Checkmarx or Veracode. Which should we choose?

Ariel Lindenfeld - PeerSpot reviewer

2 Answers

it_user318207 - PeerSpot reviewer
Sep 24, 2015

As someone who has long been using HP Fortify, I've been actively looking at both these tools as serious options. Both are reputable SAST products but work very differently. You wouldn't go wrong choosing either, but you should take into account the width and breadth of each when deciding. Pricing will vary, but both products are fairly competitive with each other.

Veracode uses supplied binaries to perform the static scan. Although not a huge deal, this still requires a build and an initial baseline review that can potentially take days to complete. Follow-up scans are performed in the same manner but turn around faster. Veracode also has AppSec staff available (at additional cost) to assist your developers. This is great if your company is in its infosec infancy or lacking FTE resources. The only downsides at this stage appear to be the IDE integration and that VC does not offer an on-premise solution. One other plus is that Veracode also offers a dynamic solution. (Integrates with Jenkins/JIRA/etc.)

Checkmarx is a pretty swift-moving SAST tool. It offers both a cloud and an on-premise solution and is very light on resources. Checkmarx works differently in that it scans the source code directly; no builds are required. However, if you are looking for simple and easy with all the bells and whistles, Cx is great. Further, if you are an enterprise that has an endless supply of projects (new and legacy) that need evaluation, you can spin them up quickly and consistently with Cx. Not having to perform a build makes the process much easier, especially when you're working with legacy products whose developers may have left long ago. (Integrates with Jenkins/JIRA/Git/SVN/etc.) A couple of downsides include the lack of a dynamic product and that you may miss something that another product would evaluate in the build process.

it_user560568 - PeerSpot reviewer
Real User
Nov 27, 2016

Hi Joe, excellent post. Thank you. I am new to the static scanning world. My understanding is that Fortify requires a build into an intermediate format for its analysis (e.g. taint, data flow, etc.). You also include the binaries of any libraries that are part of the build. I assume you felt the trade-off between ease of use versus the potential to "miss something" that a build product would evaluate was not worth going to a build product solution. Thanks again, Joe.
