We performed a comparison between Checkmarx vs. Veracode based on our users' reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Veracode has the winning edge in this comparison. Customers are more satisfied with Veracode’s robust features, stability, and pricing model.
"The user interface is excellent. It's very user friendly."
"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."
"The SAST component was absolutely 100% stable."
"The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
"Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes."
"Both automatic and manual code review (CxQL) are valuable."
"The most valuable features are the easy-to-understand interface, and it's very user-friendly."
"We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it."
"I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."
"The SAST and DAST modules are great."
"Because it is a SaaS offering, I do not have to support the infrastructure."
"Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests heavily in using it."
"Provides consistent evaluation and results without huge fluctuations in false positives or negatives."
"The most valuable feature is the dynamic application security testing."
"It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications."
"The solution sometimes reports a false auditable code or false positive."
"This product requires you to create your own rulesets. You have to do a lot of customization."
"We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level."
"The reports are good, but they still need to be improved considering what the UI offers."
"You can't use it in the continuous delivery pipeline because the scanning takes too much time."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model."
"The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered."
"I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."
"It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help."
"Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a long time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight."
"We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time."
"I would like Veracode to add more language support."
"The scanning could be a little faster. The process takes around three or four minutes, but it would help if it could be further reduced."
"Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"
"We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them."
Checkmarx One is ranked 2nd in Static Code Analysis with 67 reviews while Veracode is ranked 1st in Static Code Analysis with 194 reviews. Checkmarx One is rated 7.6, while Veracode is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Checkmarx One is most compared with SonarQube, Fortify on Demand, Snyk, Coverity and Mend.io, whereas Veracode is most compared with SonarQube, Fortify on Demand, Snyk, OWASP Zap and Fortify Static Code Analyzer.
We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends completely on how you configure the Rules. You have the option of creating a Profile, which can be assigned to the Projects. If you configure the project --> and under it the services configuration, it is good to go. Proper configuration is important in SonarQube. Yes, SonarQube allows developers to delint their code before SAST.
Veracode recently introduced it. But this developer-machine integration is available only for Java-coded projects.
About the vulnerability coverage, both are the same. OWASP Top 10 is equal to SANS 25. SANS 25 is categorized with one category number and described under that subsection. Refer to this: https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feels Checkmarx is better suited for security compared to SonarQube. SonarQube is used in day-to-day developer code scans and Checkmarx is used during code movement to staging or during release.