We performed a comparison between Checkmarx One and Parasoft SOAtest based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The most valuable feature for me is the Jenkins Plugin."
"The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time."
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"We use the solution to validate the source code and do SAST and security analysis."
"The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
"It is a stable product."
"The solution allows us to create custom rules for code checks."
"They have a feature where they can record traffic and create tests on the report traffic."
"We can automate our scenarios in a data driven format, which shows there is no rework on scripts. We only need to update the test data and run for a number of scenarios."
"Automatic testing is the most valuable feature."
"The testing time is shortened because we generate test data automatically with SOAtest."
"We do a lot of web services testing and REST services testing. That is the focus of this product."
"The solution is scalable."
"We have seen a return on investment."
"Parasoft SOAtest has improved the quality of our automated web services, which can be easily implemented through service chaining and service virtualization."
"Checkmarx could improve the speed of the scans."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"The reports are good, but they still need to be improved considering what the UI offers."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"Meta data is always needed."
"This product requires you to create your own rulesets. You have to do a lot of customization."
"Tuning the tool takes time because it gives quite a long list of warnings."
"UI testing should be more in-depth."
"Enabling/disabling an optional element of an XML request is only possible if a data source (e.g., Excel sheet) is connected to the test. Otherwise, the option is not available at all in the drop-down menu."
"Parasoft SOAtest has an internal refresh function where you can refresh the software to show the changes you’ve made in your projects. Unfortunately this function does not work properly, because it often does not show the changes after you’ve hit te refresh button a few times."
"The performance could be a bit better."
"The feedback that we received from the DevOps of our organization was that the tool was a little heavy from the transformation perspective."
"From an automation point of view, it should have better clarity and be more user friendly."
"Compatibility with HTTP 1.1 and TLS 1.2 needs to be improved."
Checkmarx One is ranked 3rd in Static Application Security Testing (SAST) with 67 reviews while Parasoft SOAtest is ranked 28th in Static Application Security Testing (SAST) with 30 reviews. Checkmarx One is rated 7.6, while Parasoft SOAtest is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Parasoft SOAtest writes "Good API testing and RIT feature; clarity could be improved". Checkmarx One is most compared with SonarQube, Veracode, Fortify on Demand, Snyk and Coverity, whereas Parasoft SOAtest is most compared with Postman, SonarQube, Coverity, Polyspace Code Prover and Klocwork. See our Checkmarx One vs. Parasoft SOAtest report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.