1. Look at your application inventory to determine the language and framework coverage.
2. The following would be what has the developer integrations with my current and future state CI/CD toolset, Developer IDE's
3. Do I have the security team to support it? Helps determine vendor and approach. I say Fortify as they are the only Hybrid (Cloud and OnPremise) approach.
4. Does this need to be Cloud or On-Premise?
My most successful customers have used the following:
SAST - Hybrid of Fortify on-premise and Fortify on Demand, if support is needed for Perl or Groovy, buy some CheckMarx to cover that gap and Correlate findings with Saltworks SaltMiner.
DAST - WebInspect/ScanCentral & Fortify on Demand
Component Scanning - The most successful deployments have been with SonaType due to the Fortify integration. Blackduck, WhiteSource, and Snyk also manage plugins to Fortify SSC. If there is no budget, use OWASP Dependency Track to build your use case for a more robust Composition Analysis tool.
Vulnerability auditing - Done within Fortify SSC or Fortify OnDemand
Mitigation - Your Team, but if consulting is needed I would recommend Saltworks Security, Deloitte, Accenture & Cigital which have a reputation for managing Fortify programs.
Ping me if you need further guidance.
Search for a product comparison in Static Application Security Testing (SAST)
The best application security testing platforms include GitHub, GitLab, HCL AppScan, Netsparker, Acunetix Vulnerability Scanner, Pentest-Tools.com, Detectify Deep Scan, Appknox, Checkmarx, and Micro Focus Fortify On Demand.
A lot of responses already on this one. Considerations will include on-premises vs SaaS, one tool vs modular approach to using different tools. I will share some additional details
1. Snyk: It can do SAST, SCA, Containers, IaaC scripts - all 4. They have 4 products as part of their SaaS platform. It's commercial and has an open-source version with limited capabilities. Their on-premises scanner is in private beta
2. Clouddefense.AI: It can do SAST, DAST, SCA, etc. Commercial SaaS Platform. Uses ZAP rules behind the scenes for DAST
3. Synopsys: Great product, the leader in Gartner MQ 2021. Can do IAST as well.
4. SonarQube Enterprise Licensed Deployment is an excellent product for SAST. It supports 27+ languages including SQL, strong reporting capabilities, trend analysis.
If you need to do CSPM (Cloud Security Posture Management), you will need to look at others like Prisma Cloud.
Hi my name is Rogerio from Xmart Solutions Brazil (we are an independent consultancy that represents several AST solutions). Some factors are important to be evaluated such as:
How many SAST applications (static analysis) and how often will you do the analysis? How many analyzes (URLs) will you do dynamically?
What are your sprints? Do you have internal development or third parties?
Which languages from your legacy? How will you implement integrations? What tools?
Incident Manager at a tech services company with 1,001-5,000 employees
Real User
Apr 22, 2021
I suggest go for a Secure SDLC approach by integrating security at each level of the development life cycle. If you are constrained to select just one from the above then start with DAST. As it helps simulate realtime attacks on your production application and thus helps you address the most glaring issues.
Find out what your peers are saying about SonarSource Sàrl, Checkmarx, Veracode and others in Static Application Security Testing (SAST). Updated: May 2026.
I would like you to buy CHECKMARX as a SAST TOOL and have a look to KONDUKTO which embeds security tests into DevOps pipelines in an automated fashion using both open source and commercial security tools. Vulnerabilities coming from different sources, be it from penetration tests, bug bounty programs or automated tools can be managed in a single platform to provide a unified view. With its unique process automation and CI/CD integration capabilities, Kondukto helps to scale AppSec effort and paves the way for DevSecOps. My advice to pay attention the Visibility into vulnerabilities in native environments leads to improved security awareness among developers.
✔ Custom-tailored training programs based on the vulnerabilities created by each developer and team increase the ROI of training.
✔ Remediation database allows developers to benefit from the know-how accumulated in the company and fix vulnerabilities faster.
Static Application Security Testing provides tools to identify vulnerabilities in code early in the development cycle, improving security and minimizing risk exposure.SAST focuses on analyzing source code, binaries, or bytecode to detect issues like SQL injection, buffer overflows, and cross-site scripting. This proactive approach enables developers to remediate potential security flaws before applications are deployed. The solution integrates seamlessly with existing CI/CD pipelines,...
The first thing you'd want to do is:
1. Look at your application inventory to determine the language and framework coverage.
2. The following would be what has the developer integrations with my current and future state CI/CD toolset, Developer IDE's
3. Do I have the security team to support it? Helps determine vendor and approach. I say Fortify as they are the only Hybrid (Cloud and OnPremise) approach.
4. Does this need to be Cloud or On-Premise?
My most successful customers have used the following:
Ping me if you need further guidance.
The best application security testing platforms include GitHub, GitLab, HCL AppScan, Netsparker, Acunetix Vulnerability Scanner, Pentest-Tools.com, Detectify Deep Scan, Appknox, Checkmarx, and Micro Focus Fortify On Demand.
SAST - Veracode, goes well with integration
DAST - Either Microfocus Webinspect or Burp Suite Professional or OWASP ZAP (Open Source)
Component Scanning - Blackduck or Sonatype Nexus Platform or Whitesource Bolt
Vulnerability Auditing - Nessus & CIS - CAT ( Assessor Pro) or Qualys
Mitigation - Team effort, for Security Orchestration - Threadfix or ZeroNorth
Hello @Charles Race,
A lot of responses already on this one. Considerations will include on-premises vs SaaS, one tool vs modular approach to using different tools. I will share some additional details
1. Snyk: It can do SAST, SCA, Containers, IaaC scripts - all 4. They have 4 products as part of their SaaS platform. It's commercial and has an open-source version with limited capabilities. Their on-premises scanner is in private beta
2. Clouddefense.AI: It can do SAST, DAST, SCA, etc. Commercial SaaS Platform. Uses ZAP rules behind the scenes for DAST
3. Synopsys: Great product, the leader in Gartner MQ 2021. Can do IAST as well.
4. SonarQube Enterprise Licensed Deployment is an excellent product for SAST. It supports 27+ languages including SQL, strong reporting capabilities, trend analysis.
If you need to do CSPM (Cloud Security Posture Management), you will need to look at others like Prisma Cloud.
Hope this helps.
Hi my name is Rogerio from Xmart Solutions Brazil (we are an independent consultancy that represents several AST solutions). Some factors are important to be evaluated such as:
How many SAST applications (static analysis) and how often will you do the analysis? How many analyzes (URLs) will you do dynamically?
What are your sprints? Do you have internal development or third parties?
Which languages from your legacy? How will you implement integrations? What tools?
Would you like to have everything automated?
These are just a few questions for your decision.
I hope I've contributed.
I suggest go for a Secure SDLC approach by integrating security at each level of the development life cycle. If you are constrained to select just one from the above then start with DAST. As it helps simulate realtime attacks on your production application and thus helps you address the most glaring issues.
Kiuwan - scan for 3rd party libs
SonarQube - CD\CI integration with low price
I would like you to buy CHECKMARX as a SAST TOOL and have a look to KONDUKTO which embeds security tests into DevOps pipelines in an automated fashion using both open source and commercial security tools. Vulnerabilities coming from different sources, be it from penetration tests, bug bounty programs or automated tools can be managed in a single platform to provide a unified view. With its unique process automation and CI/CD integration capabilities, Kondukto helps to scale AppSec effort and paves the way for DevSecOps. My advice to pay attention the Visibility into vulnerabilities in native environments leads to improved security awareness among developers.
✔ Custom-tailored training programs based on the vulnerabilities created by each developer and team increase the ROI of training.
✔ Remediation database allows developers to benefit from the know-how accumulated in the company and fix vulnerabilities faster.