Technical Lead at a tech services company with 1,001-5,000 employees
User friendly with a good interface and excellent at detecting vulnerabilities
Pros and Cons
- "The user interface is excellent. It's very user friendly."
- "The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."
What is our primary use case?
We use this solution to check our systems for any vulnerabilities in our applications. Currently, I'm working on a banking tool, which is aligned with the menu. Our system was created 30 years ago and is still running in the market and doing well. However, currently, there are so many changes happening. Any solution coming into the technology needs to have a security check to ensure everything is safe.
What is most valuable?
The reporting on the solution is very good. The reports we get are very self-explanatory. They aren't complex or confusing. They will tell us if we are facing vulnerabilities and where. From the reporting, it's quite easy to find the problems and fix them.
The solution overall is very good at detecting and pinpointing vulnerabilities in the code.
The user interface is excellent. It's very user friendly.
The solution offers good training documentation so we know how to handle problems as they arise.
What needs improvement?
Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made.
The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.
For how long have I used the solution?
I've only been using the solution for three months. It hasn't been too long yet. I'm new to the position. My organization, however, has been using the solution for quite a while.
Buyer's Guide
Checkmarx One
December 2024
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
What do I think about the scalability of the solution?
We have different team members on the solution in the UK and India. It's only available to those directly involved in the security aspects of our company.
How are customer service and support?
We have our own in-house team that manages a lot of issues that may come up on the solution.
The thing is, security is a major concern for us. We cannot exactly contact their team about a lot of things as we do have process guidelines and we need to follow these processes if we run into issues. If we have problems, we have an expert that can sit right next to us and figure out a solution. This helps us better manage the tool and the security surrounding it, rather than, for example, calling up the company and having a random help desk technician try and assist us.
How was the initial setup?
For our purposes, the initial setup was not complex. It was fairly easy to plug the solution into our build processes and pipelines. We haven't had any issues with configurations or anything like that. It's been very straightforward.
The deployment is very fast and only takes about 15 minutes or so.
We manage the solution ourselves. However, if I personally want to access it, I do need to contact specific team members. Only specific individuals have access. It's not accessible to everyone in the organization.
What about the implementation team?
A specific team in our organization handled the initial setup and holds the license for the product.
Which other solutions did I evaluate?
I've looked at SonarQube. The basic difference between the two solutions is that Checkmarx is a bit more intelligent and can detect vulnerabilities better and faster than SonarQube. SonarQube is more focused on code and style formatting or code complexity. It depends on the priorities of the organization, as each has its own unique benefits.
What other advice do I have?
I don't recall the exact version of the solution we are using.
I would recommend the solution. I'd rate it eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Founder at a tech company with 51-200 employees
It can scan precompiled (source) code, as well as compiled (binary) code.
Pros and Cons
- "The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled."
- "The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."
How has it helped my organization?
The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled. Among other benefits, this reduces the cost to fix the problem(s) as the fix can occur earlier in the SDLC.
What is most valuable?
The ability to identify a vulnerability, the optimal place for remediation and the correct syntax is very valuable. This feature helps ensure that the software fix is comprehensive and effective. The CxSuite is easy to use and because it provides the correct coding syntax to address a vulnerability, it helps improve the secure coding skill set among developers. The product can scan precompiled (source) code, as well as compiled (binary) code, delivering effectiveness and efficiency throughout the SDLC.
What needs improvement?
The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools.
The Checkmarx CxSuite covers a wide range of programming languages including many of the most popular languages used by developers today. As a matter of general improvement, expanding coverage to languages (emerging, legacy) and open source frameworks will increase the overall effectiveness of the product.
*2017 Update. A number of leading Open Source Frameworks are now supported.
What do I think about the stability of the solution?
The product is stable.
What do I think about the scalability of the solution?
The product scales well.
How are customer service and technical support?
The technical support is high quality. The support team is well versed in how best to configure, implement and operate the product.
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
How was the initial setup?
The initial setup is straightforward. The product requires a fairly simple computing environment for operation.
What's my experience with pricing, setup cost, and licensing?
The product licensing offers the flexibility to cover a wide range of environments. The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.
Which other solutions did I evaluate?
We considered several other commercial-grade application security solutions. The Checkmarx solution offers an ideal combination of code coverage, functionality, usability and TCO.
What other advice do I have?
The Checkmarx CxSuite product works well, delivers efficiency to the SDLC, and most important of all, it effectively improves application security.
It works!
Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a Checkmarx Certified Partner.
Head of DevOps at Tpconnects technologies
A highly recommended tool for delivering secure products
Pros and Cons
- "Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes."
- "I would like to see the tool’s pricing improved."
What is our primary use case?
We use the solution for SAST and DAST testing.
How has it helped my organization?
Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes.
What is most valuable?
Checkmarx gives you an overview of all security aspects of the codes and shows what code aspects you need to be looking into.
What needs improvement?
I would like to see the tool’s pricing improved.
For how long have I used the solution?
I have been working with the solution for three years. At present, I am using the latest version.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable. Around 50 developers in our organization are using it.
How was the initial setup?
The solution was easy to set up since it had proper documentation.
What about the implementation team?
The solution’s deployment was done by in-house members.
What was our ROI?
We got good ROI with the use of the solution. We have seen returns on PCI and other security aspects.
What's my experience with pricing, setup cost, and licensing?
I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone.
What other advice do I have?
I would rate the solution an eight out of ten since it fulfills most of the requirements. I recommend this tool to anyone who is willing to give it a try.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chief Executive Officer at Ethnos ITSolutions
Integrates well, overall good functionality, and highly reliable
Pros and Cons
- "The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
- "Checkmarx could improve by reducing the price."
What is our primary use case?
Checkmarx is a source code application for development, which means from the source code level, you can use Checkmarx to detect your coding errors, and to detect vulnerabilities that could have come from the different tools that you were using to develop your application. At the source code level, you can prevent the weaknesses that the application can carry on the journey of its development and use.
Checkmarx helps the users to have a secure coding environment and experience, and a secure source code level of application. That main application can leverage or improve the service delivery to customers.
What is most valuable?
The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera.
The software languages that they support are one of the largest in the market.
What needs improvement?
Checkmarx could improve by reducing the price.
For how long have I used the solution?
I have been using Checkmarx within the past 12 months.
What do I think about the stability of the solution?
Checkmarx has been stable in my usage and I'm confident to recommend it to anybody.
What do I think about the scalability of the solution?
Checkmarx is very scalable. It can run for small and large organizations.
How are customer service and support?
The technical support is good.
I rate the support from Checkmarx a four out of five.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup of Checkmarx is easy.
I rate the initial setup of Checkmarx a four out of five.
What about the implementation team?
We use one engineer with the help of Checkmarx for support and deployment.
What's my experience with pricing, setup cost, and licensing?
The price of Checkmarx could be reduced to match their competitors, it is expensive.
What other advice do I have?
I strongly recommend Checkmarx to others. I have sold the solution for nearly eight years, and I'm not aware of any major complaints that the users have that could not be resolved.
I rate Checkmarx an eight out of ten.
The Checkmarx application is a live wire of technology delivery, and if your application is vulnerable, then the asset that your acquisition will run will also suffer vulnerability. Providing the scanning ability that shows the errors at the source code level is critical to have effective development of any critical application.
I would recommend Checkmarx eight because it's very critical and integral to the improvement of technology and cyber security today. It's a critical tool in protecting cyberspace, your asset in cyberspace, and an application that runs nearly all human life today. Everything is driven by technology and application.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Solution Manager at a computer software company with 201-500 employees
Good value with a very good CodeBashing platform and AppSec Awareness
Pros and Cons
- "The value you can get out of the speedy production may be worth the price tag."
- "The pricing can get a bit expensive, depending on the company's size."
What is our primary use case?
We're more evaluating the solution rather than using it right now. We're resellers and it's something we'd like to offer to our clients.
What is most valuable?
I am aware of Checkmarx's portfolio, however, we've been playing exclusively with the SAST and with the AppSec Awareness platform, their Codebashing platform. It's been a very positive experience overall.
The value you can get out of the speedy production may be worth the price tag.
What needs improvement?
The reporting could be better on the product. It needs to be much more customizable, including being customizable for various roles.
The pricing can get a bit expensive, depending on the company's size.
For how long have I used the solution?
We've been working with this solution for some time. I have personally been working with the product for the last three or four months.
Which solution did I use previously and why did I switch?
We haven't really extensively worked with any other products.
What's my experience with pricing, setup cost, and licensing?
The cost might seem steep, however, it really depends, first, on the size and requirements of your company. There are companies for which the speed of developing new features, and developing them securely, is more valuable than for other organizations.
This goes not only for Checkmarx. It goes for any automated desktop security platform in general. I definitely see the cases when the Checkmarx license is a reasonable expense. It just may not be for everyone.
Which other solutions did I evaluate?
We've been looking at SonarQube. We're looking into other options as we don't want exclusively to just offer Checkmarx to potential clients.
We're looking for solutions more on the enterprise spectrum. Therefore, I would probably consider products such as Veracode. I would also consider the newer players, such as, for example, GitLab.
What other advice do I have?
We're resellers, however, we don't have an exclusive relationship with this company. We're looking at other products we can use and offer to our clients as well.
In our company, we do not have the Checkmarx solution running on production. We do have it, however, we only have a learning license, which is non-commercial.
On a scale from one to ten, I would rate this product at an eight. Overall, it's been a positive experience so far.
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Senior Manager at a manufacturing company with 10,001+ employees
A stable solution for identifying security vulnerabilities but needs functionalities for identifying the run-time null values and doing static and dynamic code validation
Pros and Cons
- "The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
- "We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
What is our primary use case?
We use Checkmarx for security vulnerability identification. We are using its latest version. We have a license to upgrade to the latest version. Whenever there is a new version, we update it to the latest version.
What is most valuable?
The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking.
What needs improvement?
We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code.
The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.
For how long have I used the solution?
I have been using this solution for two years.
What do I think about the stability of the solution?
Its stability is okay.
How are customer service and technical support?
We don't directly deal with the Checkmarx technical team. There is a support group available for that, and they work with the Checkmarx team. When we have any issues, we directly call our internal team, and they call the Checkmarx team. They get back to us pretty quickly. The response is very quick. There is no problem.
How was the initial setup?
The initial setup was easy. Our project was quite big, and it took a bit longer. It took almost six hours. We could not do it as CI/CD pipeline because the pipeline expects a response in a short span of time, which was a challenge for us. We are now doing the Checkmarx review manually. We first run the code analysis, and, after the code analysis is over, we go for the pipeline. This is an overhead for us.
It would be helpful if they can improve the speed of the analysis rate. We also need to find out from our side if there is a way to increase the wait time of the CI/CD pipeline and modify the timeout limit. It would then take 30 minutes to one hour rather than five or six hours. We should be able to adjust the timeout time, change the CI/CD settings, and go ahead with the integrated process. Currently, we cannot have an integrated system, and we also have to move from one script to the next script manually.
What other advice do I have?
Even though we run it manually, it captures most of the things. We decided to go with Checkmarx two years ago, and we are continuing with it.
I would rate Checkmarx a seven out of ten. There are a few things that can be improved in this solution.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Solutions Architect at Tsoft
Has GPT and Copilot integration, and UI is easy to navigate
Pros and Cons
- "The tool's valuable features include integrating GPT and Copilot. Additionally, the UI web representation is very user-friendly, making navigation easy. GPT has made several improvements to my security code."
- "I can't create a business case with multiple-factor authentication."
What is our primary use case?
I use the tool for testing purposes.
What is most valuable?
The tool's valuable features include integrating GPT and Copilot. Additionally, the UI web representation is very user-friendly, making navigation easy. GPT has made several improvements to my security code.
What needs improvement?
I can't create a business case with multiple-factor authentication.
For how long have I used the solution?
I have been working with the product for two years.
How are customer service and support?
While support handles tickets and resolves specific issues, such as business cases, it can be frustrating waiting for responses. They often take a lot of time to address cases or provide resolutions.
How would you rate customer service and support?
Neutral
How was the initial setup?
Checkmarx One's deployment is easy. When we deployed it for a new client, it took around a month to complete. This involved setting up all parameters and sub-administrators. Additionally, finalizing the project involved several tasks, such as scanning with all security gates.
What was our ROI?
We can get a return in six months.
What's my experience with pricing, setup cost, and licensing?
The tool's pricing is fine.
What other advice do I have?
I rate the overall product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Last updated: Jun 10, 2024
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
It allows for SAST scanning of uncompiled code. More API functionality should be added.
Pros and Cons
- "It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
- "Meta data is always needed."
Improvements to My Organization
Cx gives you the ability to push SAST down much lower in the SDLC process. With the use of multiple IDE plugins and the ability to do "incremental" scanning, a scan of your latest code does not bog down your machine as it is offloaded.
Valuable Features
It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc).
Room for Improvement
Meta data is always needed. More tutorials/videos for developers to fix their vulnerabilities would be nice. Although the API is useful, I would like to see more functionality added.
Stability Issues
I've had to restart services/bounce the VM on two rare occasions.
Scalability Issues
It scales very easily.
Customer Service and Technical Support
Customer Service:
Customer service is good. Engineers have been quick to get back to me regarding issues and custom work that I have performed.
Technical Support:
Technical support is very knowledgeable.
Initial Setup
Initial setup couldn't be any easier. Cx has good documentation on environment requirements. As long as you meet those, the installation process takes maybe 30 minutes for an initial setup; perhaps a bit longer if you're adding multiple engines.
Implementation Team
An in-house team implemented it.
Pricing, Setup Cost and Licensing
Everything is negotiable. Checkmarx approached our dealings in good faith and clearly wanted to be around for a while. It is much more inexpensive than some alternatives.
Other Solutions Considered
Before choosing, we also evaluated Fortify, IBM AppScan, Veracode, etc.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Hi Joe,
Given that you've continued to successfully use Checkmarx for an extended period of time since you contributed to our discussion that compares the solution to Veracode, how does your experience compare one year later?
(See the discussion thread here: www.itcentralstation.com)
Looking forward to your feedback.