We performed a comparison between Checkmarx vs.Veracode based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Veracode has the winning edge in this comparison. Customers are more satisfied with Veracode’s robust features, stability, and pricing model.
"It gives the proper code flow of vulnerabilities and the number of occurrences."
"The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility."
"It shows in-depth code of where actual vulnerabilities are."
"Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"The SAST component was absolutely 100% stable."
"Both automatic and manual code review (CxQL) are valuable."
"Less false positive errors as compared to any other solution."
"It has an easy-to-use interface."
"I have found the user interface extremely helpful in prioritizing issues."
"The most valuable feature is the dynamic application security testing."
"For use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool."
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"Veracode is a valuable tool in our secure SDLC process."
"In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better."
"I like Veracode's static scanning and SCA. We use three static scans, software composition analysis, and dynamic scans. We haven't used dynamic scanning as much, but we're trying to integrate that into our environment more."
"Its user interface could be improved and made more friendly."
"I would like to see the tool’s pricing improved."
"The solution's user interface could be improved because it seems outdated."
"The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information."
"Micro-services need to be included in the next release."
"They could work to improve the user interface. Right now, it really is lacking."
"I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
"With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too."
"Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode."
"Security can always be improved."
"It can be a bit complex because it takes a lot of time to have it complete the task."
"Veracode Static Analysis can improve the false positive. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern."
"Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them."
"One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."
"I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams."
"There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. Also, the duration of the scan is a bit too long."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Checkmarx One is rated 7.6, while Veracode is rated 8.2. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Checkmarx One is most compared with SonarQube, Fortify on Demand, Snyk, Coverity and Mend.io, whereas Veracode is most compared with SonarQube, Fortify on Demand, Snyk, OWASP Zap and Fortify Static Code Analyzer. See our Checkmarx One vs. Veracode report.
See our list of best Application Security Tools vendors, best Static Application Security Testing (SAST) vendors, and best Static Code Analysis vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.
About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this. https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.