd)
 

Mindshare comparison

As of July 2024, in the Application Security Tools category, the mindshare of Checkmarx One is 13.0%, down from 15.4% compared to the previous year. The mindshare of Veracode is 10.2%, up from 10.1% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
Unique Categories:
Static Application Security Testing (SAST)
11.1%
Vulnerability Management
0.6%
Container Security
2.7%
 

Q&A Highlights

WH
Jul 08, 2020
Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
See all answers
 

Featured Reviews

EK
Dec 24, 2020
Includes features to easily secure code, multiple language support and excellent customer support
We onboard clients with the solution. We install the product and do the first scan with them. We help developers with security and the best practices with their applications with this solution The most valued feature comes within the platform called Codebashing, it allows scanning code for…
Read full review
RO
Jun 8, 2021
Effective static analysis, plenty of tools, but needs better support for languages
The solution could improve the Dynamic Analysis Security Testing(DAST). There could be better support for different languages. It is very difficult in some languages to prepare the solution for the static analysis and this procedure is really hard for a pipeline, such as GitHub. They should make it easy to scan projects for any language like they do in other vendors, such as Checkmarx. We have found there are a lot of false positives and the severity rating we have been receiving has been different compared to other vendor's solutions. For example, in Veracode, we receive a rating of low but in others solutions, we receive a rating of high when doing the glitch analysis.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Vulnerability details is valuable."
"The most valuable feature is the simple user interface."
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"The solution is scalable, but other solutions are better."
"The setup is fairly easy. We didn't struggle with the process at all."
"The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions)."
"Less false positive errors as compared to any other solution."
"It has all the features we need."
More Checkmarx One pros
"Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode."
"Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process."
"I like Veracode's integration with our CI/CD. It automatically scans our code when we do the build. It can also detect any security flaws in our third-party libraries. Veracode is good at pinpointing the sections of code that have vulnerabilities."
"The coverage of backdoors attacks on security that's the most valuable for my clients."
"Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us."
"Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes."
"It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in."
"It changes the DevSecOps process because we find flaws much earlier in the development life cycle, and we also spot third-party software that we don't allow on developers' machines."
More Veracode pros
 

Cons

"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"The plugins for the development environment have room for improvements such as for Android Studio and X code."
"As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to."
"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"If it is a very large code base then we have a problem where we cannot scan it."
"Checkmarx could be improved with more integration with third-party software."
"I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."
"Integration into the SDLC (i.e. support for last version of SonarQube) could be added."
More Checkmarx One cons
"I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."
"We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process."
"The solution could improve the Dynamic Analysis Security Testing(DAST)."
"One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced."
"I am expecting some AI-related features in it. Also, if someone is using AI-generated code, Veracode should be able to detect that."
"We have approximately 900 people using the solution. The solution is scalable, but there is a high cost attached to it."
"While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
More Veracode cons
 

Pricing and Cost Advice

"The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."
"We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
"Be cautious of the one-year subscription date. Once it expires, your price will go up."
"The interface used to create custom rules comes at an additional cost."
"​Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."
"This solution is expensive. The customized package allows you to buy additional users at any time."
"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."
"It is an expensive solution."
More Checkmarx One pricing and cost advice
"The cost of Veracode is high."
"I think the pricing is in line with the rest of the tools. I think you get what you pay for. It is certainly not inexpensive, but the value proposition is there. There are certainly cheaper tools, but I don't think we'd be getting the support that we get with those, and that is what separates this product from the others."
"There are no setup or implementation charges. They offer a free trial and free consulting services... The price depends on your requirements, your source code sizes, and how complicated your source code is."
"Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need."
"The pricing is fair. You get a lot out of the product."
"The pricing for Veracode is high, making it difficult for beginners to afford."
"The pricing and licensing are reasonable, and relatively straightforward, and different licensing and subscription models are available."
"Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support."
More Veracode pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
See recommendations
793,295 professionals have used our research since 2012.
 

Answers from the Community

WH
Jul 8, 2020
Jul 8, 2020
Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
My opinions are my own and do not represent any other entities that I may be or have been affiliated with. On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon. As for Checkmarx vs SonarQube... Checkmarx may cover more rules over a wider land...
2 out of 3 answers
DG
Jul 6, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
Read full answer
DG
Jul 7, 2020
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.
Read full answer
See all 3 answers
 

Top Industries

By visitors reading reviews
Financial Services Firm
21%
Computer Software Company
15%
Manufacturing Company
10%
Government
5%
Financial Services Firm
18%
Computer Software Company
16%
Manufacturing Company
9%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
See all answers
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
See all answers
What is your experience regarding pricing and costs for Checkmarx?
The tool's pricing is fine.
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
What do you like most about Veracode?
The SAST and DAST modules are great.
See all answers
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
See all answers
 

Comparisons

SonarQube vs Checkmarx One Logo
SonarQube vs Checkmarx One
Compared 52% of the time
Fortify on Demand vs Checkmarx One Logo
Fortify on Demand vs Checkmarx One
Compared 7% of the time
Snyk vs Checkmarx One Logo
Snyk vs Checkmarx One
Compared 4% of the time
Coverity vs Checkmarx One Logo
Coverity vs Checkmarx One
Compared 4% of the time
Mend.io vs Checkmarx One Logo
Mend.io vs Checkmarx One
Compared 2% of the time
More Checkmarx One Competitors
SonarQube vs Veracode Logo
SonarQube vs Veracode
Compared 26% of the time
Fortify on Demand vs Veracode Logo
Fortify on Demand vs Veracode
Compared 7% of the time
Snyk vs Veracode Logo
Snyk vs Veracode
Compared 6% of the time
Fortify Static Code Analyzer vs Veracode Logo
Fortify Static Code Analyzer vs Veracode
Compared 4% of the time
OWASP Zap vs Veracode Logo
OWASP Zap vs Veracode
Compared 3% of the time
More Veracode Competitors
 

Product Reports

Buyer's Guide
Checkmarx One
July 2024
Checkmarx One reportDownload Checkmarx One product report
Buyer's Guide
Veracode
June 2024
Veracode reportDownload Veracode product report
 

Also Known As

No data available
Crashtest Security , Veracode Detect
 

Learn More

Checkmarx
Veracode
 

Overview

Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

Checkmarx One offers comprehensive application scanning across the SDLC:

  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • API security
  • Dynamic Application Security Testing (DAST)
  • Container security
  • IaC security
  • Correlation, prioritization, and risk management
  • Codebashing secure code training
  • AI security
  • Tech partnerships extending AppSec into runtime analysis
  • Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-generated remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achievereal-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.

Learn more atwww.veracode.com, on theVeracode blog, and onLinkedInandTwitter.

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Buyer's Guide
Checkmarx One vs. Veracode
June 2024
Free Report: Checkmarx One vs. Veracode
Find out what your peers are saying about Checkmarx One vs. Veracode and other solutions. Updated: June 2024.
DOWNLOAD NOW
793,295 professionals have used our research since 2012.
See our Checkmarx One vs. Veracode report.
See our list of best Application Security Tools vendors, best Static Application Security Testing (SAST) vendors, and best Static Code Analysis vendors.

We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.