SAST testing is focused on identifying vulnerabilities in proprietary code. Each vendor’s SAST scanning implementation uses rules and other methods to identify potential security vulnerabilities. SCA focuses on scanning an application's open-source components to identify security vulnerabilities, aging components, and potential license conflicts. These components are compared against established databases of vulnerabilities.

Many AppSec vendors claim to deliver the most accurate test results for SAST and SCA, making it hard to distinguish between accurate solutions and marketing hype. To help cut through the noise, the Tolly Group tested SAST and SCA solutions amongst top competitors. The results show that Checkmarx’ solutions overwhelmingly yield more accurate results.

Compared to competitors, the deep analysis found:

• Checkmarx SAST had 3x higher accuracy
• Checkmarx SCA identified nearly 50% more vulnerabilities
• The competitor’s SCA offering had more false positives

‍