Cx gives you the ability to push SAST down much lower in the SDLC process. With the use of multiple IDE plugins and the ability to do "incremental" scanning, a scan of your latest code does not bog down your machine as it is offloaded.
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
It allows for SAST scanning of uncompiled code. More API functionality should be added.
Pros and Cons
- "It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repo formats (Git, TFS, SVN, Perforce, etc)."
- "Meta data is always needed."
How has it helped my organization?
What is most valuable?
It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repo formats (Git, TFS, SVN, Perforce, etc).
What needs improvement?
Meta data is always needed. More tutorials/videos for developers to fix their vulnerabilities would be nice. Although the API is useful, I would like to see more functionality added.
What do I think about the stability of the solution?
I've had to restart services/bounce the VM on two rare occasions.
Buyer's Guide
Checkmarx One
November 2024
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the scalability of the solution?
It scales very easily.
How are customer service and support?
Customer Service:
Customer service is good. Engineers have been quick to get back to me regarding issues and custom work that I have performed.
Technical Support:
Technical support is very knowledgeable.
How was the initial setup?
Initial setup couldn't be any easier. Cx has good documentation on environment requirements. As long as you meet those, the installation process takes maybe 30 minutes for an initial setup; perhaps a bit longer if you're adding multiple engines.
What about the implementation team?
An in-house team implemented it.
What's my experience with pricing, setup cost, and licensing?
Everything is negotiable. Checkmarx approached our dealings in good faith and clearly wanted to be around for a while. It is much more inexpensive than some alternatives.
Which other solutions did I evaluate?
Before choosing, we also evaluated Fortify, IBM Appscan, Veracode, etc.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Security Engineer at SugarCRM
Security testing solution with vulnerability details and planned blackout times.
Pros and Cons
- "Vulnerability details is valuable."
- "Implementing a blackout time for any user or teams: Needs improvement."
How has it helped my organization?
- Put the vulnerability details area on the right side of the application or it may be changeable
- Save and reset screen configuration
What is most valuable?
Vulnerability details part.
What needs improvement?
- Vulnerability details: Reduce false positive results and improve it by providing more details on how I can resolve the vulnerability.
- Implementing a blackout time for any user or teams: Needs improvement. I need to place limits for some users or teams within a specific time frame. For example, between 02:00 to 06:00. They can't start any scanning during that time, even if they have scanner privileges.
What do I think about the stability of the solution?
In the latest version, the session logout doesn't work properly.
What do I think about the scalability of the solution?
We have two engine licenses, but we can't scan two projects at the same time.
How are customer service and technical support?
I would give technical support a rating of 9/10.
Which solution did I use previously and why did I switch?
We were using Fortify. Its software capability was limited in terms of mobile code scanning.
How was the initial setup?
The initial setup was very easy.
What's my experience with pricing, setup cost, and licensing?
We don't have any specific advice about these issues.
Which other solutions did I evaluate?
We evaluated Fortify and AppScan.
What other advice do I have?
I don't like the latest license update. I can't set a limit for the reviewer account.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director at a tech services company with 11-50 employees
Good features, good support, fair price, and good ability to deliver what customers require
Pros and Cons
- "The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
- "There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."
What is our primary use case?
We're selling their licenses and their technologies. We have on-premises and cloud deployments. Its deployment depends on the customer requirements.
It is used for a range of requirements for DevSecOps. It has been deployed to ensure that the development cycle delivers clean and secure code that is vulnerability-free. It is there as a part of the whole compliance and security process.
What is most valuable?
The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.
What needs improvement?
There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.
For how long have I used the solution?
I have been using this solution for two years.
What do I think about the scalability of the solution?
Our customers are completely comfortable with the scalability of the technologies. They can deploy them initially in a relatively straightforward manner and then grow them into their organization quite successfully. We primarily have large customers.
How are customer service and technical support?
Our team works with them. Their sales engineering team as well as their pre-sales capabilities are very good. They're clear. They work, and they're available, which is good. It is somewhat unusual in this business.
How was the initial setup?
It depends on different technologies, but it is reasonably quite straightforward.
What's my experience with pricing, setup cost, and licensing?
Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive.
What other advice do I have?
They're a very good company to work with, and that's a very important aspect of any technology these days. You could find very nice technologies, but if the company is not good to work with, it could be of no use. You'll not be able to get it deployed, and you'll not get assistance. You will get bad value for good technology. Checkmarx is a nice, pleasant, and relatively easy company to work with. You will get a good return, and you will get a good partnership and relationship working with them.
I would rate Checkmarx an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Security Source Code Analyst at a tech services company with 10,001+ employees
Easy to insert in the SDLC, but the CxAudit tool has room for improvement
Pros and Cons
- "The most valuable feature for me is the Jenkins Plugin."
- "I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
- "Updating and debugging of queries is not very convenient."
How has it helped my organization?
It is very easy to insert the tool in the SDLC because there are a wide variety of ways to access the source code, initiate scans, and review the results. The projects need not care about getting a tool or accessing the tool, and it is cheaper to use.
What is most valuable?
The most valuable feature for me is the Jenkins Plugin. We usually take a copy of the normal build job for Checkmarx so that:
- we have all of the source code we need for the build, normal and generated source code;
- we need only one technical user for scanning the projects (SVN access and Git access need to change the passwords every 90 days).
What needs improvement?
I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time).
Updating and debugging of queries is not very convenient.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
In our last update to version 8.5.0, we had a problem with DB migration but, overall, I must say it has been stable.
What do I think about the scalability of the solution?
Regarding scalability, we have only one scan engine and our licence allows only two scans at the same time.
How are customer service and technical support?
I would rate the technical support seven out of 10. When you first create a ticket you sometimes get questions that you wouldn't expect from first-level support.
Which solution did I use previously and why did I switch?
None. I started with this product.
How was the initial setup?
The initial setup was described very well and it was straightforward. We had only two small problems: implementing the SSL certificate, and getting access for LDAP users.
What's my experience with pricing, setup cost, and licensing?
We got a special offer for a 30% reduction for three years, after our first year.
I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year).
Which other solutions did I evaluate?
I didn’t evaluate this or other solutions, but my team leader had experience with HPE Fortify and he said it is much more expensive, and the service even worse.
What other advice do I have?
Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications).
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Consultant at a computer software company with 5,001-10,000 employees
Stable with an easy setup and good visibility
Pros and Cons
- "The setup is fairly easy. We didn't struggle with the process at all."
- "They could work to improve the user interface. Right now, it really is lacking."
What is our primary use case?
We primarily use the solution for static analysis.
What is most valuable?
The visibility the solution gives you is great. It really gives you the ability to see what the root issues in the code actually are.
The setup is fairly easy. We didn't struggle with the process at all.
What needs improvement?
The solution isn't exactly user-friendly. They could make the user experience a bit better in future builds.
They could work to improve the user interface. Right now, it really is lacking.
For how long have I used the solution?
We've been using this solution for six months. It's been less than a year and not very long just yet.
What do I think about the stability of the solution?
The solution is very stable. There aren't bugs or glitches. The solution doesn't freeze and it's not likely to crash. We find it very reliable.
What do I think about the scalability of the solution?
It's my understanding that the solution is scalable. A company that needs to expand can do so.
We have about 100 people that use it in the company.
How are customer service and technical support?
The technical support is fine. We've always had good experiences. We're satisfied with the level of service we are provided.
Which solution did I use previously and why did I switch?
We didn't previously use a different solution. We've only ever used this product.
How was the initial setup?
The initial setup is easy and straightforward. It's not complex.
We don't have to handle any maintenance. It's my understanding that Checkmarx handles it.
What's my experience with pricing, setup cost, and licensing?
The pricing is rather reasonable. It's not the most expensive on the market.
What other advice do I have?
We're a customer. We use the solution in our organization.
I'm not sure of which version of the solution we're using.
Overall, I'd rate the solution eight out of ten. We've had a pretty positive experience overall.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Application Security Manager at a tech services company with 201-500 employees
Good interface and reporting capability, and it integrates well with other products
Pros and Cons
- "The user interface is modern and nice to use."
- "If it is a very large code base then we have a problem where we cannot scan it."
What is our primary use case?
I am in charge of application security and Checkmarx is one of the products that I use in this capacity. We use this product for code scanning and static code analysis.
What is most valuable?
The user interface is modern and nice to use.
This product has very good reports.
Checkmarx integrates with a lot of different tools such as BitBucket and Jira.
There is good coverage for different languages.
What needs improvement?
I think that the configuration is a bit difficult and we required support from Checkmarx to complete it (there are a lot of manual, undocumented configurations that should be done, like direct changes in a database, for example). This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved.
If it is a very large code base then we have a problem where we cannot scan it (if a zip file of more than ~30 MB is provided, the scan crashes or takes a lot of time). It seems to me that they have a problem with the number of code lines scanned.
In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST).
For how long have I used the solution?
I have been working with Checkmarx for about five months.
What do I think about the stability of the solution?
It works fine but if you have a file that is too big to scan then it takes a lot of time to run and sometimes crashes.
There is a problem with the memory, and scanning a large codebase should be done by dividing it into different files. For microservices with a small number of lines of code, it works well. On the other hand, scanning a legacy solution such as a big monolith with millions of lines of code in it has been a problem. We need to make certain modifications to the files before we can upload them to the scan.
What do I think about the scalability of the solution?
We have 80 users who are using Checkmarx.
How are customer service and technical support?
They have very good technical support and we haven't had a problem with them. If you have a problem that you cannot handle on your own or you need to configure this product then you should have technical support.
How was the initial setup?
The basic installation is easy for us but in our case, we had some additional configuration that had to be done to access our documents on the server. We were not able to complete it without help from Checkmarx because there are a lot of configuration options, and we had to make manual changes to the database as well.
What other advice do I have?
In summary, this is a good application that you can use to scan every code language. You can configure the scan because they provide the Checkmarx query language. These queries are very good and very flexible. It requires a knowledge of this language but you can reach and deal with it using most languages.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SAP FIORI / HCP Consultant at Silveo
Helps us check vulnerabilities in our applications. I would like to integrate it as a service along with the cloud platform.
Pros and Cons
- "Helps us check vulnerabilities in our SAP Fiori application."
- "I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
How has it helped my organization?
This product helps us to deliver good quality software.
What is most valuable?
- Performs security checks for SAP Fiori applications
- Helps us check vulnerabilities in our SAP Fiori application
- Easy to use and master
- One of the most important tools in our building process
What needs improvement?
I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service.
This improvement is needed in order to follow the growth of the SAP Cloud Platform, which is a Platform as a Service created by SAP; many services have been added to SAP HANA Cloud Platform, like a Git repository, Jenkins, translation, etc.
So, if it is possible to add Checkmarx as a service in this platform, it will be easy to perform security checks directly without using a dedicated server.
What do I think about the stability of the solution?
Maybe this issue is related to our configuration. When we have many applications to check, I need to wait a long time in the queue.
What do I think about the scalability of the solution?
We did encounter scalability issues. Maybe this is related to the stability issue mentioned above.
Which solution did I use previously and why did I switch?
We haven't used anything else. This is our first solution.
How was the initial setup?
I don’t know how to set up the product.
Which other solutions did I evaluate?
We did not look at any other options.
What other advice do I have?
It is a good tool. I recommend it in order to ensure software quality.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
It scans code for security vulnerabilities without needing to compile first. It reports many false positives.
Pros and Cons
- "We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
- "Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."
How has it helped my organization?
Checkmarx saves us a lot of time. We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code.
What is most valuable?
The most valuable feature is that Checkmarx scans code for security vulnerabilities without needing to compile first.
What needs improvement?
Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”.
What do I think about the stability of the solution?
We encountered stability issues when scanning large code blocks. It consumes a lot of memory, and at times, Checkmarx services freeze and don’t work properly.
What do I think about the scalability of the solution?
I don’t know of any scalability issues.
How are customer service and technical support?
Just four words for the technical support team: “Checkmarx team is awesome”.
Which solution did I use previously and why did I switch?
Before Checkmarx, we used HPE Security Fortify and IBM AppScan. We also tried several open-source scanning tools.
How was the initial setup?
Overall, the initial setup is easy. Checkmarx provides an installer binary and we just need to go through the wizard for an express installation. If we need an advanced configuration, we contact the Checkmarx support team.
What's my experience with pricing, setup cost, and licensing?
I believe pricing is better compared to other commercial tools.
Which other solutions did I evaluate?
Yes, we compared Checkmarx features and benefits with IBM AppScan and HPE Security Fortify.
What other advice do I have?
Personally, I recommend Checkmarx for static analysis.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Hi Joe,
Given that you've continued to successfully use Checkmarx for an extended period of time since you contributed to our discussion that compares the solution to Veracode, how does your experience compare one year later?
(See the discussion thread here: www.itcentralstation.com)
Looking forward to your feedback.