Checkmarx One Reviews

It is used for scanning for some other purposes. We needed Checkmarx to figure out some OS top ten issues in the codec.

The only thing I like is that Checkmarx does not need to compile. That's a good feature.

Checkmarx is not good because it has too many false positive issues. The software does not understand the code very well. It does not handle the process very well and misunderstands the logic, resulting in too many false positives. As per my experience, more than 80% of the issues are false positives, and it takes too much time to figure out which ones are true and which ones are false positives. 

Therefore, this is one of the areas of improvement for Checkmarx. It requires in-depth knowledge of the coding. 

I have been using Checkmarx for more than a year. We are using the latest version. 

I would rate it as four because the scanning engine can crash sometimes.

I would rate scalability a three out of ten. 

The technical support is not good because they charge an extra fee. If we pay them on a call basis, they will charge extra. We can only give them emails; if we have a problem, it takes over half a year to fix the issue. They're just too slow.

Neutral

The deployment is easy, but it may take around half an hour or even more because the software is huge. Also, good hardware performance is required, such as big memory and disk space.

It requires a lot of disk space and good hardware performance, and the speed is slow.

The deployment is pretty tough to do by myself.

It's expensive. I would give it a four out of ten.

We just calculated the speed of Checkmarx; it is around 40 lines of code per second. It's too slow, so we now use a Chinese software called XCheck, which is much better. It can scan around 2,000 or 5,000 lines per second, depending on the code complexity. XCheck is a product of a Chinese company called Tencent.

Overall, I would rate the solution a three out of ten. 

We mainly use this solution for static comprehension testing.

We use it for non-functional insight because it's a security vulnerability scanner. We can use Checkmarx for scanning anytime on our code base. We integrated that as part of our build-a-pipeline, and it helps us detect early. We have piloted in few applications for the shift of testing. From a metric perspective, I am unsure how we benefited from the quantifiable data, but we did benefit.

The administration in Checkmarx is very good. You can create specific teams which give you access to specific projects.

The benefits could be improved. We are a banking company, so we focus on security. We use Checkmarx for multiple applications, and IAST is an interactive application security testing that Checkmarx claims; however, we have not explored it yet.

We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level. We want an option to group several projects and view them at a business level. Additional features could include a comprehensive dashboard and secret scanning capabilities.

We have been using this solution for four years. It is deployed on-premises.

I rate the stability a six out of ten. We've had some stability issues, which may have been because of how we deployed the solution. When multiple scans are running in multiple applications, it closes down. This also happens where there is a large code base. After it runs for about 35 minutes, it abruptly closes. We have been discussing this issue with the Checkmarx team for it to be fixed.

I rate the scalability a six out of ten, and we have 100 staff engineers using this solution.

Our Checkmarx team interacts with their technical support.

I've used Veracode, and there isn't a big difference between both solutions.

I rate the initial setup a seven out of ten. When we integrated it, we built a pipeline, which was done by a separate DevOps team. Checkmarx is installed at the enterprise level, and we have a Checkmarx Dev team that runs the solution.

I rate this solution an eight out of ten. I would recommend going for a piloting approach. With Checkmarx, you have different presets and can determine the security vulnerability standard. Also, check the stability before proceeding with the adoption.

Our main uses of this solution are to ensure our required compliance policies are met, and that we are applying best practice.

This solution helps to remediate the compliance requirements we have. 

The product also increases the quality of the code the developers are able to implement. 

The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal.

We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process.

We have been using this solution for two years.

The stability of this solution depends on the size of application to be scanned, as larger files result in lower performance levels.

This solution is not very easily scalable, and seems to lack the capability to manage a high volume of applications.

The technical support team for this solution are very supportive and skilled. They also define SLA's for their customers.

We found the initial setup of this solution to be okay, but it is very reliant on server capacity.

We would recommend that organizations considering this solution think about the size of the project involved, as this product works best with very small-scale applications.

I would rate this solution a seven out of ten.

The primary use that we have for Checkmarx is the evaluation of source code vulnerabilities.

We use Git to connect to Checkmarx. We don't use GitHub. We use our own self-hosted Git. We're just using generic Git. One of the biggest thorns in our side is managing that aspect of it. It wouldn't matter if it was GitHub or Bitbucket or any of the other tools that you can use to connect Git to Checkmarx. The issue is the same. 

The tool is good at telling us what repository we're connected to, but it is horrible in telling us what branch we're connected to.

I haven't been monitoring how well our projects have been at reducing vulnerabilities. Checkmarx is one that you have to actively follow, and my position doesn't require that I do that. I set up the tool, and then I let other people use it.

I'm the system administrator of the tool rather than an active user of it. This product has room for improvement in administration.

Adding users is kind of a pain. We need a more automated way of adding users. User administration for the IDs can be improved, they can make it a more automated feature set so that you can add users more quickly and easily. 

Most tools that I'm dealing with today have a mechanism where people can self-enroll.

I'm more of the admin as opposed to a user of Checkmarx. Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before.

One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage. 

Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage.

To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet. 

There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain.

All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud. 

The issue with Checkmarx is the next pain point, i.e. their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install.

My last statement on Checkmarx is Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well.

I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows only is a hindrance as well.

Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.

Checkmarx is a stable product, especially based on the number of updates that we receive. Every time we get a new update or a hotfix, I'm very much in the loop on getting that information. Compared to some other products, it doesn't have the churn that others do, i.e. in the number of updates and patches that we have to apply to it.

We're licensed for 100 users. Primarily we use Checkmarx for developers, managers, architects, and maybe some of the design folk, but not QA. This would solely be in the realm of development and architecture. 

There is no plan for us to increase our usage of Checkmarx. We're trying to get as many scans as possible. One of the issues that we have is the concept of an incremental scan. The more of the incremental that you do, the slower the service becomes.

When you go in and you look at the last result: it's your baseline or your full scan, followed by applying each incremental. The more of the incrementals that you have, the slower Checkmarx gets.

They've come up with a recommendation for users to do one full scan a week and maybe six incremental scans. This needs to be worked on to get the performance better on this particular tool.

Checkmarx can scale up very easily. Anything that can be automated can be scaled. If I can automate it, I can scale it. Under the hood, it does the management of the scan engines well.

We have some large code bases, that according to the Checkmarx internal people, based on the number of lines of code, everything is 100% optimized hardware-wise. The fastest that the scan should take is 13 hours. That's a full scan, an incremental is a little different.

The problem with Checkmarx from that standpoint is, in our most active code base, we want it to be scanned frequently. At one point in time, it was taking up to 26 hours to do a single scan. We were scanning twice a week or four times a week. 

That same code base has two separate instances of itself. A long time ago they started as a common code base and then they split. Now, in essence, we have two products based on the same code base. We had to scan them twice a week.

The customer service on the phone so far with Checkmarx has been good. We've had more issues with other projects that have gone into the cloud than with this particular instance. 

It's mostly email until you scream enough with Checkmarx or you go through your salesperson. It's a little bit of a burden to get to them. 

For the most part, the people that I have dealt with know their stuff, and we haven't had any problems. It's been a challenge. We did try to do things that no one else had tried before according to them, and so we ended up having setbacks because of trying new things. 

The tool that we were using before was AppScan.

The initial setup of Checkmarx is straightforward. We did a bunch of things that shot ourselves in the foot that we weren't expecting. We were initially trying to put Checkmarx in the cloud. We were even putting Checkmarx into an Azure system until we found out that Azure, with the Microsoft SQL engine, does not support what Checkmarx requires. 

The Azure implementation of SQL does not allow the USE statement. Extremely odd. Maybe Microsoft figured out if you can't use USE, that means you have to have more databases and so they can charge more. Microsoft Oracle and IBM have been pulling that crap for years. They're making a lot of money.

It probably took us a couple of months to go through all of the issues, basically trying to find a home for SQL. We ended up creating a Microsoft SQL server in Amazon.

With Amazon's RDB, you can use Oracle, PostgreSQL, Sybase, Microsoft SQL, etc. as its RDB engines. Depending on whether you already have a license, or if you want to pay for the license when you set up the instance, you can do either. 

We had the license. We just created an instance in the Amazon cloud.

I've got 100 licenses for Checkmarx. As people come and go, it's a hassle to add and remove them. In this day and age, it's such a meaningless time-waster.

We were previously working with Azure. We switched because of their implementation of SQL Server. Checkmarx uses statements to move from database to database. Azure does not support that in its implementation at this time. 

Time will tell and Microsoft does improve their code over time.

From an administrative standpoint, I would rate Checkmarx with a five out of ten. From what my users are telling me, I'd give it an eight for the tool's ability to report on vulnerabilities in the user experience. 

I would rate Checkmarx with an eight on the user side and a five on the admin side.

Customers need to work with Checkmarx to scale the system for their needs, i.e. work with their recommendations. The best practices that they have there. 

They have this formula to calculate how many CPUs and how much memory you need. The memory requirements are huge. We've got 64 GB machines to scan them.

That's the low end of what they're recommending. Their processes do a lot of number crunching in memory. For a 4 million line code base, it's just going to consume a lot of time and a lot of resources. 

We are only using the source code scanner. We're not using the OSS scanner. We use Artifactory for our OSS repository, and Artifactory comes with its own built-in OSS scanner. We didn't need two OSS scanners.

We are currently using the solution for scanning code-level vulnerabilities. 

Checkmarx is more developer friendly. Developers are aware of how to use Checkmarx. It's not too complicated, and they can understand what the problem is in their code, and it helps them to write secure code. That's a big thing. It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx. That's the main positive point.

A non-developer may struggle with the solution. 

Codebashing is the learning platform that comes bundled with Checkmarx. The thing with Codebashing is that they give you tips on how to write secure code. However, I saw other developers complain about this. Instead of telling you what the good practices are, it would be more helpful, when we are writing the code, alongside that code, to have Codebashing tell us where exactly we are going wrong and how to help secure code and if there are specific scenarios we should be considering. Basically, the integration needs to be better. 

There's a general lack of space. 

Checkmarx has a slightly difficult compilation with the CI/CD pipeline. If it could be easily integrated into the CI/CD pipeline, then it would be much easier for developers rather than being an extra step that developers have to take to make the code secure. 

We've used the solution since 2019.

The solution is stable and reliable. There are no bugs or glitches. It doesn't crash or freeze.

In general, it can scale. 

There are certain scenarios where scalability becomes an issue. I can't really give any examples, however, while it can scale, there may be hiccups. 

We may have up to a few hundred users on the solution. 

As far as I'm aware, there is a team at Checkmarx that we can contact and they are there to help us with some basic queries. It's not continuous support. It's more like they're there on the side, and we can contact them as and when required.

Positive

We have used and looked at a mix of options, including Veracode and FOSSA.

Right now, I don't really have a competing vendor in my company, so I can't compare. More importantly, I don't have that much experience with others to compare anything accurately.

I did not handle the initial setup and, therefore, cannot speak to how easy or difficult the process would be. 

The licensing is okay. I'd rate it 3.7 out of five. It is moderately priced yet not overly expensive. 

Right now, we are partners.

We have the solution deployed in the cloud and on-premises. It's a hybrid setup.

I'd rate the solution seven out of ten.

I'd recommend the product to other users. 

We use the solution on a developing project. Before we bring the code to production, we have to ensure its quality, and we use this solution. 

It's easy to use. The configuration is easy. 

It has all the features we need. 

We haven't had any issues with the solution so far. It is not missing any features. 

It takes too much time to check the code. The validation process needs to be sped up. 

There have been some configuration issues. We sometimes have failures. 

I've been using the solution for two and a half years at this point. 

We've had to deal with errors. When we blacklist or whitelist, we do have some issues. There are a few configuration issues. I'd rate the stability seven out of ten. It could be improved. 

I can't speak to the scalability. I don't deal with scaling. The usage is limited. We aren't attempting to expand it. We only do two to three processes at the same time. 

Technical support is okay. We are mostly happy with the help we get. We can directly connect with them.

Neutral

I'm also using SonarQube.

I did not handle the deployment directly. We have a team that manages the tool. I'm not aware of how many people are needed to maintain and deploy the solution. 

I don't deal with the pricing directly. I don't know the exact cost. 

I'm a customer and end-user.

I would recommend the solution to other users. I'd rate the solution eight out of ten. 

We primarily use Checkmarx for assessing vulnerabilities in applications.

What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results.

One area for improvement in Checkmarx is pricing, as it's more expensive than other products.

I've used Checkmarx for four to five years.

Regarding Checkmarx stability, it's an eight out of ten.

Checkmarx is a scalable tool and much better scalability-wise than other products I used. I'm rating its scalability as eight out of ten.

We never had to contact the Checkmarx technical support team.

I was not involved in the initial setup for Checkmarx.

Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products.

My company is in the service business, so it provides services to customers. For example, the customer uses SonarQube, so my company uses the same tool to execute vulnerability assessments.

I've worked on Checkmarx, NetSuite, Acunetix, and other application security tools used by customers.

My rating for Checkmarx is eight out of ten because it's a good product, and its only con is the cost, which is high for some customers.

I recommend Checkmarx to others because of its performance. The tool has better intelligent outcomes, and Checkmarx has better automation internally.

My company is a Checkmarx customer.

The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools.

The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information. There are some cases where you have to go directly to the Checkmarx database to get the information that you want. The default module that provides statistics is basic, and you need more elaborate information to do vulnerability management. The tool has a limited scope.

It is easy to scale, you just have to pay. There are about 100 developers and security people using this solution in my company. 

The contract that we have is not directly with Checkmarx. It's with an intermediary company in Argentina, and they give us support. They are not very fast in answering our questions. They have a kind of first level support, but for more technical stuff they go directly to Checkmarx.

As with other tools, if you want more, you have to pay more. You have to pay for additional modules or functionalities. For instance, if you want to do some scanning to external dependencies of the software, you have to buy another tool provided by Checkmarx.

You have to pay for licenses for the number of projects that you want to scan and the number of users. I think you have to pay licenses for three features: the number of users, the projects, and I don't remember the other one.

We have two administrators who coordinate maintenance with the vendor.

My advice is that you need to estimate the right amount of licenses. That's very important because right now, our company needs more licenses, and that was not well estimated at the beginning. The other thing is to be clear about the features of this tool that you want or need.

I would rate this solution as a nine out of ten.