IT Central Station is now PeerSpot: Here's why

Checkmarx vs Veracode comparison

Cancel
You must select at least 2 products to compare!
Checkmarx Logo
42,534 views|33,024 comparisons
Veracode Logo
52,683 views|29,866 comparisons
Featured Review
Buyer's Guide
Checkmarx vs. Veracode
May 2022
Find out what your peers are saying about Checkmarx vs. Veracode and other solutions. Updated: May 2022.
609,272 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera.""The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages.""The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results.""It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security.""From my point of view, it is the best product on the market.""The value you can get out of the speedy production may be worth the price tag.""It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results.""The user interface is excellent. It's very user friendly."

More Checkmarx Pros →

"Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed.""One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable.""You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs.""The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful.""It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage.""My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous.""Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability.""Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."

More Veracode Pros →

Cons
"Checkmarx could improve by reducing the price.""Checkmarx could improve the speed of the scans.""Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve.""Its user interface could be improved and made more friendly.""Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.""I would like to see the rate of false positives reduced.""We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.""Checkmarx could be improved with more integration with third-party software."

More Checkmarx Cons →

"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing.""I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity.""The pricing for qualified startups such as Neo4j could be improved.""We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.""The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs.""The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it.""Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had.""The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."

More Veracode Cons →

Pricing and Cost Advice
  • "It's relatively expensive."
  • "The interface used to create custom rules comes at an additional cost."
  • "The number of users and coverage for languages will have an impact on the cost of the license."
  • "Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
  • "It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
  • "Most of my customers opted for a perpetual license. They prefer to pay the highest amount up front for the perpetual license and then pay for additional support annually."
  • "We have purchased an annual license to use this solution. The price is reasonable."
  • "We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
  • More Checkmarx Pricing and Cost Advice →

  • "I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
  • "Veracode's price is high. I would like them to better optimize their pricing."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
  • "Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
  • More Veracode Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security solutions are best for your needs.
    609,272 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results.
    Top Answer:We have purchased an annual license to use this solution. The price is reasonable.
    Top Answer:Checkmarx could improve the speed of the scans.
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Top Answer:You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs.
    Top Answer:The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us. It's an expensive product but we are paying for quality.
    Ranking
    5th
    Views
    42,534
    Comparisons
    33,024
    Reviews
    20
    Average Words per Review
    478
    Rating
    7.6
    2nd
    Views
    52,683
    Comparisons
    29,866
    Reviews
    27
    Average Words per Review
    1,308
    Rating
    8.2
    Comparisons
    Learn More
    Overview

    Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

    Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that unites with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle to reduce and remediate risk from software vulnerabilities. Using Checkmarx, teams avoid software security vulnerabilities managed via a single and unified dashboard without slowing down their delivery schedule.

    Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

    Checkmarx Features

    Some of Checkmarx’s features include:

    • Source code scanning: Detect and repair more vulnerabilities before you release your code.

    • Open-source scanning: Find and eliminate the risks in your open-source code.

    • Interactive code scanning: Scan for vulnerabilities and runtime threats.

    • Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

    Reviews from Real Users

    Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

    PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

    A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

    A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

    Offer
    Learn more about Checkmarx
    Keep your software secure

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Sample Customers
    YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
    State of Missouri, Rekner
    Top Industries
    REVIEWERS
    Computer Software Company38%
    Financial Services Firm19%
    Pharma/Biotech Company10%
    Manufacturing Company10%
    VISITORS READING REVIEWS
    Computer Software Company25%
    Financial Services Firm19%
    Comms Service Provider11%
    Manufacturing Company6%
    REVIEWERS
    Financial Services Firm31%
    Insurance Company11%
    Computer Software Company11%
    Healthcare Company7%
    VISITORS READING REVIEWS
    Computer Software Company27%
    Comms Service Provider14%
    Financial Services Firm12%
    Manufacturing Company7%
    Company Size
    REVIEWERS
    Small Business39%
    Midsize Enterprise17%
    Large Enterprise44%
    VISITORS READING REVIEWS
    Small Business13%
    Midsize Enterprise13%
    Large Enterprise75%
    REVIEWERS
    Small Business24%
    Midsize Enterprise27%
    Large Enterprise49%
    VISITORS READING REVIEWS
    Small Business16%
    Midsize Enterprise14%
    Large Enterprise70%
    Buyer's Guide
    Checkmarx vs. Veracode
    May 2022
    Find out what your peers are saying about Checkmarx vs. Veracode and other solutions. Updated: May 2022.
    609,272 professionals have used our research since 2012.

    Checkmarx is ranked 5th in Application Security with 24 reviews while Veracode is ranked 2nd in Application Security with 24 reviews. Checkmarx is rated 7.6, while Veracode is rated 8.0. The top reviewer of Checkmarx writes "No need to compile the code to execute static code analysis, but should be more container-friendly and optimized for the CI pipeline". On the other hand, the top reviewer of Veracode writes "Good reporting, comprehensive interface, and integrates well into our build pipeline". Checkmarx is most compared with SonarQube, Micro Focus Fortify on Demand, Snyk, Coverity and Mend, whereas Veracode is most compared with SonarQube, Micro Focus Fortify on Demand, Coverity, OWASP Zap and HCL AppScan. See our Checkmarx vs. Veracode report.

    See our list of best Application Security vendors and best Application Security Testing (AST) vendors.

    We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.