Checkmarx is plug-and-play and the best product in the market at the moment, as evidenced by reports such as Gartner's. I'd rate the solution nine out of ten.
To achieve better results, consider performing both native integration in the SCM tool and integration using the CI/CD solution. This helps gain visibility into the deployment stages and ensures comprehensive code scanning. I'd rate the solution eight out of ten.
If someone has too many applications, they can directly integrate Checkmarx into the CI/CD pipeline. We got the license and are running the solution for our customers. We do not charge our customers for the solution. Overall, I rate the product an eight out of ten.
My company is in the service business, so it provides services to customers. For example, the customer uses SonarQube, so my company uses the same tool to execute vulnerability assessments. I've worked on Checkmarx, NetSuite, Acunetix, and other application security tools used by customers. My rating for Checkmarx is eight out of ten because it's a good product, and its only con is the cost, which is high for some customers. I recommend Checkmarx to others because of its performance. The tool has better intelligent outcomes, and Checkmarx has better automation internally. My company is a Checkmarx customer.
Senior Software Engineering Manager at a financial services firm with 10,001+ employees
Real User
Top 20
2023-01-13T15:09:20Z
Jan 13, 2023
I rate this solution an eight out of ten. I would recommend going for a piloting approach. With Checkmarx, you have different presets and can determine the security vulnerability standard. Also, check the stability before proceeding with the adoption.
Software Engineer at a manufacturing company with 10,001+ employees
Real User
Top 10
2022-12-01T08:56:00Z
Dec 1, 2022
Right now, we are partners. We have the solution deployed in the cloud and on-premises. It's a hybrid setup. I'd rate the solution seven out of ten. I'd recommend the product to other users.
Security Architect at a financial services firm with 5,001-10,000 employees
Real User
Top 20
2022-10-06T15:42:53Z
Oct 6, 2022
We have two administrators who coordinate maintenance with the vendor. My advice is that you need to estimate the right amount of licenses. That's very important because right now, our company needs more licenses, and that was not well estimated at the beginning. The other thing is to be clear about the features of this tool that you want or need. I would rate this solution as a nine out of ten.
I’d rate the solution eight out of ten based on ease of use, configuration, customer service, and response time. There are other products out there that are provided as a service where they will go, and you push a button, they collect the data, they review the data, yet there's no specific standard license agreement or SLA that says they're supposed to get back to you within a particular moment of time. Everything that Checkmarx does is instantaneous.
I strongly recommend Checkmarx to others. I have sold the solution for nearly eight years, and I'm not aware of any major complaints that the users have that could not be resolved. I rate Checkmarx an eight out of ten. The Checkmarx application is a live wire of technology delivery, and if your application is vulnerable, then the asset that your acquisition will run will also suffer vulnerability. Providing the scanning ability that shows the errors at the source code level is critical to have effective development of any critical application. I would recommend Checkmarx eight because it's very critical and integral to the improvement of technology and cyber security today. It's a critical tool in protecting cyberspace, your asset in cyberspace, and an application that runs nearly all human life today. Everything is driven by technology and application.
I rate Checkmarx eight out of 10. It's secure, easy to use, and Checkmarx regularly updates their rule sets. I'm happy with the main features of the product, but some of the additional features didn't work for us in the beginning, like scanning at the source code repository level, reporting, etc. There was a lot of back and forth before it started working, so that's why I deducted two points. My advice for future Checkmarx users is to plan the initial deployment well. You will have to choose the right system configuration: CPUs, RAM, disk space, and backup policy. If you plan ahead, you won't have any issues trying to debug or when the size increases.
Technical Lead of Developers at a government with 10,001+ employees
Real User
2022-04-29T23:13:01Z
Apr 29, 2022
Checkmarx isn't accredited by the US government for DOD networks, so we've been forced to remove it from the network. I'd rate Checkmarx as seven out of ten.
Head of IT Security Department at an energy/utilities company with 5,001-10,000 employees
Real User
2022-01-12T16:21:24Z
Jan 12, 2022
The purchase of this solution was a mistake. I would advise others to deploy the solution and to test all of the functionality before buying and do not trust the marketing from Checkmarx. I rate Checkmarx a four out of ten.
Engineer senior at a hospitality company with 10,001+ employees
Real User
2022-09-10T15:44:18Z
Sep 10, 2022
We would recommend that organizations considering this solution think about the size of the project involved, as this product works best with very small-scale applications. I would rate this solution a seven out of ten.
My advice to others is that Checkmarx is good compared to the other tools. However, they are all comparable, it depends on what languages they want to scan. Overall, Checkmarx is a decent solution. It would be a good idea to test other solutions. I rate Checkmarx
This solution is one of the easiest solutions I have used. We have professional services set it up for us but the scans are not enough for us. I rate Checkmarx an eight out of ten.
Director at a tech services company with 11-50 employees
Reseller
2021-03-09T22:51:35Z
Mar 9, 2021
They're a very good company to work with, and that's a very important aspect of any technology these days. You could find very nice technologies, but if the company is not good to work with, it could be of no use. You'll not be able to get it deployed, and you'll not get assistance. You will get bad value for good technology. Checkmarx is a nice, pleasant, and relatively easy company to work with. You will get a good return, and you will get a good partnership and relationship working with them. I would rate Checkmarx an eight out of ten.
Solution Manager at a computer software company with 201-500 employees
Reseller
2021-01-27T09:57:18Z
Jan 27, 2021
We're resellers, however, we don't have an exclusive relationship with this company. We're looking at other products we can use and offer to our clients as well. In our company, we do not have the Checkmarx solution running on production. We do have it, however, we only have a learning license, which is non-commercial. On a scale from one to ten, I would rate this product at an eight. Overall, it's been a positive experience so far.
Senior Manager at a manufacturing company with 10,001+ employees
Real User
2021-01-04T18:28:47Z
Jan 4, 2021
Even though we run it manually, it captures most of the things. We decided to go with Checkmarx two years ago, and we are continuing with it. I would rate Checkmarx a seven out of ten. There are a few things that can be improved in this solution.
Director of consultory at a non-tech company with 1,001-5,000 employees
Real User
2020-12-24T12:43:00Z
Dec 24, 2020
Depending on the client, we could deploy the solution on the cloud or on-premise. I would recommend Checkmarx because you can learn from the scanning done. They have some of the best features which make the product wonderful. I rate Checkmarx a ten out of ten.
Cyber Security Consultant at a computer software company with 5,001-10,000 employees
Consultant
2020-12-02T09:30:30Z
Dec 2, 2020
We're a customer. We use the solution in our organization. I'm not sure of which version of the solution we're using. Overall, I'd rate the solution eight out of ten. We've had a pretty positive experience overall.
Sr. Application Security Manager at a tech services company with 201-500 employees
Real User
2020-09-21T06:33:17Z
Sep 21, 2020
In summary, this is a good application that you can use to scan every code language. You can configure the scan because they provide the Checkmarx query language. These queries are very good and very flexible. It requires a knowledge of this language but you can reach and deal with it using most languages. I would rate this solution an eight out of ten.
General Manager at a consultancy with 51-200 employees
Real User
2020-09-13T07:02:21Z
Sep 13, 2020
Checkmarx is probably one of the best static code analyzers available in the market at this point. It is very easy to deploy, use, and maintain. The amount of maintenance required is pretty low. It is absolutely a good tool that I can recommend. Checkmarx has added a lot of functionality since we began using it. This includes OSA, the open-source scan, a training module, and run-time protection. For static code analysis, we are only using Checkmarx and we plan to continue. I would rate this solution a nine out of ten.
If you wish to purchase Checkmarx, you should scan the same source code with a different product, compare them to their competition, and make a decision. This way, you can see the difference and understand the benefits of Checkmarx. Test and scan some lines of code in any programming language you wish, then do the same with a competitor. Checkmarx will produce far fewer false-positives compared to any other solution on the market. Other solutions will produce roughly 900 false-positives whereas Checkmarx will cut that number in half. I am not trying to sell this product to you, this is simply the reality of it. From the technological side, I would give this solution a rating of ten. From a commercial aspect, because it's relatively expensive, I would give it a rating of eight. Overall, because I must choose one number between one and ten, I will give Checkmarx a rating of ten. Day by day, they are improving this product. For example, one of the most important features missing was open sources, which they have now added. They were also missing code training facilities, but they have added those as well. They have a complimentary product now.
We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling. We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company. With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning. Some of our customers like the Codebashing model. It's an additional model for learning for security practice for developers. They ask for additional tests to this model and want to receive the functionality to check the knowledge. When you receive your product, you should start with testing and understand how it works according to your environment. This includes the language and what framework to choose because it is not a simple solution. You should understand that you should tune it. The most effective approach is to implement SAST into the SDLC (software development life cycle). You should regularly check your source code, and check your security before every release. For infrastructure, security testing is not enough. There are several applications and static source code security is a must. You should choose Checkmarx SAST for security checks and try to optimize its build management or source code repository. I would rate this solution a nine out of ten.
We're just a customer. We don't have a special relationship with the company. I would definitely recommend Checkmarx, I find them much more feature-rich than other tools I've used in the past. I'd rate the solution eight out of ten.
Software Configuration Manager at a tech vendor with 501-1,000 employees
Real User
2019-06-19T05:02:00Z
Jun 19, 2019
From an administrative standpoint, I would rate Checkmarx with a five out of ten. From what my users are telling me, I'd give it an eight for the tool's ability to report on vulnerabilities in the user experience. I would rate Checkmarx with an eight on the user side and a five on the admin side. Customers need to work with Checkmarx to scale the system for their needs, i.e. work with their recommendations. The best practices that they have there. They have this formula to calculate how many CPUs and how much memory you need. The memory requirements are huge. We've got 64 GB machines to scan them. That's the low end of what they're recommending. Their processes do a lot of number crunching in memory. For a 4 million line code base, it's just going to consume a lot of time and a lot of resources. We are only using the source code scanner. We're not using the OSS scanner. We use Artifactory for our OSS repository, and Artifactory comes with its own built-in OSS scanner. We didn't need two OSS scanners.
Practice Head - IT Risk & Security Management Services at Suma Soft Private Limited
Real User
2019-05-16T16:17:00Z
May 16, 2019
My advice to any software development team using a different set of tools is to look at Checkmarx. It's a very good product. It's a great product, in fact. Any organization spending money on a subscription license should not look at it as a cost, rather, it should be seen as an investment. The Checkmarx solution can act as a resource that can help the development team to secure their application delivery. Be it an internal application for their own use, or applications being written for their customers. This solution tells us where, in our code, the "best-fix location" is. To put this into perspective, consider a particular piece of code where there are ten vulnerabilities detected. Perhaps it is an SQL injection vulnerability. This tool gives you specific locations and informs that if you fix the code in certain areas (e.g. in three specific locations) then the subsequent vulnerabilities will automatically be addressed. Therefore, you save on development effort because you do not need to fix all ten vulnerabilities specifically and independently. I would rate this product a nine out of ten.
We have a small team. It is about four people in total. We do not require that many staff for the deployment and maintenance of Checkmarx. We are testing the solution in a small local company. Our idea is to expand the use of it to our clients in the West. In this space, you can have different points of view and if only you are looking for a solution to do a check in your auditory report, then you can choose anyone. If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution. I would rate Checkmarx a nine out of ten because of the price, but technically for me, it is a 10. I would rate Checkmarx with a nine because it would be perfect at a more functional level, and could be better at providing these features for parity. If you research what Checkmarx is offering in their package distribution, you get exactly what they promise up front, so they are not lying.
Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.
Checkmarx One offers comprehensive application scanning across the SDLC:
Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
API security
Dynamic Application Security Testing (DAST)
Container security
IaC security
Correlation,...
I rate the overall product an eight out of ten.
I rate Checkmarx an eight out of ten.
I would rate the product a ten out of ten. The solution is the best tool for developers and organizations.
I'm a customer and end-user. I would recommend the solution to other users. I'd rate the solution eight out of ten.
I give the solution a nine out of ten.
I rate the solution a seven out of ten.
I would rate it a seven out of ten. It's not the best tool on the market, but it provides some good capability for what it is.
It has been working well. I would rate it a seven out of 10.
I rate Checkmarx a nine out of ten.
I rate Checkmarx eight out of 10. Until I get more extensive feedback from clients, I would rate it an eight.
I would absolutely recommend this solution. I would rate Checkmarx a nine out of 10.
I would recommend this solution to others. I rate Checkmarx a six out of ten.
Overall, we are very satisfied with Checkmarx and it is a product that I recommend. I would rate this solution an eight out of ten.
I would rate this solution a seven out of ten.
This is a product that I recommend and I would rate it a seven out of ten.
I don't recall the exact version of the solution we are using. I would recommend the solution. I'd rate it eight out of ten.
If people are in need of static application security, then I would recommend this product. I would rate this solution an eight out of ten.
Be cautious of the one-year subscription date. Once it expires, your price will go up.