• Home
  • Checkmarx Software Composition Analysis vs. Fortify Static Code Analyzer

Checkmarx Software Composition Analysis vs Fortify Static Code Analyzer comparison

Cancel
You must select at least 2 products to compare!
Comparison Buyer's Guide
Download the complete report
Buyer's Guide
Software Composition Analysis (SCA)
May 2024
Executive Summary

We performed a comparison between Checkmarx Software Composition Analysis and Fortify Static Code Analyzer based on real PeerSpot user reviews.

Find out what your peers are saying about Synopsys, Veracode, Snyk and others in Software Composition Analysis (SCA).
To learn more, read our detailed Software Composition Analysis (SCA) Report (Updated: May 2024).
Download the complete report
772,679 professionals have used our research since 2012.
Featured Review
Dmitriy Savin
Identified and fixed security vulnerabilities in our code, such as a SQL injection vulnerability.
It has helped us identify and fix security vulnerabilities in our code. For example, we were able to fix a SQL injection vulnerability that could... Read more →
Amal Alshehri
Integrates easily with many IDEs, and enables development and security teams to work together
We use Fortify SAST to scan our code. It is used for the static code and not the running code. It finds vulnerabilities, and it finds bad... Read more →
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The product is stable and scalable.""One of the strong points of this solution is that it allows you to incorporate it into a CICB pipeline. It has the ability to do incremental scans. If you scan a very large application, it might take two hours to do the initial scan. The subsequent scans, as people are making changes to the app, scan the Delta and are very fast. That's a really nice implementation. The way they have incorporated the functionality of the incremental scans is something to be aware of. It is quite good. It has been very solid. We haven't really had any issues, and it does what it advertises to do very nicely.""It is a stable solution...It is a scalable solution.""It is very easy and user friendly. It never requires any kind of technical support. You can do everything on your own.""The most valuable feature of Checkmarx Software Composition Analysis is the comprehensive security scan.""The tool's visual scan analysis shows me all the libraries' vulnerabilities and license types. It helps identify the most complex issues with licenses. It provides good visibility. SCA shows me all libraries that are vulnerable and the extent of their vulnerability.""What's most valuable in Checkmarx Software Composition Analysis is that it provides security from the start. In the traditional approach, an enterprise or company validates the solution before launching to a production environment, but in the modern approach, security must be checked and provided from the beginning and from the design, and this is where Checkmarx Software Composition Analysis comes in. The solution helps you make sure that every open-source application that you use is secure, and that there's no vulnerability inside that open-source application.""What's most valuable in Checkmarx Software Composition Analysis is its ability to identify vulnerabilities in open-source components, especially if some critical issues exist."

More Checkmarx Software Composition Analysis Pros →

"You can really see what's happening after you've developed something.""Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it is finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it.""The integration Subset core integration, using Jenkins is one of the good features.""Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between.""The reference provided for each issue is extremely helpful.""The most valuable features include its ability to detect vulnerabilities accurately and its integration with our CI/CD pipeline.""I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions.""It's helped us free up staff time."

More Fortify Static Code Analyzer Pros →

Cons
"Instant updates for end users to identify vulnerabilities as soon as possible will make Checkmarx Software Composition Analysis better. The UI of the solution could also be improved.""Personally, I currently use it as a standalone tool without integrating it with other systems, and it meets my needs adequately. As a suggestion, I request on considering to add a "what if" feature to the application. Currently, when the tool identifies issues and suggests updates, if I want to explore different scenarios, I need to prepare another file, turn it into a ZIP, and run the analysis again. It would be more convenient if there was a "what if" option in the GUI. This feature could simulate a run, allowing me to quickly check the impact of changing one or more files or versions without the need for a full rerun.""API security is an area with shortcomings that needs improvement.""I would rate the scalability a seven out of ten.""Some of the recommendations provided by the product are generic. Even if the recommendations provided by the product are of low level, the appropriate ones can help users deal with vulnerabilities.""Parts of the implementation process could improve by making it more user-friendly.""I have received complaints from my customers that the pricing could be improved.""Checkmarx Software Composition Analysis should improve dynamic analysis."

More Checkmarx Software Composition Analysis Cons →

"Streamlining the upgrade process and enhancing compatibility would make it easier for us to keep our security tools up-to-date.""Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize.""The generation of false positives should be reduced.""The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit.""The pricing is a bit high.""Not all languages are supported in Fortify.""It comes with a hefty licensing fee.""The price can be improved."

More Fortify Static Code Analyzer Cons →

Pricing and Cost Advice
  • "It is a little bit high priced. It would be better if it was a little less expensive."
  • "Pricing for Checkmarx Software Composition Analysis needs to be competitive."
  • "The license model is somewhat perplexing as it comprises multiple aspects that can be confusing for customers. The model is determined by the number of registered users and the number of projects being scanned, along with a third component that adds to the complexity."
  • "My customers need to pay for the licensing part, and they need to opt for an annual subscription."
  • "We don't have a license. The usage is limited to one, two, three, five, or ten people. It is currently used for all projects, and there are plans to increase its usage."

    • More Checkmarx Software Composition Analysis Pricing and Cost Advice →

  • "It has a couple of license models. The one that we use most frequently is called their flexible deployment. We use this one because it is flexible and based on the number of code-contributing developers in the organization. It includes almost everything in the Fortify suite for one developer price. It gives access to not just the secure code analyzer (SCA) but also to FSC, the secure code. It gives us accessibility to scan central, which is the decentralized scanning farm. It also gives us access to the software security center, which is the vulnerability management platform."
  • "The price of Fortify Static Code Analyzer could be reduced."
  • "The licensing is expensive and is in the 50K range."
  • "There is a licensing fee, and if you bring them to the company and you want them to do the installation and the implementation in the beginning, there is a separate cost. Similarly, if you want consultation or training, there is a separate cost. I see it as suitable only for enterprises. I do not see it suitable for a small business or individual use."
  • "From our standpoint, we are significantly better off with Fortify due to the favorable pricing we secured five years ago."
  • "Although I am not responsible for the budget, Fortify SAST is expensive."
  • "The setup costs and pricing for Fortify may vary depending on the organization's needs and requirements."

    • More Fortify Static Code Analyzer Pricing and Cost Advice →

    report
    See Which Vendors Are Best For You
    Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
    See Recommendations
    772,679 professionals have used our research since 2012.
    Questions from the Community
    What do you like most about Checkmarx Software Composition Analysis?
    Top Answer:The tool's visual scan analysis shows me all the libraries' vulnerabilities and license types. It helps identify the most complex issues with licenses. It provides good visibility. SCA shows me all… more »
    Read all 11 answers   →
    What is your experience regarding pricing and costs for Checkmarx Softwar...
    Top Answer:We have a license. The usage is limited to one, two, three, five, or ten people. It is currently used for all projects, and there are plans to increase its usage.
    Read all 5 answers   →
    What needs improvement with Checkmarx Software Composition Analysis?
    Top Answer:Checkmarx Software Composition Analysis should improve dynamic analysis.
    Read all 11 answers   →
    What do you like most about Fortify Static Code Analyzer?
    Top Answer:Integrating the Fortify Static Code Analyzer into our software development lifecycle was straightforward. It highlights important information beyond just syntax errors. It identifies issues like… more »
    Read all 9 answers   →
    What is your experience regarding pricing and costs for Fortify Static Co...
    Top Answer:Their licensing is expensive.
    Read all 6 answers   →
    What needs improvement with Fortify Static Code Analyzer?
    Top Answer:The product shows false positives for Python applications.
    Read all 9 answers   →
    Ranking
    8th
    out of 41 in Software Composition Analysis (SCA)
    Views
    1,656
    Comparisons
    1,231
    Reviews
    8
    Average Words per Review
    460
    Rating
    9.3
    3rd
    out of 40 in Static Code Analysis
    Views
    1,498
    Comparisons
    1,004
    Reviews
    10
    Average Words per Review
    1,060
    Rating
    8.6
    Comparisons
    Also Known As
    CxSCA
    Fortify Static Code Analysis SAST
    Learn More
    Checkmarx
    OpenText
    Overview

    Checkmarx Software Composition Analysis (SCA) helps organizations manage the risks associated with open source and third-party components in their software applications. While leveraging open source libraries and third-party dependencies is common practice, it can also introduce security vulnerabilities and license risks.


    Checkmarx SCA offers a multifaceted approach to managing these risks by:


    • Automatically scanning project repositories, build configurations, and manifests to create a comprehensive inventory of all components, including version information and associated licenses.

    • Performing vulnerability assessments on each component, including identifying and prioritizing actual exploitable or reachable vulnerabilities.

    • Protecting organizations from software supply chain attacks involving malicious packages, such as the XZ Utils backdoor.

    • Identifying licenses associated and providing insights into license obligations, restrictions, and potential conflicts.

    • Integrating seamlessly into existing development workflows and CI/CD pipelines.

    • Providing actionable remediation guidance to help organizations address identified vulnerabilities and compliance issues effectively.

    Fortify Static Code Analyzer (SCA) utilizes numerous algorithms in addition to a dynamic intelligence base of secure coding protocols to investigate an application’s source code for any potential risk of malicious or dangerous threats. Additionally, the solution will prioritize the most critical concerns and give direction on how users can repair those concerns. This solution researches each and every potential route that workflow and data can travel to discover and repair all possible vulnerabilities. Fortify SCA allows users to create safe and secure software quickly. Users are able to discover potential security gaps more quickly with precise outcomes and repair them immediately.

    Fortify Static Code Analyzer Benefits

    • CI/CD pipeline security: Fortify SCA integrates well with third-party tools such as ALM Octane, Atlassian Bamboo, Azure DevOps, Eclipse, Jenkins, and Jira. It offers real-time scan results, immediate recommendations, and collaborative auditing, and finds threats faster. It also discovers and prioritizes weaknesses to reduce risk.

    • Cost-effective: Improves coding actions by training users as they work to better understand the relationship of static application security testing (SAST). Fortify SCA is able to find more vulnerabilities than other solutions and delivers significantly fewer false positives.

    • Quick and reliable scanning: Fortify SCA will discover and eradicate weaknesses in byte, binary, or source code. SAST is able to stop the bulk of code issues at the start of development. The solution is able to discover 815 specific categories of risk, works through 27 programming languages and more than one million different APIs. Fortify SCA has a positive rate of 100% in the OWASP 1.2 benchmark.

    Fortify Static Code Analyzer Features

    • Flexible deployment: Using Fortify On Demand, users can work in a complete SaaS environment. Fortify Hosted allows users to use on-premises and SaaS to work in a secure virtual space with complete control. Fortify-On-Prem gives users absolute control of the Fortify SCA solution.

    • Security assistant: Users have an interactive guide as they create code that provides risk analysis and anticipated outcomes. Security Assistant is an outstanding immediate feedback tool that gives instant results with significantly fewer false positives.

    • Audit assistant: This feature uses machine learning to reduce manual audit time while prioritizing the most important risks to users' networks. It provides automated audits in minutes. Any manual examinations are reduced, all issues are prioritized in accordance with organizational needs, and Fortify SCA consistently provides audit results to all projects.

    Results from Real Users

    Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it.” - Arun D., Senior Architect at a healthcare company.

    “Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between.” - Tom H., Director of Security at Merito

    Sample Customers
    AXA, Liveperson, Aaron's, Playtech, Morningstar
    Information Not Available
    Top Industries
    REVIEWERS
    Energy/Utilities Company22%
    Manufacturing Company22%
    Outsourcing Company11%
    Financial Services Firm11%
    VISITORS READING REVIEWS
    Financial Services Firm38%
    Manufacturing Company13%
    Computer Software Company12%
    Healthcare Company4%
    REVIEWERS
    Computer Software Company31%
    Financial Services Firm23%
    Healthcare Company8%
    Government8%
    VISITORS READING REVIEWS
    Financial Services Firm28%
    Computer Software Company14%
    Manufacturing Company10%
    Government7%
    Company Size
    REVIEWERS
    Small Business57%
    Large Enterprise43%
    VISITORS READING REVIEWS
    Small Business13%
    Midsize Enterprise8%
    Large Enterprise79%
    REVIEWERS
    Small Business62%
    Large Enterprise38%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise9%
    Large Enterprise74%
    Buyer's Guide
    Software Composition Analysis (SCA)
    May 2024
    Download Free Report
    Find out what your peers are saying about Synopsys, Veracode, Snyk and others in Software Composition Analysis (SCA). Updated: May 2024.
    DOWNLOAD NOW
    772,679 professionals have used our research since 2012.

    Checkmarx Software Composition Analysis is ranked 8th in Software Composition Analysis (SCA) with 12 reviews while Fortify Static Code Analyzer is ranked 3rd in Static Code Analysis with 14 reviews. Checkmarx Software Composition Analysis is rated 9.2, while Fortify Static Code Analyzer is rated 8.4. The top reviewer of Checkmarx Software Composition Analysis writes "Comprehensive security scan, helpful support, and high availability". On the other hand, the top reviewer of Fortify Static Code Analyzer writes "Seamless to integrate and identify vulnerabilities and frees up staff time". Checkmarx Software Composition Analysis is most compared with Black Duck, JFrog Xray, Semgrep Supply Chain, FOSSA and Mend.io, whereas Fortify Static Code Analyzer is most compared with Black Duck, Snyk, Veracode, Sonatype Lifecycle and ReShaper.

    We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.