Checkmarx Competitors and Alternatives
Read reviews of Checkmarx competitors and alternatives
Senior Security Architect at a tech services company with 5,001-10,000 employees
Real UserTop 20
Jun 21, 2020
Continuously looks at application traffic, adding to the coverage of our manual pen testing
What is our primary use case?We use the solution for application vulnerability scanning and pen-testing. We have a workflow where we use a Contrast agent and deploy it to apps from our development team. Contrast continuously monitors the apps. When any development team comes to us and asks, "Hey, can you take care of the Assess, run a pen test and do vulnerability scanning for our application?" We have a workflow and deploy a Contrast agent to their app. Because Contrast continuously monitors the app, when we have notifications from Contrast and they go to the developers who are responsible for fixing that piece of the… more »
Pros and Cons
- "We use the Contrast OSS feature that allows us to look at third-party, open-source software libraries, because it has a cool interface where you can look at all the different libraries. It has some really cool additional features where it gives us how many instances in which something has been used... It tells us it has been used 10 times out of 20 workloads, for example. Then we know for sure that OSS is being used."
- "Contrast Security Assess covers a wide range of applications like .NET Framework, Java, PSP, Node.js, etc. But there are some like Ubuntu and the .NET Core which are not covered. They have it in their roadmap to have these agents. If they have that, we will have complete coverage."
What other advice do I have?If you are thinking about Contrast, you should evaluate it for your specific needs. Companies are different. The way they work is different. I know a bunch of companies that still have the Waterfall model. So evaluate and see how it fits in your mode. It's very easy to go and buy a tool, but if it does not fit very well in your processes and in your software development lifecycle, it will be wasted money. My strongest advice is: See how well it fits in your model and in your environment. For example, are developers using more of pre-production? Are they using a Dev sandbox? How is QA working…
Security Architect at a financial services firm with 1,001-5,000 employees
Dec 2, 2020
Effective at preventing vulnerable code from going into production, but static analysis is prone to false positives
What is our primary use case?We use it to scan our web applications before we publish them to see if there are any security vulnerabilities. We use it for static analysis and dynamic analysis.
Pros and Cons
- "The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
- "The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
What other advice do I have?If you are doing pipeline-based implementation, it would be more complex than the way that I'm doing this, but I didn't see any real challenges that would be tool-specific or vendor-specific, with implementation. Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive. But if you have maybe one or two developers doing many projects, then you might look more towards…
Security Consultant at a tech services company with 11-50 employees
Oct 1, 2020
Straightforward to install and reports few false positives, but it should be easier to specify your own validation and sanitation routines
What is our primary use case?I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that. I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom… more »
Pros and Cons
- "The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
- "It should be easier to specify your own validation routines and sanitation routines."
What other advice do I have?My advice for anybody who is considering this product is to first look around your organization to see if it has already been implemented in another group. If you're a big organization then Coverity or a similar tool may already be in use. In cases like this, I would say that it is best to adopt the same tool because your organization has already gone down that path and there are no huge differences in the capabilities of these tools. Some of them do it in different ways and some do things that others don't, but you won't have the initial bump of the learning curve and you can leverage their…
Team Lead at a computer software company with 10,001+ employees
This is a very capable analysis tool for development projects but the free version has limitations
What is our primary use case?We are using the free version of the SonarQube product. Be warned if you choose this version because it is lacking some of the capabilities and support. It is for this reason that we are currently considering migrating to a commercial solution.
Pros and Cons
- "It is a very good tool for analysis despite its limitations."
- "There is a free version."
- "There are limitations to the free version that limit development options as far as languages."
What other advice do I have?Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for diving more deeply into your application security, then you can possibly start with it and scale it or use some other complementary tools. If you want to see your reports, and how your development is performing, Sonar is the best tool, I think. On a scale from one to ten, where one is the worst and ten…
Owner/ Consultant at a tech services company with 1-10 employees
Dec 9, 2020
Offers many support languages, scans in a decent amount of time and is easy to set up
What is our primary use case?We primarily use the solution for static analysis.
Pros and Cons
- "There's extensive functionality with custom rules and a custom knowledge base."
- "The solution often has a high number of false positives. It's an aspect they really need to improve upon."