Comparison of Enterprise SAST/DAST Products

This document is a comparison of the features and capabilities of various enterprise SAST and DAST products. It is intended to be a living document, and contributions are welcome so long as each rating can be qualified with a reference to a publicly available source.

Each product was rated by me on the scale below using publicly available information. The ratings are subjective but generally qualified.

I am not associated with any of the products listed in this document. This is simply a collection of information that is useful to me, and may be useful to others, in the analysis and selection of a SAST/DAST product.

Format

This document is a plain Excel spreadsheet that does not contain any macros or scripts. It is intended to be easily readable and editable by anyone with a basic understanding of Excel.

Products Rated

- Checkmarx One Platform
- Veracode
- Rapid7 AppSpider (InsightAppSec Edition)
- Wiz.IO
- Fortify Static Code Analyzer
- Acunetix
- Invicti/Netsparker
- CloudDefense.AI
- Rapid7 Insight
- Fortify WebInspect
- SonarQube

Rating Categories

- Multi-Modal System Compatibility
    - IOT Device / Firmware Analysis
    - Web Application Analysis
    - Mobile Application Analysis
    - POS System Analysis
    - Integration with Diverse Architectures
- Advanced Threat Detection
    - High Volume Data Handling
    - Cloud and On-Premise Scalability
    - Real-Time Analysis for High Traffic Systems
    - 0-Day Vulnerability Detection
    - Advanced Logic Flaw Detection
- Integration & Automation
    - CI/CD Pipeline Integration
    - Automated Security Policy Enforcement
    - Third-Party Tool Integration
    - API Extensibility
    - Automated Alerting and Response Mechanisms
- Compliance & Regulatory Adherence
    - Compliance Reporting
    - Regulatory Framework Alignment
    - Data Privacy Analysis
    - Audit Trail & Documentation
    - Custom Compliance Rule Sets
- Secure Development Lifecycle Integration
    - Secure Coding Guidelines Adherence
    - Risk Assessment and Prioritization
    - Developer Security Training Integration
    - Policy Compliance Validation
    - Feedback Loop Efficiency
- Dynamic Analysis Proficiency
    - Runtime Behavior Analysis
    - Simulated Attack Patterns
    - Third-Party Component Analysis
    - Environment Interaction Analysis
    - Custom Attack Vector Configuration
- Application Security Testing Automation
    - Continuous Scanning Integration
    - Automated Exploit Detection
    - Authentication and Session Management Testing
    - Anomaly Detection and Reporting
    - Feedback Mechanisms for False Positives/Negatives

Rating Scale

- 10: Industry Leading: State-of-the-art features/capabilities; sets industry standards for functionality, integration, and ease of use; virtually no limits.
- 9: Excellent: Advanced and comprehensive features with seamless integration; very user-friendly and efficient with minimal limitations.
- 8: Very Good: Strong functionality with comprehensive features; integrates well with most systems; only a few minor limitations.
- 7: Good: Good range of features and relatively easy integration with most systems; minor limitations in advanced capabilities.
- 6: Moderately Above Average: Competent functionality; integration with some systems is possible with effort; some advanced features are present.
- 5: Average: Adequate functionality and integration; meets essential requirements but lacks advanced features.
- 4: Below Average: Some useful features, but still lacks robustness and integration capabilities; moderate manual intervention needed.
- 3: Basic: Basic functionality with noticeable deficiencies and limited integration; requires substantial manual effort.
- 2: Very Basic: Minimal functionality; suitable only for the simplest tasks, with significant limitations.
- 1: Extremely Limited: The feature exists but is rudimentary and not practical for most use cases.