Try our new research platform with insights from 80,000+ expert users

CAST Highlight vs Checkmarx One comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

CAST Highlight
Average Rating
7.8
Reviews Sentiment
7.1
Number of Reviews
7
Ranking in other categories
Software Composition Analysis (SCA) (16th)
Checkmarx One
Average Rating
7.6
Reviews Sentiment
6.9
Number of Reviews
70
Ranking in other categories
Application Security Tools (3rd), Static Application Security Testing (SAST) (3rd), Vulnerability Management (21st), Static Code Analysis (2nd), API Security (3rd), DevSecOps (2nd), Risk-Based Vulnerability Management (8th)
 

Mindshare comparison

While both are Security Software solutions, they serve different purposes. CAST Highlight is designed for Software Composition Analysis (SCA) and holds a mindshare of 0.9%, up 0.9% compared to last year.
Checkmarx One, on the other hand, focuses on Application Security Tools, holds 10.7% mindshare, down 15.1% since last year.
Software Composition Analysis (SCA)
Application Security Tools
 

Featured Reviews

Jayanti Rode - PeerSpot reviewer
Identifies migration blockers and boosters while facing challenges with platform-specific roadblocks
The solution provides agnostic blockers for platforms as well as for containerization. Within that containerization, it offers generic blockers. However, my project might require it to provide Windows-specific blockers or Linux-specific blockers, as I often work with only one platform at a time. If I received categorization in containerization blockers, it would save time. Understanding only the OS-specific blockers means I would avoid resolving irrelevant issues, thus saving time. Initially, I receive a response from support, however, if there is involvement from R&D or other teams, it may take longer than expected. The support team is challenging when sharing source code. As this is a static code analysis tool, it sometimes requires source code for R&D. However, CAST clients may be restricted from sharing due to business logic and nondisclosure agreements. This creates a challenge, and I may have to share pseudo code or seek client approval, risking escalation.
Rohit Kesharwani - PeerSpot reviewer
Provides good security analysis and security identification within the source code
We integrate Checkmarx into our software development cycle using GitLab's CI/CD pipeline. Checkmark has been the most helpful for us in the development stage. The solution's incremental scanning feature has impacted our development speed. The solution's vulnerability detection is around 80% to 90% accurate. I would recommend Checkmarx to other users because it is one of the good tools for doing security analysis and security identification within the source code. Overall, I rate Checkmarx a nine out of ten.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"In cloud migration, I use CAST highlight to identify blockers, which are the negative road patterns, and also the boosters, which are positive code patterns."
"CAST Highlight is easy to use and has a good dashboard."
"The way it tells you which codebase is more ready for the cloud and which codebase is less ready is very valuable. It works seamlessly with most languages."
"CAST Highlight provides a clear overview of the role portfolio and allows users to assess the overall quality of the environment. Users can see where improvements are needed and follow up on trends of the application."
"The most valuable features of the CAST Highlight are the interface and there are three notations that are very simple to understand and communicate with."
"The solution provides agnostic blockers for platforms as well as for containerization."
"It offers good performance."
"The most valuable features of CAST Highlight are automation and speed."
"The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful."
"I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
"The report function is the solution's greatest asset."
"The SAST component was absolutely 100% stable."
"It gives the proper code flow of vulnerabilities and the number of occurrences."
"What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
"The most valuable feature for me is the Jenkins Plugin."
"Helps us check vulnerabilities in our SAP Fiori application."
 

Cons

"CAST Highlight could improve to allow us to comment and do a deep analysis by ourselves."
"There's a bit of a learning curve at the outset."
"If I received categorization in containerization blockers, it would save time."
"Its price should be better. It is a pretty costly tool. They have two products: CAST Highlight and CAST AIP. I would expect CAST Highlight to have the Help dashboard and the Engineering dashboard. These dashboards are currently a part of CAST AIP, and if these are made available in CAST Highlight, customers won't have to use two different products all the time."
"The ease of configuration and customization could be improved in CAST Highlight."
"The reports that describe the issues of concern are rather abstract and the issues should be more clearly described to the user."
"There could be potential improvements or additional features added to CAST Highlight to make it better."
"Checkmarx could be improved with more integration with third-party software."
"They could work to improve the user interface. Right now, it really is lacking."
"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"Checkmarx could improve the speed of the scans."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
 

Pricing and Cost Advice

"Basic support is included with the standard licensing feed but it can be upgraded for an additional cost."
"It is a pretty costly tool. A lot of customers are resistant to using it."
"CAST Highlight is an expensive solution. However, CAST Highlight is less expensive than the CAST AIP, but it remains too expensive and the professional services from CAST are also too expensive. The high price is part of the problem with the CAST solutions."
"CAST Highlight is an expensive solution."
"For around 250 users or committers, the cost is approximately $500,000."
"It is a good product but a little overpriced."
"The solution's price is high and you pay based on the number of users."
"Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications)."
"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
"If you want more, you have to pay more. You have to pay for additional modules or functionalities."
"The number of users and coverage for languages will have an impact on the cost of the license."
"It's relatively expensive."
report
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
849,190 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
23%
Computer Software Company
17%
Manufacturing Company
8%
Government
7%
Financial Services Firm
21%
Computer Software Company
14%
Manufacturing Company
10%
Government
5%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about CAST Highlight?
The most valuable features of CAST Highlight are automation and speed.
What is your experience regarding pricing and costs for CAST Highlight?
The pricing of CAST Highlight was not considered expensive or cheap, and no specific comment was made about the setup cost.
What needs improvement with CAST Highlight?
The solution provides agnostic blockers for platforms as well as for containerization. Within that containerization, it offers generic blockers. However, my project might require it to provide Wind...
What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
 

Overview

 

Sample Customers

Wells Fargo, Bank of NY Mellon, Northern Trust, Microsoft, Amazon, IBM, BMW, AT&T, US Army, US Air Force, US Navy, John Hancock, Marsh & McLennan, Ernst & Young, PwC, Volkswagen, Boston Consulting Group, London Stock Exchange, Telefonica, Saur France, Total Energies France, SNCF
YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Find out what your peers are saying about CAST Highlight vs. Checkmarx One and other solutions. Updated: September 2022.
849,190 professionals have used our research since 2012.