They are mainly two different products.
If your goal is to set the quality on code then SonarQube is your answer.
On the other side, if your main goal is to set high-quality standards in terms of cybersecurity (i.e. both security and compliance with regulations), then Veracode is a better match.
I am looking for pros and cons for the Checkmarx vs SonarQube, in particular regarding:
tuning Sonarqube to reduce false positives without introducing false negatives.
I am also wondering if SonarQube could allow developers to delint their code before submitting it to SAST with either Checkmarx or Veracode.
Head of Software Delivery at a tech services company with 51-200 employees
06 July 20
My opinions are my own and do not represent any other entities that I may be or have been affiliated with.
On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.
As for Checkmarx vs SonarQube...
Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25.
Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.
SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.
I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.
In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.
Hope that helps
Factory Head, Web (Digital), Social, Mobile Enterprise COE at a pharma/biotech company with 10,001+ employees
07 July 20
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technology products and we want your vote!
If there’s a technology solution that’s really impressed you, here’s an opportunity to recognize that. It’s easy: go to the PeerSpot voting site, complete the brief voter registration form, review the list of nominees and vote. Get your colleagues to vote, too!
What is OWASP?
The OWASP or Open Web Application Security Project is a nonprofit foundation dedicated to improving software security. It operates under an open community model, meaning that anyone can participate in and contribute to OWASP-related online chats and projects. The OWASP ensures that its offerings (online tools, videos, forums, events, etc.) remain free and are easily accessible t...
Hi community members,
Here is our new Community Spotlight for YOU. We publish it to help you catch up on recent contributions by community members.
Do you find it useful? Please comment below!
Top HCI in 2022
What are the main differences between XDR and SIEM?
Top 5 Ethernet Switches in 2022
SASE: what is it and what are the main benefits?
Privacy Concerns in an RPA Implementation Program.
The biggest concern we (as RPA solution implementors) have faced when interacting with clients and customers were:
1. Regulatory and Compliance issues.
2. InfoSec and Security issues.
3. Audit Issues.
Regulatory and Compliance Issues: There is a huge penalty if the wrong data gets updated and emails are sent to customers by the regulatory...
ICT is getting more and more complex: today I have several systems in Chicago, several more in Amsterdam and if you need to protect your environment you will need to check on-premises, the cloud at Amazon, and the cloud at Microsoft Azure.
Why is Performance related to security?
For the following reasons:
Today we need more than one tool to protect our environment. You need anti-spoofing...