We performed a comparison between Checkmarx One and Fortify Application Defender based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The solution is scalable, but other solutions are better."
"The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions)."
"It is a stable product."
"Both automatic and manual code review (CxQL) are valuable."
"The solution has good performance, it is able to compute in 10 to 15 minutes."
"Helps us check vulnerabilities in our SAP Fiori application."
"Apart from software scanning, software composition scanning is valuable."
"The UI is user-friendly."
"The product saves us cost and time."
"We are able to provide out customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"The most valuable feature is the ability to automatically feed it rules what it's coupled with the WebInspect dynamic application scanning technology."
"The most valuable feature is that it analyzes data in real-time."
"Its ability to find security defects is valuable."
"Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to."
"The solution sometimes reports a false auditable code or false positive."
"Support for older compilers/IDEs is lacking."
"The workbench is a little bit complex when you first start using it."
"The solution is quite expensive."
"The licensing can be a little complex."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"Fortify Application Defender gives a lot of false positives."
"The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Fortify Application Defender is ranked 30th in Application Security Tools with 11 reviews. Checkmarx One is rated 7.6, while Fortify Application Defender is rated 7.8. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Fortify Application Defender writes "Useful for fast code review in devOps pipelines ". Checkmarx One is most compared with SonarQube, Veracode, Fortify on Demand, Snyk and SonarCloud, whereas Fortify Application Defender is most compared with CAST Application Intelligence Platform, Coverity, SonarQube, Qualys Web Application Scanning and Fortify on Demand. See our Checkmarx One vs. Fortify Application Defender report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
Fewer false positives with CX than Fortify. More integrated.
Looking at the Gartner report I would say that Checkmarx is way easier to set up (initial setup) compared to Micro Focus Fortify.
Also, the financial strength of the Micro Focus Fortify spin/merger is a concern so investments could be at risk.
The major difference is that Checkmarx scans the code without compiling the code. This has a great advantage as code building issues are eliminated,
scan time is very less and false positive is less to some extent. One more major this is Checkmarx learns as you eliminate false positives and does not show the same issue again. We can perform incremental scans on the codebase where the old issue is nicely marked as "Recurring" and new ones in Red as NEW. Checkmarx has a highly customizable filter creation where you can create a filter that can eliminate the common recurring issues in
scans. This feature is very flexible and you can write your own filters and also, write specific patterns that are found in manual review which is a
great help as coding styles differ form teams to teams.
Thanks a lot. Thank you for the information.