We performed a comparison between Checkmarx and Fortify Application Defender based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"It's comprehensive from a feature standpoint."
"The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use."
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
"The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly."
"Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"The solution has good performance, it is able to compute in 10 to 15 minutes."
"Apart from software scanning, software composition scanning is valuable."
"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all."
"One of the most valuable features is it is flexible."
"The setup is fairly easy. We didn't struggle with the process at all."
"The value you can get out of the speedy production may be worth the price tag."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"We are able to provide out customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
"The product has issues with scanning."
"The UI could be better. Also, there are some scenarios where there is no security flaw, but the report indicates that there is a security flaw. The report is not perfectly accurate. So, the accuracy of the scanning reports needs improvement."
"The training lab is not very user-friendly and takes a long time to set up."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"The pricing for qualified startups such as Neo4j could be improved."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"Checkmarx could be improved with more integration with third-party software."
"Checkmarx needs to be more scalable for large enterprise companies."
"Its user interface could be improved and made more friendly."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"The integration could improve by including, for example, DevSecOps."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"The licensing can be a little complex."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
Checkmarx is ranked 7th in Application Security Tools with 21 reviews while Fortify Application Defender is ranked 23rd in Application Security Tools with 3 reviews. Checkmarx is rated 7.4, while Fortify Application Defender is rated 8.0. The top reviewer of Checkmarx writes "Supports different languages, has excellent support, and easily expands". On the other hand, the top reviewer of Fortify Application Defender writes "Secure, versatile cyber security technology ". Checkmarx is most compared with SonarQube, Micro Focus Fortify on Demand, Snyk, Coverity and Mend, whereas Fortify Application Defender is most compared with SonarQube, Coverity, Micro Focus Fortify on Demand, Sonatype Nexus Lifecycle and CAST Highlight. See our Checkmarx vs. Fortify Application Defender report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
Fewer false positives with CX than Fortify. More integrated.
Looking at the Gartner report I would say that Checkmarx is way easier to set up (initial setup) compared to Micro Focus Fortify.
Also, the financial strength of the Micro Focus Fortify spin/merger is a concern so investments could be at risk.
The major difference is that Checkmarx scans the code without compiling the code. This has a great advantage as code building issues are eliminated,
scan time is very less and false positive is less to some extent. One more major this is Checkmarx learns as you eliminate false positives and does not show the same issue again. We can perform incremental scans on the codebase where the old issue is nicely marked as "Recurring" and new ones in Red as NEW. Checkmarx has a highly customizable filter creation where you can create a filter that can eliminate the common recurring issues in
scans. This feature is very flexible and you can write your own filters and also, write specific patterns that are found in manual review which is a
great help as coding styles differ form teams to teams.
Thanks a lot. Thank you for the information.