Try our new research platform with insights from 80,000+ expert users

Checkmarx One vs Fortify WebInspect comparison

 

Comparison Buyer's Guide

Executive Summary
 

Categories and Ranking

Checkmarx One
Ranking in DevSecOps
2nd
Average Rating
7.6
Reviews Sentiment
7.9
Number of Reviews
70
Ranking in other categories
Application Security Tools (3rd), Static Application Security Testing (SAST) (3rd), Vulnerability Management (16th), Static Code Analysis (2nd), API Security (2nd), Risk-Based Vulnerability Management (5th)
Fortify WebInspect
Ranking in DevSecOps
9th
Average Rating
7.2
Reviews Sentiment
6.8
Number of Reviews
20
Ranking in other categories
Dynamic Application Security Testing (DAST) (2nd)
 

Featured Reviews

Rohit Kesharwani - PeerSpot reviewer
Feb 19, 2024
Provides good security analysis and security identification within the source code
We use the solution to validate the source code and do SAST and security analysis. Checkmarx dynamics code analysis improved our software security posture by showcasing vulnerabilities within the code and identifying or providing recommendations on how to improve The solution's user interface…
Navin N - PeerSpot reviewer
Sep 16, 2024
Effective scanning of diverse file extensions with fast reporting and issue resolution
We develop software packages for clients, and these clients are mostly in the BFSI sector. The packages need to be scanned, and we engage Fortify WebInspect for this.  Customers typically perform their own application pen tests, but in some cases, we have engagements where customers want us to scan…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"It shows in-depth code of where actual vulnerabilities are."
"It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx."
"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful."
"It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
"We use the solution to validate the source code and do SAST and security analysis."
"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
"Most valuable features include: ease of use, dashboard. interface and the ability to report."
"The most valuable feature of this solution is the ability to make our customers more secure."
"The user interface is ok and it is very simple to use."
"The tool provides comprehensive vulnerability assessments which help ensure our deliverables are as free from vulnerabilities as possible. It has also streamlined our web application vulnerability assessments, assisting us in delivering secure applications to our clients."
"The most valuable feature is the static analysis."
"It is easy to use, and its reporting is fairly simple."
"Guided Scan option allows us to easily scan and share reports."
"The accuracy of its scans is great."
"Good at scanning and finding vulnerabilities."
 

Cons

"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"I would like to see the rate of false positives reduced."
"When we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped."
"One area for improvement in Checkmarx is pricing, as it's more expensive than other products."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"The validation process needs to be sped up."
"The pricing can get a bit expensive, depending on the company's size."
"The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."
"Fortify WebInspect could improve user-friendliness. Additionally, it is very bulky to use."
"Our biggest complaint about this product is that it freezes up, and literally doesn't work for us."
"Fortify WebInspect's shortcoming stems from the fact that it is a very expensive product in Korea, which makes it difficult for its potential customers to introduce the product in their IT environment."
"I'm not sure licensing, but on the pricing, it's a bit costly. It's a bit overpriced. Though it is an enterprise tool, there are other tools also with similar functionalities."
"Not sufficiently compatible with some of our systems."
"It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application."
"It took us between eight and ten hours to scan an entire site, which is somewhat slow and something that I think can be improved."
"The scanner could be better."
 

Pricing and Cost Advice

"The solution's price is high and you pay based on the number of users."
"​Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"For around 250 users or committers, the cost is approximately $500,000."
"It is the right price for quality delivery."
"We have purchased an annual license to use this solution. The price is reasonable."
"The solution is costly."
"We're using a commercial version of Checkmarx, and we paid for the solution for one year. The price is high and could be reduced."
"It’s a fair price for the solution."
"The price is okay."
"Our licensing is such that you can only run one scan at a time, which is inconvenient."
"The pricing is not clear and while it is not high, it is difficult to understand."
"This solution is very expensive."
"Its price is almost similar to the price of AppScan. Both of them are very costly. Its price could be reduced because it can be very costly for unlimited IT scans, etc. I'm not sure, but it can go up to $40,000 to $50,000 or more than that."
"Fortify WebInspect is a very expensive product."
report
Use our free recommendation engine to learn which DevSecOps solutions are best for your needs.
814,649 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
21%
Computer Software Company
15%
Manufacturing Company
10%
Government
5%
Financial Services Firm
18%
Computer Software Company
16%
Government
13%
Manufacturing Company
13%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
What do you like most about Fortify WebInspect?
The solution's technical support was very helpful.
What is your experience regarding pricing and costs for Fortify WebInspect?
Pricing depends on the deal and can vary. Smaller clients might find it challenging to afford Fortify WebInspect, while it is more suitable for medium to large enterprises. The OEMs tend to price s...
What needs improvement with Fortify WebInspect?
There are some file extensions, like .SER, that Fortify WebInspect doesn't scan. For these, we have to depend on other tools like GitHub scanners.
 

Also Known As

No data available
Micro Focus WebInspect, WebInspect
 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Aaron's
Find out what your peers are saying about Checkmarx One vs. Fortify WebInspect and other solutions. Updated: October 2024.
814,649 professionals have used our research since 2012.