We performed a comparison between Checkmarx and HCL AppScan based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
"The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."
"The user interface is modern and nice to use."
"The most valuable features are the easy to understand interface, and it's very user-friendly."
"The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
"It gives the proper code flow of vulnerabilities and the number of occurrences."
"It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx."
"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
"It was easy to set up."
"The UI was very intuitive."
"Compared to other tools only AppScan supports special language."
"It identifies all the URLs and domains on its own and then performs tests and provides the results."
"It's generally a very user-friendly tool. Anyone can easily learn how to scan."
"We use it as a security testing application."
"There's extensive functionality with custom rules and a custom knowledge base."
"The product is useful, particularly in its sensitivity and scanning capabilities."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
"I would like to see the DAST solution in the future."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, 'Yeah. I'd like something else on the roadmap.' What they're looking to deliver is what I would expect and forecast them to deliver."
"In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
"IBM Security AppScan Source is rather hard to use."
"There is room for improvement in the pricing model."
"The penetration testing feature should be included."
"They should have a better UI for dashboards."
"We have experienced challenges when trying to integrate this solution with other products. When you compare it with the other SecOps products, the quality of the output is too low. It is not a new-age product. It is very outdated."
"The product has some technical limitations."
"There are so many lines of code with so many different categories that I am likely to get lost."
"The solution's scalability can be a matter of concern because one license runs on one machine only."
Checkmarx is ranked 3rd in Application Security Tools with 23 reviews while HCL AppScan is ranked 14th in Application Security Tools with 19 reviews. Checkmarx is rated 7.6, while HCL AppScan is rated 7.6. The top reviewer of Checkmarx writes "Specifies the exact line of code where it finds the problem and gives good reports". On the other hand, the top reviewer of HCL AppScan writes "A useful tool to scan applications that can be easily installed". Checkmarx is most compared with SonarQube, Veracode, Fortify on Demand, Snyk and Acunetix, whereas HCL AppScan is most compared with SonarQube, Veracode, Acunetix, OWASP Zap and Fortify on Demand.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.