Co-Founder, CTO at a tech services company with 51-200 employees
It allows us to verify the dev department's code in order to minimize security holes, but it needs better role management.
What is most valuable?
They're all as valuable as each other.
How has it helped my organization?
We have used this product to verify the dev department's code in order to minimize security holes.
What needs improvement?
It needs better role management.
For how long have I used the solution?
I've used it for three years.
Buyer's Guide
Checkmarx One
December 2024
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and support?
Customer Service:
It's very good.
Technical Support:
It's very good.
Which solution did I use previously and why did I switch?
This is the only solution I have used.
How was the initial setup?
Very straightforward.
What about the implementation team?
I implemented it myself.
What's my experience with pricing, setup cost, and licensing?
Licensing is expensive per X amount of lines in the code.
Which other solutions did I evaluate?
No other options were evaluated.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are providing leads to Checkmarx.
Director of consultory at a non-tech company with 1,001-5,000 employees
Includes features to easily secure code, multiple language support and excellent customer support
Pros and Cons
- "The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all."
- "I would like to see the DAST solution in the future."
What is our primary use case?
We onboard clients with the solution. We install the product and do the first scan with them. We help developers with security and the best practices with their applications with this solution.
What is most valuable?
The most valued feature comes within the platform and is called Codebashing; it allows scanning code for security flaws. Our clients are able to learn from these scans and develop more secure code. The solution is easy to configure and user-friendly as well. They also have support for a large variety of languages compared to other solutions, and the product updates continuously.
What needs improvement?
I would like to see the DAST solution in the future.
For how long have I used the solution?
We have been using the solution for one year.
What do I think about the stability of the solution?
We had no issues and it has always worked at a top level of performance.
What do I think about the scalability of the solution?
The solution is easy to integrate. It is plug and play and integrates well with the pipeline and DevSecOps. Our main client is a big company and the solution works well.
How are customer service and technical support?
The support is excellent.
How was the initial setup?
The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all.
What was our ROI?
The product saves you money by minimizing the time needed to figure out how to mitigate the problems, by using such features as the Best Fix Location and the flow charts.
Which other solutions did I evaluate?
We evaluated Veracode before choosing Checkmarx.
What other advice do I have?
Depending on the client, we could deploy the solution on the cloud or on-premise. I would recommend Checkmarx because you can learn from the scanning done. They have some of the best features which make the product wonderful.
I rate Checkmarx a ten out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Minimal configuration, simple setup, and useful user interface
Pros and Cons
- "The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results."
- "Checkmarx could improve the speed of the scans."
What is our primary use case?
Checkmarx is used for application security, we can detect the stability and other details on how to fix issues.
What is most valuable?
The most valuable feature of Checkmarx is the user interface, it is very easy to use. We do not need to configure anything, we only have to scan to see the results.
What needs improvement?
Checkmarx could improve the speed of the scans.
For how long have I used the solution?
I have been using Checkmarx for approximately half a year.
What do I think about the scalability of the solution?
We have five people in our company who use Checkmarx; we do not plan to increase usage.
How are customer service and support?
I have used the support from Checkmarx.
Which solution did I use previously and why did I switch?
I have not used another before Checkmarx.
How was the initial setup?
The initial setup of Checkmarx was very easy. The process took approximately one hour. We only need to provide information.
What about the implementation team?
We have five people that are supporting Checkmarx in our company.
What other advice do I have?
This solution is one of the easiest solutions I have used. We have professional services set it up for us but the scans are not enough for us.
I rate Checkmarx an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
General Manager at a consultancy with 51-200 employees
Intuitive interface, easy to set up, and saves us money by finding problems at an early stage
Pros and Cons
- "The UI is very intuitive and simple to use."
- "Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."
What is our primary use case?
We use Checkmarx for static analysis as part of our software development lifecycle. It is very important because it helps us identify the security flaws in the code at a very early stage. Ultimately, this helps in reducing costs.
What is most valuable?
The UI is very intuitive and simple to use. You don't need to know anything about the product before you begin working with it.
The interface used to audit issues is also simple to use.
Compared to similar products, the code scanning time is fast.
What needs improvement?
Most of the static analysers come with pre-loaded rulesets. However, many times developers have to write their own custom rules. Writing custom rules in Checkmarx is difficult because you need a different editor which is licensed separately. Besides, not much training material is available on how to write the rules.
For how long have I used the solution?
We have been using Checkmarx for almost four years.
What do I think about the stability of the solution?
It is pretty stable and we have not had any issues. We have a monitoring team that monitors the health of our infrastructure and we are alerted to any problems.
What do I think about the scalability of the solution?
We were able to scale easily and did not have any issues in doing so. At this time, we have between 70 and 80 applications that we are scanning with it.
How are customer service and technical support?
We have contacted technical support a couple of times and the issues were addressed in a timely manner.
Which solution did I use previously and why did I switch?
We have used other products and found that you have to spend considerable time fine-tuning the scanning engine. With Checkmarx, it is a lot less and I would say that this is one of the significant differences with this solution.
The maintenance in terms of running the scans and fine-tuning the scans is very low.
On the other hand, we have used other tools where writing custom rules is not so difficult to do.
How was the initial setup?
Checkmarx is pretty straightforward and very easy to set up.
What about the implementation team?
Our in-house team deployed and manages this product. I have one person who handles all of it, and the deployment can be completed within a day or two. As long as the infrastructure is ready, it can be done within a day.
What was our ROI?
Checkmarx helps us to find problems with source code at an early stage in the development, which saves us in terms of troubleshooting costs.
What's my experience with pricing, setup cost, and licensing?
The interface used to create custom rules comes at an additional cost.
What other advice do I have?
Checkmarx is probably one of the best static code analyzers available in the market at this point. It is very easy to deploy, use, and maintain. The amount of maintenance required is pretty low. It is absolutely a good tool that I can recommend.
Checkmarx has added a lot of functionality since we began using it. This includes OSA, the open-source scan, a training module, and run-time protection.
For static code analysis, we are only using Checkmarx and we plan to continue.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Business Analyst at a tech services company with 201-500 employees
It made our organization more efficient with our whole code scan/deployment process for our software applications.
Pros and Cons
- "It is a stable product."
- "Most valuable features include: ease of use, dashboard, interface and the ability to report."
- "It is an expensive solution."
What is our primary use case?
Our primary use case for the solution is code scanning.
How has it helped my organization?
It has made our organization more efficient with our whole code scan/deployment process for our software applications.
What is most valuable?
The most valuable features are:
- Ease of use
- Dashboard
- Interface
- Report
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
I have not had an issue with stability of the product.
What do I think about the scalability of the solution?
There have been no issues with scalability that I am aware of.
How are customer service and technical support?
I have not needed the use of technical support.
Which solution did I use previously and why did I switch?
Previously, we considered: Veracode, SonarQube, Fortify and IBM Security AppScan.
How was the initial setup?
I was not involved in the initial setup of the solution.
What was our ROI?
One should consider:
- Visual studio
- Report generation
- If the solution can be on-prem
- Pricing
What's my experience with pricing, setup cost, and licensing?
It is an expensive solution.
What other advice do I have?
Be cautious of the one-year subscription date. Once it expires, your price will go up.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SRE Vice Group Manager at a tech services company with 10,001+ employees
We can create custom rules for code checks. You have to do a lot of customization.
Pros and Cons
- "The solution allows us to create custom rules for code checks."
- "This product requires you to create your own rulesets. You have to do a lot of customization."
How has it helped my organization?
During the trial period, we tried to build automated security development lifecycles with this product and with other products. We have achieved partial success with this.
What is most valuable?
The solution allows us to create custom rules for code checks. Without custom rules, the system couldn’t find anything serious in the custom code and libraries.
What needs improvement?
The main issue was the supported Windows OS for the installation. Windows is not appropriate for a big internet company’s infrastructure. Supporting a Windows machine, especially for this software, is inconvenient.
This product requires you to create your own rulesets. You have to do a lot of customization. The default rules do not work very well. In addition, it is impossible to analyze code with dynamic dependencies.
What do I think about the stability of the solution?
There were no problems with stability. The application was stable in our test cases.
What do I think about the scalability of the solution?
There were no scalability issues, but keep in mind that our version can only scale on one server.
How are customer service and technical support?
There is very good technical support. We have the support of two onsite engineers.
Which solution did I use previously and why did I switch?
We are using other tools along with this solution.
How was the initial setup?
The setup was simple. It mostly involved clicking the “Next” button in the Windows installer.
What's my experience with pricing, setup cost, and licensing?
The pricing was not very good. This is just a framework which shouldn’t cost so much.
The product comes with very strange licensing options. They don’t let you exclude workplace licenses, which are useless for building automated systems.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Cybersecurity Solution Architect at a computer software company with 51-200 employees
Integrates well with other security solutions
Pros and Cons
- "It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
- "I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."
What is our primary use case?
Checkmarx is used only for static application security testing (SAST), and it can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security.
What needs improvement?
I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features. So most of my customers would love to have consolidated vendors who cover all application security to lower operational overhead.
For how long have I used the solution?
I'm a solution architect, not an end-user. I'm selling Checkmarx. This is the first year I've done business with Checkmarx. In the past five years, I worked a lot with Fortify and Micro Focus. I currently have two customers running Checkmarx, and one more is evaluating the product.
How was the initial setup?
Setting up Checkmarx should be relatively straightforward. It takes a little more time for the DevOps team to enable everything, but overall deployment should take less than a week, including preparation and implementation.
What's my experience with pricing, setup cost, and licensing?
Most of my customers opted for a perpetual license. They prefer to pay the highest amount upfront for the perpetual license and then pay for additional support annually.
What other advice do I have?
I rate Checkmarx eight out of 10. Until I get more extensive feedback from clients, I would rate it an eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Information Security Architect at a tech services company with 1,001-5,000 employees
Gives a lower number of false positives and supports most languages, but needs to support the remaining languages and create a model to identify zero-day attacks
Pros and Cons
- "The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages."
- "They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
What is our primary use case?
We are using multiple solutions for application security, and Checkmarx is one of them. We are a client-centric organization, and we are also providing support to clients for application security. Sometimes, we have our own production, and then we scan the customer information and provide application security. For a few clients, it is deployed on the cloud, and for a few customers, it is on-premises.
What is most valuable?
The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages.
What needs improvement?
They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.
What do I think about the stability of the solution?
It is stable, and it works.
What do I think about the scalability of the solution?
It is scalable. Our clients are small, medium, and big enterprises. It is for all the categories.
How are customer service and technical support?
Their support is good. I had discussions with them multiple times. We are getting proper support.
How was the initial setup?
It is straightforward. It is not a big challenge. It doesn't take long.
What's my experience with pricing, setup cost, and licensing?
I would rate Checkmarx a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Going for another POC with Checkmarx... This time implementing it with Jira, to open an automatic flow for better mitigation SLA and for Infosec visibility