2015-03-26T13:44:00Z
Ariel Lindenfeld - PeerSpot reviewer
Director of Community at PeerSpot

Checkmarx or Veracode. Which should we choose?

Has anyone done a comparison between Checkmarx and Veracode application security testing?

What are the main pros and cons of each solution?

What else do we need to consider when evaluating these two products?

2 Answers
it_user318207 - PeerSpot reviewer
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
2015-09-24T18:34:18Z

As someone who has long been using HP Fortify, I've been actively looking at both these tools as serious options. Both are reputable SAST products but work very differently. You wouldn't go wrong choosing either, but you should take into account the width and breadth of each when deciding. Pricing will vary, but both products are fairly competitive with each other.

Veracode uses supplied binaries to perform the static scan. Although not a huge deal, this still requires a build and an initial baseline review that can potentially take days to complete. Follow-up scans are performed in the same manner but turn around faster. Veracode also has AppSec staff available (at additional cost) to assist your developers. This is great if your company is in its infosec infancy or lacking FTE resources. The only downsides at this stage appear to be the IDE integration and that VC does not offer an on-premise solution. One other plus is that Veracode also offers a dynamic solution. (Integrates with Jenkins/JIRA/etc.)

Checkmarx is a pretty swift-moving SAST tool. It offers both a cloud and an on-premise solution and is very light on resources. Checkmarx works differently in that it scans the source code directly; no builds are required. However, if you are looking for simple and easy with all the bells and whistles, Cx is great. Further, if you are an enterprise that has an endless supply of projects (new and legacy) that need evaluation, you can spin them up quickly and consistently with Cx. Not having to perform a build makes the process much easier, especially when you're working with legacy products whose developers may have left long ago. (Integrates with Jenkins/JIRA/GIT/SVN/etc.) A couple of downsides include the lack of a dynamic product and that you may miss something that another product would evaluate in the build process.

it_user560568 - PeerSpot reviewer
User at JPMorgan
Real User
2016-11-27T18:03:16Z

Hi Joe, excellent post. Thank you. I am new to the static scanning world. My understanding is that Fortify requires a build into an intermediate format for its analysis (e.g. taint, data flow, etc.). You also include the binaries of any libraries that are part of the build. I assume you felt the trade-off between ease of use versus the potential to "miss something" that a build product would evaluate was not worth going to a build product solution. Thanks again, Joe.
