Has anyone done a comparison between Checkmarx and Veracode application security testing?
What are the main pros and cons of each solution?
What else do we need to consider when evaluating these two products?
As someone who has long been using HP Fortify, I've been actively looking at both these tools as serious options. Both are reputable SAST products but work very differently. You wouldn't go wrong choosing either, but you should take into account the width and breadth of each when deciding. Pricing will vary, but both products are fairly competitive with each other.
Veracode uses supplied binaries to perform the static scan. Although not a huge deal, this still requires a build and an initial baseline review that can potentially take days to complete. Follow-up scans are performed in the same manner but turn around faster. Veracode also has APPSEC staff available (at additional cost) to assist your developers. This is great if your company is in its infosec infancy or lacking FTE resources. The only downsides at this stage appear to be the IDE integration and that VC does not offer an on-premise solution. One other plus is that Veracode also offers a dynamic solution. (Integrates with Jenkins/JIRA/etc.)
Checkmarx is a pretty swift-moving SAST tool. It offers both a cloud and an on-premise solution and is very light on resources. Checkmarx works differently in that it scans the source code directly; no builds are required. However, if you are looking for simple and easy with all the bells and whistles, Cx is great. Further, if you are an enterprise that has an endless supply of projects (new and legacy) that need evaluation, you can spin them up quickly and consistently with Cx. Not having to perform a build makes the process much easier, especially when you're working with legacy products whose developers may have left long ago. (Integrates with Jenkins/JIRA/GIT/SVN/etc.) A couple of downsides include the lack of a dynamic product and that you may miss something that another product would evaluate in the build process.
Hi Joe, excellent post. Thank you. I am new to the static scanning world. My understanding is that Fortify requires a build into an intermediate format for its analysis (e.g. taint, data flow, etc.). You also include the binaries of any libraries that are part of the build. I assume you felt the trade-off between ease of use versus the potential to "miss something" that a build product would evaluate was not worth going to a build product solution. Thanks again, Joe.