We performed a comparison between Checkmarx and Veracode based on our users' reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Veracode has the winning edge in this comparison. Customers are more satisfied with Veracode’s robust features, stability, and pricing model.
"The UI is user-friendly."
"The value you can get out of the speedy production may be worth the price tag."
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"The solution communicates where to fix the issue for the purpose of less iterations."
"The setup is fairly easy. We didn't struggle with the process at all."
"The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful."
"It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results."
"Most valuable features include: ease of use, dashboard, interface, and the ability to report."
"Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production."
"It is scalable and quick to deploy into the site and the pipelines. The reports and analytics are good, and the false positive rate is low. It gives true results."
"My experience with Veracode across the board, every time, in all products (the technology, the product, the service, and the salespeople), is fabulous."
"Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they can push it to the production environment when the results are acceptable."
"I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues."
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
"With the tools that Veracode provides, our developers are actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information."
"Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"Integration into the SDLC (i.e. support for the latest version of SonarQube) could be added."
"The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered."
"I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
"The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."
"I've found that Veracode is not particularly suitable for Dynamic Application Security Testing."
"When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us."
"The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
"False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."
"I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams."
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, 'Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it,' we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"A high number of false positives are reported and this should be reduced."
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Checkmarx One is rated 7.6, while Veracode is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Checkmarx One is most compared with SonarQube, Fortify on Demand, Snyk, Coverity and Mend.io, whereas Veracode is most compared with SonarQube, Fortify on Demand, Snyk, OWASP Zap and Fortify Static Code Analyzer. See our Checkmarx One vs. Veracode report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends completely on what Rules you configure. You have the option of creating a Profile, which can be assigned to Projects. If you configure the project, and under it the services configuration, it is good to go. Proper configuration is important in SonarQube. Yes, SonarQube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration on the developer machine is available only for Java-coded projects.
About the vulnerability coverage, both are the same. OWASP Top 10 is equal to SANS 25. SANS 25 is categorized with one category number and described under that subsection. Refer to this: https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feels Checkmarx is better suited for security compared to SonarQube. SonarQube is used in the day-to-day developer code scan and Checkmarx is used during code movement to staging or during release.
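The answers above describe a two-stage pattern (developers lint locally, a SAST gate runs at staging or release), and several reviews above complain about false positives that have to be triaged and kept out of the way on subsequent scans. The following is an added example, not code from the page or from either vendor, of what that release gate looks like in practice: it reads SAST findings in SARIF 2.1.0 form, skips findings a reviewer has already triaged as false positives, and fails the build if anything at or above a chosen severity remains. The SARIF document, rule ids, file names and the fingerprint scheme are all constructed for illustration and are assumptions; neither product's actual report format is reproduced here.

```python
"""
Added example (not from the page or from either vendor): a minimal release
gate over SAST findings in SARIF 2.1.0 form. It suppresses findings a
reviewer has already triaged as false positives and fails the build when
any remaining finding is at or above the configured severity.
"""
import hashlib
import json
import sys

# SARIF result levels, ordered so a threshold comparison is possible.
SEVERITY_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}

# Constructed SARIF snippet (assumption, not real tool output): two findings,
# one of which a reviewer has already marked as a false positive because the
# "credential" lives in a test fixture.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {
                "ruleId": "SQL_Injection",
                "level": "error",
                "message": {"text": "User input reaches a SQL query"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/orders.py"},
                    "region": {"startLine": 42}}}],
            },
            {
                "ruleId": "Hardcoded_Password",
                "level": "warning",
                "message": {"text": "Credential literal in source"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "tests/fixtures.py"},
                    "region": {"startLine": 7}}}],
            },
        ],
    }],
})


def finding_key(result: dict) -> str:
    """Stable identity for a finding: hash of rule id, file and start line.

    Line-based keys drift when code above the finding moves; a tool's own
    fingerprint is better when it provides one, but this works for any SARIF.
    """
    loc = result["locations"][0]["physicalLocation"]
    raw = "|".join([
        result["ruleId"],
        loc["artifactLocation"]["uri"],
        str(loc["region"]["startLine"]),
    ])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def load_findings(sarif_text: str) -> list:
    """Flatten all results from all runs in a SARIF document."""
    doc = json.loads(sarif_text)
    return [r for run in doc["runs"] for r in run["results"]]


def gate(sarif_text: str, suppressed: set, fail_at: str = "warning") -> dict:
    """Evaluate the gate.

    Returns {"blocking": [(ruleId, key), ...], "suppressed": [key, ...],
    "passed": bool}. A finding with no "level" is treated as "warning",
    which is the SARIF default.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking, skipped = [], []
    for r in load_findings(sarif_text):
        key = finding_key(r)
        if key in suppressed:
            skipped.append(key)
            continue
        if SEVERITY_RANK.get(r.get("level", "warning"), 2) >= threshold:
            blocking.append((r["ruleId"], key))
    return {"blocking": blocking, "suppressed": skipped, "passed": not blocking}


# The reviewer's triage decision, stored by key rather than by line so it
# survives reformatting elsewhere in the file (assumed workflow).
TRIAGED_FALSE_POSITIVES = {finding_key(load_findings(SAMPLE_SARIF)[1])}


if __name__ == "__main__":
    result = gate(SAMPLE_SARIF, TRIAGED_FALSE_POSITIVES)
    for rule, key in result["blocking"]:
        print(f"BLOCKING {rule} ({key})")
    print(f"suppressed: {len(result['suppressed'])}, passed: {result['passed']}")
    sys.exit(0 if result["passed"] else 1)
```

Keeping the suppression list in the repository, keyed by a fingerprint rather than by line number, is what stops a triaged false positive from reappearing on every scheduled scan; raising `fail_at` to "error" for the daily developer run and lowering it to "warning" at the release gate gives the two-stage setup the answer above describes.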