We did not previously use a different solution. 

We have used and looked at a mix of options, including Veracode and FOSSA.

Right now, I don't really have a competing vendor in my company, so I can't compare. More importantly, I don't have that much experience with others to compare anything accurately.

I've used Veracode, and there isn't a big difference between both solutions.

I used to work mostly on checking the source code manually, and estimated the time of completion counting the lines of code to review. With Checkmarx that time was hugely reduced.

I also worked with Veracode, which I use for compiled code, but most of the customer’s applications have uncompiled code, so that is why I use Checkmarx more frequently.

Prior to using Checkmarx, I used AppScan but the concept is completely different. With Checkmarx, you are working with source code, whereas as with AppScan, you are working with binaries. You can say that AppScan is more like a dynamic security scan and Checkmarx is more static.

These products are quite different in terms of how you do the testing. Checkmarx is better from both a performance perspective and reporting a lower number of false positives.

I still use other tools, so I just added it to the tool chest. I have Fortify, CodeSonar, etc  and I added Checkmarx as a different tool.

I was previously using Fortify but they were antiquated. They were not updating the solution on a regular basis.

The tool that we were using before was AppScan.

I do not have recent, hands-on experience with this tool but, I have used it in the past and my team now uses it extensively. We did not use a tool previous to this one, and we plan to continue using this because we are getting good results.

We use this solution for static application security testing. For dynamic testing, we use the Netsparker solution.

I'm also using SonarQube.

I am using Checkmarx in parallel with SonarQube.

I did not previously use a different solution.

We haven't really extensively worked with any other products.

Prior to this solution, we were using IBM Security AppScan. We had many, many issues with the application, along with complaints about the deployment time. The main reason we switched is that it was not updated, and it did not support certain technologies. For example, it did not support Visual Studio 2017, so we had to switch to a new solution.

We were using Fortify. Its software capability was limited in terms of mobile code scanning.

None. I started with this product.

We didn't previously use a different solution. We've only ever used this product.

We haven't used anything else. This is our first solution.

Before Checkmarx, we used HPE Security Fortify and IBM AppScan. We also tried several open-source scanning tools.

We were using IBM AppScan. Checkmarx is much better than that particular tool. It has more functionality and offers much more support to its users than IBM.

We have some experience with HPP AppScan, and with SonarQube. We started with a trial and felt that Checkmarx was the best.

We have used other products and found that you have to spend considerable time fine-tuning the scanning engine. With Checkmarx, it is a lot less and I would say that this is one of the significant differences with this solution.

The maintenance in terms of running the scans and fine-tuning the scans is very low.

On the other hand, we have used other tools where writing custom rules is not so difficult to do.

I have not used another before Checkmarx.

I have used SonarQube previously.

We used Veracode for some time and it's also a good solution. Veracode fits better for small companies. It's more automatic.

Checkmarx is more complete and they have more features to support our development team and security team requirements.

In general, Checkmarx is a better solution, but it's more complicated, especially in terms of the price for a small company.

Previously, we were using a different solution. We were leveraging multiple tools since we have code in multiple languages. Checkmarx advertised that they provide support for C, C+++, Java, etc. It turned out that they aren’t able to scan C and C++ for us. Our reason to switch to Checkmarx didn’t work out for us.

We switched solutions due to the client's requirements.

I am not aware of any previous solutions.

This is the only solution I have used.

Previously, we considered: Veracode, SonarQube, Fortify and IBM Security AppScan.

We are using other tools along with this solution.

I have used Armorize codesecure.

Straight forward. Easy to follow steps. 

I worked for an IT security firm and it was quite easy to setup the product for demo purposes virtually and even physically on the client premises

In my previous company, I used SonarQube. In my opinion, Checkmarx gives better results, and its protection is better than SonarQube.

We have used no other product.

We didn’t really have a previous solution but Checkmarx was the best match for .NET support and scan without resolving the dependencies.