We performed a comparison between Checkmarx and Micro Focus Fortify on Demand based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: The two solutions are very comparable. All categories received similar ratings except that Checkmarx got better rewviews on deployment and support.
"The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
"It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results."
"Most valuable features include: ease of use, dashboard. interface and the ability to report."
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"Less false positive errors as compared to any other solution."
"Vulnerability details is valuable."
"The most valuable features are the easy to understand interface, and it 's very user-friendly."
"What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
"The most valuable features are the server, scanning, and it has helped identify issues with the security analysis."
"The scanning capabilities, particularly for our repositories, have been invaluable."
"While using Micro Focus Fortify on Demand we have been very happy with the results and findings."
"Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out."
"Micro Focus WebInspect and Fortify code analysis tools are fully integrated with SSC portals and can instantly register to error tracking systems, like TFS and JIRA."
"One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
"Fortify on Demand can be scaled very easily."
"Fortify on Demand is easy to use and the reporting is good."
"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."
"Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not."
"Checkmarx could improve the REST APIs by including automation."
"The pricing can get a bit expensive, depending on the company's size."
"Some of the descriptions were found to be missing or were not as elaborate as compared to other descriptions. Although, they could be found across various standard sources but it would save a lot of time for developers, if this was fixed."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise. In the next release, we need more reports and more analytic views for all the applications. There is no enterprise view in Fortify. I would like enterprise views and reports."
"We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This could procedure could improve."
"Micro Focus Fortify on Demand cannot be run from a Linux Agent. When we are coding the endpoint it will not work, we have to use Windows Agent. This is something they could improve."
"I would like the solution to add AI support."
"Sometimes when we run a full scan, we have a bunch of issues in the code. We should not have any issues."
"The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to."
"Primarily for a complex, advanced website, they don't really understand some of the functionalities. So for instance, they could tell us that there is a vulnerability because somebody could possibly do something, but they don't really understand the code to realize that we actually negate that vulnerability through some other mechanism in the program. In addition, the technical support is just not there. We have open tickets. They don't respond. Even if they respond, we're not seeing eye to eye. As the company got sold and bought, the support got worse."
"Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Fortify on Demand is ranked 11th in Application Security Tools with 56 reviews. Checkmarx One is rated 7.6, while Fortify on Demand is rated 8.0. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". Checkmarx One is most compared with SonarQube, Veracode, Snyk, Coverity and Mend.io, whereas Fortify on Demand is most compared with SonarQube, Veracode, Coverity, Fortify WebInspect and Snyk. See our Checkmarx One vs. Fortify on Demand report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.