Shiva - PeerSpot reviewer
User at Saviynt

What is the Biggest Difference Between Checkmarx and Fortify?

I work for a midsized software startup and I am currently evaluating Checkmarx and Fortify. 

What are the biggest differences between the two? Which would you recommend?

Thanks! I appreciate the help. 

5 Answers
Senior Performance Consultant
17 December 19

Checkmarx SAST is a product supporting 20+ languages, including the modern ones (GoLang, Kotlin, Swift, Scala, TypeScript, React). Its language support is constantly kept up with the current versions of the respective languages/frameworks (e.g. .NET Core 2.x etc.).

Unlike Fortify, Checkmarx analyses raw (uncompiled) source code, which makes it less susceptible to changes in the build environment (e.g. no dependency on a specific version of Xcode).

Finally, the Checkmarx solution is available both as an on-premises and as a cloud (hosted) solution with the same capabilities. Fortify on Demand (the cloud-only solution) is different from the on-prem one.

Vice President, Cybersecurity Engineering & Cyberdefense with 1,001-5,000 employees
16 December 19

Fewer false positives with CX than Fortify. More integrated.

it_user1242723 - PeerSpot reviewer
Company Owner at BCMC
16 December 19

Looking at the Gartner report I would say that Checkmarx is way easier to set up (initial setup) compared to Micro Focus Fortify.
Also, the financial strength of the Micro Focus Fortify spin/merger is a concern so investments could be at risk.

Solving Acute Engineering Problems at a tech services company with 1,001-5,000 employees
16 December 19

The major difference is that Checkmarx scans the code without compiling it. This has a great advantage, as code-building issues are eliminated, scan time is much shorter and false positives are fewer to some extent. One more major thing is that Checkmarx learns as you eliminate false positives and does not show the same issue again. We can perform incremental scans on the codebase, where old issues are nicely marked as "Recurring" and new ones in red as "NEW". Checkmarx has highly customizable filter creation, where you can create a filter that eliminates the common recurring issues in scans. This feature is very flexible: you can write your own filters and also write specific patterns that are found in manual review, which is a great help as coding styles differ from team to team.

Shiva - PeerSpot reviewer
User at Saviynt
17 December 19

Thanks a lot. Thank you for the information.
