OpenText Core Application Security vs SonarQube Server (formerly SonarQube) comparison

OpenText Core Application Security vs. SonarQube Server (formerly SonarQube)

Download the complete report

Helped 868,706 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

OpenText Core Application S...

Ranking in Application Security Tools

14th

Ranking in Static Application Security Testing (SAST)

13th

Average Rating

8.0

Reviews Sentiment

7.8

Number of Reviews

Ranking in other categories

No ranking in other categories

SonarQube Server (formerly ...

Ranking in Application Security Tools

1st

Ranking in Static Application Security Testing (SAST)

1st

Average Rating

8.0

Reviews Sentiment

7.2

Number of Reviews

117

Ranking in other categories

Software Development Analytics (1st)

Mindshare comparison

As of October 2025, in the Application Security Tools category, the mindshare of OpenText Core Application Security is 3.9%, down from 5.1% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 20.5%, down from 26.0% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Application Security Tools Market Share Distribution
Product	Market Share (%)
SonarQube Server (formerly SonarQube)	20.5%
OpenText Core Application Security	3.9%
Other	75.6%

Application Security Tools

Q&A Highlights

Miriam Tover

Service Delivery Manager at PeerSpot

Jan 11, 2019

What Is The Biggest Difference Between Fortify on Demand And SonarQube?

I think the benefit of Fortify on Demand is that it covers all the scan types: DAST, SAST. RASP, and Mobile. The research team that builds the vuln database is solid and well-staffed.

Source code analyzer, FPR file generation, reduction of false positives and generates compliance reports, for in-depth analysis

Featured Reviews

Jonathan Steyn

Principal Technical Consultant at EOH

Not challenges with the product itself. The product is very reliable. It does have a steep learning curve. But, again, one thing that Fortify or OpenText does very well is training. There are a lot of free resources and training in the community forums, free training as well as commercial training where users can train on how to use the back-end systems and the scanning engines and how to use command-line arguments because some of the procedures or some of the tools do require a bit of a learning curve. That's the only challenge I've really seen for customers because you have to learn how to use the tool effectively. But Fortify has, in fact, improved its user interface and the way users engage the dashboards and the interfaces. It is intuitive. It's easy to understand. But in some regards, the cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions. But from the point of the reliability index and how powerful the tool is, there's no challenge there. But it's just from a learning perspective; users might need a bit more skill to use the tool. The user interface isn't that tedious. It's not that difficult to understand. When I initially learned how to use the interfaces, I was able to master it within a week and was able to use it quite effectively. So training is required. All skills are needed to learn how to use the tool. I would like to see more enhancements in the dashboards. Dashboards are available. They do need some configuration and settings. But I would like to see more business intelligence capabilities within the tool. It's not particularly a cybersecurity function, but, for instance, business impact analysis or other features where you can actually use business intelligence capabilities within your security tool. That would be remarkable because not only do you have a cybersecurity tool, but you also have a tool that can give you business impact analysis and some other measurements. A bit more intelligence in terms of that from a cybersecurity perspective would be remarkable.

Read full review

Sthembiso Zondi

Head of Software Engineering at ronaldmariah@gmail.com

Consistent improvements in code quality and security with effective integration and reliable technical support

The features of SonarQube Server (formerly SonarQube) that I find most useful are the suggestions received from reviewing the code. When they review the code, they provide suggestions on how to fix it, and we find those very useful from a development perspective. We use SonarQube Server's (formerly SonarQube) centralized management and visualization of code quality metrics on the dashboard because that's the executive dashboard that we send to the executives to show where we are in terms of quality, security, and where the company can improve. We use that for organizational improvement purposes. The ability to tailor metrics tracking in SonarQube Server (formerly SonarQube) has been beneficial to my team. There are team-specific dashboards which are related to specific repositories they utilize, and we have that aggregative dashboard that shows the whole organization's performance. We can drill down per specific repository, which makes it easier for the team to improve specific things.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it."

"Audit workbench: for on-the-fly defect auditing."

"There is not only one specific feature that we find valuable. The idea is to integrate the solution in DevSecOps which we were able to do."

"I do not remember any issues with stability."

"The installation was easy."

"The solution is very fast."

"While using Micro Focus Fortify on Demand we have been very happy with the results and findings."

"Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases."

More OpenText Core Application Security pros

"There's plenty of documentation available to users."

"Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."

"The fact that the solution does security scanning is valuable."

"It easily ties into our continuous integration pipeline."

"The integrations SonarQube provides with our software delivery pipeline are very seamless."

"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."

"SonarQube is a fantastic tool which saves us precious time."

"It is a very good tool for analysis despite its limitations."

More SonarQube Server (formerly SonarQube) pros

Cons

"The reporting capabilities need improvement, as there are some features that we would like to have but are not available at the moment."

"There are lots of limitations with code technology. It cannot scan .net properly either."

"It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available."

"They could provide features for artificial intelligence similar to other vendors."

"We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."

"This solution would be improved if the code-quality perspective were added to it, on top of the security aspect."

"We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days."

"An improvement would be the ability to get vulnerabilities flowing automatically into another system."

More OpenText Core Application Security cons

"I would like to see dynamic code analysis in the next version of the software."

"SonarQube Server (formerly SonarQube) could be improved on the reporting front. Instead of grouping, I would prefer to scan the code as part of development and then generate a report on a daily basis among different units or projects, which is currently complicated."

"It would be better if SonarQube provided a good UI for external configuration."

"It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."

"A better design of the interface and add some new rules."

"I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."

"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."

"There isn't a very good enterprise report."

More SonarQube Server (formerly SonarQube) cons

Pricing and Cost Advice

"I believe the rental license is not too expensive, but it provides a lot of information about the vulnerabilities."

"The licensing was good because the licenses have the heavy centralized server."

"The solution is a little expensive."

"Fortify on Demand is more expensive than Burpsuite. I rate its pricing a nine out of ten."

"It's a yearly contract, but I don't remember the dollar amount."

"It is cost-effective."

"The product's cost depends on the type of license."

"The solution is expensive and the price could be reduced."

More OpenText Core Application Security pricing and cost advice

"I think comparing the product to competitors it should be less expensive."

"This solution is free."

"We're using the Community Edition, and we don't pay for anything."

"SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off."

"I am satisfied with the pricing."

"SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing."

"Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."

"We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount."

More SonarQube Server (formerly SonarQube) pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.

See recommendations

868,706 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

19%

Manufacturing Company

15%

Computer Software Company

10%

Government

Financial Services Firm

15%

Computer Software Company

14%

Manufacturing Company

14%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

By reviewers
Company Size	Count
Small Business	16
Midsize Enterprise	8
Large Enterprise	43

By reviewers
Company Size	Count
Small Business	32
Midsize Enterprise	21
Large Enterprise	75

Questions from the Community

What do you like most about Micro Focus Fortify on Demand?

It helps deploy and track changes easily as per time-to-time market upgrades.

What is your experience regarding pricing and costs for Micro Focus Fortify on Demand?

In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing is competitive. The licenses for Fortify On Demand are generally bought in unit...

What needs improvement with Micro Focus Fortify on Demand?

There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the next day, without any code changes, it will report vulnerabilities such as passw...

Is SonarQube the best tool for static analysis?

I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...

How would you decide between Coverity and Sonarqube?

We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...

Checkmarx One vs OpenText Core Application Security

Comparisons

Compared 13% of the time

Coverity Static vs OpenText Core Application Security

Compared 9% of the time

Veracode vs OpenText Core Application Security

Compared 9% of the time

GitHub Advanced Security vs OpenText Core Application Security

Compared 7% of the time

OWASP Zap vs OpenText Core Application Security

Compared 4% of the time

More OpenText Core Application Security Competitors

Checkmarx One vs SonarQube Server (formerly SonarQube)

Compared 20% of the time

GitHub Advanced Security vs SonarQube Server (formerly SonarQube)

Compared 10% of the time

Coverity Static vs SonarQube Server (formerly SonarQube)

Compared 10% of the time

Veracode vs SonarQube Server (formerly SonarQube)

Compared 6% of the time

Klocwork vs SonarQube Server (formerly SonarQube)

Compared 2% of the time

More SonarQube Server (formerly SonarQube) Competitors

Product Reports

OpenText Core Application Security

Download OpenText Core Application Security product report

OpenText Core Application Security report

SonarQube Server (formerly SonarQube)

Download SonarQube Server (formerly SonarQube) product report

SonarQube Server (formerly SonarQube) report

Also Known As

Micro Focus Fortify on Demand

Sonar

Overview

OpenText Core Application Security offers robust features like static and dynamic scanning, real-time vulnerability tracking, and seamless integration with development platforms, designed to enhance code security and reduce operational costs.

OpenText Core Application Security is a cloud-based, on-demand service providing accurate and deep scanning capabilities with detailed reporting. Its integrations with development platforms ensure an enhanced security layer in the development lifecycle, benefiting users by lowering operational costs and facilitating efficient remediation. The platform addresses needs for intuitive interfaces, API support, and comprehensive vulnerability assessments, helping improve code security and accelerate time-to-market. Despite its strengths, challenges exist around false positives, report clarity, and language support, alongside confusing pricing and package options. Enhancements are sought in areas like CI/CD pipeline configuration, report visualization, scan times, and integration with third-party tools such as GitLab, container scanning, and software composition analysis.

What features define OpenText Core Application Security?

Static and Dynamic Scanning: Offers thorough analysis to identify vulnerabilities during development.
Real-time Vulnerability Tracking: Continuously updates and monitors potential security threats.
Seamless Development Platform Integration: Enhances security processes without disrupting workflows.
Cloud-Based Service: Provides flexible, on-demand security capabilities with accurate results.
API Support: Allows smooth integration and automation within existing systems.

What benefits should users look for in reviews?

Reduced Operational Costs: Optimizes resources by lowering costs associated with security management.
Efficient Remediation: Speeds up the process of identifying and resolving vulnerabilities.
Enhanced Code Security: Strengthens overall application security during the development lifecycle.
Accelerated Time-to-Market: Streamlines development stages by integrating essential security tools.

Industries like mobile applications, e-commerce, and banking leverage OpenText Core Application Security for its ability to identify vulnerabilities such as SQL injections. Integrating seamlessly with DevSecOps and security auditing processes, this tool supports developers in writing safer code, ensuring secure application deployment and enhancing software assurance.

OpenText

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?

Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
Custom coding rules: Allows for tailored rule sets to match specific coding standards.
Flexible quality gates: Define criteria for code acceptance at various intervals.
CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
Rich interface: User-friendly dashboard with detailed visual insights.

What benefits should users expect from SonarQube Server?

Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
Maintainability: Reduces technical debt, yielding long-term development efficiency.
Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

Sonar

Sample Customers

SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.

Information Not Available

OpenText Core Application Security vs. SonarQube Server (formerly SonarQube)