Checkmarx SAST vs OpenText Core Application Security comparison

Checkmarx SAST vs. OpenText Core Application Security

Download the complete report

Helped 900,644 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

Checkmarx SAST

Ranking in Static Application Security Testing (SAST)

21st

Average Rating

7.6

Reviews Sentiment

6.0

Number of Reviews

Ranking in other categories

No ranking in other categories

OpenText Core Application S...

Ranking in Static Application Security Testing (SAST)

9th

Average Rating

8.0

Reviews Sentiment

7.0

Number of Reviews

Ranking in other categories

Application Security Tools (12th)

Mindshare comparison

As of June 2026, in the Static Application Security Testing (SAST) category, the mindshare of Checkmarx SAST is 1.6%, up from 1.0% compared to the previous year. The mindshare of OpenText Core Application Security is 3.2%, down from 4.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST) Mindshare Distribution
Product	Mindshare (%)
OpenText Core Application Security	3.2%
Checkmarx SAST	1.6%
Other	95.2%

Static Application Security Testing (SAST)

Featured Reviews

Tharindu Malwenna

Senior Application Security Engineer at a newspaper with 5,001-10,000 employees

Has supported early vulnerability detection but requires tuning to reduce false positives and scanning delays

When assessing the accuracy and efficiency of Checkmarx SAST scanning capabilities, they are currently recommending that doing the full scan is the main, correct way of scanning the repositories. However, based on the repository size we have, it sometimes takes more than 10 minutes for larger repositories, which is a downside. The accuracy of the results depends on various factors, as some of the test folders tend to give us false positives, which makes a huge impact on the vulnerabilities. Those are the major things that we have to fine-tune from our end. I would rate Checkmarx SAST around a seven, as it does have some false positives we have to work with, which are the major concerning things. The number of false positives is significant because we cannot implement policies because of this.

Read full review

Himanshu_Tyagi

Lead Cybersecurity at TBO

Supports secure development pipelines and improves issue detection but limits internal visibility and needs broader dashboard integration

If you have an internal team and you want your internal team to validate false positives, basically to determine whether it's a valid issue or an invalid issue, then I wouldn't recommend it much. That was the only reason we migrated from Fortify on Demand to another solution. Fortify has another tool which is Fortify WebInspect. On Demand is the outsourcing solution, and WebInspect you can use with your in-house team, which is basically the product developed by the Fortify team. For automated scanning, Fortify helps a lot. Regarding the visibility for the internal team, everyone is moving toward the DevSecOps side, and Fortify team has made good progress that you can integrate into your CICD pipeline. One thing I would highlight is if Fortify can focus more on the centralized dashboard of the tools because nowadays, tools such as SentinelOne also exist for identifying security issues, but they have a centralized dashboard that merges their cloud solution and application security side solution together. If you have one tool that works for different solutions, it helps a lot. They are doing good, but they should invest more on the AI side as well because AI security is evolving these days. On the cloud side, they have already made good progress, but I believe they should explore the new area related to AI security as well.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The detailed reports from Checkmarx SAST help with our security process by showing details about which line is actually vulnerable, which is beneficial for the developers, and I do not have any suggestions or inputs on that area."

"This helps us a lot in identifying vulnerabilities in early stages, and the integration within the IDEs helps developers get the results into their IDE itself, making it easier for them to fix vulnerabilities."

"The most important feature is that Checkmarx protects our company against attacks."

"The CX1 is a unified platform that covers all components such as SAST, SCA, DAST, container scanning, and infrastructure code, which is quite beneficial because some clients need one-stop solutions for all their needs."

"The most important competitive advantage and benefit is the ability to identify vulnerabilities in the source code immediately without needing to complete the coding."

"The static code analyzer provides views from a security perspective and it is easy to use compared to others."

"The best features with Fortify on Demand include having analysis for any product based on analysis points."

"It improves future security scans."

"The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."

"There is not only one specific feature that we find valuable. The idea is to integrate the solution in DevSecOps which we were able to do."

"The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities, and it is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it."

"Security defects are captured early in the lifecycle and fixed quicker."

"Fortify on Demand has helped us more easily ensure the security of our client's application, which works with sensitive information such as payments and taxation."

More OpenText Core Application Security pros

Cons

"The on-premises version is more expensive compared to the cloud version."

"We had some issues where Checkmarx did not recognize a vulnerability. We had to talk with the vendor, and they had to include an improvement in the tool to resolve this issue."

"I believe that nothing in particular could be improved about Checkmarx SAST, only the turnaround time and the fact that technical account managers keep moving around, which leads to some lag in communication."

"The accuracy of the results depends on various factors, as some of the test folders tend to give us false positives, which makes a huge impact on the vulnerabilities."

"The main challenge with Checkmarx SAST is the price. The price is a challenge because Checkmarx SAST is a very big brand, and many mid-sized companies cannot afford it as they are very price-conscious."

"In terms of what could be improved, we need more strategic analysis reports, not just for one specific application, but for the whole enterprise. In the next release, we need more reports and more analytic views for all the applications. There is no enterprise view in Fortify. I would like enterprise views and reports."

"It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."

"It natively supports only a few languages. The response time from the support team can also be improved."

"I would say OpenText Core Application Security is not very user-friendly in terms of price; it is quite high."

"The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to."

"Fortify on Demand could be improved with support in Russia."

"The solution is expensive and the price could be reduced."

"The biggest deficiency is the integration with bug tracker systems."

More OpenText Core Application Security cons

Pricing and Cost Advice

Information not available

"Despite being on the higher end in terms of cost, the biggest value lies in its abilities, including robust features, seamless integration, and high-quality findings."

"We make an annual purchase of the licenses we need."

"I believe the rental license is not too expensive, but it provides a lot of information about the vulnerabilities."

"The product's cost depends on the type of license."

"The solution is expensive and the price could be reduced."

"We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price."

"The pricing model it's based on how many applications you wish to scan."

"The subscription model, on a per-scan basis, is a bit expensive. That's another reason we are not using it for all the apps."

More OpenText Core Application Security pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

900,644 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

19%

Computer Software Company

10%

Manufacturing Company

Comms Service Provider

Financial Services Firm

15%

Manufacturing Company

12%

Government

Construction Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

No data available

By reviewers
Company Size	Count
Small Business	18
Midsize Enterprise	8
Large Enterprise	46

Questions from the Community

What is your experience regarding pricing and costs for Checkmarx SAST?

We were users in a small country, and we paid one consolidated bill for all the tools, so I don't know the specific amount for Checkmarx.

What needs improvement with Checkmarx SAST?

I believe that nothing in particular could be improved about Checkmarx SAST, only the turnaround time and the fact that technical account managers keep moving around, which leads to some lag in com...

What is your primary use case for Checkmarx SAST?

I manage the application security side of the products here, currently utilizing solutions such as Checkmarx, Akamai, Traceable, and Invicti, which are the security scanning tools that we use. In t...

What is your experience regarding pricing and costs for Micro Focus Fortify on Demand?

In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing is competitive. The licenses for Fortify On Demand are generally bought in unit...

What needs improvement with Micro Focus Fortify on Demand?

Areas for improvement should be contextualized post the OpenText acquisition, but back when I was working with Micro Focus, they focused heavily on enterprise-centric solutions. Now, after the acqu...

What is your primary use case for Micro Focus Fortify on Demand?

For OpenText Core Application Security, I currently support a couple of my clients who are using Fortify on Demand for their web application, CRM, and sales platform. Many good features of Fortify ...

Checkmarx One vs Checkmarx SAST

Comparisons

Compared 21% of the time

Qualys Web Application Scanning vs Checkmarx SAST

Compared 12% of the time

Snyk vs Checkmarx SAST

Compared 10% of the time

SonarQube vs Checkmarx SAST

Compared 8% of the time

Veracode vs Checkmarx SAST

Compared 7% of the time

More Checkmarx SAST Competitors

SonarQube vs OpenText Core Application Security

Compared 22% of the time

Checkmarx One vs OpenText Core Application Security

Compared 7% of the time

PortSwigger Burp Suite Professional vs OpenText Core Application Security

Compared 5% of the time

Veracode vs OpenText Core Application Security

Compared 4% of the time

HCL AppScan vs OpenText Core Application Security

Compared 4% of the time

More OpenText Core Application Security Competitors

Product Reports

Checkmarx SAST

Download Checkmarx SAST product report

OpenText Core Application Security

Download OpenText Core Application Security product report

OpenText Core Application Security report

Also Known As

SAST

Micro Focus Fortify on Demand

Overview

Checkmarx SAST provides advanced static application security testing by identifying vulnerabilities in source code. It's ideal for ISOs, security professionals, and developers striving to secure applications during development.

Checkmarx SAST is known for its powerful code scanning capabilities that integrate seamlessly into existing development environments. It supports a wide range of programming languages, which makes it applicable for diverse development projects. Some users suggest improvements in the scan performance speed and enhanced support in handling false positives to further optimize workflow efficiency.

What are the standout features of Checkmarx SAST?

Language Support: Offers broad language support catering to multiple coding frameworks.
Integration Flexibility: Seamlessly integrates with existing CI/CD pipelines and developer tools.
Comprehensive Scanning: Detects security vulnerabilities early in the development process.
Detailed Reporting: Provides comprehensive reports that help prioritize remediation efforts.

What benefits and ROI should users consider?

Improved Security Posture: Enhances application security by catching vulnerabilities early.
Cost Efficiency: Reduces costs associated with post-deployment issue resolution.
Developer Empowerment: Allows developers to identify and fix issues independently.
Regulatory Compliance: Assists in meeting compliance requirements efficiently.

Implemented across various industries, Checkmarx SAST supports sectors like finance, healthcare, and technology with their stringent security requirements. By integrating seamlessly into existing workflows, it ensures that applications remain secure while not disrupting industry-specific processes.

Checkmarx

OpenText Core Application Security offers robust features like static and dynamic scanning, real-time vulnerability tracking, and seamless integration with development platforms, designed to enhance code security and reduce operational costs.

OpenText Core Application Security is a cloud-based, on-demand service providing accurate and deep scanning capabilities with detailed reporting. Its integrations with development platforms ensure an enhanced security layer in the development lifecycle, benefiting users by lowering operational costs and facilitating efficient remediation. The platform addresses needs for intuitive interfaces, API support, and comprehensive vulnerability assessments, helping improve code security and accelerate time-to-market. Despite its strengths, challenges exist around false positives, report clarity, and language support, alongside confusing pricing and package options. Enhancements are sought in areas like CI/CD pipeline configuration, report visualization, scan times, and integration with third-party tools such as GitLab, container scanning, and software composition analysis.

What features define OpenText Core Application Security?

Static and Dynamic Scanning: Offers thorough analysis to identify vulnerabilities during development.
Real-time Vulnerability Tracking: Continuously updates and monitors potential security threats.
Seamless Development Platform Integration: Enhances security processes without disrupting workflows.
Cloud-Based Service: Provides flexible, on-demand security capabilities with accurate results.
API Support: Allows smooth integration and automation within existing systems.

What benefits should users look for in reviews?

Reduced Operational Costs: Optimizes resources by lowering costs associated with security management.
Efficient Remediation: Speeds up the process of identifying and resolving vulnerabilities.
Enhanced Code Security: Strengthens overall application security during the development lifecycle.
Accelerated Time-to-Market: Streamlines development stages by integrating essential security tools.

Industries like mobile applications, e-commerce, and banking leverage OpenText Core Application Security for its ability to identify vulnerabilities such as SQL injections. Integrating seamlessly with DevSecOps and security auditing processes, this tool supports developers in writing safer code, ensuring secure application deployment and enhancing software assurance.

OpenText

Sample Customers

Information Not Available

SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.

Checkmarx SAST vs. OpenText Core Application Security