We performed a comparison between Checkmarx One and OWASP Zap based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."
"Helps us check vulnerabilities in our SAP Fiori application."
"The user interface is excellent. It's very user friendly."
"The most valuable feature is the simple user interface."
"The most valuable features are the easy to understand interface, and it 's very user-friendly."
"The UI is user-friendly."
"The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes."
"Both automatic and manual code review (CxQL) are valuable."
"We use the solution for security testing."
"The stability of the solution is very good."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"The API is exceptional."
"It scans while you navigate, then you can save the requests performed and work with them later."
"They offer free access to some other tools."
"It's great that we can use it with Portswigger Burp."
"The most valuable feature is scanning the URL to drill down all the different sites."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information."
"Checkmarx could improve the REST APIs by including automation."
"Integration into the SDLC (i.e. support for last version of SonarQube) could be added."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"The reports are good, but they still need to be improved considering what the UI offers."
"The integration could improve by including, for example, DevSecOps."
"I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
"ZAP's integration with cloud-based CICD pipelines could be better. The scan should run through the entire pipeline."
"The product reporting could be improved."
"I prefer Burp Suite to SWASP Zap because of the extensive coverage it offers."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it a more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"The port scanner is a little too slow."
"There isn't too much information about it online."
Checkmarx One is ranked 3rd in Static Application Security Testing (SAST) with 67 reviews while OWASP Zap is ranked 8th in Static Application Security Testing (SAST) with 37 reviews. Checkmarx One is rated 7.6, while OWASP Zap is rated 7.6. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of OWASP Zap writes "Great for automating and testing and has tightened our security ". Checkmarx One is most compared with SonarQube, Veracode, Fortify on Demand, Snyk and Fortify Application Defender, whereas OWASP Zap is most compared with SonarQube, Acunetix, Qualys Web Application Scanning, Veracode and Fortify WebInspect. See our Checkmarx One vs. OWASP Zap report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
