Checkmarx One Reviews

I am using it for software assurance focused on security. I am using its latest version.

I use both the static code analysis and the open-source analysis engine. It gives visibility into weaknesses and the software that may be there in the source code and static analysis. It also gives some insights into the open source vulnerabilities that may be there in the codebase.

I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy. Typically when using SCA tools on C/C++ and C# you must compile the software for SCA to work. CX doesn’t require any compilation due to the way the tool does synthetic compilation to help find errors in code. Many times 3rd party assurance providers don’t have all the files to compile so CX comes in handy. 

They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server.

I had several issues with the installation. It should just work out of the box.

I have been using it off and on for about a year.

I've run into a few bugs here and there but i would recommend installing on virtual machine and snapshoting a working install. 

My setup is standalone. They do have a scalable version, but it's not something I need.

We're not using it a lot. Its usage is once a month. The way our organization works is that we don't do static code analysis every day. It's more on an as-needed basis. So, it's no fault of the Checkmarx tool. It's just not something that we've been working on.

They were pretty good. I would rate them a four out of five, but I was using their salespeople. It wasn't their traditional tech support, so I can't really evaluate their traditional tech support. When they're selling something, they give you a lot more service instead of having to go through the support system.

I still use other tools, so I just added it to the tool chest. I have Fortify, CodeSonar, etc  and I added Checkmarx as a different tool.

I installed it. It's straightforward to install, but I had several issues with the installation. I don't know if it was with my environment or not. If it works properly, it's a simple install, but in my example, it did not work right off the bat. There was some troubleshooting that had to go on, which was a little frustrating.

It took weeks. It required back and forth communication with support for a couple of days, but I wasn't actively working on it for days. I would run into a bug, send the log file, and go back and forth. It wasn't anything crazy, but it was a little frustrating. It should just work out of the box. It should be pretty straightforward where you just click the installer and go, but it wasn't.

It was implemented in-house, and then I had to call support when needed.

In terms of maintenance, it is pretty self-sustaining. You update it whenever it needs to be updated.

There hasn't been much return yet because we haven't used it much, but I have enough faith in it that I committed to it for multiple years. We are starting to use it more but not enough to state ROI yet

I would rate it a seven out of ten. It's not the best tool on the market, but it provides some good capability for what it is.

My team uses this product extensively for application vulnerability assessment. This solution is for static application security testing and is used within our software development process.

As the software developers are creating solutions, they are able to identify vulnerabilities while the application is being written, rather than after the entire development is over.  

We were interested in having the raw source code scanned, so that was the primary requirement and that is where Checkmarx comes in. We do not need any precompiled libraries, or compiled source code, to be checked by the source code analysis solution.

We have a security team that uses this product to scan source code, rather than have the developers handle it. We do not have any developer licenses (i.e. the SDLC Edition). Instead, the security team identifies the vulnerabilities and shares the report with the development team.

The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete.

As an example, an application may contain three hundred thousand lines of code that was written over two or three months. Rather than having to examine the entire product for vulnerabilities, we are able to assess weaknesses and identify vulnerabilities in, say, five hundred or one thousand lines of code. This is really advantageous for us.

There are many features, but first is the fact that it is easy to use, and not complicated.

One of the cool features is that it identifies the development technology that we are using on its own, whether it is Java or .NET or otherwise, it identifies it by itself.

The most important aspect is that it shows us exactly, on which particular line, the vulnerability is.

The user interface is very intuitive and it offers help on the fly.

The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.

We have not observed any issues, such as the application crashing, with respect to the stability of this solution.

The solution is quite scalable. We are not using the SDLC edition, but with that version, the developers can use different plugins and initiate the scan from their own development environment.

There are three or four members in our security team who use this tool. At the current time, we are happy with this solution and do not plan to increase its usage to the point where we need a different license.

We have found the technical support to be good. Whenever anyone has an issue, we write directly to Checkmarx.com and they issue a support ID. Most of the time we receive a quick response.

We are currently based in India, and they have increased their team size in India with a couple of people providing support. It covers the Indian subcontinent as well. With this increase, our tickets are answered very quickly as compared to what we used to get.

I do not have recent, hands-on experience with this tool but, I have used it in the past and my team now uses it extensively. We did not use a tool previous to this one, and we plan to continue using this because we are getting good results.

We use this solution for static application security testing. For dynamic testing, we use the Netsparker solution.

The initial setup is pretty simple and straightforward, and it does not take more than fifteen minutes, maximum. The entire deployment was completed in not more than half an hour.

Not many people are required for deployment or maintenance. We have not done much since the original installation. When a new version comes in, any member of the security team can update the solution. In that way, a single person can maintain it. Within my team, it is a Senior Security Analyst who maintains this solution for us.

It is a very simple tool and we do not have a complex environment. It is installed on a standalone machine.

We do not have an integrated solution. This is a standalone solution that is used with the Security Gate. The installation was completed in-house, by our team only.

We have seen ROI, but quantifying it in terms of the numbers is difficult. The biggest advantage we have seen is that we're able to develop and deliver secure solutions, in a faster time. We used to test our applications efficiently, and we still do, but there used to be a period of rework required. Now, that does not happen. We are able to identify the issues and address them while the development is in progress.

We have a subscription license that is on a yearly basis, and it's a pretty competitive solution. I don't know of any additional costs, beyond the standard licensing fees, for our version of the software.

In the case of the SDLC edition, which is a higher version, there may be some professional support that is required. Otherwise, any license that they provide is just an annual subscription fee.

We evaluated the Fortify Static Code Analyzer and IBM Security AppScan, but our evaluation was not fully completed. We were happy with what we were seeing with Checkmarx, so we did not go ahead with the others.

My advice to any software development team using a different set of tools is to look at Checkmarx. It's a very good product. It's a great product, in fact. Any organization spending money on a subscription license should not look at it as a cost, rather, it should be seen as an investment. The Checkmarx solution can act as a resource that can help the development team to secure their application delivery. Be it an internal application for their own use, or applications being written for their customers.

This solution tells us where, in our code, the "best-fix location" is. To put this into perspective, consider a particular piece of code where there are ten vulnerabilities detected. Perhaps it is an SQL injection vulnerability. This tool gives you specific locations and informs that if you fix the code in certain areas (e.g. in three specific locations) then the subsequent vulnerabilities will automatically be addressed. Therefore, you save on development effort because you do not need to fix all ten vulnerabilities specifically and independently.

I would rate this product a nine out of ten.

I am representing Checkmarx as a reseller. I work with both the cloud and on-premises versions. I have been working with Checkmarx for more than twelve years.

Checkmarx is a must-use product due to the increasing number of cyber-attacks nowadays. The product's quality and performance justify its pricing, making it a worthwhile investment.

Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IAC), Supply Chain Security, and API Security.

The Dynamic Application Security Testing (DAST) feature should be better. The technical support service could also improve in terms of their response time.

I have been working with Checkmarx since the early days of Checkmarx, which is more than 12 years.

I would rate the stability of Checkmarx at nine out of ten.

Checkmarx is scalable, and I would rate its scalability at nine out of ten.

The customer service and support should be quicker from my point of view. I would rate them eight out of ten.

Positive

I have been working with Checkmarx for over 12 years without switching to a competitor due to Checkmarx being the best product in the market.

The initial setup is straightforward, especially with the cloud version where no deployment is needed. The on-premises version requires some time and depends on the customer's environment.

In typical circumstances, one senior engineer is enough for implementation, but in special cases, maybe two engineers are needed.

Checkmarx is cost-effective. It is a must-use product in today's cyber security environment.

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

I chose Checkmarx over competitors due to ethical considerations and its superior functionality.

Checkmarx is plug-and-play and the best product in the market at the moment, as evidenced by reports such as Gartner's.

I'd rate the solution nine out of ten.

We are using Checkmarx for analyzing threats.

We are not using the latest version of Checkmarx because we faced some issues.

Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities.

SonarCube functions better in these areas.

I have used Checkmarx within the last 24 months.

The stability of Checkmarx could improve.

I would rate the stability of Checkmarx a six out of ten.

The solution is scalable, but other solutions are better.

We have 20 developers using this solution. We have a few projects left to use this solution and then we will move to something else next year.

The support could improve, it takes a long time for a response. The service we received was poor.

I am using Checkmarx in parallel with SonarQube.

We didn't like how long they took to implement the product. The installation was not intuitive. We were constantly having meetings and installation additional things.

The implementation process should improve.

We were helped by both the local partner and the vendor for the implementation.

We have two developers for the maintenance and support of Checkmarx.

We're using a commercial version of Checkmarx, and we paid for the solution for two years. The price is high and could be reduced.

The local distributor charges two times higher than in other countries.

The purchase of this solution was a mistake.

I would advise others to deploy the solution and to test all of the functionality before buying and do not trust the marketing from Checkmarx.

I rate Checkmarx a four out of ten.

Checkmarx is used to check the code from programmers and vulnerabilities in third-party software.

Checkmarx can be deployed on the cloud and on-premise. However, it depends on the version.

Checkmarx detected code sections that did not adhere to best practices. After being informed, the programmers were able to rectify some of the issues. Without Checkmarx, it is unlikely we would have identified these issues.

Utilizing the SCA module, I gained valuable insights into the vulnerabilities present in open-source Python libraries that individuals desire to use. As an information security consultant, I advise against employing Python libraries that contain known vulnerabilities. The SCA solution proved to be helpful in this regard.

The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful.

Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not. 

In a future release, the SCA module could have better documentation. It was difficult to know how to check the names of all the modules. It took me a lot of time and I needed help to be able to write the requirements file. More clarification would be helpful in the documentation, such as examples.

I have been using Checkmarx for approximately six months.

The stability is great.

I rate the stability of Checkmarx a ten out of ten.

The scalability of the solution is great. Everything I send to the solution is processed quickly.

We have five information security analysts and programmers using this solution.

We plan to increase our usage. We will install it on more networks.

I rate the scalability of Checkmarx a ten out of ten.

I found someone in the evening that logged in and answered my issues. They are responsive.

I rate the support of Checkmarx a ten out of ten.

Positive

We have one person for the maintenance of the solution but it is minimal and is not a full-time job.

I would advise others to ask for a demo of the solution and if it works well for their use case then purchase it.

I rate Checkmarx a nine out of ten.

We use the solution for SAST and DAST testing.

Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes.

Checkmarx gives you an overview of all security aspects of the codes and shows what code aspects you need to be looking into.

 I would like to see the tool’s pricing improved.

I have been working with the solution for three years. At present, I am using the latest version.

The solution is stable.

The solution is scalable. Around 50 developers in our organization are using it.

The solution was easy to setup since it had proper documentation.

The solution’s deployment was done by in-house members.

We got good ROI with the use of the solution. We have seen returns on PCI and other security aspects.

I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone.

I would rate the solution an eight out of ten since it fulfills most of the requirements. I recommend this tool to anyone who is willing to give it a try.

We use this solution to check our systems for any vulnerabilities in our applications. Currently, I'm working on a banking tool, which is aligned with the menu. Our system was created 30 years ago and still is running in the market and doing well. However, currently, there are so many changes happening. Any solution coming into the technology needs to have a security check to ensure everything is safe. 

The reporting on the solution is very good. The reports we get are very self-explanatory. They aren't complex or confusing. They will tell us if we are facing vulnerabilities and where. From the reporting, it's quite easy to find the problems and fix them.

The solution overall is very good at detecting and pinpointing vulnerabilities in the code.

The user interface is excellent. It's very user friendly.

The solution offers good training documentation so we know how to handle problems as they arise.

Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made.

The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.

I've only been using the solution for three months. It hasn't been too long yet. I'm new to the position. My organization, however, has been using the solution for quite a while.

We have different team members on the solution in the UK and India. It's only available to those directly involved in the security aspects of our company.

We have our own in-house team that manages a lot of issues that may come up on the solution. 

The thing is, security is a major concern for us. We cannot exactly contact their team about a lot of things as we do have process guidelines and we need to follow these processes if we run into issues. If we have problems, we have an expert that can sit right next to us and figure out a solution. This helps us better manage the tool and the security surrounding it, rather than, for example, calling up the company and having a random help desk technician try and assist us.

For our purposes, the initial set up was not complex. It was fairly easy to plug the solution into our build processes and pipelines. We haven't had any issues with configurations or anything like that. It's been very straightforward.

The deployment is very fast and only takes about 15 minutes or so.

We manage the solution ourselves. However, if I personally want to access it, I do need to contact specific team members. Only specific individuals have access. It's not accessible to everyone in the organization. 

A specific team in our organization handled the initial setup and holds the license for the product.

I've looked at SonarQube. The basic difference between the two solutions is that Checkmarx is a bit more intelligent and can detect vulnerabilities better and faster than SonarQube. SonarQube is more focused on code and style formatting or code complexity. It depends on the priorities of the organization, as each has its own unique benefits.

I don't recall the exact version of the solution we are using.

I would recommend the solution. I'd rate it eight out of ten.

The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled. Among other benefits, this reduces the cost to fix the problem(s) as the fix can occur earlier in the SDLC.

The ability to identify a vulnerability, the optimal place for remediation and the correct syntax is very valuable. This feature helps ensure that the software fix is comprehensive and effective. The CxSuite is easy to use and because it provides the correct coding syntax to address a vulnerability, it helps improve the secure coding skill set among developers. The product can scan precompiled (source) code, as well as compiled (binary) code, delivering effectiveness and efficiency throughout the SDLC.

The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools.

The Checkmarx CxSuite covers a wide range of programming languages including many of the most popular languages used by developers today. As matter of general improvement, expanding coverage to languages (emerging, legacy) and open source frameworks will increase the overall effectiveness of product.

*2017 Update. A number of leading Open Source Frameworks are now supported.

The product is stable.

The product scales well.

The technical support is high quality. The support team is well versed in how best to configure, implement and operate the product.

I did not previously use a different solution.

The initial set up is straightforward. The product requires a fairly simple computing environment for operation.

The product licensing offers the flexibility to cover a wide range of environments. The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.

We considered several other commercial-grade application security solutions. The Checkmarx solution offers an ideal combination of code coverage, functionality, usability and TCO.

The Checkmarx CxSuite product works well, delivers efficiency to the SDLC, and most important of all, it effectively improves application security.

It works!