What is the Biggest Difference Between Checkmarx and Fortify?

I work for a midsized software startup and I am currently evaluating Checkmarx and Fortify. 

What are the biggest differences between the two? Which would you recommend?

Thanks! I appreciate the help. 

55 Answers

author avatar

Checkmarx SAST is a product supporting 20+ languages, including the modern ones (GoLang, Kotlin, Swift, Scala, TypeScript, React). Its language support is constantly kept up to date with the current versions of the respective languages/frameworks (e.g. .NET Core 2.x etc.).

Unlike Fortify, Checkmarx analyses raw (uncompiled) source code, which makes it less susceptible to changes in the build environment (e.g. no dependency on the specific version of Xcode).

Finally, the Checkmarx solution is available both as an on-premise and as a cloud (hosted) solution with the same capabilities. Fortify on Demand (which is the cloud-only solution) is different from the on-prem one.

author avatar

Fewer false positives with CX than Fortify. More integrated.

author avatar

Looking at the Gartner report, I would say that Checkmarx is way easier to set up (initial setup) compared to Micro Focus Fortify.
Also, the financial strength of the Micro Focus Fortify spin/merger is a concern, so investments could be at risk.

author avatar

The major difference is that Checkmarx scans the code without compiling it. This is a great advantage, as code building issues are eliminated, scan time is much shorter, and false positives are fewer to some extent. One more major thing is that Checkmarx learns as you eliminate false positives and does not show the same issue again. We can perform incremental scans on the codebase, where old issues are nicely marked as "Recurring" and new ones are marked in red as NEW. Checkmarx has highly customizable filter creation, where you can create a filter that eliminates the common recurring issues in scans. This feature is very flexible: you can write your own filters and also write specific patterns that are found in manual review, which is a great help as coding styles differ from team to team.

author avatar

Thanks a lot. Thank you for the information.

Find out what your peers are saying about Checkmarx vs. Fortify Application Defender and other solutions. Updated: May 2021.