We performed a comparison between Checkmarx vs.Veracode based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Veracode has the winning edge in this comparison. Customers are more satisfied with Veracode’s robust features, stability, and pricing model.
"One of the most valuable features is it is flexible."
"The user interface is excellent. It's very user friendly."
"Both automatic and manual code review (CxQL) are valuable."
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"Apart from software scanning, software composition scanning is valuable."
"The UI is very intuitive and simple to use."
"The solution is scalable, but other solutions are better."
"It gives the proper code flow of vulnerabilities and the number of occurrences."
"All the features provided by Veracode are valuable, including static scan, dynamic scan, and MPT (Manual Penetration Testing)."
"It's good at identifying security issues. It can pinpoint issues very effectively."
"It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved."
"It gives me an idea about the most important vulnerabilities and fast remediation tips."
"The best feature of Veracode is that we can do static and dynamic scans."
"It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
"Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced."
"We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVS core, and that makes things much easier."
"Its user interface could be improved and made more friendly."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"The validation process needs to be sped up."
"Implementing a blackout time for any user or teams: Needs improvement."
"The solution's user interface could be improved because it seems outdated."
"Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
"I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
"I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."
"The technical support service has room for improvement."
"It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow."
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass."
"The negative that I found is that it has a subscription-based model."
"In the future, I would like to see the RASP capability built-in."
"The product has issues with scanning."
"Veracode should include the feature to run multiple scales at a time."
Checkmarx One is ranked 2nd in Static Code Analysis with 67 reviews while Veracode is ranked 1st in Static Code Analysis with 194 reviews. Checkmarx One is rated 7.6, while Veracode is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Checkmarx One is most compared with SonarQube, Fortify on Demand, Snyk, Coverity and Mend.io, whereas Veracode is most compared with SonarQube, Fortify on Demand, Snyk, OWASP Zap and Fortify Static Code Analyzer. See our Checkmarx One vs. Veracode report.
See our list of best Application Security Testing (AST) vendors, best Static Code Analysis vendors, and best Application Security Tools vendors.
We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.
About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this. https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.