CAST Highlight vs. Checkmarx

I think CAST is a great tool to give insight into your applications. The tool can be met with resistance from team members as the tool is going to expose defects that should be addressed. Out of the box, it may need some tailoring to focus on certain areas so that you are not overwhelmed with defects the first time you scan your code. But ultimately, you will want to eliminate all defects in the code and have all violations turned on.

Incentivized

If you are going with SAST process or want to improve overall security posture then go for it like integrating it with post deployment steps. If you are more concerned about proactive controls better choose other options such as pee-commit hooks and CI security. Also choose other tools for DAST and API scans.

Incentivized

• Identifies common coding vulnerabilities.
• Compares code to industry best practices.
• Assesses the code for data privacy compliance.

Incentivized

• Detects security vulnerabilities in source code with accuracy and detail.
• Integrates seamlessly with CI/CD pipelines, IDEs, and repositories.
• Provides clear reports and actionable fix recommendations for developers.

Incentivized

• Code scans could be faster. A large application may need to be broken down into smaller sub-applications in order to facilitate faster code scans.
• We spent a lot of time trying to figure out how to best structure our code base in the application for ultimate performance.

Incentivized

• Scan duration
• False positives
• Integration with other tools like Jenkins comes with some inconveniences.

Incentivized

Their API based customizations which I leveraged to create an ASPM package, which is developer friendly and can extend above the dashboard features, other ones are UI which is great and feels clutter free. Menu and navigation is also good so as support. Only drawback is sometimes scan takes longer which I feel so can be reduced

Incentivized

Tech support and pro services are top-notch.

Incentivized

These other tools only do a part of what CAST does. CAST gives a comprehensive view into the code looking at all aspects, code quality, security, maintainability, vulnerability, privacy, reuse, etc. These other tools only focus on one or two dimensions.

Incentivized

Checkmarx is easier to integrate with development tools and gives quick feedback during coding, which is helpful for developers. Veracode is more focused on scanning and reporting for compliance, but it’s more complex to set up. We chose Checkmarx because it fits better into our development process, offering faster scans and more useful suggestions for fixing problems

Incentivized

• I believe once we had the tool working for our code base, we immediately saw positive ROI.
• We spent some time getting to where our code code be scanned efficiently but some of that was trying to do things ourselves instead of fully utilizing Cast Professional Services. I highly recommend to do an engagement with CAST to have them help setup the tool in your environment or to run it in the cloud for you.

Incentivized

• Improved ability to provide high level of IA confidence
• Improved confidence in application-level security

Incentivized