Try our new research platform with insights from 80,000+ expert users

Checkmarx Software Composition Analysis vs OpenText Static Application Security Testing comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Checkmarx Software Composit...
Average Rating
9.0
Reviews Sentiment
7.6
Number of Reviews
13
Ranking in other categories
Software Composition Analysis (SCA) (8th)
OpenText Static Application...
Average Rating
8.2
Reviews Sentiment
6.9
Number of Reviews
19
Ranking in other categories
Static Code Analysis (2nd)
 

Mindshare comparison

While both are Security Software solutions, they serve different purposes. Checkmarx Software Composition Analysis is designed for Software Composition Analysis (SCA) and holds a mindshare of 2.6%, down 2.9% compared to last year.
OpenText Static Application Security Testing, on the other hand, focuses on Static Code Analysis, holds 11.4% mindshare, up 10.2% since last year.
Software Composition Analysis (SCA)
Static Code Analysis
 

Featured Reviews

Tharindu Malwenna - PeerSpot reviewer
Efficient library identification and upgrade suggestions improve application security
We have many third-party libraries in our organization. I used Checkmarx Software Composition Analysis to identify all the libraries we use and determine whether they are used or unused within the application Checkmarx Software Composition Analysis provides identification of libraries and…
Aphiwat Leetavorn. - PeerSpot reviewer
Provides extensive language support and enhances secure coding practices
The deployment of Fortify Static Code Analyzer needs to be simplified. It should be easier to install, perhaps through a container-based approach where everything is combined into one image or pack of containers. This change would facilitate easier installations and ensure all necessary components are connected and ready to use.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"It is very easy and user friendly. It never requires any kind of technical support. You can do everything on your own."
"One of the strong points of this solution is that it allows you to incorporate it into a CICB pipeline. It has the ability to do incremental scans. If you scan a very large application, it might take two hours to do the initial scan. The subsequent scans, as people are making changes to the app, scan the Delta and are very fast. That's a really nice implementation. The way they have incorporated the functionality of the incremental scans is something to be aware of. It is quite good. It has been very solid. We haven't really had any issues, and it does what it advertises to do very nicely."
"What's most valuable in Checkmarx Software Composition Analysis is its ability to identify vulnerabilities in open-source components, especially if some critical issues exist."
"It is a stable solution...It is a scalable solution."
"The customer service and support were good."
"It has improved identification capabilities, scalability, and integration with AI, such as the AI-powered suggestions."
"The product is stable and scalable."
"The integration part is easy...It's a stable solution right now."
"Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like password credentials and access keys embedded in the code."
"The integration Subset core integration, using Jenkins is one of the good features."
"I recommend this product due to its good pricing, extensive language support, valuable features, and additional features like Fortify Academy."
"Automating the Jenkins plugins and the build title is a big plus."
"We've found the documentation to be very good."
"You can really see what's happening after you've developed something."
"I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
"We write software, and therefore, the most valuable aspect for us is basically the code analysis part."
 

Cons

"Parts of the implementation process could improve by making it more user-friendly."
"Personally, I currently use it as a standalone tool without integrating it with other systems, and it meets my needs adequately. As a suggestion, I request on considering to add a "what if" feature to the application. Currently, when the tool identifies issues and suggests updates, if I want to explore different scenarios, I need to prepare another file, turn it into a ZIP, and run the analysis again. It would be more convenient if there was a "what if" option in the GUI. This feature could simulate a run, allowing me to quickly check the impact of changing one or more files or versions without the need for a full rerun."
"It can have better licensing models."
"Checkmarx Software Composition Analysis should improve dynamic analysis."
"Its pricing can be improved. It is a little bit high priced. It would be better if it was a little less expensive. It is a good tool, and we're still figuring out how to fully leverage it. There are some questions regarding whether it can scan the MuleSoft code. We don't know if this is a gap in the tool or something else. This is one thing that we're just working through right now, and I am not ready to conclude that there is a weakness there. MuleSoft is kind of its own beast, and we're trying to see how we get it to work with Checkmarx."
"The solution could improve by determining the success factor of an upgrade, which is currently lacking."
"In terms of areas for improvement, what could be improved in Checkmarx Software Composition Analysis is pricing because customers always compare the pricing among secure DevOps solutions in the market. Checkmarx Software Composition Analysis has a lot of competitors yet its features aren't much different. Pricing is the first thing customers consider, and from a partner perspective, if you can offer affordable pricing to your customers, it's more likely you'll have a winning deal. The performance of Checkmarx Software Composition Analysis also needs improvement because sometimes, it's slow, and in particular, scanning could take several hours."
"API security is an area with shortcomings that needs improvement."
"Their licensing is expensive."
"The deployment of Fortify Static Code Analyzer needs to be simplified."
"Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize."
"The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit."
"Not all languages are supported in Fortify."
"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
"The generation of false positives should be reduced."
"Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date."
 

Pricing and Cost Advice

"The license model is somewhat perplexing as it comprises multiple aspects that can be confusing for customers. The model is determined by the number of registered users and the number of projects being scanned, along with a third component that adds to the complexity."
"My customers need to pay for the licensing part, and they need to opt for an annual subscription."
"Pricing for Checkmarx Software Composition Analysis needs to be competitive."
"We don't have a license. The usage is limited to one, two, three, five, or ten people. It is currently used for all projects, and there are plans to increase its usage."
"It is a little bit high priced. It would be better if it was a little less expensive."
"It has a couple of license models. The one that we use most frequently is called their flexible deployment. We use this one because it is flexible and based on the number of code-contributing developers in the organization. It includes almost everything in the Fortify suite for one developer price. It gives access to not just the secure code analyzer (SCA) but also to FSC, the secure code. It gives us accessibility to scan central, which is the decentralized scanning farm. It also gives us access to the software security center, which is the vulnerability management platform."
"Although I am not responsible for the budget, Fortify SAST is expensive."
"The licensing is expensive and is in the 50K range."
"I rate the pricing of Fortify Static Code Analyzer as a seven out of ten since it is a bit expensive."
"The price of Fortify Static Code Analyzer could be reduced."
"There is a licensing fee, and if you bring them to the company and you want them to do the installation and the implementation in the beginning, there is a separate cost. Similarly, if you want consultation or training, there is a separate cost. I see it as suitable only for enterprises. I do not see it suitable for a small business or individual use."
"The setup costs and pricing for Fortify may vary depending on the organization's needs and requirements."
"From our standpoint, we are significantly better off with Fortify due to the favorable pricing we secured five years ago."
report
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
859,687 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
36%
Manufacturing Company
11%
Computer Software Company
9%
Insurance Company
4%
Financial Services Firm
30%
Computer Software Company
13%
Manufacturing Company
10%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about Checkmarx Software Composition Analysis?
The tool's visual scan analysis shows me all the libraries' vulnerabilities and license types. It helps identify the most complex issues with licenses. It provides good visibility. SCA shows me all...
What is your experience regarding pricing and costs for Checkmarx Software Composition Analysis?
Pricing is complex and high for small organizations but offers great benefits for larger organizations. It is notably different compared to competitors like GitHub Advanced Security.
What needs improvement with Checkmarx Software Composition Analysis?
The solution could improve by determining the success factor of an upgrade, which is currently lacking.
What do you like most about Fortify Static Code Analyzer?
Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like pa...
What is your experience regarding pricing and costs for Fortify Static Code Analyzer?
My experience with the pricing, setup costs, and licensing has been good. We have the scan machines, and we are planning to request more from Micro Focus now. We have calls every month or every oth...
What needs improvement with Fortify Static Code Analyzer?
I think Fortify Static Code Analyzer could be improved by updating the number of rule packs according to the latest vulnerabilities we find each year. We have updated to a version that is one less ...
 

Also Known As

CxSCA
Fortify Static Code Analysis SAST
 

Overview

 

Sample Customers

AXA, Liveperson, Aaron's, Playtech, Morningstar
Information Not Available
Find out what your peers are saying about Black Duck, Snyk, Veracode and others in Software Composition Analysis (SCA). Updated: June 2025.
859,687 professionals have used our research since 2012.