Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
2015-09-24T18:34:18Z
Sep 24, 2015
As someone who has been long using HP Fortify, I've been actively looking at both these tools as serious options. Both are reputable SAST products but work very differently. You wouldn't go wrong choosing either, but you should take into account the width and breadth of each when deciding. Pricing will vary, but both products are fairly competitive with each other.
Veracode uses supplied binaries to perform the static scan. Although not a huge deal, this still requires a build and an initial baseline review that can potentially take days to complete. Follow-up scans are performed in the same manner but turn around faster. Veracode also has APPSEC staff available (at additional cost) to assist your developers. This is great if your company is in its infosec infancy or lacking FTE resources. The only downsides at this stage appear to be the IDE integration and that VC does not offer an on-premise solution. One other plus is that Veracode also offers a dynamic solution. (Integrates with Jenkins/JIRA/etc.)
Checkmarx is a pretty swift-moving SAST tool. It offers both a cloud and an on-premise solution and is very light on resources. Checkmarx works differently in that it scans the source code directly; no builds are required. However, if you are looking for simple and easy with all the bells and whistles, Cx is great. Further, if you are an enterprise that has an endless supply of projects (new and legacy) that need evaluation, you can spin them up quickly and consistently with Cx. Not having to perform a build makes the process much easier, especially when you're working with legacy products whose developers may have left long ago. (Integrates with Jenkins/JIRA/GIT/SVN/etc.) A couple of downsides include the lack of a dynamic product and that you may miss something that another product would evaluate in the build process.
Hi Joe, excellent post. Thank you. I am new to the static scanning world. My understanding is that Fortify requires a build into an intermediate format for its analysis (e.g. taint, data flow, etc.). You also include the binaries of any libraries that are part of the build. I assume you felt the trade-off between ease of use versus the potential to "miss something" that a build product would evaluate was not worth going to a build product solution. Thanks again, Joe.
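The trade-off discussed in the two posts above, in toy form: a scanner that has the library bodies (as a build/binary-based scan does) can follow tainted data through a library call, while a source-only scan has to apply a fixed policy to calls it cannot see, and so either under-reports or over-reports. This is an added example, not code from the thread or from either vendor; the mini IR, the `lib.normalize` and `lib.escape` functions and the `analyze` routine are all constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed mini IR: each function takes one parameter named "param" and is a
# list of statements: ("assign", dst, src) | ("const", dst) [taint-free value] |
# ("call", dst, callee, arg) | ("sink", src) [dangerous use] | ("return", src).
Program = Dict[str, List[Tuple[str, ...]]]

APP: Program = {  # application source, always visible to the scanner
    "handle_request": [                             # param = untrusted request data
        ("call", "path", "lib.normalize", "param"), # library passes taint through
        ("sink", "path"),                           # real finding
        ("call", "safe", "lib.escape", "param"),    # library sanitises
        ("sink", "safe"),                           # not a finding
    ],
}
LIB: Program = {  # third-party bodies, visible only when the built binaries are scanned
    "lib.normalize": [("assign", "out", "param"), ("return", "out")],
    "lib.escape": [("const", "out"), ("return", "out")],
}

def analyze(entry: str, prog: Program, assume_unresolved_tainted: bool):
    """Return (findings, unresolved callees). A call into a function missing from
    `prog` cannot be followed, so it is handled by a fixed policy instead."""
    findings: List[Tuple[str, str]] = []
    unresolved: Set[str] = set()

    def returns_taint(fn: str, arg_tainted: bool) -> bool:
        if fn not in prog:
            unresolved.add(fn)
            return assume_unresolved_tainted
        tainted = {"param"} if arg_tainted else set()
        for stmt in prog[fn]:
            op = stmt[0]
            if op == "assign":
                (tainted.add if stmt[2] in tainted else tainted.discard)(stmt[1])
            elif op == "const":
                tainted.discard(stmt[1])
            elif op == "call":
                _, dst, callee, arg = stmt
                hit = returns_taint(callee, arg in tainted)
                (tainted.add if hit else tainted.discard)(dst)
            elif op == "sink" and stmt[1] in tainted:
                findings.append((fn, stmt[1]))
            elif op == "return":
                return stmt[1] in tainted
        return False

    returns_taint(entry, True)  # the entry point's parameter is untrusted input
    return findings, sorted(unresolved)
```

Running `analyze` over `APP` alone with the "assume clean" policy misses the real sink, and with the "assume tainted" policy it also flags the sanitised one; only the run over `APP` plus `LIB` reports exactly the real finding with nothing unresolved.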
Hello community,
After the first full scan with Veracode SAST, when the programmer changes something in the code, does he scan the code again completely or only the changes?
Thank you.
They are mainly two different products.
If your goal is to set the quality on code then SonarQube is your answer.
On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.