Checkmarx vs Veracode

Overview

Veracode

Stacks66

Followers129

Votes0

Checkmarx

Stacks84

Followers135

Votes0

Checkmarx vs Veracode: What are the differences?

Introduction:

Checkmarx and Veracode are both popular static application security testing (SAST) tools used in the software development lifecycle to identify and fix vulnerabilities in code. While they share some similarities, there are key differences between the two.

1. Deployment method: Checkmarx is an on-premises solution that requires installation and maintenance of hardware and software infrastructure. On the other hand, Veracode is a cloud-based platform that offers easy scalability and eliminates the need for local setup and maintenance.

2. Language coverage: Checkmarx supports a wide range of programming languages, including C, C++, Java, .NET, PHP, Ruby, and more. Veracode, on the other hand, has broader language coverage, supporting not only traditional languages but also newer ones like Swift, Kotlin, and others.

3. False positive rates: Checkmarx has a reputation for having a higher false positive rate compared to Veracode. False positives occur when the tool incorrectly identifies a piece of code as vulnerable when it is not. Veracode, on the other hand, uses advanced algorithms and a vast knowledge base to minimize false positives and increase accuracy.

4. Reporting and remediation: Checkmarx provides detailed reports with vulnerability information, but the responsibility for fixing identified vulnerabilities lies with the development team. Veracode, on the other hand, not only provides comprehensive reports but also offers remediation guidance and recommendations to assist developers in fixing the vulnerabilities more effectively.

5. Integration and automation: Checkmarx offers integration capabilities with popular code repositories, build tools, and issue trackers but might require additional effort for customization. Veracode, on the other hand, provides seamless integration with various development tools and automation capabilities, making it easier to incorporate security measures into the software development process.

6. Pricing model: Checkmarx generally follows a perpetual software license model, where customers pay upfront for the software and ongoing maintenance. Veracode, on the other hand, follows a subscription-based model, allowing customers to pay for the services on a recurring basis, making it more flexible for organizations with fluctuating testing needs.

In Summary, Checkmarx and Veracode differ in deployment method, language coverage, false positive rates, reporting and remediation capabilities, integration and automation options, and pricing models.

Share your Stack

Help developers discover the tools you use. Get visibility for your team's tech choices and contribute to the community's knowledge.

View Docs

CLI (Node.js)

Manual

Detailed Comparison

Veracode	Checkmarx
It seamlessly integrates application security into the software lifecycle, effectively eliminating vulnerabilities during the lowest-cost point in the development/deployment chain, and blocking threats while in production.	It is a provider of state-of-the-art application security solution: static code analysis software, seamlessly integrated into development process.
Statice Application Security Scanning; Dynamic Application Security Scanning	Evaluate Your Exposure with a Holistic Platform; Gain Full Visibility; Secure Your Entire SDLC; Empower Your Developers; Determine Your Acceptable Risk
Statistics
Stacks 66	Stacks 84
Followers 129	Followers 135
Votes 0	Votes 0
Integrations
Gradle Apache Maven Jenkins Bitbucket Travis CI Apache Ant Appveyor	Jenkins Gradle Bitbucket Travis CI TeamCity Bamboo

What are some alternatives to Veracode, Checkmarx?

Code Climate

After each Git push, Code Climate analyzes your code for complexity, duplication, and common smells to determine changes in quality and surface technical debt hotspots.

Codacy

Codacy automates code reviews and monitors code quality on every commit and pull request on more than 40 programming languages reporting back the impact of every commit or PR, issues concerning code style, best practices and security.

Phabricator

Phabricator is a collection of open source web applications that help software companies build better software.

Let's Encrypt

It is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

PullReview

PullReview helps Ruby and Rails developers to develop new features cleanly, on-time, and with confidence by automatically reviewing their code.

Gerrit Code Review

Gerrit is a self-hosted pre-commit code review tool. It serves as a Git hosting server with option to comment incoming changes. It is highly configurable and extensible with default guarding policies, webhooks, project access control and more.

SonarQube

SonarQube provides an overview of the overall health of your source code and even more importantly, it highlights issues found on new code. With a Quality Gate set on your project, you will simply fix the Leak and start mechanically improving.

Sqreen

Sqreen is a security platform that helps engineering team protect their web applications, API and micro-services in real-time. The solution installs with a simple application library and doesn't require engineering resources to operate. Security anomalies triggered are reported with technical context to help engineers fix the code. Ops team can assess the impact of attacks and monitor suspicious user accounts involved.