We are currently evaluating application security solutions. What is the biggest difference between Veracode and Checkmarx? Which would you recommend?
Thanks! I appreciate the help.
JaeLee, check out our comparison page here of Veracode vs Checkmarx: https://www.itcentralstation.com/products/comparisons/checkmarx_vs_veracode
Checkmarx is ranked 4th, while Veracode is ranked 1st with 39 reviews. Checkmarx is rated 8.0, while Veracode is rated 8.2. The top reviewer of Checkmarx writes "Works well with Windows servers but no Linux support and takes too long to scan files". On the other hand, the top reviewer of Veracode writes "Enables us to automatically submit each new build for scanning and get results directly into our JIRA". Checkmarx is most compared with SonarQube, Veracode and Micro Focus Fortify on Demand, whereas Veracode is most compared with SonarQube, Checkmarx and Micro Focus Fortify on Demand.
Veracode has offered a dynamic analysis testing solution for several years, having launched our first offering in 2015. Veracode’s DAST product line offers the ideal solution to find all of the sites on your web perimeter, including the ones that you did not know about, and run a comprehensive DAST scan of the websites you are securing. Veracode Dynamic Analysis scans Single Page Apps and apps built with Angular and React Vue.js frameworks. Veracode Dynamic Analysis provides scanning automation to configure, schedule, and kick-off scans using REST APIs. We offer integrations with Jira and Jenkins to help streamline your processes. While we are new entrants into the IAST market, we’re confident that Veracode Interactive Analysis can meet the needs of the market. Veracode’s IAST product installs in the pipeline with a lightweight, multi-language agent that delivers high-quality results. Veracode Interactive Analysis covers multiple languages to simplify CICD tooling and adds only 3% to pipeline timelines.
In order to run correctly, Veracode needs executables compiled with debug, that is not so different from having source code, but configuration files checking will be excluded from the analysis. The quality of detections of CheckMarx is superior, as well as the number of supported programming languages. Further, the Veracode company's stability was recently mined by a further recent acquisition. Between those products I haven't any doubt to choose Checkmarx
Veracode is very new in DAST and IAST, Checkmarx is offering that since longer time and is more experienced.
Checkmarx can be deploy on private , Veracode only support the Saas Model . But in China I think that is better for Appscan which include black box and white box function . Any question can contact SYSTIME CHINA . (Apple@systime.com.cn)
I am looking for pros and cons for the Checkmarx vs SonarQube, in particular regarding:
I am also wondering if SonarQube could allow developers to delint their code before submitting it to SAST with either Checkmarx or Veracode.
Let the community know what you think. Share your opinions now!