We performed a comparison between Checkmarx One, Fortify Application Defender, and Klocwork based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools."We use the solution to validate the source code and do SAST and security analysis."
"The user interface is excellent. It's very user friendly."
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"The solution is scalable, but other solutions are better."
"The most valuable features of Checkmarx are the automation and information that it provides in the reports."
"Our static operation security has been able to identify more security issues since implementing this solution."
"The value you can get out of the speedy production may be worth the price tag."
"The setup is fairly easy. We didn't struggle with the process at all."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"The solution helped us to improve the code quality of our organization."
"Its ability to find security defects is valuable."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"The most valuable feature is that it analyzes data in real-time."
"We are able to provide out customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."
"The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time."
"I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not."
"The ability to create custom checkers is a plus."
"We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability."
"On-the-fly analysis and incremental analysis are the best parts of Klocwork. Currently, we are using both of these features very effectively."
"Klocwork's most valuable feature is the static code analysis feature. It detects the potential problem earlier to allow the developer to receive feedback quickly and then address it before it becomes a problem."
"The reporting helps us understand the trend of our results and whether we improve over time. We can see the history within Klocwork's server architecture and know that we're making things better. It creates a great story for our management. We can demonstrate value and how our software is developing over time."
"The most valuable feature is the Incremental analysis."
"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered."
"They could work to improve the user interface. Right now, it really is lacking."
"Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model."
"Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not."
"It would be really helpful if the level of confidence was included, with respect to identified issues."
"Fortify Application Defender gives a lot of false positives."
"I encountered many false positives for Python applications."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
"The licensing can be a little complex."
"The workbench is a little bit complex when you first start using it."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"Support for older compilers/IDEs is lacking."
"The false positive rate should be lower."
"We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else."
"The main problem is that since it only parses the code, the warnings or the problems that are given as a result of the report can sometimes require a lot of effort to analyze."
"Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case."
"Every update that we receive requires of us a lengthy and involved process."
"I would like to see better codes between projects and a more user-friendly desktop in the next release."
"Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages."
"We'd like to see integration with Agile DevOps and Agile methodologies."
"This solution could be improved if they offered support of more languages including Ada and Golang. They currently only support seven languages."