We performed a comparison between Checkmarx One, HCL AppScan, and Klocwork based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"The most valuable feature is the application tracking reporting."
"One of the most valuable features is it is flexible."
"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
"The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
"The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled."
"The solution is scalable, but other solutions are better."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"The static scans are good, and the SaaS as well."
"The product has valuable features for static and dynamic testing."
"We are now deploying fewer defects to production."
"The most valuable feature of the solution is the scanning or security part."
"The most valuable feature of the solution is Postman."
"We use it as a security testing application."
"Compared to other tools, only AppScan supports special languages."
"This solution saves us time due to the low number of false positives detected."
"The reporting helps us understand the trend of our results and whether we improve over time. We can see the history within Klocwork's server architecture and know that we're making things better. It creates a great story for our management. We can demonstrate value and how our software is developing over time."
"Klocwork's most valuable feature is the static code analysis feature. It detects the potential problem earlier to allow the developer to receive feedback quickly and then address it before it becomes a problem."
"The most valuable feature is the incremental analysis."
"The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real time."
"There's a feature in Klocwork called 'on-the-fly analysis', which helps developers to find and fix the defects at the time of development itself."
"One can increase the number of vendors, so the solution is scalable."
"The ability to create custom checkers is a plus."
"We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety-critical levels and reliability."
"It would be really helpful if the level of confidence was included, with respect to identified issues."
"I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
"The solution's user interface could be improved because it seems outdated."
"Checkmarx could improve the REST APIs by including automation."
"We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"They could work to improve the user interface. Right now, it really is lacking."
"It is an expensive solution."
"It's a little bit basic when you talk about the Web Services. If AppScan improved its maturity on Web Services testing, that would be good."
"A desktop version should be added."
"They could add a software component analysis tool."
"Many silly false positives are produced."
"In future releases, I would like to see more aggressive reports. I would also like to see fewer false positives."
"AppScan is too complicated and should be made more user-friendly."
"Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."
"We would like to integrate with some of the other reporting tools that we're planning to use in the future."
"The way to define the rules is too complex. The definition/rules for static analysis could be automated according to various SILs, so as to avoid confusion."
"We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else."
"We'd like to see integration with Agile DevOps and Agile methodologies."
"The main problem is that since it only parses the code, the warnings or the problems that are given as a result of the report can sometimes require a lot of effort to analyze."
"Klocwork has to improve its features to stay ahead of other free solutions."
"Under NIST cybersecurity standards, we must address vulnerabilities within a specified time after discovering them. When we try to propagate those updates and fixes through the system, it would be nice if the clients could reconnect to the existing server or have the server dynamically updated in some way. I know that isn't easy, but maybe processes could be enhanced to make that more streamlined from a DevOps perspective."
"I would like to see better codes between projects and a more user-friendly desktop in the next release."
"I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines, etc."