We performed a comparison between Checkmarx vs. Veracode based on our users' reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Veracode has the winning edge in this comparison. Customers are more satisfied with Veracode’s robust features, stability, and pricing model.
"Our static operation security has been able to identify more security issues since implementing this solution."
"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
"It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results."
"It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx."
"Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%."
"It is a stable product."
"The solution allows us to create custom rules for code checks."
"The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools."
"It's not 'one policy fits all.' I really like that Veracode allows me to set up specific policies that I can apply to applications."
"The best feature of Veracode is that we can do static and dynamic scans."
"I like Veracode's ease of integration and onboarding. You can quickly and easily get started with a new project or application. That's one area where Veracode shines relative to other tools we've evaluated. Other tools need more work or an engineer to do the setup. With Veracode, you can do the onboarding in a few steps quickly."
"It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase."
"Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
"From a developer's perspective, Veracode's greenlight feature on the IDE is helpful. It helps the developer to be more proactive in secure coding standards. Apart from that, static analysis scanning is definitely one of the top features of Veracode."
"I like the sandbox, the ability to upload compiled code, and how easy it is."
"It gives feedback to developers on the effectiveness of their secure coding practices."
"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."
"Checkmarx could improve the REST APIs by including automation."
"They could work to improve the user interface. Right now, it really is lacking."
"It lacks the ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."
"The solution sometimes reports a false auditable code or false positive."
"If it is a very large code base then we have a problem where we cannot scan it."
"Checkmarx could be improved with more integration with third-party software."
"The interface is basic and has room for improvement."
"Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them."
"It does nearly everything but penetration testing."
"We have encountered occasional issues with scalability."
"I would like Veracode to add more language support."
"Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end."
"The scanning could be a little faster. The process takes around three or four minutes, but it would help if it could be further reduced."
"There were some additional manual steps or work involved that we should not have needed to do."
Checkmarx One is ranked 2nd in Static Code Analysis with 67 reviews, while Veracode is ranked 1st in Static Code Analysis with 194 reviews. Checkmarx One is rated 7.6, while Veracode is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Checkmarx One is most compared with SonarQube, Fortify on Demand, Snyk, Coverity and Mend.io, whereas Veracode is most compared with SonarQube, Fortify on Demand, Snyk, OWASP Zap and Fortify Static Code Analyzer. See our Checkmarx One vs. Veracode report.
We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends completely on what rules you configure. You have the option of creating a profile, which can be assigned to projects. If you configure the project and, under it, the services configuration, it is good to go. Proper configuration is important in SonarQube. Yes, SonarQube allows developers to delint their code before SAST.
Veracode recently introduced it. But this developer-machine integration is available only for Java-coded projects.
Regarding vulnerability coverage, both are the same. OWASP Top 10 is equal to SANS 25. SANS 25 is categorized with one category number and described under that subsection. Refer to this: https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feels Checkmarx is better suited for security compared to SonarQube. SonarQube is used in day-to-day developer code scans, and Checkmarx is used during code movement to staging or during release.