Checkmarx One vs Fortify Application Defender vs Klocwork Comparison 2024

Checkmarx One

Read 67 Checkmarx One reviews

35,279 views|23,132 comparisons

Fortify Application Defender

Read 10 Fortify Application Defender reviews

1,977 views|1,670 comparisons

Klocwork

Read 20 Klocwork reviews

3,450 views|2,082 comparisons

Comparison Buyer's Guide

Download the complete report

Buyer's Guide

Application Security Tools

April 2024

Executive Summary

We performed a comparison between Checkmarx One, Fortify Application Defender, and Klocwork based on real PeerSpot user reviews.

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.

To learn more, read our detailed Application Security Tools Report (Updated: April 2024).

Download the complete report

767,847 professionals have used our research since 2012.

Featured Review

Naveen Hariharan Vijaya

Security Consultant at IBM Thailand

A highly scalable solution that reduces workloads, saves time, and fixes loopholes and vulnerabilities swiftly

Static code reviews are small projects. Previously, with a team of four analysts, we did two project reviews every month. Since we started using... Read more →

HisaoOgata

Department Manger at Hitachi Channel

Saves time and warns about the vulnerabilities in the software, but the false positive rate should be lower

Based on the alerts created by the solution during development, we modify the software we are developing.

Anonymous User

Principle engineer at a manufacturing company

Their technical team helps us get the most out of the solution, but we've faced some stability problems in our...

Klocwork created an environment where the engineers have checks and balances as they develop and progress through our release process. The solution... Read more →

Quotes From Members

We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:

Pros

"We use the solution to validate the source code and do SAST and security analysis.""The user interface is excellent. It's very user friendly.""It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc).""The solution is scalable, but other solutions are better.""The most valuable features of Checkmarx are the automation and information that it provides in the reports.""Our static operation security has been able to identify more security issues since implementing this solution.""The value you can get out of the speedy production may be worth the price tag.""The setup is fairly easy. We didn't struggle with the process at all."

More Checkmarx One Pros →

"The most valuable features of Fortify Application Defender are the code packages that are default.""The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions.""The solution helped us to improve the code quality of our organization.""Its ability to find security defects is valuable.""The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities.""The most valuable feature is that it analyzes data in real-time.""We are able to provide out customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment.""Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."

More Fortify Application Defender Pros →

"The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time.""I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not.""The ability to create custom checkers is a plus.""We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability.""On-the-fly analysis and incremental analysis are the best parts of Klocwork. Currently, we are using both of these features very effectively.""Klocwork's most valuable feature is the static code analysis feature. It detects the potential problem earlier to allow the developer to receive feedback quickly and then address it before it becomes a problem.""The reporting helps us understand the trend of our results and whether we improve over time. We can see the history within Klocwork's server architecture and know that we're making things better. It creates a great story for our management. We can demonstrate value and how our software is developing over time.""The most valuable feature is the Incremental analysis."

More Klocwork Pros →

Cons

"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now.""It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use.""We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process.""The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered.""They could work to improve the user interface. Right now, it really is lacking.""Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.""Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not.""It would be really helpful if the level of confidence was included, with respect to identified issues."

More Checkmarx One Cons →

"Fortify Application Defender gives a lot of false positives.""I encountered many false positives for Python applications.""The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java.""The licensing can be a little complex.""The workbench is a little bit complex when you first start using it.""The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours.""Support for older compilers/IDEs is lacking.""The false positive rate should be lower."

More Fortify Application Defender Cons →

"We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else.""The main problem is that since it only parses the code, the warnings or the problems that are given as a result of the report can sometimes require a lot of effort to analyze.""Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case.""Every update that we receive requires of us a lengthy and involved process.""I would like to see better codes between projects and a more user-friendly desktop in the next release.""Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages.""We'd like to see integration with Agile DevOps and Agile methodologies.""This solution could be improved if they offered support of more languages including Ada and Golang. They currently only support seven languages."

More Klocwork Cons →

Pricing and Cost Advice

"It is the right price for quality delivery."

"I believe pricing is better compared to other commercial tools."

"The pricing was not very good. This is just a framework which shouldn’t cost so much."

"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."

"It is a good product but a little overpriced."

"The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."

"Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."

"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."

More Checkmarx One Pricing and Cost Advice →

"The base licensing costs for the SaaS platform is about $900 USD per application, per year."

"The price of this solution could be less expensive."

"The licensing is very complex, it's project based and can range from $10,000 to $200,000+ depending on the project type and size."

"Fortify Application Defender is very expensive."

"The product’s price is much higher than other tools."

More Fortify Application Defender Pricing and Cost Advice →

"Klocwork is still tight on their licensing. If Klocwork would loosen up on the licensing, and where the license could be used, and how many different programs could be run on it, then we have several development programs that I would love to be able to use it for going forward."

"Klocwork should not to be quite so heavy handed on the licensing for very specific programs."

"The limitation that we have is that Klocwork is licensed to certain programs, and if you want to license them to other programs, you have to pay more money."

"When it comes to licensing, the solution has two packages, one for a fixed and the other for a floating server, with the former being more cost effective than the latter."

"Licensing fees are paid annually, but they also have a perpetual license."

"There are other solutions on the market such as Microsoft Visual Studio. They have been adding more static code analysis features that come for free. It is getting better all the time. That is one of the possibilities is that we've been considering that we may stop using the Klocwork because it doesn't give us any added value."

"This solution offers competitive pricing."

"The pricing for Klocwork is very competitive if you compare it from apple to apple. It has competitive pricing regarding the licensing model and the per-license cost. Klocwork isn't a high-end investment for anyone deploying it; even SMBs can afford it. The Klocwork cost per user would depend on the license type, so I'm unable to mention a ballpark figure because it would depend on the type of installation and how the deployment will be, and the nodes to give an accurate calculation or figure. The total price depends on the package, so my company could never publish pricing for Klocwork on the website. My team first collects information from potential clients on the deployment scenario, project environment, etc., before suggesting a package for Klocwork. My rating for Klocwork in terms of pricing is a five because of its flexible license models. There's a license model for every type of organization, whether small, midsize, or enterprise, so it's a five out of five for me."

More Klocwork Pricing and Cost Advice →

See Which Vendors Are Best For You

Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.

See Recommendations

767,847 professionals have used our research since 2012.

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?

Top Answer:I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as… more »

Read all 4 answers →

What do you like most about Checkmarx?

Top Answer:Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.

Read all 38 answers →

What is your experience regarding pricing and costs for Checkmarx?

Top Answer:The solution's price is high and you pay based on the number of users.

Read all 25 answers →

What do you like most about Fortify Application Defender?

Top Answer:The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications… more »

Read all 10 answers →

What needs improvement with Fortify Application Defender?

Top Answer:I encountered many false positives for Python applications.

Read all 10 answers →

What is your primary use case for Fortify Application Defender?

Top Answer:I use Fortify to analyze projects in .NET languages.

Read all 9 answers →

What do you like most about Klocwork?

Top Answer:It's integrated into our CI, continuous integration.

Read all 9 answers →

What is your experience regarding pricing and costs for Klocwork?

Top Answer:Our purchasing department is responsible for tracking costs. It's one of the most widely used tools in our organization… more »

Read all 11 answers →

What needs improvement with Klocwork?

Top Answer:The main problem is that since it only parses the code, the warnings or the problems that are given as a result of the… more »

Read all 14 answers →

Ranking

3rd

out of 74 in Application Security Tools

Views

35,279

Comparisons

23,132

Reviews

Average Words per Review

513

Rating

7.7

34th

out of 74 in Application Security Tools

Views

1,977

Comparisons

1,670

Reviews

Average Words per Review

282

Rating

6.3

18th

out of 74 in Application Security Tools

Views

3,450

Comparisons

2,082

Reviews

Average Words per Review

774

Rating

7.8

Comparisons

SonarQube vs. Checkmarx One

Compared 52% of the time.

Veracode vs. Checkmarx One

Compared 13% of the time.

Fortify on Demand vs. Checkmarx One

Compared 6% of the time.

Snyk vs. Checkmarx One

Compared 4% of the time.

Sonatype Lifecycle vs. Checkmarx One

Compared 2% of the time.

More Checkmarx One Competitors →

Coverity vs. Fortify Application Defender

Compared 12% of the time.

CAST Application Intelligence Platform vs. Fortify Application Defender

Compared 11% of the time.

SonarQube vs. Fortify Application Defender

Compared 10% of the time.

Qualys Web Application Scanning vs. Fortify Application Defender

Compared 7% of the time.

Fortify on Demand vs. Fortify Application Defender

Compared 6% of the time.

More Fortify Application Defender Competitors →

SonarQube vs. Klocwork

Compared 36% of the time.

Coverity vs. Klocwork

Compared 34% of the time.

Polyspace Code Prover vs. Klocwork

Compared 8% of the time.

CodeSonar vs. Klocwork

Compared 5% of the time.

Veracode vs. Klocwork

Compared 4% of the time.

More Klocwork Competitors →

Also Known As

HPE Fortify Application Defender, Micro Focus Fortify Application Defender

Learn More

Checkmarx

OpenText

Perforce

Overview

Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that unites with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle to reduce and remediate risk from software vulnerabilities. Using Checkmarx, teams avoid software security vulnerabilities managed via a single and unified dashboard without slowing down their delivery schedule.

Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

Checkmarx Features

Some of Checkmarx’s features include:

Source code scanning: Detect and repair more vulnerabilities before you release your code.
Open-source scanning: Find and eliminate the risks in your open-source code.
Interactive code scanning: Scan for vulnerabilities and runtime threats.
Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

Reviews from Real Users

Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

Micro Focus Security Fortify Application Defender is a runtime application self-protection (RASP) solution that helps you manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time.

Klocwork detects security, safety, and reliability issues in real-time by using this static code analysis toolkit that works alongside developers, finding issues as early as possible, and integrates with teams, supporting continuous integration and actionable reporting.

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC

ServiceMaster, Saltworks, SAP

ACCESS Co Ltd, Risk-AI, Winbond Electronics, Bristol-Myers Squibb Pharmaceutical Research Institute, University of Southern California, Alebra Technologies, SIMULIA, Risk Management Solutions, Brigham Young University, SRD, HRL

Top Industries

REVIEWERS

Computer Software Company31%

Financial Services Firm19%

Comms Service Provider9%

Manufacturing Company9%

VISITORS READING REVIEWS

Financial Services Firm21%

Computer Software Company15%

Manufacturing Company9%

Insurance Company5%

REVIEWERS

Computer Software Company29%

Logistics Company14%

Energy/Utilities Company14%

Comms Service Provider14%

VISITORS READING REVIEWS

Financial Services Firm21%

Computer Software Company14%

Manufacturing Company12%

Government8%

REVIEWERS

Manufacturing Company50%

Engineering Company10%

Non Tech Company10%

Transportation Company10%

VISITORS READING REVIEWS

Educational Organization38%

Manufacturing Company19%

Computer Software Company10%

Financial Services Firm3%

Company Size

REVIEWERS

Small Business38%

Midsize Enterprise13%

Large Enterprise50%

VISITORS READING REVIEWS

Small Business17%

Midsize Enterprise11%

Large Enterprise72%

REVIEWERS

Small Business40%

Midsize Enterprise10%

Large Enterprise50%

VISITORS READING REVIEWS

Small Business12%

Midsize Enterprise14%

Large Enterprise74%

REVIEWERS

Small Business52%

Midsize Enterprise5%

Large Enterprise43%

VISITORS READING REVIEWS

Small Business8%

Midsize Enterprise45%

Large Enterprise47%

Buyer's Guide

Application Security Tools

April 2024

Download Free Report

Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools. Updated: April 2024.

DOWNLOAD NOW

767,847 professionals have used our research since 2012.

Checkmarx One vs Fortify Application Defender vs Klocwork comparison

Checkmarx One

Fortify Application Defender

Klocwork