Try our new research platform with insights from 80,000+ expert users
Security Consultant at IBM Thailand
Real User
Top 5Leaderboard
A highly scalable solution that reduces workloads, saves time, and fixes loopholes and vulnerabilities swiftly
Pros and Cons
  • "Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%."
  • "We can run only one project at a time."

What is our primary use case?

Whenever a web application needs to be moved into production, a static code analysis or source code review must be done. The analyst runs several tools on the web application and collects details. Completing a source code review for a particular application will take around five working days.

Since we moved to Checkmarx, it has reduced the time significantly. Usually, we get the report within a day. It lists all the critical vulnerabilities and provides remediation. We provide suggestions to the customers and the project owners to fix the loopholes immediately so that we can move to production. Sometimes, the life cycle is reduced from five days to one day.

How has it helped my organization?

Static code reviews are small projects. Previously, with a team of four analysts, we did two project reviews every month. Since we started using the solution, we could do four projects every week with the same team.

What is most valuable?

It is very easy for the analyst to have everything in a consolidated single pane of glass. Previously, they ran multiple tools. They used one tool for source code analysis and another for static code review. Then, I manually verified each result. Since we moved to Checkmarx, it has been very easy for the analyst.

The tool gives us a shareable report that can be easily shared with management once the product is done. The solution’s performance and the consolidated information it provides are valuable. The platform is completely on the cloud. There are no scalability or connectivity issues. The platform is stable. It can be accessed from anywhere.

We used open-source tools before. We had to deploy the tools in the customers' environment to establish the connection between the tools and their product application. Since Checkmarx is a SaaS-based platform, we need only the forward connection from Checkmarx to the tool. The tool handles everything else. We just need a single firewall rule to be enabled on the platform to establish the connection.

The deployment is very simple. We need just one rule to forward the web application to Checkmarx. The scanning engine is very good. Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%. The tool has greatly reduced the time and effort our analysts need to do their tasks. It's very useful if we need to perform a short-term project. It is greatly helpful in fixing loopholes and vulnerabilities swiftly.

What needs improvement?

We can run only one project at a time. We haven't tested multiple projects at the same time. Currently, not all the projects are visible under one pane. We handle one-time projects. As a manager, I do not have the overall visibility of all projects simultaneously. I have already raised a support ticket requesting the ability to manage all projects from a single pane. There may be an option for it. However, I am not aware of it. The solution must provide more integration with different platforms.

Buyer's Guide
Checkmarx One
December 2024
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for three months.

What do I think about the stability of the solution?

I rate the tool's stability an eight out of ten.

What do I think about the scalability of the solution?

The tool is scalable since it is a cloud-based solution. We have served over 100 customers.

How was the initial setup?

The setup is straightforward. Our analysts had a training for half a day. They were able to use the product form the next day. We just need to purchase a license. Since it is a SaaS-based solution, no additional deployment is required. We only need to enable the firewall rule.

What was our ROI?

The solution helps us push the application into production much sooner than anticipated. If we have a web application that needs to go live, traditionally, it takes 15 days to a month to push it into production after all the security checks. If the other teams can patch the vulnerabilities as soon as we suggest them, Checkmarx can help us push the product into production within a week. It's very easy to rescan.

What other advice do I have?

If someone has too many applications, they can directly integrate Checkmarx into the CI/CD pipeline. We got the license and are running the solution for our customers. We do not charge our customers for the solution. Overall, I rate the product an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1523667 - PeerSpot reviewer
Penetration Tester & Information Security Expert at a comms service provider with 11-50 employees
Real User
Top 5
Specifies the exact line of code where it finds the problem and gives good reports
Pros and Cons
  • "The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes."
  • "When we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped."

What is our primary use case?

One use case is when a development team finishes, or even in the middle of, development. They run Checkmarx, which shows potential vulnerabilities. If they don't understand something, they consult with me. 

I explain what Checkmarx is highlighting, why it's "shouting" as we say, the specific vulnerability, and the problem it found in the code. Then, together, we explore the code and decide if it's a valid issue requiring a fix. 

We also discuss how to fix it, or if it's a false positive because, in their environment, the problem either cannot exist or doesn't exist in the way they use their software.

We also have another use case. When a software company, like an integration company, does a project for us, we request them to run their code through Checkmarx. If they don't have their own tool, we run it on our Checkmarx and provide them with the report. We request, or rather insist, that they fix most, if not all, of the problems Checkmarx finds. 

These might be issues they didn't consider, but we put it in the contract that they have to submit their software to a "code check," meaning they can use Checkmarx or another approved tool. If they don't have a tool or refuse, then it's okay. The key is to have it in the contract and signed. 

Otherwise, fixing the software later becomes difficult, especially when the project is nearing completion. That's why we do it when the integration begins, so there's still time to address the issues. If you wait until the very end, it's too late.

How has it helped my organization?

The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes. When the development teams fix them, or even some of them, it significantly enhances the security of the software. 

For example, we had a project, an outsourced one, that provided code written in PHP and included dozens of open-source utilities, libraries, and the like. Their server-side code was in PHP, and their client-side was in JavaScript. Both sides also used many libraries and utilities.

When we ran Checkmarx, it found numerous problems in both their code and the third-party software, including hundreds of high- and medium-severity issues in the PHP code. I didn't dig into the specifics; I just said, "Look, it found hundreds of high and medium problems. You need to reduce them. Before testing starts, you need to provide us the code again, and we'll run it again."

They started fixing it, and while I didn't follow up on the specific fixes, perhaps they removed some libraries. As long as the number of high and medium problems in the Checkmarx report decreased, it meant they were making progress. They hadn't finished yet, though.

After they fixed about half of the problems, we allowed them to start integration. However, they still need to fix the remaining issues, and hopefully, they will.

What is most valuable?

The most valuable feature is that Checkmarx specifies the exact line of code where it finds the problem. They show it in the report, the exact line or two lines. They also show where the problem starts and where it's used. 

Even if it's used later in routines or messages during the computation, they show both sides. For example, they show the user input and where it's being used, even if it's saved in a different file. 

They follow the code, the function code, the method code, and all the calls until it's used because they have all the code mapped. So, they show where it starts, where it's being used, and they say it hasn't been checked all the way. They prove it, not just say it, by showing exactly where the issue is. 

Even if you don't know the software, like third-party software you want to fix or modify, you know where to start looking in the code.

As for the UI, it's okay. You give it the code, it runs, and it's pretty good.

What needs improvement?

There's one thing Checkmarx can maybe fix, actually two things.

First, when we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. 

We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped.

So, even if the software reaches capacity on the computer, even though it writes it in the logs, it should also give an indication in the GUI to the person running it, saying "not enough memory" or "not enough disk space."

Another problem is that when it's scanning and it has an internal problem, for example, it cannot check something, or an internal bug or internal problem, it's being found in the logs, but there's no indication to the user. Now, this is good for them because the user runs it, gets a report, everything's fine.

But in a way, it's not good for them because the user doesn't know there's a problem since they don't check the logs. Because mostly, only the manager looks at the logs and only if there's a problem being reported. You run a process, get a report, but in the logs, there might be an indication that it couldn't check several files or understand something. There's a problem, an internal problem that can be fixed, but nobody knows about it because we don't look at the code. The user doesn't look at the logs; only the business manager does, but they don't know because the user doesn't report it, because the user doesn't know.

So, my suggestion for them is this: if they have problems, they should say, 'Here is the report,' but also indicate to the user somewhere, perhaps in the GUI, not necessarily in the report itself, 'We found 100 problems while looking at your code. Please provide us the logs so we can try to fix those.' Then they can ask if the user has any problems. This way, users would know to send them their logs, and they could improve their software, meaning fix the problems.

Now, they may not want to do this because they'll get flooded with millions of responses and millions of problems from all over the world. They would have to fix them, and people might get angry, asking why they provided a report when there were hidden problems. People might say, 'How come you gave me a report with seven or eight problems when analyzing it, there were internal problems with your code? So it's not a perfect report.'"

So, these internal issues are logged but not communicated to the user through the Checkmarx interface (GUI) or report.

The solution also has a few false positives. So, if they had an easier way for users to send an email directly, instead of just opening a ticket. Because when we open a ticket, they want all the logs and everything, and it becomes a hassle.

Perhaps they could implement an easier system where users can send a snippet of the code, along with an explanation of why they believe it's a false positive, referencing the specific report. 

This way, Checkmarx could analyze the information and the development team could potentially fix the product in those areas. It wouldn't require them to necessarily respond to the user, but I'm not sure if that's feasible for most companies. 

For how long have I used the solution?

I have been using it for one year. 

What do I think about the stability of the solution?


What do I think about the scalability of the solution?

If you have enough memory, it's scalable. You need a lot of memory for it to be scalable. 

Once you have enough memory, it is stable and scalable, and there are one or two parameters you can modify to make it even more scalable. Scalability is relatively fine.

For the scanning option, the default is to use only one main language, but you can request multiple languages. It's scalable.

Nowadays, nearly all the developers, when they finish development, either they or the team leader runs it, and they have to fix the problems.

How are customer service and support?

The customer service and support are okay because the thing is, we spoke with the integrator, so we didn't reach Checkmarx tech support.

How would you rate customer service and support?

Positive

What about the implementation team?

The setup was done by an integration company. 

What other advice do I have?

I would definitely recommend it. It's an excellent solution.  

Overall, I would rate the solution a nine out of ten because there is always room for improvement. 

Checkmarx could perhaps give more examples of solutions in the reports. It's very good, but sometimes the solutions they give are not necessarily relevant to the code or how it's written. 

So, Checkmarx should give more examples of solutions. Although, it's not that bad because they give a few, one or two. And if you want more, you can look online. But it would help if they could refine it and give additional options for solutions.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Checkmarx One
December 2024
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
Engineer senior at a hospitality company with 10,001+ employees
Real User
A good compliance solution that is best suited to small scale applications, and suffers from stability issues
Pros and Cons
  • "The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal."
  • "We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."

What is our primary use case?

Our main uses of this solution are to ensure our required compliance policies are met, and that we are applying best practice.

How has it helped my organization?

This solution helps to remediate the compliance requirements we have. 

The product also increases the quality of the code the developers are able to implement. 

What is most valuable?

The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal.

What needs improvement?

We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process.

For how long have I used the solution?

We have been using this solution for two years.

What do I think about the stability of the solution?

The stability of this solution depends on the size of application to be scanned, as larger files result in lower performance levels.

What do I think about the scalability of the solution?

This solution is not very easily scalable, and seems to lack the capability to manage a high volume of applications.

How are customer service and support?

The technical support team for this solution are very supportive and skilled. They also define SLA's for their customers.

How was the initial setup?

We found the initial setup of this solution to be okay, but it is very reliant on server capacity.

What other advice do I have?

We would recommend that organizations considering this solution think about the size of the project involved, as this product works best with very small-scale applications.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1534434 - PeerSpot reviewer
System Engineer at a tech vendor with 10,001+ employees
Real User
Top 20
Easy to use, configurable, and has all the features we need
Pros and Cons
  • "It has all the features we need."
  • "The validation process needs to be sped up."

What is our primary use case?

We use the solution on a developing project. Before we bring the code to production, we have to ensure its quality, and we use this solution. 

What is most valuable?

It's easy to use. The configuration is easy. 

It has all the features we need. 

What needs improvement?

We haven't had any issues with the solution so far. It is not missing any features. 

It takes too much time to check the code. The validation process needs to be sped up. 

There have been some configuration issues. We sometimes have failures. 

For how long have I used the solution?

I've been using the solution for two and a half years at this point. 

What do I think about the stability of the solution?

We've had to deal with errors. When we blacklist or whitelist, we do have some issues. There are a few configuration issues. I'd rate the stability seven out of ten. It could be improved. 

What do I think about the scalability of the solution?

I can't speak to the scalability. I don't deal with scaling. The usage is limited. We aren't attempting to expand it. We only do two to three processes at the same time. 

How are customer service and support?

Technical support is okay. We are mostly happy with the help we get. We can directly connect with them.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I'm also using SonarQube.

How was the initial setup?

I did not handle the deployment directly. We have a team that manages the tool. I'm not aware of how many people are needed to maintain and deploy the solution. 

What's my experience with pricing, setup cost, and licensing?

I don't deal with the pricing directly. I don't know the exact cost. 

What other advice do I have?

I'm a customer and end-user.

I would recommend the solution to other users. I'd rate the solution eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Rajiv - PeerSpot reviewer
Practice Lead - Cyber Security at a tech vendor with 10,001+ employees
Vendor
Top 10
It has fewer false positives than other products, giving you better results
Pros and Cons
  • "What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
  • "One area for improvement in Checkmarx is pricing, as it's more expensive than other products."

What is our primary use case?

We primarily use Checkmarx for assessing vulnerabilities in applications.

What is most valuable?

What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results.

What needs improvement?

One area for improvement in Checkmarx is pricing, as it's more expensive than other products.

For how long have I used the solution?

I've used Checkmarx for four to five years.

What do I think about the stability of the solution?

Regarding Checkmarx stability, it's an eight out of ten.

What do I think about the scalability of the solution?

Checkmarx is a scalable tool and much better scalability-wise than other products I used. I'm rating its scalability as eight out of ten.

How are customer service and support?

We never had to contact the Checkmarx technical support team.

How was the initial setup?

I was not involved in the initial setup for Checkmarx.

What's my experience with pricing, setup cost, and licensing?

Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products.

What other advice do I have?

My company is in the service business, so it provides services to customers. For example, the customer uses SonarQube, so my company uses the same tool to execute vulnerability assessments.

I've worked on Checkmarx, NetSuite, Acunetix, and other application security tools used by customers.

My rating for Checkmarx is eight out of ten because it's a good product, and its only con is the cost, which is high for some customers.

I recommend Checkmarx to others because of its performance. The tool has better intelligent outcomes, and Checkmarx has better automation internally.

My company is a Checkmarx customer.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Engineer at a computer software company with 5,001-10,000 employees
Real User
Top 10
Requires in-depth knowledge of coding and bad stability
Pros and Cons
  • "The only thing I like is that Checkmarx does not need to compile."
  • "Checkmarx is not good because it has too many false positive issues."

What is our primary use case?

It is used for scanning for some other purposes. We needed Checkmarx to figure out some OS top ten issues in the codec.

What is most valuable?

The only thing I like is that Checkmarx does not need to compile. That's a good feature.

What needs improvement?

Checkmarx is not good because it has too many false positive issues. The software does not understand the code very well. It does not handle the process very well and misunderstands the logic, resulting in too many false positives. As per my experience, more than 80% of the issues are false positives, and it takes too much time to figure out which ones are true and which ones are false positives. 

Therefore, this is one of the areas of improvement for Checkmarx. It requires in-depth knowledge of the coding. 

For how long have I used the solution?

I have been using Checkmarx for more than a year. We are using the latest version. 

What do I think about the stability of the solution?

I would rate it as four because the scanning engine can crash sometimes.

What do I think about the scalability of the solution?

I would rate scalability a three out of ten. 

How are customer service and support?

The technical support is not good because they charge an extra fee. If we pay them on a call basis, they will charge extra. We can only give them emails; if we have a problem, it takes over half a year to fix the issue. They're just too slow.

How would you rate customer service and support?

Neutral

How was the initial setup?

The deployment is easy, but it may take around half an hour or even more because the software is huge. Also, good hardware performance is required, such as big memory and disk space.

It requires a lot of disk space and good hardware performance, and the speed is slow.

What about the implementation team?

The deployment is pretty tough to do by myself.

What's my experience with pricing, setup cost, and licensing?

It's expensive. I would give it a four out of ten.

Which other solutions did I evaluate?

We just calculated the speed of Checkmarx; it is around 40 lines of code per second. It's too slow, so we now use a Chinese software called XCheck, which is much better. It can scan around 2,000 or 5,000 lines per second, depending on the code complexity. XCheck is a product of a Chinese company called Tencent.

What other advice do I have?

Overall, I would rate the solution a three out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Marcelo Carrasco - PeerSpot reviewer
Security Architect at a financial services firm with 5,001-10,000 employees
Real User
Top 20
Easily scalable and finds more vulnerabilities than other tools
Pros and Cons
  • "The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools."
  • "The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information."

What is most valuable?

The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools.

What needs improvement?

The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information. There are some cases where you have to go directly to the Checkmarx database to get the information that you want. The default module that provides statistics is basic, and you need more elaborate information to do vulnerability management. The tool has a limited scope.

What do I think about the scalability of the solution?

It is easy to scale, you just have to pay. There are about 100 developers and security people using this solution in my company. 

How are customer service and support?

The contract that we have is not directly with Checkmarx. It's with an intermediary company in Argentina, and they give us support. They are not very fast in answering our questions. They have a kind of first level support, but for more technical stuff they go directly to Checkmarx.

What's my experience with pricing, setup cost, and licensing?

As with other tools, if you want more, you have to pay more. You have to pay for additional modules or functionalities. For instance, if you want to do some scanning to external dependencies of the software, you have to buy another tool provided by Checkmarx.

You have to pay for licenses for the number of projects that you want to scan and the number of users. I think you have to pay licenses for three features: the number of users, the projects, and I don't remember the other one.

What other advice do I have?

We have two administrators who coordinate maintenance with the vendor.

My advice is that you need to estimate the right amount of licenses. That's very important because right now, our company needs more licenses, and that was not well estimated at the beginning. The other thing is to be clear about the features of this tool that you want or need.

I would rate this solution as a nine out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cuneyt KALPAKOGLU Phd. - PeerSpot reviewer
Founder & Chairman at Endpoint-labs Cyber Security R&D
Real User
Top 5Leaderboard
Enhanced security with robust feature set for comprehensive protection
Pros and Cons
  • "Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IAC), Supply Chain Security, and API Security."
  • "The Dynamic Application Security Testing (DAST) feature should be better."

What is our primary use case?

I am representing Checkmarx as a reseller. I work with both the cloud and on-premises versions. I have been working with Checkmarx for more than twelve years.

How has it helped my organization?

Checkmarx is a must-use product due to the increasing number of cyber-attacks nowadays. The product's quality and performance justify its pricing, making it a worthwhile investment.

What is most valuable?

Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IAC), Supply Chain Security, and API Security.

What needs improvement?

The Dynamic Application Security Testing (DAST) feature should be better. The technical support service could also improve in terms of their response time.

For how long have I used the solution?

I have been working with Checkmarx since the early days of Checkmarx, which is more than 12 years.

What do I think about the stability of the solution?

I would rate the stability of Checkmarx at nine out of ten.

What do I think about the scalability of the solution?

Checkmarx is scalable, and I would rate its scalability at nine out of ten.

How are customer service and support?

The customer service and support should be quicker from my point of view. I would rate them eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have been working with Checkmarx for over 12 years without switching to a competitor due to Checkmarx being the best product in the market.

How was the initial setup?

The initial setup is straightforward, especially with the cloud version where no deployment is needed. The on-premises version requires some time and depends on the customer's environment.

What about the implementation team?

In typical circumstances, one senior engineer is enough for implementation, but in special cases, maybe two engineers are needed.

What was our ROI?

Checkmarx is cost-effective. It is a must-use product in today's cyber security environment.

What's my experience with pricing, setup cost, and licensing?

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

Which other solutions did I evaluate?

I chose Checkmarx over competitors due to ethical considerations and its superior functionality.

What other advice do I have?

Checkmarx is plug-and-play and the best product in the market at the moment, as evidenced by reports such as Gartner's.

I'd rate the solution nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer:
Flag as inappropriate
PeerSpot user
Buyer's Guide
Download our free Checkmarx One Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024
Buyer's Guide
Download our free Checkmarx One Report and get advice and tips from experienced pros sharing their opinions.