We performed a comparison between Checkmarx and Micro Focus Fortify on Demand based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: The two solutions are very comparable. All categories received similar ratings except that Checkmarx got better rewviews on deployment and support.
"The solution has good performance, it is able to compute in 10 to 15 minutes."
"The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled."
"Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes."
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results."
"The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
"The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools."
"Vulnerability details is valuable."
"It improves future security scans."
"Fortify helps us to stay updated with the newest languages and versions coming out."
"Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases."
"It is a very easy tool for developers to use in parallel while they're doing the coding. It does auto scanning as we are progressing with the CI/CD pipeline. It has got very simple and efficient API support."
"We identified a lot of security vulnerability much earlier in the development and could fix this well before the product was rolled out to a huge number of clients."
"This product is top-notch solution and the technology is the best on the market."
"Fortify on Demand can be scaled very easily."
"The installation was easy."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"Implementing a blackout time for any user or teams: Needs improvement."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"The solution's user interface could be improved because it seems outdated."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"We have received some feedback from our customers who are receiving a large number of false positives."
"The reports are good, but they still need to be improved considering what the UI offers."
"Updating and debugging of queries is not very convenient."
"Fortify on Demand could be improved with support in Russia."
"With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP’s FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities."
"Reporting could be improved."
"Takes up a lot of resources which can slow things down."
"It's still a little bit too complex for regular developers. It takes a little bit more time than usual. I know static code scan is not the main focus of the tool, but the overall time span to scan the code, and even to set up the code scanning, is a bit overwhelming for regular developers."
"The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools."
"We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This could procedure could improve."
"There are many false positives identified by the solution."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Fortify on Demand is ranked 11th in Application Security Tools with 56 reviews. Checkmarx One is rated 7.6, while Fortify on Demand is rated 8.0. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Fortify on Demand writes "Provides good depth of scanning but is unfortunately not fully integrated with CIT processes ". Checkmarx One is most compared with SonarQube, Veracode, Snyk, Coverity and Mend.io, whereas Fortify on Demand is most compared with SonarQube, Veracode, Coverity, Fortify WebInspect and Snyk. See our Checkmarx One vs. Fortify on Demand report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.