We performed a comparison between Checkmarx vs.Veracode based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Veracode has the winning edge in this comparison. Customers are more satisfied with Veracode’s robust features, stability, and pricing model.
"The solution communicates where to fix the issue for the purpose of less iterations."
"The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
"Helps us check vulnerabilities in our SAP Fiori application."
"Our static operation security has been able to identify more security issues since implementing this solution."
"The solution allows us to create custom rules for code checks."
"Both automatic and manual code review (CxQL) are valuable."
"The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time."
"One of the most valuable features is it is flexible."
"Ours is a Java-based application and Veracode can detect vulnerabilities in both Angular, which is used for the UI, and also in the backend code, which includes APIs and microservices."
"I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues."
"Veracode provides faster scans compared to other static analysis security testing tools."
"One thing that I like about Veracode is that it is quite a good tool for dynamic application testing."
"Static Scanning is the most valuable feature of Veracode."
"This is a great tool for learning about potential vulnerabilities in code."
"One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important."
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
"Checkmarx has a slightly difficult compilation with the CI/CD pipeline."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
"The validation process needs to be sped up."
"The reports are good, but they still need to be improved considering what the UI offers."
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"Its user interface could be improved and made more friendly."
"The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."
"We can run only one project at a time."
"They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages."
"Veracode's false positives have room for improvement."
"When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us."
"I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams."
"When Veracode updates the pool of tests and security checks, it could be a little more transparent about what it is releasing. It's not clear what it's adding. They do thousands of checks, and when they add more, there aren't many details about what the new tests are doing."
"Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year."
"It needs more timely support for newer languages and framework versions."
"I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that time frame, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Checkmarx One is rated 7.6, while Veracode is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Checkmarx One is most compared with SonarQube, Fortify on Demand, Snyk, Coverity and Mend.io, whereas Veracode is most compared with SonarQube, Fortify on Demand, Snyk, OWASP Zap and Fortify Static Code Analyzer. See our Checkmarx One vs. Veracode report.
See our list of best Application Security Tools vendors, best Static Application Security Testing (SAST) vendors, and best Static Code Analysis vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.
About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this. https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.