Technical Lead of Developers at a government with 10,001+ employees
Intuitive, with good dashboards and metrics but needs more third-party integration
Pros and Cons
- "The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."
- "Checkmarx could be improved with more integration with third-party software."
What is our primary use case?
We mainly use Checkmarx for accreditation, checking for vulnerabilities, and identifying areas in the code to fix some of the NIST 800 security controls.
What is most valuable?
The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for. It's also pretty intuitive and has a lot of good dashboards and metrics.
What needs improvement?
Checkmarx could be improved with more integration with third-party software.
For how long have I used the solution?
I've been using Checkmarx for about six months.
Buyer's Guide
Checkmarx One
November 2024
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,660 professionals have used our research since 2012.
What do I think about the stability of the solution?
We've had no issues with Checkmarx's stability.
What do I think about the scalability of the solution?
I thought Checkmarx was pretty scalable.
How are customer service and support?
My experience with Checkmarx's technical support has been very positive.
How would you rate customer service and support?
Positive
How was the initial setup?
I found the setup pretty straightforward, though it took several days because the system engineers had to go through some different configuration settings to get it done.
What about the implementation team?
We worked with Checkmarx when we ran into issues, and they were pretty responsive.
What other advice do I have?
Checkmarx isn't accredited by the US government for DOD networks, so we've been forced to remove it from the network. I'd rate Checkmarx as seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Configuration Manager at a tech vendor with 501-1,000 employees
Works well with Windows servers but no Linux support and takes too long to scan files
Pros and Cons
- "Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
- "Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"
What is our primary use case?
The primary use that we have for Checkmarx is the evaluation of source code vulnerabilities.
We use Git to connect to Checkmarx. We don't use GitHub. We use our own self-hosted Git. We're just using generic Git. One of the biggest thorns in our side is managing that aspect of it. It wouldn't matter if it was GitHub or Bitbucket or any of the other tools that you can use to connect Git to Checkmarx. The issue is the same.
The tool is good at telling us what repository we're connected to, but it is horrible in telling us what branch we're connected to.
How has it helped my organization?
I haven't been monitoring how well our projects have been at reducing vulnerabilities. Checkmarx is one that you have to actively follow, and my position doesn't require that I do that. I set up the tool, and then I let other people use it.
I'm the system administrator of the tool rather than an active user of it. This product has room for improvement in administration.
Adding users is kind of a pain. We need a more automated way of adding users. User administration for the IDs can be improved; they can make it a more automated feature set so that you can add users more quickly and easily.
Most tools that I'm dealing with today have a mechanism where people can self-enroll.
What is most valuable?
I'm more of the admin as opposed to a user of Checkmarx. Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before.
What needs improvement?
One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage.
Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage.
To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet.
There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain.
All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud.
The issue with Checkmarx is the next pain point, i.e. their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install.
My last statement on Checkmarx is Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well.
I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows only is a hindrance as well.
Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.
For how long have I used the solution?
We've been using Checkmarx for two to three years since we fully put it into production.
What do I think about the stability of the solution?
Checkmarx is a stable product, especially based on the number of updates that we receive. Every time we get a new update or a hotfix, I'm very much in the loop on getting that information. Compared to some other products, it doesn't have the churn that others do, i.e. in the number of updates and patches that we have to apply to it.
We're licensed for 100 users. Primarily we use Checkmarx for developers, managers, architects, and maybe some of the design folk, but not QA. This would solely be in the realm of development and architecture.
There is no plan for us to increase our usage of Checkmarx. We're trying to get as many scans as possible. One of the issues that we have is the concept of an incremental scan. The more of the incremental that you do, the slower the service becomes.
When you go in and you look at the last result: it's your baseline or your full scan, followed by applying each incremental. The more of the incrementals that you have, the slower Checkmarx gets.
They've come up with a recommendation for users to do one full scan a week and maybe six incremental scans. This needs to be worked on to get the performance better on this particular tool.
What do I think about the scalability of the solution?
Checkmarx can scale up very easily. Anything that can be automated can be scaled. If I can automate it, I can scale it. Under the hood, it does the management of the scan engines well.
We have some large code bases where, according to the Checkmarx internal people, everything is 100% optimized hardware-wise based on the number of lines of code. The fastest that the scan should take is 13 hours. That's a full scan; an incremental is a little different.
The problem with Checkmarx from that standpoint is, in our most active code base, we want it to be scanned frequently. At one point in time, it was taking up to 26 hours to do a single scan. We were scanning twice a week or four times a week.
That same code base has two separate instances of itself. A long time ago they started as a common code base and then they split. Now, in essence, we have two products based on the same code base. We had to scan them twice a week.
How are customer service and technical support?
The customer service on the phone so far with Checkmarx has been good. We've had more issues with other projects that have gone into the cloud than with this particular instance.
It's mostly email until you scream enough with Checkmarx or you go through your salesperson. It's a little bit of a burden to get to them.
For the most part, the people that I have dealt with know their stuff, and we haven't had any problems. It's been a challenge. We did try to do things that no one else had tried before according to them, and so we ended up having setbacks because of trying new things.
Which solution did I use previously and why did I switch?
The tool that we were using before was AppScan.
How was the initial setup?
The initial setup of Checkmarx is straightforward. We did a bunch of things that shot ourselves in the foot that we weren't expecting. We were initially trying to put Checkmarx in the cloud. We were even putting Checkmarx into an Azure system until we found out that Azure, with the Microsoft SQL engine, does not support what Checkmarx requires.
The Azure implementation of SQL does not allow the USE statement. Extremely odd. Maybe Microsoft figured out if you can't use USE, that means you have to have more databases and so they can charge more. Microsoft, Oracle, and IBM have been pulling that crap for years. They're making a lot of money.
It probably took us a couple of months to go through all of the issues, basically trying to find a home for SQL. We ended up creating a Microsoft SQL server in Amazon.
What about the implementation team?
With Amazon's RDB, you can use Oracle, PostgreSQL, Sybase, Microsoft SQL, etc. as its RDB engines. Depending on whether you already have a license, or if you want to pay for the license when you set up the instance, you can do either.
We had the license. We just created an instance in the Amazon cloud.
What's my experience with pricing, setup cost, and licensing?
I've got 100 licenses for Checkmarx. As people come and go, it's a hassle to add and remove them. In this day and age, it's such a meaningless time-waster.
Which other solutions did I evaluate?
We were previously working with Azure. We switched because of their implementation of SQL Server. Checkmarx uses statements to move from database to database. Azure does not support that in its implementation at this time.
Time will tell and Microsoft does improve their code over time.
What other advice do I have?
From an administrative standpoint, I would rate Checkmarx with a five out of ten. From what my users are telling me, I'd give it an eight for the tool's ability to report on vulnerabilities in the user experience.
I would rate Checkmarx with an eight on the user side and a five on the admin side.
Customers need to work with Checkmarx to scale the system for their needs, i.e., work with their recommendations and the best practices that they have.
They have this formula to calculate how many CPUs and how much memory you need. The memory requirements are huge. We've got 64 GB machines to scan them.
That's the low end of what they're recommending. Their processes do a lot of number crunching in memory. For a 4 million line code base, it's just going to consume a lot of time and a lot of resources.
We are only using the source code scanner. We're not using the OSS scanner. We use Artifactory for our OSS repository, and Artifactory comes with its own built-in OSS scanner. We didn't need two OSS scanners.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
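The scan cadence the reviewer above describes (one full scan a week with a limited number of incrementals on top of it) can be applied automatically from a project's scan history, which fits the Jenkins/Ansible automation the same review mentions. The block below is an added example written for this page, not Checkmarx tooling: the endpoint path, the JSON field names and the versioned Content-Type header are what I recall of the CxSAST REST API and are assumptions to verify against the documentation for your version, and the scan history is constructed.

```python
"""Choosing between a full and an incremental CxSAST scan from scan history.

Added example, not Checkmarx's own tooling. The cadence (a full scan at least
weekly, and at most a handful of increments on top of one baseline) follows
the recommendation quoted in the review. Endpoint path and JSON field names
are assumptions from memory of the CxSAST REST API; check them against the
documentation for your version. SAMPLE_HISTORY is constructed data.
"""
import json
import urllib.request
from datetime import datetime, timedelta
from typing import Dict, List

MAX_FULL_AGE = timedelta(days=7)   # re-baseline at least weekly
MAX_INCREMENTALS = 6               # and after this many increments on one baseline

SCANS_PATH = "/cxrestapi/sast/scans"  # assumed path: POST creates a scan, GET lists them


def utc(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp with an explicit offset into an aware datetime."""
    return datetime.fromisoformat(iso)


def choose_scan_type(history: List[Dict], now: datetime) -> str:
    """Return "full" or "incremental" for the next scan.

    history is newest first; each record has "isIncremental" and "startedOn"
    (the latter as reported under dateAndTime by the scans endpoint). Only
    finished scans should be passed in: a failed full scan is no baseline.
    """
    incrementals_since_full = 0
    for scan in history:
        if scan["isIncremental"]:
            incrementals_since_full += 1
            continue
        # First full scan found, i.e. the current baseline.
        baseline_age = now - utc(scan["startedOn"])
        if baseline_age > MAX_FULL_AGE or incrementals_since_full >= MAX_INCREMENTALS:
            return "full"
        return "incremental"
    # No finished full scan on record: there is nothing to apply an increment to.
    return "full"


def build_scan_request(project_id: int, scan_type: str, comment: str = "") -> Dict:
    """Body for POST on SCANS_PATH (field names assumed, see module docstring).

    forceScan makes the engine scan even when the source is unchanged, which a
    scheduled job usually wants so that the weekly baseline is never skipped.
    """
    if scan_type not in ("full", "incremental"):
        raise ValueError(f"unknown scan type: {scan_type}")
    return {
        "projectId": project_id,
        "isIncremental": scan_type == "incremental",
        "isPublic": True,
        "forceScan": True,
        "comment": comment,
    }


def submit_scan(base_url: str, bearer_token: str, body: Dict) -> Dict:
    """POST the scan request and return the decoded JSON response.
    This is a network call, so it is only invoked from the guarded block below."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SCANS_PATH,
        data=json.dumps(body).encode(),
        headers={
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/json;v=1.0",  # assumed versioned media type
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed history, newest first, flattened from what a GET on SCANS_PATH
# filtered by projectId and scanStatus=Finished might return (assumed filters).
SAMPLE_HISTORY = [
    {"id": 1041, "isIncremental": True, "startedOn": "2024-11-18T02:00:00+00:00"},
    {"id": 1040, "isIncremental": True, "startedOn": "2024-11-17T02:00:00+00:00"},
    {"id": 1039, "isIncremental": False, "startedOn": "2024-11-14T02:00:00+00:00"},
]

if __name__ == "__main__":
    now = utc("2024-11-19T02:00:00+00:00")
    kind = choose_scan_type(SAMPLE_HISTORY, now)
    print(json.dumps(build_scan_request(1234, kind, f"scheduled {kind} scan"), indent=2))
    # submit_scan("https://checkmarx.example", "<token>", body) would send it.
```

Run it from the job that triggers the scan, feeding it only finished scans; a history with no finished full scan falls back to a full scan, since there is no baseline for an increment to be applied to, and the incremental count is reset whenever a full scan is the newest record.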
Practice Head - IT Risk & Security Management Services at Suma Soft Private Limited
Enables us to find vulnerabilities in our software before the development cycle is complete
Pros and Cons
- "The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
- "The reports are good, but they still need to be improved considering what the UI offers."
What is our primary use case?
My team uses this product extensively for application vulnerability assessment. This solution is for static application security testing and is used within our software development process.
As the software developers are creating solutions, they are able to identify vulnerabilities while the application is being written, rather than after the entire development is over.
We were interested in having the raw source code scanned, so that was the primary requirement and that is where Checkmarx comes in. We do not need any precompiled libraries, or compiled source code, to be checked by the source code analysis solution.
We have a security team that uses this product to scan source code, rather than have the developers handle it. We do not have any developer licenses (i.e. the SDLC Edition). Instead, the security team identifies the vulnerabilities and shares the report with the development team.
How has it helped my organization?
The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete.
As an example, an application may contain three hundred thousand lines of code that was written over two or three months. Rather than having to examine the entire product for vulnerabilities, we are able to assess weaknesses and identify vulnerabilities in, say, five hundred or one thousand lines of code. This is really advantageous for us.
What is most valuable?
There are many features, but first is the fact that it is easy to use, and not complicated.
One of the cool features is that it identifies the development technology that we are using on its own, whether it is Java or .NET or otherwise, it identifies it by itself.
The most important aspect is that it shows us exactly, on which particular line, the vulnerability is.
The user interface is very intuitive and it offers help on the fly.
What needs improvement?
The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.
For how long have I used the solution?
A couple of years.
What do I think about the stability of the solution?
We have not observed any issues, such as the application crashing, with respect to the stability of this solution.
What do I think about the scalability of the solution?
The solution is quite scalable. We are not using the SDLC edition, but with that version, the developers can use different plugins and initiate the scan from their own development environment.
There are three or four members in our security team who use this tool. At the current time, we are happy with this solution and do not plan to increase its usage to the point where we need a different license.
How are customer service and technical support?
We have found the technical support to be good. Whenever anyone has an issue, we write directly to Checkmarx.com and they issue a support ID. Most of the time we receive a quick response.
We are currently based in India, and they have increased their team size in India with a couple of people providing support. It covers the Indian subcontinent as well. With this increase, our tickets are answered very quickly as compared to what we used to get.
Which solution did I use previously and why did I switch?
I do not have recent, hands-on experience with this tool but, I have used it in the past and my team now uses it extensively. We did not use a tool previous to this one, and we plan to continue using this because we are getting good results.
We use this solution for static application security testing. For dynamic testing, we use the Netsparker solution.
How was the initial setup?
The initial setup is pretty simple and straightforward, and it does not take more than fifteen minutes, maximum. The entire deployment was completed in not more than half an hour.
Not many people are required for deployment or maintenance. We have not done much since the original installation. When a new version comes in, any member of the security team can update the solution. In that way, a single person can maintain it. Within my team, it is a Senior Security Analyst who maintains this solution for us.
What about the implementation team?
It is a very simple tool and we do not have a complex environment. It is installed on a standalone machine.
We do not have an integrated solution. This is a standalone solution that is used with the Security Gate. The installation was completed in-house, by our team only.
What was our ROI?
We have seen ROI, but quantifying it in terms of the numbers is difficult. The biggest advantage we have seen is that we're able to develop and deliver secure solutions, in a faster time. We used to test our applications efficiently, and we still do, but there used to be a period of rework required. Now, that does not happen. We are able to identify the issues and address them while the development is in progress.
What's my experience with pricing, setup cost, and licensing?
We have a subscription license that is on a yearly basis, and it's a pretty competitive solution. I don't know of any additional costs, beyond the standard licensing fees, for our version of the software.
In the case of the SDLC edition, which is a higher version, there may be some professional support that is required. Otherwise, any license that they provide is just an annual subscription fee.
Which other solutions did I evaluate?
We evaluated the Fortify Static Code Analyzer and IBM Security AppScan, but our evaluation was not fully completed. We were happy with what we were seeing with Checkmarx, so we did not go ahead with the others.
What other advice do I have?
My advice to any software development team using a different set of tools is to look at Checkmarx. It's a very good product. It's a great product, in fact. Any organization spending money on a subscription license should not look at it as a cost, rather, it should be seen as an investment. The Checkmarx solution can act as a resource that can help the development team to secure their application delivery. Be it an internal application for their own use, or applications being written for their customers.
This solution tells us where, in our code, the "best-fix location" is. To put this into perspective, consider a particular piece of code where there are ten vulnerabilities detected. Perhaps it is an SQL injection vulnerability. This tool gives you specific locations and informs that if you fix the code in certain areas (e.g. in three specific locations) then the subsequent vulnerabilities will automatically be addressed. Therefore, you save on development effort because you do not need to fix all ten vulnerabilities specifically and independently.
I would rate this product a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
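The "best-fix location" idea in the review above can be shown on the data-flow paths a SAST tool reports: each finding is a path from a taint source to a sink, and the fix points are the few nodes that lie on all of them. The block below is an added illustration for this page, not Checkmarx's algorithm or code; it uses a greedy set-cover heuristic, and the file names, line numbers and method names in the sample flows are constructed.

```python
"""Best-fix location, illustrated on constructed data-flow paths.

Added example (not Checkmarx's code or algorithm): each finding is modelled as
the ordered list of code locations a tainted value passes through, and the
fewest nodes that lie on every path are chosen with a greedy set-cover
heuristic. All file names, line numbers and method names are invented.
"""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

Flow = Sequence[str]  # ordered code locations from taint source to sink


def _src(servlet: str, line: int) -> str:
    return f"{servlet}.java:{line} request.getParameter"


# Ten constructed SQL-injection flows. Each group of sources reaches its sink
# only through one helper method, so that helper is the natural fix point.
SAMPLE_FLOWS: List[Flow] = [
    (_src("LoginServlet", 21), "UserDao.java:40 findByName", "UserDao.java:58 executeQuery"),
    (_src("LoginServlet", 33), "UserDao.java:40 findByName", "UserDao.java:58 executeQuery"),
    (_src("ProfileServlet", 17), "UserDao.java:40 findByName", "UserDao.java:58 executeQuery"),
    (_src("AdminServlet", 88), "UserDao.java:40 findByName", "UserDao.java:58 executeQuery"),
    (_src("OrderServlet", 45), "OrderDao.java:72 search", "OrderDao.java:90 executeQuery"),
    (_src("OrderServlet", 61), "OrderDao.java:72 search", "OrderDao.java:90 executeQuery"),
    (_src("CartServlet", 12), "OrderDao.java:72 search", "OrderDao.java:90 executeQuery"),
    (_src("ReportServlet", 29), "ReportDao.java:15 filter", "ReportDao.java:30 executeQuery"),
    (_src("ReportServlet", 52), "ReportDao.java:15 filter", "ReportDao.java:30 executeQuery"),
    (_src("ExportServlet", 9), "ReportDao.java:15 filter", "ReportDao.java:30 executeQuery"),
]


def best_fix_locations(flows: Sequence[Flow]) -> List[Tuple[str, List[int]]]:
    """Return (location, indexes of the flows it fixes) pairs.

    Greedy set cover: repeatedly take the node shared by the most still-open
    flows. Ties go to the node closest to the sources (lowest mean position in
    its flows), because a sanitiser placed there also guards any sink added
    later; remaining ties are broken by name so the output is deterministic.
    """
    open_flows = set(range(len(flows)))
    chosen: List[Tuple[str, List[int]]] = []
    while open_flows:
        covers: Dict[str, set] = defaultdict(set)
        positions: Dict[str, List[int]] = defaultdict(list)
        for i in open_flows:
            for pos, node in enumerate(flows[i]):
                covers[node].add(i)
                positions[node].append(pos)
        node = max(
            covers,
            key=lambda n: (len(covers[n]), -sum(positions[n]) / len(positions[n]), n),
        )
        fixed = sorted(covers[node])
        chosen.append((node, fixed))
        open_flows -= set(fixed)
    return chosen


def fix_summary(flows: Sequence[Flow]) -> Tuple[int, int]:
    """(number of findings, number of distinct places that need a code change)."""
    return len(flows), len(best_fix_locations(flows))


if __name__ == "__main__":
    for node, fixed in best_fix_locations(SAMPLE_FLOWS):
        print(f"{node}: fixes findings {fixed}")
    print("findings / fix points:", fix_summary(SAMPLE_FLOWS))
```

On the sample, ten findings collapse to three fix points, the three helper methods that build the queries; parameterising the query in each of them closes every path through it. The tie-break towards the source is a design choice for this illustration: fixing at the shared sink would cover the same flows, but a sanitiser at the earlier shared node also protects sinks that do not exist yet.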
Cybersecurity at a transportation company with 1,001-5,000 employees
No need to compile the code to execute static code analysis, but should be more container-friendly and optimized for the CI pipeline
Pros and Cons
- "I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
- "They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
What is our primary use case?
I am using it for software assurance focused on security. I am using its latest version.
How has it helped my organization?
I use both the static code analysis and the open-source analysis engine. It gives visibility into weaknesses and the software that may be there in the source code and static analysis. It also gives some insights into the open source vulnerabilities that may be there in the codebase.
What is most valuable?
I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy. Typically, when using SCA tools on C/C++ and C#, you must compile the software for SCA to work. CX doesn't require any compilation due to the way the tool does synthetic compilation to help find errors in code. Many times, third-party assurance providers don't have all the files to compile, so CX comes in handy.
What needs improvement?
They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server.
I had several issues with the installation. It should just work out of the box.
For how long have I used the solution?
I have been using it off and on for about a year.
What do I think about the stability of the solution?
I've run into a few bugs here and there, but I would recommend installing on a virtual machine and snapshotting a working install.
What do I think about the scalability of the solution?
My setup is standalone. They do have a scalable version, but it's not something I need.
We're not using it a lot. Its usage is once a month. The way our organization works is that we don't do static code analysis every day. It's more on an as-needed basis. So, it's no fault of the Checkmarx tool. It's just not something that we've been working on.
How are customer service and support?
They were pretty good. I would rate them a four out of five, but I was using their salespeople. It wasn't their traditional tech support, so I can't really evaluate their traditional tech support. When they're selling something, they give you a lot more service instead of having to go through the support system.
Which solution did I use previously and why did I switch?
I still use other tools, so I just added it to the tool chest. I have Fortify, CodeSonar, etc., and I added Checkmarx as a different tool.
How was the initial setup?
I installed it. It's straightforward to install, but I had several issues with the installation. I don't know if it was with my environment or not. If it works properly, it's a simple install, but in my example, it did not work right off the bat. There was some troubleshooting that had to go on, which was a little frustrating.
It took weeks. It required back and forth communication with support for a couple of days, but I wasn't actively working on it for days. I would run into a bug, send the log file, and go back and forth. It wasn't anything crazy, but it was a little frustrating. It should just work out of the box. It should be pretty straightforward where you just click the installer and go, but it wasn't.
What about the implementation team?
It was implemented in-house, and then I had to call support when needed.
In terms of maintenance, it is pretty self-sustaining. You update it whenever it needs to be updated.
What was our ROI?
There hasn't been much return yet because we haven't used it much, but I have enough faith in it that I committed to it for multiple years. We are starting to use it more, but not enough to state ROI yet.
What other advice do I have?
I would rate it a seven out of ten. It's not the best tool on the market, but it provides some good capability for what it is.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Penetration Tester & Information Security Expert at a comms service provider with 11-50 employees
Responsive support, useful code-checking module, and high availability
Pros and Cons
- "The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful."
- "Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not."
What is our primary use case?
Checkmarx is used to check the code from programmers and vulnerabilities in third-party software.
Checkmarx can be deployed on the cloud and on-premise. However, it depends on the version.
How has it helped my organization?
Checkmarx detected code sections that did not adhere to best practices. After being informed, the programmers were able to rectify some of the issues. Without Checkmarx, it is unlikely we would have identified these issues.
Utilizing the SCA module, I gained valuable insights into the vulnerabilities present in open-source Python libraries that individuals desire to use. As an information security consultant, I advise against employing Python libraries that contain known vulnerabilities. The SCA solution proved to be helpful in this regard.
What is most valuable?
The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful.
What needs improvement?
Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not.
In a future release, the SCA module could have better documentation. It was difficult to know how to check the names of all the modules. It took me a lot of time and I needed help to be able to write the requirements file. More clarification would be helpful in the documentation, such as examples.
For how long have I used the solution?
I have been using Checkmarx for approximately six months.
What do I think about the stability of the solution?
The stability is great.
I rate the stability of Checkmarx a ten out of ten.
What do I think about the scalability of the solution?
The scalability of the solution is great. Everything I send to the solution is processed quickly.
We have five information security analysts and programmers using this solution.
We plan to increase our usage. We will install it on more networks.
I rate the scalability of Checkmarx a ten out of ten.
How are customer service and support?
I found someone in the evening that logged in and answered my issues. They are responsive.
I rate the support of Checkmarx a ten out of ten.
How would you rate customer service and support?
Positive
What other advice do I have?
We have one person for the maintenance of the solution but it is minimal and is not a full-time job.
I would advise others to ask for a demo of the solution and if it works well for their use case then purchase it.
I rate Checkmarx a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: consultant
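The reviewer above used the SCA module on open-source Python libraries and found it hard to work out how to write the requirements file for it. The block below is an added example for this page, not the Checkmarx SCA module: it parses the requirements.txt forms that commonly appear in such a file (pins, ranges, extras, environment markers, nested files, URL installs) and compares each exact pin with a small advisory table. The advisory identifiers, fixed versions and the requirements text are constructed and are not real vulnerability data.

```python
"""Matching pinned Python dependencies against known-vulnerable versions.

Added example, not the Checkmarx SCA module. It parses requirements.txt
lines, then compares each exact pin with a small advisory table. The advisory
identifiers, fixed versions and the requirements text are constructed for the
example and are not real vulnerability data.
"""
import re
from typing import Dict, List, Optional, Tuple

# name, optional extras, optional operator, optional version,
# e.g. "requests[socks]==2.31.0". "===" is listed before "==" so it is not split.
_REQ = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(===|==|>=|<=|~=|!=|>|<)?\s*([^\s;#]+)?"
)


def normalize_name(name: str) -> str:
    """PEP 503 style: case-insensitive, and runs of -, _ and . are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable tuple for dotted release versions, padded to three parts.
    Suffixes such as rc1 or post1 are ignored, which is acceptable for exact pins."""
    parts: List[int] = []
    for segment in version.split("."):
        m = re.match(r"\d+", segment)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, Optional[str]]:
    """Map normalised package name -> exact pinned version, or None when the
    line gives no exact pin (a range, a bare name, a marker-only line)."""
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # pip options, nested files and URL installs carry no pin to check here.
        if not line or line.startswith(("-", "git+", "http://", "https://")):
            continue
        m = _REQ.match(line)
        if not m:
            continue
        name, _extras, op, version = m.groups()
        pins[normalize_name(name)] = version if op == "==" and version else None
    return pins


# Constructed advisories: package -> [(advisory id, first fixed version)].
# A pin strictly below the fixed version is reported as affected.
ADVISORIES = {
    "pyyaml": [("EX-2020-001", "5.4")],
    "django": [("EX-2021-002", "3.2.4")],
    "pillow": [("EX-2022-003", "9.0.1")],
    "requests": [("EX-2023-004", "2.20.0")],
}


def find_vulnerable(pins: Dict[str, Optional[str]], advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """(package, pinned version or "unpinned", advisory id) for every match.

    A package that has an advisory but no exact pin is reported as unpinned:
    pip may resolve it to an affected release, so it should be pinned and the
    check rerun rather than assumed clean.
    """
    findings: List[Tuple[str, str, str]] = []
    for name, pinned in pins.items():
        for advisory_id, fixed in advisories.get(name, []):
            if pinned is None:
                findings.append((name, "unpinned", advisory_id))
            elif version_key(pinned) < version_key(fixed):
                findings.append((name, pinned, advisory_id))
    return findings


SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the example
PyYAML==5.3.1                     # below the example fix version
Django>=3.2                       # a range, not an exact pin
requests[security]==2.31.0 ; python_version >= "3.7"
pillow == 9.0.0
-r base.txt
git+https://example.invalid/internal.git#egg=internal
"""

if __name__ == "__main__":
    for finding in find_vulnerable(parse_requirements(SAMPLE_REQUIREMENTS)):
        print("%-10s %-10s %s" % finding)
```

This only sees what is written in the file; a real SCA run also resolves transitive dependencies, so a vulnerable library pulled in indirectly would be missed here and is the usual reason a clean requirements file still produces SCA findings.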
Vice President Of Technology at a computer software company with 5,001-10,000 employees
Good reporting, performance, and coverage for different languages
Pros and Cons
- "The most valuable feature is the application tracking reporting."
- "The cost per user is high and should be reduced."
What is our primary use case?
We primarily use Checkmarx for application security and tracking.
What is most valuable?
The most valuable feature is the application tracking reporting.
From the user's perspective, the interface is pretty good. It will point out the exact line of code when an issue is found.
It is good in terms of coverage for different languages.
It is updated automatically so there is less maintenance.
What needs improvement?
The cost per user is high and should be reduced. Five years ago, it was a user-based model, which was significantly better. It would be great if we could distribute the cost equally between projects.
For how long have I used the solution?
I have been working with Checkmarx for about two years.
What do I think about the stability of the solution?
This is a stable product.
What do I think about the scalability of the solution?
It is scalable in terms of being able to run multiple instances for different products. We have approximately 10 users, which is the size of our application security team.
I would like to increase our usage of this product, but it will ultimately depend on the company's strategy.
How are customer service and technical support?
Given the stability of Checkmarx, it doesn't require a lot of communication with technical support. That said, we have been in touch with them for non-technical issues and they have a good team with a lot of Russian speakers.
Which solution did I use previously and why did I switch?
Prior to using Checkmarx, I used AppScan, but the concept is completely different. With Checkmarx, you are working with source code, whereas with AppScan, you are working with binaries. You can say that AppScan is more like a dynamic security scan and Checkmarx is more static.
These products are quite different in terms of how you do the testing. Checkmarx is better from both a performance perspective and reporting a lower number of false positives.
How was the initial setup?
We did not have any trouble with the initial setup. Our deployment was done within a couple of hours. The easiest thing to do is create a virtual machine and deploy it.
What about the implementation team?
Our in-house IT staff was responsible for the implementation.
What's my experience with pricing, setup cost, and licensing?
The number of users and coverage for languages will have an impact on the cost of the license. We would like to deploy it for the whole company but it's a question of spending thousands of dollars. Investing $200,000 or $300,000 would be an upper management decision.
The educational component is additional and costs approximately $100 per month for each user. This is too high so we did not agree to the service.
What other advice do I have?
Overall, we are very satisfied with Checkmarx and it is a product that I recommend.
I would rate this solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Engineer at a tech vendor with 10,001+ employees
Useful automation, detailed reports, but scalability could improve
Pros and Cons
- "The most valuable features of Checkmarx are the automation and information that it provides in the reports."
- "Checkmarx needs to be more scalable for large enterprise companies."
What is our primary use case?
We use Checkmarx as a code analysis tool.
How has it helped my organization?
We have always used some kind of code analysis tool and Checkmarx has been working for us at this time. We like the tool.
What is most valuable?
The most valuable features of Checkmarx are the automation and information that it provides in the reports.
For how long have I used the solution?
I have been using Checkmarx for approximately two years.
What do I think about the stability of the solution?
The stability of Checkmarx could improve. We're having issues with it, but we don't want to upgrade to the newest version until we make sure that the issues we're having now aren't present in the newer version.
The scan reliability is sometimes impacted, and we sometimes have to restart the services to let scans out of the queue.
What do I think about the scalability of the solution?
Checkmarx needs to be more scalable for large enterprise companies.
How are customer service and support?
I have used the support from Checkmarx.
I rate the support from Checkmarx a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I was previously using Fortify, but it was antiquated. They were not updating the solution on a regular basis.
How was the initial setup?
The initial setup of Checkmarx is straightforward. The implementation of Checkmarx does not take long because we have a process for it.
What about the implementation team?
We have four people that maintain Checkmarx in our company. We have professional services but I did most of the deployment myself.
What other advice do I have?
My advice to others is that Checkmarx is good compared to the other tools. However, they are all comparable, it depends on what languages they want to scan. Overall, Checkmarx is a decent solution. It would be a good idea to test other solutions.
I rate Checkmarx
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of IT Security Department at an energy/utilities company with 5,001-10,000 employees
Many false positives and inaccurate information, but scalable
Pros and Cons
- "The solution is scalable, but other solutions are better."
- "Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
What is our primary use case?
We are using Checkmarx for analyzing threats.
We are not using the latest version of Checkmarx because we faced some issues.
What needs improvement?
Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities.
SonarQube functions better in these areas.
For how long have I used the solution?
I have used Checkmarx within the last 24 months.
What do I think about the stability of the solution?
The stability of Checkmarx could improve.
I would rate the stability of Checkmarx a six out of ten.
What do I think about the scalability of the solution?
The solution is scalable, but other solutions are better.
We have 20 developers using this solution. We have a few projects left to use this solution and then we will move to something else next year.
How are customer service and support?
The support could improve, it takes a long time for a response. The service we received was poor.
Which solution did I use previously and why did I switch?
I am using Checkmarx in parallel with SonarQube.
How was the initial setup?
We didn't like how long they took to implement the product. The installation was not intuitive. We were constantly having meetings and installing additional things.
The implementation process should improve.
What about the implementation team?
We were helped by both the local partner and the vendor for the implementation.
We have two developers for the maintenance and support of Checkmarx.
What's my experience with pricing, setup cost, and licensing?
We're using a commercial version of Checkmarx, and we paid for the solution for two years. The price is high and could be reduced.
The local distributor charges twice as much as in other countries.
What other advice do I have?
The purchase of this solution was a mistake.
I would advise others to deploy the solution and to test all of the functionality before buying and do not trust the marketing from Checkmarx.
I rate Checkmarx a four out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.