OpenText Core Application Security vs SonarQube Server (formerly SonarQube) comparison

OpenText Core Application Security vs. SonarQube Server (formerly SonarQube)

Download the complete report

Helped 868,759 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

OpenText Core Application S...

Ranking in Application Security Tools

14th

Ranking in Static Application Security Testing (SAST)

13th

Average Rating

8.0

Reviews Sentiment

7.8

Number of Reviews

Ranking in other categories

No ranking in other categories

SonarQube Server (formerly ...

Ranking in Application Security Tools

1st

Ranking in Static Application Security Testing (SAST)

1st

Average Rating

8.0

Reviews Sentiment

7.2

Number of Reviews

117

Ranking in other categories

Software Development Analytics (1st)

Mindshare comparison

As of October 2025, in the Application Security Tools category, the mindshare of OpenText Core Application Security is 3.9%, down from 5.1% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 20.5%, down from 26.0% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Application Security Tools Market Share Distribution
Product	Market Share (%)
SonarQube Server (formerly SonarQube)	20.5%
OpenText Core Application Security	3.9%
Other	75.6%

Application Security Tools

Q&A Highlights

Miriam Tover

Service Delivery Manager at PeerSpot

Jan 11, 2019

What Is The Biggest Difference Between Fortify on Demand And SonarQube?

I think the benefit of Fortify on Demand is that it covers all the scan types: DAST, SAST. RASP, and Mobile. The research team that builds the vuln database is solid and well-staffed.

Source code analyzer, FPR file generation, reduction of false positives and generates compliance reports, for in-depth analysis

Featured Reviews

Jonathan Steyn

Principal Technical Consultant at EOH

Not challenges with the product itself. The product is very reliable. It does have a steep learning curve. But, again, one thing that Fortify or OpenText does very well is training. There are a lot of free resources and training in the community forums, free training as well as commercial training where users can train on how to use the back-end systems and the scanning engines and how to use command-line arguments because some of the procedures or some of the tools do require a bit of a learning curve. That's the only challenge I've really seen for customers because you have to learn how to use the tool effectively. But Fortify has, in fact, improved its user interface and the way users engage the dashboards and the interfaces. It is intuitive. It's easy to understand. But in some regards, the cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions. But from the point of the reliability index and how powerful the tool is, there's no challenge there. But it's just from a learning perspective; users might need a bit more skill to use the tool. The user interface isn't that tedious. It's not that difficult to understand. When I initially learned how to use the interfaces, I was able to master it within a week and was able to use it quite effectively. So training is required. All skills are needed to learn how to use the tool. I would like to see more enhancements in the dashboards. Dashboards are available. They do need some configuration and settings. But I would like to see more business intelligence capabilities within the tool. It's not particularly a cybersecurity function, but, for instance, business impact analysis or other features where you can actually use business intelligence capabilities within your security tool. That would be remarkable because not only do you have a cybersecurity tool, but you also have a tool that can give you business impact analysis and some other measurements. A bit more intelligence in terms of that from a cybersecurity perspective would be remarkable.

Read full review

Sthembiso Zondi

Head of Software Engineering at ronaldmariah@gmail.com

Consistent improvements in code quality and security with effective integration and reliable technical support

The features of SonarQube Server (formerly SonarQube) that I find most useful are the suggestions received from reviewing the code. When they review the code, they provide suggestions on how to fix it, and we find those very useful from a development perspective. We use SonarQube Server's (formerly SonarQube) centralized management and visualization of code quality metrics on the dashboard because that's the executive dashboard that we send to the executives to show where we are in terms of quality, security, and where the company can improve. We use that for organizational improvement purposes. The ability to tailor metrics tracking in SonarQube Server (formerly SonarQube) has been beneficial to my team. There are team-specific dashboards which are related to specific repositories they utilize, and we have that aggregative dashboard that shows the whole organization's performance. We can drill down per specific repository, which makes it easier for the team to improve specific things.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"What stands out to me is the user-friendliness of each feature."

"t's a cloud-based solution, so there was no installation involved."

"Provides good depth of scanning and we get good results."

"There is not only one specific feature that we find valuable. The idea is to integrate the solution in DevSecOps which we were able to do."

"Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases."

"Almost all the features are good. This solution has simplified designing and architecting for our solutions. We were early adopters of microservices. Their documentation is good. You don't need to put in much effort in setting it up and learning stuff from scratch and start using it. The learning curve is not too much."

"The SAST feature is the most valuable."

"The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."

More OpenText Core Application Security pros

"The most valuable function is its usability."

"It automatically scans for code, detects vulnerabilities, and generates daily reports."

"It provides the security that is required from a solution for financial businesses."

"There's plenty of documentation available to users."

"The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."

"The overall quality of the indicator is good."

"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."

"The solution's user interface is very user-friendly."

More SonarQube Server (formerly SonarQube) pros

Cons

"The solution has some issues with latency. Sometimes it takes a while to respond. This issue should be addressed."

"Not fully integrated with CIT processes."

"The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there."

"It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."

"It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."

"The product has a lot of false positives."

"They could provide features for artificial intelligence similar to other vendors."

"There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the next day, without any code changes, it will report vulnerabilities such as password exposure."

More OpenText Core Application Security cons

"In terms of analysis and findings, other tools provide more in-depth insights and detailed steps to mitigate or handle issues."

"After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report."

"Having performance regression would be a helpful add on or ability to be able to do during the scan."

"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."

"The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."

"The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."

"There are limitations to the free version that limit development options as far as languages."

"The reporting can be improved."

More SonarQube Server (formerly SonarQube) cons

Pricing and Cost Advice

"It is cost-effective."

"We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price."

"It is quite expensive. Pricing and the licensing model could be improved."

"I'd rate it an eight out of ten in terms of pricing."

"The product's cost depends on the type of license."

"Fortify on Demand is affordable, and its licensing comes with a year of support."

"Fortify on Demand is more expensive than Burpsuite. I rate its pricing a nine out of ten."

"I believe the rental license is not too expensive, but it provides a lot of information about the vulnerabilities."

More OpenText Core Application Security pricing and cost advice

"My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."

"It's an open-source product."

"I do not know about the pricing as I am using the community edition, which is free. But I compared the pricing with Sigma, and it is higher than SonarQube."

"The solution is cheaper than other products."

"The solution has a free version and a license version. The license is priced reasonably, the cost of hiring one programmer is more expensive than the solution."

"This solution is free."

"The product’s price is lower than Veracode’s price."

"The tool's pricing is reasonable."

More SonarQube Server (formerly SonarQube) pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.

See recommendations

868,759 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

19%

Manufacturing Company

15%

Computer Software Company

10%

Government

Financial Services Firm

15%

Computer Software Company

14%

Manufacturing Company

14%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	16
Midsize Enterprise	8
Large Enterprise	43

By reviewers
Company Size	Count
Small Business	32
Midsize Enterprise	21
Large Enterprise	75

Questions from the Community

What do you like most about Micro Focus Fortify on Demand?

It helps deploy and track changes easily as per time-to-time market upgrades.

What is your experience regarding pricing and costs for Micro Focus Fortify on Demand?

In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing is competitive. The licenses for Fortify On Demand are generally bought in unit...

What needs improvement with Micro Focus Fortify on Demand?

There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the next day, without any code changes, it will report vulnerabilities such as passw...

Is SonarQube the best tool for static analysis?

I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...

How would you decide between Coverity and Sonarqube?

We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...

Checkmarx One vs OpenText Core Application Security

Comparisons

Compared 13% of the time

Coverity Static vs OpenText Core Application Security

Compared 9% of the time

Veracode vs OpenText Core Application Security

Compared 9% of the time

GitHub Advanced Security vs OpenText Core Application Security

Compared 7% of the time

OWASP Zap vs OpenText Core Application Security

Compared 4% of the time

More OpenText Core Application Security Competitors

Checkmarx One vs SonarQube Server (formerly SonarQube)

Compared 20% of the time

GitHub Advanced Security vs SonarQube Server (formerly SonarQube)

Compared 10% of the time

Coverity Static vs SonarQube Server (formerly SonarQube)

Compared 10% of the time

Veracode vs SonarQube Server (formerly SonarQube)

Compared 6% of the time

Klocwork vs SonarQube Server (formerly SonarQube)

Compared 2% of the time

More SonarQube Server (formerly SonarQube) Competitors

Product Reports

OpenText Core Application Security

Download OpenText Core Application Security product report

OpenText Core Application Security report

SonarQube Server (formerly SonarQube)

Download SonarQube Server (formerly SonarQube) product report

SonarQube Server (formerly SonarQube) report

Also Known As

Micro Focus Fortify on Demand

Sonar

Overview

OpenText Core Application Security offers robust features like static and dynamic scanning, real-time vulnerability tracking, and seamless integration with development platforms, designed to enhance code security and reduce operational costs.

OpenText Core Application Security is a cloud-based, on-demand service providing accurate and deep scanning capabilities with detailed reporting. Its integrations with development platforms ensure an enhanced security layer in the development lifecycle, benefiting users by lowering operational costs and facilitating efficient remediation. The platform addresses needs for intuitive interfaces, API support, and comprehensive vulnerability assessments, helping improve code security and accelerate time-to-market. Despite its strengths, challenges exist around false positives, report clarity, and language support, alongside confusing pricing and package options. Enhancements are sought in areas like CI/CD pipeline configuration, report visualization, scan times, and integration with third-party tools such as GitLab, container scanning, and software composition analysis.

What features define OpenText Core Application Security?

Static and Dynamic Scanning: Offers thorough analysis to identify vulnerabilities during development.
Real-time Vulnerability Tracking: Continuously updates and monitors potential security threats.
Seamless Development Platform Integration: Enhances security processes without disrupting workflows.
Cloud-Based Service: Provides flexible, on-demand security capabilities with accurate results.
API Support: Allows smooth integration and automation within existing systems.

What benefits should users look for in reviews?

Reduced Operational Costs: Optimizes resources by lowering costs associated with security management.
Efficient Remediation: Speeds up the process of identifying and resolving vulnerabilities.
Enhanced Code Security: Strengthens overall application security during the development lifecycle.
Accelerated Time-to-Market: Streamlines development stages by integrating essential security tools.

Industries like mobile applications, e-commerce, and banking leverage OpenText Core Application Security for its ability to identify vulnerabilities such as SQL injections. Integrating seamlessly with DevSecOps and security auditing processes, this tool supports developers in writing safer code, ensuring secure application deployment and enhancing software assurance.

OpenText

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?

Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
Custom coding rules: Allows for tailored rule sets to match specific coding standards.
Flexible quality gates: Define criteria for code acceptance at various intervals.
CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
Rich interface: User-friendly dashboard with detailed visual insights.

What benefits should users expect from SonarQube Server?

Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
Maintainability: Reduces technical debt, yielding long-term development efficiency.
Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

Sonar

Sample Customers

SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.

Information Not Available

OpenText Core Application Security vs. SonarQube Server (formerly SonarQube)