We use the solution for dynamic application testing.
Cyber Security Engineer at Defa3 cyber security
A stable solution that helps with dynamic application testing
Pros and Cons
- "We use the solution for dynamic application testing."
- "I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."
What is our primary use case?
What needs improvement?
I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side.
For how long have I used the solution?
I have been working with the product for seven months.
What do I think about the stability of the solution?
I would rate the product's stability a ten out of ten.
Buyer's Guide
Checkmarx One
December 2024
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
What do I think about the scalability of the solution?
I would rate the product's scalability a ten out of ten. My company has 15 users for the produc.
How are customer service and support?
The solution's technical support is good.
How would you rate customer service and support?
Positive
How was the initial setup?
The tool's setup is very straightforward and I would rate it a ten out of ten. The product's deployment took one to two months to complete. We required the technical and development team which consisted of four to five people to handle the deployment.
What's my experience with pricing, setup cost, and licensing?
The solution's price is high and you pay based on the number of users.
What other advice do I have?
I would rate the product a ten out of ten. The solution is the best tool for developers and organizations.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Engineer Intern at Connex Information Technologies
Easy to deploy, scalable, and user-friendly UI
Pros and Cons
- "The UI is user-friendly."
- "The plugins for the development environment have room for improvements such as for Android Studio and X code."
What is our primary use case?
We use the solution for our international customers.
What is most valuable?
The UI is user-friendly.
The Fast feature for static application security testing is the most valuable.
What needs improvement?
The plugins for the development environment have room for improvements such as for Android Studio and X code.
For how long have I used the solution?
I have been using the solution for two months.
What do I think about the stability of the solution?
I give the stability a seven out of ten.
What do I think about the scalability of the solution?
I give the scalability a nine out of ten.
The scalability is based on the number of licenses. We currently have five licenses.
How are customer service and support?
The technical support is quick to respond.
How would you rate customer service and support?
Positive
How was the initial setup?
I give the initial setup an eight out of ten. The deployment takes about ten minutes.
What about the implementation team?
The implementation was completed by a consultant.
What's my experience with pricing, setup cost, and licensing?
The solution is costly. I give the solution a six out of ten for price.
What other advice do I have?
I give the solution a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Checkmarx One
December 2024
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
Founder & Chairman at Endpoint-labs Cyber Security R&D
The flexibility in regards to finding false-positives and false-negatives is amazing
Pros and Cons
- "From my point of view, it is the best product on the market."
- "Micro-services need to be included in the next release."
What is our primary use case?
I am the founder and the chairman of an internationally certified cybersecurity research lab. I have a Ph.D. in cryptology and network security.
We are a strategic partner of Checkmarx. Our job is to help them develop solutions. Currently, we are developing some algorithms and strategic solutions for them. Checkmarx informs us about what is happening, in advance, before they launch a product. We are also one of their testers.
What is most valuable?
Aside from my occupation, I am an academic. Because of our status, we test products as well as their competition, for example, we45, AppScan, SonarQube, etc. I have to point out, from an academic and business point of view, there is a very serious competitive advantage to using Checkmarx. Even if there are multiple vulnerabilities in the source coding, Checkmarx is able to identify which lines need to be corrected and then proceeds to automatically remediate the situation. This is an outstanding advantage that none of the competition offers.
The flexibility in regards to finding false-positives and false-negatives is amazing. Checkmarx can easily manage false-positives and negatives. You don't need to generate an additional platform if you would like to scan a mobile application from iOS or Android. With a single license, you are able to scan and test every platform. This is not possible with other competitive products. For instance, say you are using we45 — if you would like to scan an iOS application, you would have to generate an iOS platform first. With Checkmarx you don't need to do anything — take the source code, scan it and you're good to go. Last but not least, the incremental scanning capabilities are a mission-critical feature for developers.
Also, the API and integrations are both very flexible.
What needs improvement?
Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world.
Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.
For how long have I used the solution?
I have been using Checkmarx for six years.
What do I think about the stability of the solution?
Checkmarx is stable. We investigate the stability of the competition as well. From my point of view, it is the best product on the market. It's relatively expensive, but it's the best product. Keep in mind, this is not my private comment. I respect the comments, results, and the statistics of Gartner and these are their findings.
What do I think about the scalability of the solution?
Checkmarx has been selected as the front-runner by Gartner for the third year in a row — you bet it's scalable.
How are customer service and technical support?
We give technical support in our territory; Checkmarx's technical support is also quite good. If you open a ticket with a question, they'll reply the same day.
How was the initial setup?
The initial setup is not complex at all, it's straightforward and robust. If you decide to use Checkmarx, you'll be ready to go in one day.
What other advice do I have?
If you wish to purchase Checkmarx, you should scan the same source code with a different product, compare them to their competition, and make a decision. This way, you can see the difference and understand the benefits of Checkmarx. Test and scan some lines of code in any programming language you wish, then do the same with a competitor. Checkmarx will produce far fewer false-positives compared to any other solution on the market. Other solutions will produce roughly 900 false-positives whereas Checkmarx will cut that number in half. I am not trying to sell this product to you, this is simply the reality of it.
From the technological side, I would give this solution a rating of ten. From a commercial aspect, because it's relatively expensive, I would give it a rating of eight. Overall, because I must choose one number between one and ten, I will give Checkmarx a rating of ten.
Day by day, they are improving this product. For example, one of the most important features missing was open sources, which they have now added. They were also missing code training facilities, but they have added those as well. They have a complimentary product now.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Vice President at Arisglobal Software Pvt Ltd
Very good technical support, good vulnerability protection upgrades, and rich in features
Pros and Cons
- "The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
- "In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
What is our primary use case?
We are using it for static security scanning and static security testing. We also use it for code dependency analysis. We use two of the solution's tools for each variable.
What is most valuable?
The support the solution offers is very good. When we were evaluating tools, they were extremely helpful. They're always available and they always respond back to any queries.
The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database. I am able to be assured that when I am scanning my product those vulnerabilities are identified at very initial stages. It gives my development team more time to react.
What needs improvement?
The particular way the tool works for the scanning at the IDE level, is very expensive. It makes it very expensive to deploy this tool on to multiple different developers' machines. Right now, the way it scans, the request is raised to the IDE of the developer but then the actual scanning gets done in the centralized scan server. This increases the load on the scanning server and that will make it difficult to use Checkmarx at the developer end. That forces me to look for another solution for implementing at the developer IDE level. I would strongly recommend Checkmarx relook into their approach.
From a technical point of view, it's better to integrate with other systems within my ecosystem. For example, when I'm connecting Checkmarx with my DevSecOps pipeline and then wiring Checkmarx with other security systems as well as the pipeline (and my defect management system), it provides the connectivity to some of the tools, but there are tools which are excluded. It would be nice if they were added to the solution itself, otherwise, it requires us to do custom development.
In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now. I would recommend much more flexibility in terms of dashboarding to help us customize more effectively.
Their licensing model is rigid and difficult to navigate.
For how long have I used the solution?
I haven't been dealing with the solution for that long. We've only used it for one quarter - about three months.
What do I think about the scalability of the solution?
Their licensing fees are rigid and this causes two main issues. One is a restriction in terms of scaling the product at an enterprise level. The number of licenses required for a sizable business is just too large. The solution forces a user to apply for the licenses not directly to the software and the software products are defined in a curious way. For that reason, I wouldn't say it's great at scaling.
How are customer service and support?
So far, technical support at the initial level has been decent. We paid for their protection services, and, the protection tool is definitely very expensive. However, with the price tag comes more support and service.
We'll have to see in the coming quarters once the protection services end if the support will continue to be at such a high level of attention.
Which solution did I use previously and why did I switch?
We were using AppScan. Checkmarx is much better than that particular tool. It has more functionality and offers much more support to its users.
How was the initial setup?
It took about two to three days to deploy a basic portion of the solution. However, it takes more time in terms of configuring and fine-tuning the product so that it's useable. I would say it took us about two to three weeks of configuring before we could start our initial scans.
What about the implementation team?
We bought that separate service from Checkmarx to help us out in terms of deploying and configuring the products.
What's my experience with pricing, setup cost, and licensing?
This solution is definitely one of the more expensive tools. However, if I'm able to get value out of using it, I don't mind paying.
They have protection services costs that are separate from the main license.
There are multiple components that are part of the product suite and there are different license costs for each of those components. Sometimes it can be a little difficult to understand. There are a lot of components an individual will need to buy to cover an organization's needs. It really should be more transparent and flexible. Their licensing model as of today is quite rigid.
What other advice do I have?
We're just a customer. We don't have a special relationship with the company.
I would definitely recommend Checkmarx, I find them much more feature-rich than other tools I've used in the past.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO at a tech services company with 11-50 employees
Easy interface that is user friendly, quick scanning, and good technical support
Pros and Cons
- "The most valuable features are the easy to understand interface, and it 's very user-friendly."
- "We have received some feedback from our customers who are receiving a large number of false positives."
What is our primary use case?
The primary use case is for a white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level.
We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have.
The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.
What is most valuable?
The most valuable features are the easy to understand interface, and it 's very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan.
We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project.
The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.
What needs improvement?
Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improve the combination of the two solutions.
Both are good, but ISAT (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results.
We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation.
There are several levels and they are mapped to the different languages and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training.
Also, they will want to add their own content to this solution.
I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.
For how long have I used the solution?
I have been using this solution since 2015.
What do I think about the stability of the solution?
This solution is stable and we have not had bugs or glitches. If it is set up according to the instructions, there will be no negative feedback from the customers.
The platform has regular updates.
What do I think about the scalability of the solution?
This solution is scalable, but it depends on the package you have purchased as some do not allow you to expand.
How are customer service and support?
They have a great support team, and they can help you tune a solution. For our country, it is very important that they have Russian speaking support engineers and to have a quick response.
Also, they have a very good knowledge base. The resources are public on the Checkmarx website and they have good instructions and regulations on how you should tune the solution. It shows you where you can download the plug-ins, how to do it, and explains how they should be integrated.
Which solution did I use previously and why did I switch?
We have some experience with AppScan and with SonarQube. We started with a trial and felt that Checkmarx was the best.
How was the initial setup?
The initial setup is pretty simple, it's no problem to start using Checkmarx. It's a very good approach if you compare it with competitors.
It only takes a few hours to tune your Checkmarx solution. You may need more time for deeper integration when it comes to DLC integration, for example, when using plug-in build management, such as Jenkins.
If you are scanning and you have the source code then you are good to start scanning in a few hours. Three to four hours is required for tasks done in source code.
We have one or two engineers who can work with the solution.
For some of our customers have more than 100 developers and a DevOps team.
What's my experience with pricing, setup cost, and licensing?
This solution is expensive.
The customized package allows you to buy additional users at any time.
You could advise the vendor that you are in need of some more resources, and they can send you a trial license which lets you pay later. In the meantime, you can start working with the trial license.
They have subscriptions for licenses, but this is confidential information and I cannot share the price as per our non-disclosure agreement.
If you purchase a typical package then it is clear licensing with no hidden payments. You can add integration services for Checkmarx if you needed to, but it's optional.
The hardware is on the customer site. It could be virtual, or a physical server, or even cloud-based. You can choose what you want to use and there are still no hidden fees. Licensing and policy are clear.
What other advice do I have?
We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling.
We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company.
With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning.
Some of our customers like the Codebashing model. It's an additional model for learning for security practice for developers. They ask for additional tests to this model and want to receive the functionality to check the knowledge.
When you receive your product, you should start with testing and understand how it works according to your environment. This includes the language and what framework to choose because it is not a simple solution. You should understand that you should tune it.
The most effective approach is to implement SAST into the SDLC, (software development life cycle).
You should regularly check your source code, and check your security before every release. For infrastructure, security testing is not enough. There are several applications and static source code security is a must.
You should choose Checkmarx SAST for security checks and try to optimize it's build management or source code repository.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
AVP, aPaaS Engineer at a financial services firm with 10,001+ employees
Reasonably price, high performance, and simple installation
Pros and Cons
- "The solution has good performance, it is able to compute in 10 to 15 minutes."
- "Checkmarx could improve the REST APIs by including automation."
What is our primary use case?
We are using Checkmarx for application code scanning, such as scanning for different leverages in the application code.
What is most valuable?
The solution has good performance, it is able to compute in 10 to 15 minutes.
What needs improvement?
Checkmarx could improve the REST APIs by including automation.
For how long have I used the solution?
I have been using Checkmarx for approximately one year.
What do I think about the stability of the solution?
Checkmarx is stable.
What do I think about the scalability of the solution?
The scalability of Checkmarx is good, we can onboard easily.
We have approximately 200 people in my organization using this solution.
How are customer service and support?
I have not contacted technical support. We have not required it.
Which solution did I use previously and why did I switch?
I have used SonarQube previously.
How was the initial setup?
The installation is straightforward and takes approximately 40 minutes.
What about the implementation team?
I am able to do the implementation myself.
We have administrators and engineers that support and maintain the solution.
What's my experience with pricing, setup cost, and licensing?
We have purchased an annual license to use this solution. The price is reasonable.
What other advice do I have?
I rate Checkmarx a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Engineer at a pharma/biotech company with 501-1,000 employees
Detailed reporting assists in repairing problems, but there are a lot of false positives
Pros and Cons
- "The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
- "You can't use it in the continuous delivery pipeline because the scanning takes too much time."
What is our primary use case?
When I had an issue that was causing trouble in my code, I would upload it to Checkmarx to perform static code analysis. I would then study the reports.
How has it helped my organization?
Using this product improved the stability of my code that went into production.
What is most valuable?
The most valuable feature is the scanning.
The reports are very good because they include details on the code level, and make suggestions about how to fix the problems.
What needs improvement?
You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful.
It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.
For how long have I used the solution?
I used Checkmarx for about six months at my previous place of employment. I stopped using it about six months ago.
What do I think about the scalability of the solution?
We had perhaps 100 users at my previous job.
How are customer service and technical support?
I was not in contact with technical support.
What other advice do I have?
I would rate this solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director and Co-Founder at Ushiro-tec
The Best Fix Location & Payments Features Can Save Time Mitigating Network Configurations
Pros and Cons
- "The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time."
- "With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too."
What is our primary use case?
We use Checkmarx to review the source code for the external applications that we expose to the cloud or other servers on the internet.
How has it helped my organization?
We received two main benefits from Checkmarx:
- Better Security
- Saving Time
I recommend Checkmarx to be sure that your development has robust security. For your team management, Checkmarx has a very nice feature to check out manual staff in the process.
What is most valuable?
The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time.
What needs improvement?
Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company.
You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible.
In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products.
With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too.
The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
Checkmarx is a good product, certainly stable.
What do I think about the scalability of the solution?
The scalability is good. We haven't had any problems with it.
How are customer service and technical support?
Our experience with technical support is good. They have a lot of expert staff on their customer service lines. We have had no problems with their technical support services.
Which solution did I use previously and why did I switch?
We used Veracode for some time and it's also a good solution. Veracode fits better for small companies. It's more automatic.
Checkmarx is more complete and they have more features to support our development team and security team requirements.
In general, Checkmarx is a better solution, but it's more complicated, especially in terms of the price for a small company.
How was the initial setup?
Our deployment of Checkmarx took a couple of days, at max, a week.
What about the implementation team?
The setup was a long time back, but I know that we did not use a reseller or consultant for the deployment.
Which other solutions did I evaluate?
We evaluated some products from a company in Spain. Checkmarx provided better functionality and options for us.
What other advice do I have?
We have a small team. It is about four people in total. We do not require that many staff for the deployment and maintenance of Checkmarx.
We are testing the solution in a small local company. Our idea is to expand the use of it to our clients in the West.
In this space, you can have different points of view and if only you are looking for a solution to do a check in your auditory report, then you can choose anyone.
If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution.
I would rate Checkmarx a nine out of ten because of the price, but technically for me, it is a 10.
I would rate Checkmarx with a nine because it would be perfect at a more functional level, and could be better at providing these features for parity.
If you research what Checkmarx is offering in their package distribution, you get exactly what they promise up front, so they are not lying.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Checkmarx One Report and get advice and tips from experienced pros
sharing their opinions.
Updated: December 2024
Product Categories
Application Security Tools Static Application Security Testing (SAST) Vulnerability Management Static Code Analysis API Security DevSecOps Risk-Based Vulnerability ManagementPopular Comparisons
SonarQube Server (formerly SonarQube)
Veracode
GitLab
Mend.io
Fortify on Demand
Sonatype Lifecycle
CrowdStrike Falcon Cloud Security
Acunetix
PortSwigger Burp Suite Professional
GitHub Advanced Security
HCL AppScan
Qualys Web Application Scanning
GitHub
Klocwork
Buyer's Guide
Download our free Checkmarx One Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the biggest difference between Veracode and Checkmarx?
- Checkmarx or Veracode. Which should we choose?
- What is the Biggest Difference Between Checkmarx and Fortify?
- What is the biggest difference between Checkmarx and SonarQube?
- Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the Top 5 cybersecurity trends in 2022?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- Which application security solutions include both vulnerability scans and quality checks?