What needs improvement with Checkmarx?

Checkmarx could improve by reducing the price.

The Dynamic Application Security Testing (DAST) feature should be better. The technical support service could also improve in terms of their response time.

Checkmarx needs improvement in its Dynamic Application Security Testing (DAST) and API security features. The DAST solution uses the OWASP Zap engine, which is less powerful compared to other market solutions like Fortify's WebInspect. Additionally, the API security solution does not provide comprehensive results, and the secret scanning feature also needs enhancement. Furthermore, the container security and infrastructure as code scanning features are not mature enough and require significant improvements.

I can't create a business case with multiple-factor authentication.

We can run only one project at a time. We haven't tested multiple projects at the same time. Currently, not all the projects are visible under one pane. We handle one-time projects. As a manager, I do not have the overall visibility of all projects simultaneously. I have already raised a support ticket requesting the ability to manage all projects from a single pane. There may be an option for it. However, I am not aware of it. The solution must provide more integration with different platforms.

The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor, it lacks the details one gets when viewing the results directly from the Checkmarx One platform.

I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side.

We haven't had any issues with the solution so far. It is not missing any features. It takes too much time to check the code. The validation process needs to be sped up. There have been some configuration issues. We sometimes have failures.

The plugins for the development environment have room for improvements such as for Android Studio and X code.

The solution sometimes reports a false auditable code or false positive. This is not a bug but something within the software's operation that should be addressed.

One area for improvement in Checkmarx is pricing, as it's more expensive than other products.

The benefits could be improved. We are a banking company, so we focus on security. We use Checkmarx for multiple applications, and IAST is an interactive application security testing that Checkmarx claims; however, we have not explored it yet. We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level. We want an option to group several projects and view them at a business level. Additional features could include a comprehensive dashboard and secret scanning capabilities.

A non-developer may struggle with the solution. Codebashing is the learning platform that comes bundled with Checkmarx. The thing with Codebashing is that they give you tips on how to write secure code. However, I saw other developers complain about this. Instead of telling you what the good practices are, it would be more helpful, when we are writing the code, alongside that code, to have Codebashing tell us where exactly we are going wrong and how to help secure code and if there are specific scenarios we should be considering. Basically, the integration needs to be better. There's a general lack of space. Checkmarx has a slightly difficult compilation with the CI/CD pipeline. If it could be easily integrated into the CI/CD pipeline, then it would be much easier for developers rather than being an extra step that developers have to take to make the code secure.

The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information. There are some cases where you have to go directly to the Checkmarx database to get the information that you want. The default module that provides statistics is basic, and you need more elaborate information to do vulnerability management. The tool has a limited scope.

As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to.

Checkmarx could be improved with more integration with third-party software.

Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities. SonarCube functions better in these areas.

We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process.

The interactive application security testing, or IAST, where code scans are being ran on an application that lives in a runtime environment on a server or virtual machine, needs improvement. There was limited support from different languages. It didn't support everything under the sun, so you would lose revenue since you didn't have support for Scala or some other language that your developer was fluent in. They needed to improve on language support. That is about it, really. The dev team did everything that they said they were going to do. If they said they were going to hit a mark, they'd hit a mark. That release would come out. Typically, they would do four major releases a year, quarterly, with two-point releases in between, or based on any additional hotfixes that may be needed. In most cases, however, IAST was the part of the product that needed to be improved the most. Codebashing is a really cool product from the aspect of teaching developers how to write secure code. However, it would be even cooler if you could not only point out and teach someone how to do it while also making the appropriate recommendation on how to rewrite the code itself, using machine learning or AI. Instead of you, the developer learning how to do it and then writing the code yourself, it'd be cooler if you could push a button, have it analyzed, scans the code, find the code, find the issue within the line of code, and then go ahead and automatically rewrite that code for you. Then, by repetition, it just teaches you through muscle memory how to do that as opposed to, "Hey, you've found this problem. This is where the problem's located, within this particular line of code." Right now, do you know how to rewrite Java? Well, if you're not familiar with how to do that, then go push on this button. Now, take this test and go through this exercise.” It doesn't make a recommendation. It's not like providing a script that fixes the problem. It's just teaching you on how to write the code in that form in that manner.

Checkmarx could improve the speed of the scans.

They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server. I had several issues with the installation. It should just work out of the box.

Its user interface could be improved and made more friendly. When we change a window, the session times out, and we have to log in again. It can be improved from this aspect.

Checkmarx could improve the REST APIs by including automation.

I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features. So most of my customers would love to have consolidated vendors who cover all application security to lower operational overhead.

Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.

The integration could improve by including, for example, DevSecOps. In an upcoming release, they could improve by adding support for more languages.

There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.

They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.

The reporting could be better on the product. The need to be much more customizable including being customizable for various roles. The pricing can get a bit expensive, depending on the company's size.

We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.

I would like to see the DAST solution in the future.

The solution isn't exactly user-friendly. They could make the user experience a bit better in future builds. They could work to improve the user interface. Right now, it really is lacking.

The cost per user is high and should be reduced. Five years ago, it was a user-based model, which was significantly better. It would be great if we could distribute the cost equally between projects.

I think that the configuration is a bit difficult and we required support from Checkmarx to complete it (there are a lot of manual, not documented configurations should be done, like direct changes in a Database for example). This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved. If it is a very large code base then we have a problem where we cannot scan it (if more then ~ 30 mb zip file provided - scan is crashes or takes a lot of time) . It seems to me that they have a problem with the number of code line scans. In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST)

Most the the static analysers come with pre-loaded rulesets. However, many times developers have to write their own custom rules. Writing custom rules in Checkmark is difficult because you need a different editor which is licensed separately. Besides not much training material is available on how to write the rules.

Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world. Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.

You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful. It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.

I would like to see the rate of false positives reduced. Checkmarx needs support for more languages, including COBOL.

Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made. The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.

Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improve the combination of the two solutions. Both are good, but ISAT (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results. We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation. There are several levels and they are mapped to the different languages and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training. Also, they will want to add their own content to this solution. I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.

The particular way the tool works for the scanning at the IDE level, is very expensive. It makes it very expensive to deploy this tool on to multiple different developers' machines. Right now, the way it scans, the request is raised to the IDE of the developer but then the actual scanning gets done in the centralized scan server. This increases the load on the scanning server and that will make it difficult to use Checkmarx at the developer end. That forces me to look for another solution for implementing at the developer IDE level. I would strongly recommend Checkmarx relook into their approach. From a technical point of view, it's better to integrate with other systems within my ecosystem. For example, when I'm connecting Checkmarx with my DevSecOps pipeline and then wiring Checkmarx with other security systems as well as the pipeline (and my defect management system), it provides the connectivity to some of the tools, but there are tools which are excluded. It would be nice if they were added to the solution itself, otherwise, it requires us to do custom development. In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now. I would recommend much more flexibility in terms of dashboarding to help us customize more effectively. Their licensing model is rigid and difficult to navigate.

One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage. Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage. To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet. There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain. All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud. The issue with Checkmarx is the next pain point, i.e. their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install. My last statement on Checkmarx is Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well. I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows only is a hindrance as well. Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.

It would be really helpful if the level of confidence was included, with respect to identified issues. Some competitors have this feature, and it helps a lot to concentrate on the real findings.

The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.

Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company. You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible. In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products. With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too. The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.

Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.