Checkmarx One Reviews

We use Checkmarx to review the source code for the external applications that we expose to the cloud or other servers on the internet.

We received two main benefits from Checkmarx:

1. Better Security
2. Saving Time

I recommend Checkmarx to be sure that your development has robust security. For your team management, Checkmarx has a very nice feature to check out manual staff in the process.

The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time.

Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company. 

You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible. 

In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products. 

With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too.

The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.

Checkmarx is a good product, certainly stable.

The scalability is good. We haven't had any problems with it.

Our experience with technical support is good. They have a lot of expert staff on their customer service lines. We have had no problems with their technical support services.

We used Veracode for some time and it's also a good solution. Veracode fits better for small companies. It's more automatic.

Checkmarx is more complete and they have more features to support our development team and security team requirements.

In general, Checkmarx is a better solution, but it's more complicated, especially in terms of the price for a small company.

Our deployment of Checkmarx took a couple of days, at max, a week. 

The setup was a long time back, but I know that we did not use a reseller or consultant for the deployment.

We evaluated some products from a company in Spain. Checkmarx provided better functionality and options for us.

We have a small team. It is about four people in total. We do not require that many staff for the deployment and maintenance of Checkmarx.

We are testing the solution in a small local company. Our idea is to expand the use of it to our clients in the West.

In this space, you can have different points of view and if only you are looking for a solution to do a check in your auditory report, then you can choose anyone. 

If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution.

I would rate Checkmarx a nine out of ten because of the price, but technically for me, it is a 10. 

I would rate Checkmarx with a nine because it would be perfect at a more functional level, and could be better at providing these features for parity. 

If you research what Checkmarx is offering in their package distribution, you get exactly what they promise up front, so they are not lying.

It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results.

Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.

I have been using this solution for a couple of years.

It is pretty stable.

It has the capability to scale very easily. It is not a problem.

Their support is good. It has a good webpage with a lot of details.

It is very easy to set up. It takes a couple of days. It is not an issue.

It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing. 

I would absolutely recommend this solution. I would rate Checkmarx a nine out of 10.

Our primary use case for this solution is SAST, Static Application Security Testing.

Our static operation security has been able to identify more security issues since implementing this solution.

There are many good features like site integration, but the most valuable feature for us is the XL scan of source code. 

It would be really helpful if the level of confidence was included, with respect to identified issues. Some competitors have this feature, and it helps a lot to concentrate on the real findings.

In general, stability is good, although sometimes it crashes. We use this product daily, and I would rate the stability a four out of five.

The scalability is very good.

Technical support for this solution is very effective. Each time we have had questions, the answers they provided have been very clear and comprehensive.

Prior to this solution, we were using IBM Security AppScan. We had many, many issues with the application, along with complaints about the deployment time. The main reason we switched is that it was not updated, and it did not support certain technologies. For example, it did not support Visual Studio 2017, so we had to switch to a new solution.

The initial setup for this solution is straightforward.

It took less that one day to deploy.

We handled the implementation in-house.

We have not yet seen ROI.

We did evaluate other options.

If people are in need of static application security, then I would recommend this product.

I would rate this solution an eight out of ten.

Code scan. We performed periodic static code scans on copies of our Git repository to identify possible vulnerabilities.

Code consistency. It prompted our developers to fix code or document code they otherwise would not have done.

The consistency of code. Showed our team where they are inconsistent or where they have made simple omissions.

Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.

It moved our organization towards being agile vs. waterfall.

Scan reviews can occur during the development lifecycle.

The areas in which this product needs to improve are:

• C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported.
• There were issues in regards to the JSP parsing.
• Defect report generation takes multiple hours for large projects.
• The Jenkins plugin does not work for projects that are larger than 4 million lines of code.
• The Eclipse plugin does not work.
• The hardware requirements for the tool add to the substantial cost of the solution and thus, increase the total cost of ownership.

• There seems to be a decline in the support team's responsiveness as our contract nears its end.

• We felt like we were the extended quality organization for Checkmarx as they frequently released poor quality patches that broke the existing functionality. A lot of the organizational hours, almost 1 FTE per year since Checkmarx was implemented, were spent to allow regression testing of the product. The Checkmarx SME team at my company had to do this testing to ensure that we do not expose product flaws to our user community.

We did encounter stability issues. The different versions of this product provide inconsistent results when the same piece of code is scanned.

We did not encounter any scalability issues.

The support team is knowledgeable. However, we still have tickets open from 2014. There is a lot of follow up required to get closure on issues.

Previously, we were using a different solution. We were leveraging multiple tools since we have code in multiple languages. Checkmarx advertised that they provide support for C, C+++, Java, etc. It turned out that they aren’t able to scan C and C++ for us. Our reason to switch to Checkmarx didn’t work out for us.

The initial setup was straightforward.

The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies.

I suggest using a trial term to run a gamut of scenarios that need to be leveraged before settling in with the Checkmarx solution.

We evaluated the Veracode option.

The product is not mature and ready for the enterprise usage yet. It is okay to use it when the support expectations are low and the code is in languages that require support only in Java and .NET.

We use the solution for scanning the code for security.

One of the most valuable features is it is flexible. 

The integration could improve by including, for example, DevSecOps.

In an upcoming release, they could improve by adding support for more languages.

I have been using the solution for two years.

I have found the solution to be stable.

The scalability of the solution is good. We have approximately 4000 using the solution in my organization and they are mostly engineers.

The technical support we have experience was good but they could be faster.

I would recommend this solution to others.

I rate Checkmarx a six out of ten.

I have used it for source code scanning of security vulnerabilities. It seems to be a good tool. It gives the proper code flow of vulnerabilities and the number of occurrences.

We have scanned various applications with it. It works fine, although we need to check manually for false positive issues. 

After scanning, it shows in-depth code of where actual vulnerabilities are, which helps us to analyze them.

It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use.

Now we have information about which specific sections have to be fixed. We can now remove the issue from most of the sections.

The solution communicates where to fix the issue for the purpose of less iterations.

The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered.

There were no stability issues.

There were no scalability issues.

I would give technical support a rating of 8/10.

We switched solutions due to the client's requirements.

I faced a few issues in the installation due to my local policies. The customer support was very helpful.

We looked at other tools, such as HPE Security and ZAP solutions.

Go for it, if you want testing on the code level.