Senior Engineer at a hospitality company with 10,001+ employees
Real User
A good compliance solution that is best suited to small-scale applications, and suffers from stability issues
Pros and Cons
  • "The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal."
  • "We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."

What is our primary use case?

Our main uses of this solution are to ensure our required compliance policies are met, and that we are applying best practice.

How has it helped my organization?

This solution helps to remediate the compliance requirements we have. 

The product also increases the quality of the code the developers are able to implement. 

What is most valuable?

The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal.

What needs improvement?

We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process.

Buyer's Guide
Checkmarx One
July 2025
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
864,053 professionals have used our research since 2012.

For how long have I used the solution?

We have been using this solution for two years.

What do I think about the stability of the solution?

The stability of this solution depends on the size of application to be scanned, as larger files result in lower performance levels.

What do I think about the scalability of the solution?

This solution is not very easily scalable, and seems to lack the capability to manage a high volume of applications.

How are customer service and support?

The technical support team for this solution are very supportive and skilled. They also define SLAs for their customers.

How was the initial setup?

We found the initial setup of this solution to be okay, but it is very reliant on server capacity.

What other advice do I have?

We would recommend that organizations considering this solution think about the size of the project involved, as this product works best with very small-scale applications.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Engineer at a computer software company with 5,001-10,000 employees
Real User
Requires in-depth knowledge of coding and has bad stability
Pros and Cons
  • "The only thing I like is that Checkmarx does not need to compile."
  • "Checkmarx is not good because it has too many false positive issues."

What is our primary use case?

It is used for scanning for some other purposes. We needed Checkmarx to figure out some OWASP Top Ten issues in the code.

What is most valuable?

The only thing I like is that Checkmarx does not need to compile. That's a good feature.

What needs improvement?

Checkmarx is not good because it has too many false positive issues. The software does not understand the code very well. It does not handle the process very well and misunderstands the logic, resulting in too many false positives. As per my experience, more than 80% of the issues are false positives, and it takes too much time to figure out which ones are true and which ones are false positives. 

Therefore, this is one of the areas of improvement for Checkmarx. It requires in-depth knowledge of the coding. 

For how long have I used the solution?

I have been using Checkmarx for more than a year. We are using the latest version. 

What do I think about the stability of the solution?

I would rate it a four out of ten because the scanning engine can crash sometimes.

What do I think about the scalability of the solution?

I would rate scalability a three out of ten. 

How are customer service and support?

The technical support is not good because they charge an extra fee. If we pay them on a call basis, they will charge extra. We can only give them emails; if we have a problem, it takes over half a year to fix the issue. They're just too slow.

How would you rate customer service and support?

Neutral

How was the initial setup?

The deployment is easy, but it may take around half an hour or even more because the software is huge. Also, good hardware performance is required, such as big memory and disk space.

It requires a lot of disk space and good hardware performance, and the speed is slow.

What about the implementation team?

The deployment is pretty tough to do by myself.

What's my experience with pricing, setup cost, and licensing?

It's expensive. I would give it a four out of ten.

Which other solutions did I evaluate?

We just calculated the speed of Checkmarx; it is around 40 lines of code per second. It's too slow, so we now use a Chinese software called XCheck, which is much better. It can scan around 2,000 or 5,000 lines per second, depending on the code complexity. XCheck is a product of a Chinese company called Tencent.

What other advice do I have?

Overall, I would rate the solution a three out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1534434 - PeerSpot reviewer
System Engineer at a tech vendor with 10,001+ employees
Real User
Easy to use, configurable, and has all the features we need
Pros and Cons
  • "It has all the features we need."
  • "The validation process needs to be sped up."

What is our primary use case?

We use the solution on a developing project. Before we bring the code to production, we have to ensure its quality, and we use this solution. 

What is most valuable?

It's easy to use. The configuration is easy. 

It has all the features we need. 

What needs improvement?

We haven't had any issues with the solution so far. It is not missing any features. 

It takes too much time to check the code. The validation process needs to be sped up. 

There have been some configuration issues. We sometimes have failures. 

For how long have I used the solution?

I've been using the solution for two and a half years at this point. 

What do I think about the stability of the solution?

We've had to deal with errors. When we blacklist or whitelist, we do have some issues. There are a few configuration issues. I'd rate the stability seven out of ten. It could be improved. 

What do I think about the scalability of the solution?

I can't speak to the scalability. I don't deal with scaling. The usage is limited. We aren't attempting to expand it. We only do two to three processes at the same time. 

How are customer service and support?

Technical support is okay. We are mostly happy with the help we get. We can directly connect with them.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I'm also using SonarQube.

How was the initial setup?

I did not handle the deployment directly. We have a team that manages the tool. I'm not aware of how many people are needed to maintain and deploy the solution. 

What's my experience with pricing, setup cost, and licensing?

I don't deal with the pricing directly. I don't know the exact cost. 

What other advice do I have?

I'm a customer and end-user.

I would recommend the solution to other users. I'd rate the solution eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Rajiv - PeerSpot reviewer
Practice Lead - Cyber Security at a tech vendor with 10,001+ employees
Vendor
It has fewer false positives than other products, giving you better results
Pros and Cons
  • "What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
  • "One area for improvement in Checkmarx is pricing, as it's more expensive than other products."

What is our primary use case?

We primarily use Checkmarx for assessing vulnerabilities in applications.

What is most valuable?

What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results.

What needs improvement?

One area for improvement in Checkmarx is pricing, as it's more expensive than other products.

For how long have I used the solution?

I've used Checkmarx for four to five years.

What do I think about the stability of the solution?

Regarding Checkmarx stability, it's an eight out of ten.

What do I think about the scalability of the solution?

Checkmarx is a scalable tool and much better scalability-wise than other products I used. I'm rating its scalability as eight out of ten.

How are customer service and support?

We never had to contact the Checkmarx technical support team.

How was the initial setup?

I was not involved in the initial setup for Checkmarx.

What's my experience with pricing, setup cost, and licensing?

Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products.

What other advice do I have?

My company is in the service business, so it provides services to customers. For example, the customer uses SonarQube, so my company uses the same tool to execute vulnerability assessments.

I've worked on Checkmarx, NetSuite, Acunetix, and other application security tools used by customers.

My rating for Checkmarx is eight out of ten because it's a good product, and its only con is the cost, which is high for some customers.

I recommend Checkmarx to others because of its performance. The tool has better intelligent outcomes, and Checkmarx has better automation internally.

My company is a Checkmarx customer.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Marcelo Carrasco - PeerSpot reviewer
Security Architect at a financial services firm with 5,001-10,000 employees
Real User
Easily scalable and finds more vulnerabilities than other tools
Pros and Cons
  • "The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools."
  • "The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information."

What is most valuable?

The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools.

What needs improvement?

The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information. There are some cases where you have to go directly to the Checkmarx database to get the information that you want. The default module that provides statistics is basic, and you need more elaborate information to do vulnerability management. The tool has a limited scope.

What do I think about the scalability of the solution?

It is easy to scale, you just have to pay. There are about 100 developers and security people using this solution in my company. 

How are customer service and support?

The contract that we have is not directly with Checkmarx. It's with an intermediary company in Argentina, and they give us support. They are not very fast in answering our questions. They have a kind of first level support, but for more technical stuff they go directly to Checkmarx.

What's my experience with pricing, setup cost, and licensing?

As with other tools, if you want more, you have to pay more. You have to pay for additional modules or functionalities. For instance, if you want to do some scanning to external dependencies of the software, you have to buy another tool provided by Checkmarx.

You have to pay for licenses for the number of projects that you want to scan and the number of users. I think you have to pay licenses for three features: the number of users, the projects, and I don't remember the other one.

What other advice do I have?

We have two administrators who coordinate maintenance with the vendor.

My advice is that you need to estimate the right amount of licenses. That's very important because right now, our company needs more licenses, and that was not well estimated at the beginning. The other thing is to be clear about the features of this tool that you want or need.

I would rate this solution as a nine out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
ScottDenton - PeerSpot reviewer
Senior regional manager at AppDome
Real User
Supports different languages, has excellent support, and easily expands
Pros and Cons
  • "The SAST component was absolutely 100% stable."
  • "The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."

What is our primary use case?

When something happens in a test, then you need to know why. In many cases, you would have to run a scan and find all the problems, and then hand that off to development and have development go back and rewrite that code. If you had an issue with a particular aspect where you have a limited amount of personnel or knowledgeable personnel, based on the language that an application was written in, well, then you would need some type of assistance in order to rewrite that code in that particular language, with the limited knowledge that developer might have had. I assisted with that and helped with educating the developer on how to write that code. It was a two-pronged effort.

The number one use case would be a failed PEN test. Number two would be, "Hey, we have a waterfall DEV approach to our SDLC today. We want to become more agile around speed and quality of code." That would be the second. The third would be able to provide an appropriate availability of knowledge for training developers in secure coding.

What is most valuable?

Being able to have the breadth and depth of different kinds of support for different languages is excellent, and many other solutions require you to compile the code prior to the scan; with CxSAST there is no need to compile code for a static analysis. If you didn't support a particular language that an application was written in, whether it was legacy code or a new agile code like Scala, JScript, PL/SQL, or whatever, well, then you didn't get the business. If you were an organization that converted its SDLC from waterfall to agile, then you're going to need the ability to support multiple languages, even if they're not part of the company, thanks to that agility, that approach, that methodology. Supporting different languages was a high priority of the client.

What needs improvement?

The interactive application security testing, or IAST, where code scans are being run on an application that lives in a runtime environment on a server or virtual machine, needs improvement.

There was limited support for different languages. It didn't support everything under the sun, so you would lose revenue since you didn't have support for Scala or some other language that your developer was fluent in. They needed to improve on language support. That is about it, really.

The dev team did everything that they said they were going to do. If they said they were going to hit a mark, they'd hit a mark. That release would come out. Typically, they would do four major releases a year, quarterly, with two-point releases in between, or based on any additional hotfixes that may be needed. In most cases, however, IAST was the part of the product that needed to be improved the most.

Codebashing is a really cool product from the aspect of teaching developers how to write secure code. However, it would be even cooler if you could not only point out and teach someone how to do it while also making the appropriate recommendation on how to rewrite the code itself, using machine learning or AI. Instead of you, the developer, learning how to do it and then writing the code yourself, it'd be cooler if you could push a button, have it analyzed, scan the code, find the code, find the issue within the line of code, and then go ahead and automatically rewrite that code for you. Then, by repetition, it just teaches you through muscle memory how to do that as opposed to, "Hey, you've found this problem. This is where the problem's located, within this particular line of code. Right now, do you know how to rewrite Java? Well, if you're not familiar with how to do that, then go push on this button. Now, take this test and go through this exercise." It doesn't make a recommendation. It's not like providing a script that fixes the problem. It's just teaching you how to write the code in that form, in that manner.

For how long have I used the solution?

I’ve used the solution for about two or two and a half years. I worked directly with the company. However, I left about a year or a year and a half ago.

What do I think about the stability of the solution?

The SAST component was absolutely 100% stable. The SCA product is also extremely stable. In fact, they leverage each other in a way that complements the overall use. It gives the user a high-level view, a 10,000-foot view, with the ability to see more under a magnifying glass if you think about it from high to low.

The other components, such as IAST, the Codebashing technology, and the developer education technology, were all integrated with radio buttons and such. I never really had any customer or client, or anyone, complain, or ever come to me and say, "Hey, look, the implementation that we completed last week, it's crashed on us," or anything that would show it to be less than stable.

Have there been instances specifically where a new customer came to us and didn't have something turned on? Yes. Is there an instance where a customer might have had something configured wrong based on frequency, scanning frequency, or the depth of how deep they need to scan within the lines of code? Yes. Those were all configuration modifications that were needed. However, it was a misconception thinking that maybe it was unstable, when in fact, just a few things needed to be tweaked.

What do I think about the scalability of the solution?

With the largest installation scanning billions of lines of code each day, there are no known limitations of what the product can do, as long as the appropriate resources are allocated for the specific requirements. 

How are customer service and support?

They have a customer success team and a customer success manager, and that's the liaison between the Development Team, Support Team, and the customer. That way, you're not sending an email to a black hole. It's not going to go into a queue where it goes to a black hole of 3,000 or 4,000 emails across the entire world. If that happened, you would have to sit there and wait for some type of response or appropriate time to hear from them. Instead, it goes to someone who's actually assigned to the account as a liaison to bring in the resources needed to help with whatever issue is on hand.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment depended upon how complex the application was. If it was a very, very complex, customized application, then it would have to be instrumented by a DevOps professional that we provided. If it was a very simplistic or basic vanilla-type framework, as far as the application's concerned, then the customer could do it easily themselves.

What about the implementation team?

There was no need for an integrator, reseller, or consultant. None of that was required or needed, or ever actually even requested. The only reason why any one of a particular stature would actually be part of the process was if they were under contract with that particular corporation or company. Otherwise, the organization provided the appropriate professional services, again, as a benefit to the customer to help ensure their success in using the technology.

What's my experience with pricing, setup cost, and licensing?

Annually, the typical application scanning cost/setup would run anywhere from $75k to $150k, but that was dependent on the specific scanning requirements.

There were no additional operating costs. There was a requirement or a request as a best practice for us to provide the appropriate professional services or implementation services to ensure that the product got off the ground by the time the licenses were purchased. 

What other advice do I have?

I’d rate the solution eight out of ten based on ease of use, configuration, customer service, and response time. There are other products out there that are provided as a service where they will go, and you push a button, they collect the data, they review the data, yet there's no specific standard license agreement or SLA that says they're supposed to get back to you within a particular moment of time. Everything that Checkmarx does is instantaneous.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
San K - PeerSpot reviewer
Senior Group Leader at Infosys
MSP
It's easy to initiate scans and triage defects.
Pros and Cons
  • "The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
  • "As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to."

What is most valuable?

The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects.

What needs improvement?

As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to.

For how long have I used the solution?

We've been using Checkmarx for five years now.

What do I think about the stability of the solution?

Checkmarx is stable. 

What do I think about the scalability of the solution?

Checkmarx is scalable. We can add more engines without a problem.

How was the initial setup?

Deploying Checkmarx isn't straightforward. It is a little complex, so it requires somebody well-versed in DevOps and Linux administration or Windows administration to do the setup.

What was our ROI?

We've seen a good return.

What's my experience with pricing, setup cost, and licensing?

Checkmarx costs us around $132,000 annually.

Which other solutions did I evaluate?

We evaluated CAST, Fortify, and HCL AppScan, but the deciding factor was Checkmarx's ease of use. 

What other advice do I have?

I rate Checkmarx eight out of 10. It's secure, easy to use, and Checkmarx regularly updates their rule sets. I'm happy with the main features of the product, but some of the additional features didn't work for us in the beginning, like scanning at the source code repository level, reporting, etc. There was a lot of back and forth before it started working, so that's why I deducted two points.

My advice for future Checkmarx users is to plan the initial deployment well. You will have to choose the right system configuration: CPUs, RAM, disk space, and backup policy. If you plan ahead, you won't have any issues trying to debug or when the size increases. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cuneyt KALPAKOGLU Phd. - PeerSpot reviewer
Founder & Chairman at Endpoint-labs Cyber Security R&D
Reseller
Enhanced security with robust feature set for comprehensive protection
Pros and Cons
  • "Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IaC), Supply Chain Security, and API Security."
  • "The Dynamic Application Security Testing (DAST) feature should be better."

What is our primary use case?

I am representing Checkmarx as a reseller. I work with both the cloud and on-premises versions. I have been working with Checkmarx for more than twelve years.

How has it helped my organization?

Checkmarx is a must-use product due to the increasing number of cyber-attacks nowadays. The product's quality and performance justify its pricing, making it a worthwhile investment.

What is most valuable?

Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IaC), Supply Chain Security, and API Security.

What needs improvement?

The Dynamic Application Security Testing (DAST) feature should be better. The technical support service could also improve in terms of their response time.

For how long have I used the solution?

I have been working with Checkmarx since the early days of Checkmarx, which is more than 12 years.

What do I think about the stability of the solution?

I would rate the stability of Checkmarx at nine out of ten.

What do I think about the scalability of the solution?

Checkmarx is scalable, and I would rate its scalability at nine out of ten.

How are customer service and support?

The customer service and support should be quicker from my point of view. I would rate them eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have been working with Checkmarx for over 12 years without switching to a competitor due to Checkmarx being the best product in the market.

How was the initial setup?

The initial setup is straightforward, especially with the cloud version where no deployment is needed. The on-premises version requires some time and depends on the customer's environment.

What about the implementation team?

In typical circumstances, one senior engineer is enough for implementation, but in special cases, maybe two engineers are needed.

What was our ROI?

Checkmarx is cost-effective. It is a must-use product in today's cyber security environment.

What's my experience with pricing, setup cost, and licensing?

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

Which other solutions did I evaluate?

I chose Checkmarx over competitors due to ethical considerations and its superior functionality.

What other advice do I have?

Checkmarx is plug-and-play and the best product in the market at the moment, as evidenced by reports such as Gartner's.

I'd rate the solution nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer.