Checkmarx vs. Fortify by OpenText

If you are going with SAST process or want to improve overall security posture then go for it like integrating it with post deployment steps. If you are more concerned about proactive controls better choose other options such as pee-commit hooks and CI security. Also choose other tools for DAST and API scans.

Incentivized

It is best suited for runtime application security scanning and very useful for automation. You can seemlessly integrate with pipeline for dynamic scans. Cloud based apps can also be scanned for vulnerabilities, cross site scripting attacks. Basically all OWASP TOP 10. It is less appropriate to use if you have serverless architecture

Incentivized

• Detects security vulnerabilities in source code with accuracy and detail.
• Integrates seamlessly with CI/CD pipelines, IDEs, and repositories.
• Provides clear reports and actionable fix recommendations for developers.

Incentivized

• DAST Scanning
• API Scanning
• Less detection of false positive

Incentivized

• Scan duration
• False positives
• Integration with other tools like Jenkins comes with some inconveniences.

Incentivized

• Reporting could be better
• Can be an involved setup if your organization is not using common build tools
• Users get spammed with a lot of email updates from the service

Incentivized

Since every firm needs to perform static code analysis on their applications, I believe Micro Focus Fortify WebInspect would work well for them (they also offer dynamic scanning, although I haven't used it myself). Different static analysis tools scan code in different ways, and Micro Focus Fortify WebInspect asks you to submit a complete build of the application along with debugging files. Depending on how your company builds its apps, this requirement may be simple or challenging.

Incentivized

Their API based customizations which I leveraged to create an ASPM package, which is developer friendly and can extend above the dashboard features, other ones are UI which is great and feels clutter free. Menu and navigation is also good so as support. Only drawback is sometimes scan takes longer which I feel so can be reduced

Incentivized

It is a cloud-based platform which can provide us a very useful and unique features like Application Assessment, Scans, Vulnerability Test, Comprehensive Reporting, Monitoring, etc. Fortify by Open Text is also outstanding in various parameters for the support and integration and it is highly adaptable in various DevOps Program where you need secure app testing with all given features.

Incentivized

Always receive excellent support from the vendor. No issues there.

Incentivized

Checkmarx is easier to integrate with development tools and gives quick feedback during coding, which is helpful for developers. Veracode is more focused on scanning and reporting for compliance, but it’s more complex to set up. We chose Checkmarx because it fits better into our development process, offering faster scans and more useful suggestions for fixing problems

Incentivized

Fortify Application Defender is a little more timely and upfront with a lot of their information on cyber security. we like what they provide and how they communicate with our users. I think they have a good understanding and practice in their field. they seem best suited for us and the best fit.

Incentivized

• Improved ability to provide high level of IA confidence
• Improved confidence in application-level security

Incentivized

• DevSecOps helped in reducing efforts
• License cost was less
• We could roll out double the count of applications with implementation of WebInspect

Incentivized