No more typing reviews! Try our Samantha, our new voice AI agent.

Checkmarx One vs Fortify Software Security Center comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Checkmarx One
Ranking in Static Application Security Testing (SAST)
2nd
Average Rating
7.8
Reviews Sentiment
6.6
Number of Reviews
81
Ranking in other categories
Application Security Tools (2nd), Vulnerability Management (16th), Container Security (15th), Static Code Analysis (2nd), API Security (4th), Dynamic Application Security Testing (DAST) (2nd), DevSecOps (2nd), Risk-Based Vulnerability Management (10th), Application Security Posture Management (ASPM) (3rd), AI Security (1st)
Fortify Software Security C...
Ranking in Static Application Security Testing (SAST)
19th
Average Rating
8.0
Reviews Sentiment
4.6
Number of Reviews
8
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of May 2026, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx One is 9.7%, down from 10.5% compared to the previous year. The mindshare of Fortify Software Security Center is 1.5%, up from 0.4% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Static Application Security Testing (SAST) Mindshare Distribution
ProductMindshare (%)
Checkmarx One9.7%
Fortify Software Security Center1.5%
Other88.8%
Static Application Security Testing (SAST)
 

Featured Reviews

Shahzad Shahzad - PeerSpot reviewer
Senior Solution Architect | L3+ Systems & Cloud Engineer | SRE Specialist at Canada Cloud Solution
Enable secure development workflows while identifying opportunities for faster scans and improved AI guidance
Checkmarx One is a very strong platform, but there are several areas where it can improve to support modern DevSecOps workflows even better. For example, better real-time developer guidance is needed. The IDE plugin should offer richer AI-powered auto-fixes similar to SNYK Code or GitHub Copilot Security, as current guidance is good but not deeply contextual for large-scale enterprise codebases. This matters because it reduces developer friction and accelerates shift-left adoption. More transparency control over the correlation engines is another need. The correlation engine is powerful but not fully transparent. Users want to understand why vulnerabilities were correlated or de-prioritized, which helps AppSec teams trust the prioritization logic. Faster SAST scan and more language coverage is needed since SAST scan can still be slow for very large mono-repos and there is limited deep support for new language frameworks like Rust and Go, along with advanced coverage for serverless-specific frameworks. This matters because large organizations want sub-minute scans in CI/CD as cloud-native ecosystems evolve fast. A strong API security module is another area for enhancement. API security scanning could be improved with active testing, API discovery, full Swagger, OpenAPI, drift detection, and schema-based fuzzing. This is important as API attacks are one of the biggest AppSec risks in 2025. Checkmarx One is strong, but I see a few areas for improvement including faster SAST scanning for large mono-repos, deeper language framework support, more transparent correlation logic, and stronger API security that includes discovery and runtime context. The IDE plugin could offer more AI-assisted fixes, and the SBOM lifecycle tracking can evolve further. Enhancing integration with SIEM and SOAR would also make enterprise adoption smoother, and these improvements would help developers and AppSec teams move faster with more accuracy.
Diego Caicedo Lescano - PeerSpot reviewer
Chief Innovation Officer at SAGGA
Enables centralized analysis and improves governance through seamless tool integration
The main use case for Fortify Software Security Center is exceptional because we have governance and control through that console. You can centralize both static analysis and dynamic analysis, and correlate both analyses in one tool to get better results by combining those independent results from each solution. That is outstanding, and there is no tool I have seen on the market that offers these capabilities. I appreciate the interoperability with other solutions from Fortify Software Security Center. Because we are using Kiuwan, you can run Kiuwan analyses and integrate them with Fortify Software Security Center to get those results in a single console. That is a good console for centralizing things in one point. That is one of the best features of the on-premises Fortify.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The feature that I have found most valuable is that its number of false positives is less than the other security application platforms, its ease of use is another good feature, and it also supports most of the languages."
"The most valuable feature of Checkmarx is the user interface, it is very easy to use, and we do not need to configure anything, we only have to scan to see the results."
"It is very useful because it fits our requirements, it is also easy to use, it is not complex, and we are satisfied with the results."
"I like that you don't have to compile the code in order to execute static code analysis, so it's very handy."
"Vulnerability details is valuable."
"The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility."
"What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
"It can integrate very well with DAST solutions, so both of them are combined into an integrated solution for customers running application security."
"You can easily download the tool's rule packs and update them."
"Software Security Center is highly customizable and helps me test all vulnerability data against the latest conventions like OWASP Top Ten, CVE Top twenty-five, and several other legal compliances."
"I like the explanation of issues provided by Fortify Software Security Center."
"The reporting is very useful because you can always view an entire list of the issues that you have."
"This is a stable solution at the end of the day."
"The main use case for Fortify Software Security Center is exceptional because we have governance and control through that console."
"The reporting is very useful because you can always view an entire list of the issues that you have."
"It's very important because they want to scan their source code every day, so we provide CICD integration to our customers so they can auto build and auto test every day, get reports, and fix issues."
 

Cons

"We can run only one project at a time."
"There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
"The validation process needs to be sped up."
"Checkmarx could be improved with more integration with third-party software."
"Checkmarx could probably do something to improve their license model."
"I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."
"The initial setup of this solution is very complex. Specifically, the integration between other parts of the solution is difficult."
"The support for Fortify on-premises is the same as for the other products. I would say the support is not good and I would rate it a three out of ten."
"We are having issues with false positives that need to be resolved."
"Fortify Software Security Center's setup is really painful."
"This solution is difficult to implement, and it should be made more comfortable for the end-users."
"The product's overlap feature is restrictive and requires more customization efforts, which can be expensive."
"We are having issues with false positives that need to be resolved."
"Improvements needed for Software Security Center include better aggregation views of datasets."
 

Pricing and Cost Advice

"The solution is costly."
"It is an expensive solution."
"The tool's pricing is fine."
"I believe pricing is better compared to other commercial tools."
"The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."
"It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing."
"We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."
"The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."
"This is a costly solution that could be cheaper."
"As a Fortify partner company providing technical support, I find the product expensive in our country, where local, inexpensive products are available."
"The solution is priced fair."
report
Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.
893,244 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
17%
Manufacturing Company
9%
Computer Software Company
8%
Government
6%
Manufacturing Company
14%
Financial Services Firm
11%
Government
9%
Construction Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business32
Midsize Enterprise9
Large Enterprise46
By reviewers
Company SizeCount
Small Business4
Midsize Enterprise1
Large Enterprise3
 

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What is your experience regarding pricing and costs for Checkmarx?
Checkmarx One is a premium solution, so budget accordingly. Make sure you understand how licensing scales with additional applications and users. I advise negotiating multi-year contracts or bundle...
What needs improvement with Checkmarx?
One way Checkmarx One could be improved is if it could automatically run scans every month after implementation. If it is possible to set it in the SAST portal to scan the repositories automaticall...
What needs improvement with Micro Focus Software Security Center?
In my opinion, there are no areas that could be improved with Fortify Software Security Center. I would say it is a good product and a mature product. However, the SAST has many improvement areas. ...
What is your primary use case for Micro Focus Software Security Center?
We have installed Fortify Static Code Analysis, SAST, in Ecuador in two customers. The Fortify ScanCentral includes three components: SAST, Fortify Software Security Center, and the WebInspect.
 

Also Known As

No data available
Micro Focus Software Security Center, Application Security Center, HPE Application Security Center, WebInspect
 

Overview

 

Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Neosecure, Acxiom, Skandinavisk Data Center A/S, Parkeon
Find out what your peers are saying about Checkmarx One vs. Fortify Software Security Center and other solutions. Updated: April 2026.
893,244 professionals have used our research since 2012.