In r/AskNetsec, teams weighing Checkmarx vs Veracode keep circling around compliance requirements versus developer feedback-loop speed, with binary scanning appealing to compliance teams but often too slow for frequent deploys.
Veracode's binary scanning approach means source code stays internal which our compliance team likes, but the CI/CD integration feels heavier and slower.
Checkmarx scan speed is horrible on all scan engines. SAST and SCA are the main culprits.
Upload, queue, scan, result was averaging 40-plus minutes per pipeline run. That's a non-starter when you're shipping multiple times daily.
Went with Checkmarx. CxOne interface takes getting used to and the initial query tuning for Java takes real time, don't let anyone tell you otherwise.
You must trial them both in your environment and compare them with the developers feedback. It’s the only way.