I am representing Checkmarx as a reseller. I work with both the cloud and on-premises versions. I have been working with Checkmarx for more than twelve years.
Founder & Chairman at Endpoint-labs Cyber Security R&D
Enhanced security with robust feature set for comprehensive protection
Pros and Cons
- "Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IAC), Supply Chain Security, and API Security."
- "The Dynamic Application Security Testing (DAST) feature should be better."
What is our primary use case?
How has it helped my organization?
Checkmarx is a must-use product due to the increasing number of cyber-attacks nowadays. The product's quality and performance justify its pricing, making it a worthwhile investment.
What is most valuable?
Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IAC), Supply Chain Security, and API Security.
What needs improvement?
The Dynamic Application Security Testing (DAST) feature should be better. The technical support service could also improve in terms of their response time.
Buyer's Guide
Checkmarx One
June 2025

Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
857,028 professionals have used our research since 2012.
For how long have I used the solution?
I have been working with Checkmarx since the early days of Checkmarx, which is more than 12 years.
What do I think about the stability of the solution?
I would rate the stability of Checkmarx at nine out of ten.
What do I think about the scalability of the solution?
Checkmarx is scalable, and I would rate its scalability at nine out of ten.
How are customer service and support?
The customer service and support should be quicker from my point of view. I would rate them eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have been working with Checkmarx for over 12 years without switching to a competitor due to Checkmarx being the best product in the market.
How was the initial setup?
The initial setup is straightforward, especially with the cloud version where no deployment is needed. The on-premises version requires some time and depends on the customer's environment.
What about the implementation team?
In typical circumstances, one senior engineer is enough for implementation, but in special cases, maybe two engineers are needed.
What was our ROI?
Checkmarx is cost-effective. It is a must-use product in today's cyber security environment.
What's my experience with pricing, setup cost, and licensing?
The pricing is relatively expensive due to the product's quality and performance, but it is worth it.
Which other solutions did I evaluate?
I chose Checkmarx over competitors due to ethical considerations and its superior functionality.
What other advice do I have?
Checkmarx is plug-and-play and the best product in the market at the moment, as evidenced by reports such as Gartner's.
I'd rate the solution nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Last updated: Oct 9, 2024
Head of DevOps at Tpconnects technologies
A highly recommended tool for delivering secure products
Pros and Cons
- "Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes."
- "I would like to see the tool’s pricing improved."
What is our primary use case?
We use the solution for SAST and DAST testing.
How has it helped my organization?
Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes.
What is most valuable?
Checkmarx gives you an overview of all security aspects of the codes and shows what code aspects you need to be looking into.
What needs improvement?
I would like to see the tool’s pricing improved.
For how long have I used the solution?
I have been working with the solution for three years. At present, I am using the latest version.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable. Around 50 developers in our organization are using it.
How was the initial setup?
The solution was easy to set up since it had proper documentation.
What about the implementation team?
The solution’s deployment was done by in-house members.
What was our ROI?
We got good ROI with the use of the solution. We have seen returns on PCI and other security aspects.
What's my experience with pricing, setup cost, and licensing?
I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone.
What other advice do I have?
I would rate the solution an eight out of ten since it fulfills most of the requirements. I recommend this tool to anyone who is willing to give it a try.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Chief Executive Officer at Ethnos ITSolutions
Integrates well, overall good functionality, and highly reliable
Pros and Cons
- "The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
- "Checkmarx could improve by reducing the price."
What is our primary use case?
Checkmarx is a source code application for development, which means from the source code level, you can use Checkmarx to detect your coding errors, and to detect vulnerabilities that could have come from the different tools that you were using to develop your application. At the source code level, you can prevent the weaknesses that the application can carry on the journey of its development and use.
Checkmarx helps the users to have a secure coding environment and experience, and a secure source code level of application. That main application can leverage or improve the service delivery to customers.
What is most valuable?
The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera.
The software languages that they support are one of the largest in the market.
What needs improvement?
Checkmarx could improve by reducing the price.
For how long have I used the solution?
I have been using Checkmarx within the past 12 months.
What do I think about the stability of the solution?
Checkmarx has been stable in my usage and I'm confident to recommend it to anybody.
What do I think about the scalability of the solution?
Checkmarx is very scalable. It can run for small and large organizations.
How are customer service and support?
The technical support is good.
I rate the support from Checkmarx a four out of five.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup of Checkmarx is easy.
I rate the initial setup of Checkmarx a four out of five.
What about the implementation team?
We use one engineer with the help of Checkmarx for support and deployment.
What's my experience with pricing, setup cost, and licensing?
The price of Checkmarx could be reduced to match their competitors, it is expensive.
What other advice do I have?
I strongly recommend Checkmarx to others. I have sold the solution for nearly eight years, and I'm not aware of any major complaints that the users have that could not be resolved.
I rate Checkmarx an eight out of ten.
The Checkmarx application is a live wire of technology delivery, and if your application is vulnerable, then the asset that your acquisition will run will also suffer vulnerability. Providing the scanning ability that shows the errors at the source code level is critical to have effective development of any critical application.
I would recommend Checkmarx eight because it's very critical and integral to the improvement of technology and cyber security today. It's a critical tool in protecting cyberspace, your asset in cyberspace, and an application that runs nearly all human life today. Everything is driven by technology and application.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Cybersecurity at a transportation company with 1,001-5,000 employees
No need to compile the code to execute static code analysis, but should be more container-friendly and optimized for the CI pipeline
Pros and Cons
- "I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
- "They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
What is our primary use case?
I am using it for software assurance focused on security. I am using its latest version.
How has it helped my organization?
I use both the static code analysis and the open-source analysis engine. It gives visibility into weaknesses and the software that may be there in the source code and static analysis. It also gives some insights into the open source vulnerabilities that may be there in the codebase.
What is most valuable?
I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy. Typically when using SCA tools on C/C++ and C# you must compile the software for SCA to work. CX doesn’t require any compilation due to the way the tool does synthetic compilation to help find errors in code. Many times 3rd party assurance providers don’t have all the files to compile so CX comes in handy.
What needs improvement?
They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server.
I had several issues with the installation. It should just work out of the box.
For how long have I used the solution?
I have been using it off and on for about a year.
What do I think about the stability of the solution?
I've run into a few bugs here and there, but I would recommend installing on a virtual machine and snapshotting a working install.
What do I think about the scalability of the solution?
My setup is standalone. They do have a scalable version, but it's not something I need.
We're not using it a lot. Its usage is once a month. The way our organization works is that we don't do static code analysis every day. It's more on an as-needed basis. So, it's no fault of the Checkmarx tool. It's just not something that we've been working on.
How are customer service and support?
They were pretty good. I would rate them a four out of five, but I was using their salespeople. It wasn't their traditional tech support, so I can't really evaluate their traditional tech support. When they're selling something, they give you a lot more service instead of having to go through the support system.
Which solution did I use previously and why did I switch?
I still use other tools, so I just added it to the tool chest. I have Fortify, CodeSonar, etc., and I added Checkmarx as a different tool.
How was the initial setup?
I installed it. It's straightforward to install, but I had several issues with the installation. I don't know if it was with my environment or not. If it works properly, it's a simple install, but in my example, it did not work right off the bat. There was some troubleshooting that had to go on, which was a little frustrating.
It took weeks. It required back and forth communication with support for a couple of days, but I wasn't actively working on it for days. I would run into a bug, send the log file, and go back and forth. It wasn't anything crazy, but it was a little frustrating. It should just work out of the box. It should be pretty straightforward where you just click the installer and go, but it wasn't.
What about the implementation team?
It was implemented in-house, and then I had to call support when needed.
In terms of maintenance, it is pretty self-sustaining. You update it whenever it needs to be updated.
What was our ROI?
There hasn't been much return yet because we haven't used it much, but I have enough faith in it that I committed to it for multiple years. We are starting to use it more but not enough to state ROI yet.
What other advice do I have?
I would rate it a seven out of ten. It's not the best tool on the market, but it provides some good capability for what it is.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Head of IT Security Department at an energy/utilities company with 5,001-10,000 employees
Many false positives and inaccurate information, but scalable
Pros and Cons
- "The solution is scalable, but other solutions are better."
- "Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
What is our primary use case?
We are using Checkmarx for analyzing threats.
We are not using the latest version of Checkmarx because we faced some issues.
What needs improvement?
Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities.
SonarQube functions better in these areas.
For how long have I used the solution?
I have used Checkmarx within the last 24 months.
What do I think about the stability of the solution?
The stability of Checkmarx could improve.
I would rate the stability of Checkmarx a six out of ten.
What do I think about the scalability of the solution?
The solution is scalable, but other solutions are better.
We have 20 developers using this solution. We have a few projects left to use this solution and then we will move to something else next year.
How are customer service and support?
The support could improve, it takes a long time for a response. The service we received was poor.
Which solution did I use previously and why did I switch?
I am using Checkmarx in parallel with SonarQube.
How was the initial setup?
We didn't like how long they took to implement the product. The installation was not intuitive. We were constantly having meetings and installing additional things.
The implementation process should improve.
What about the implementation team?
We were helped by both the local partner and the vendor for the implementation.
We have two developers for the maintenance and support of Checkmarx.
What's my experience with pricing, setup cost, and licensing?
We're using a commercial version of Checkmarx, and we paid for the solution for two years. The price is high and could be reduced.
The local distributor charges two times higher than in other countries.
What other advice do I have?
The purchase of this solution was a mistake.
I would advise others to deploy the solution and to test all of the functionality before buying and do not trust the marketing from Checkmarx.
I rate Checkmarx a four out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Penetration Tester & Information Security Expert at a comms service provider with 11-50 employees
Responsive support, useful code-checking module, and high availability
Pros and Cons
- "The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful."
- "Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not."
What is our primary use case?
Checkmarx is used to check the code from programmers and vulnerabilities in third-party software.
Checkmarx can be deployed on the cloud and on-premise. However, it depends on the version.
How has it helped my organization?
Checkmarx detected code sections that did not adhere to best practices. After being informed, the programmers were able to rectify some of the issues. Without Checkmarx, it is unlikely we would have identified these issues.
Utilizing the SCA module, I gained valuable insights into the vulnerabilities present in open-source Python libraries that individuals desire to use. As an information security consultant, I advise against employing Python libraries that contain known vulnerabilities. The SCA solution proved to be helpful in this regard.
What is most valuable?
The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful.
What needs improvement?
Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not.
In a future release, the SCA module could have better documentation. It was difficult to know how to check the names of all the modules. It took me a lot of time and I needed help to be able to write the requirements file. More clarification would be helpful in the documentation, such as examples.
For how long have I used the solution?
I have been using Checkmarx for approximately six months.
What do I think about the stability of the solution?
The stability is great.
I rate the stability of Checkmarx a ten out of ten.
What do I think about the scalability of the solution?
The scalability of the solution is great. Everything I send to the solution is processed quickly.
We have five information security analysts and programmers using this solution.
We plan to increase our usage. We will install it on more networks.
I rate the scalability of Checkmarx a ten out of ten.
How are customer service and support?
I found someone in the evening that logged in and answered my issues. They are responsive.
I rate the support of Checkmarx a ten out of ten.
How would you rate customer service and support?
Positive
What other advice do I have?
We have one person for the maintenance of the solution but it is minimal and is not a full-time job.
I would advise others to ask for a demo of the solution and if it works well for their use case then purchase it.
I rate Checkmarx a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: consultant
Technical Lead of Developers at a government with 10,001+ employees
Intuitive, with good dashboards and metrics but needs more third-party integration
Pros and Cons
- "The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for."
- "Checkmarx could be improved with more integration with third-party software."
What is our primary use case?
We mainly use Checkmarx for accreditation, checking for vulnerabilities, and identifying areas in the code to fix some of the NIST 800 security controls.
What is most valuable?
The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for. It's also pretty intuitive and has a lot of good dashboards and metrics.
What needs improvement?
Checkmarx could be improved with more integration with third-party software.
For how long have I used the solution?
I've been using Checkmarx for about six months.
What do I think about the stability of the solution?
We've had no issues with Checkmarx's stability.
What do I think about the scalability of the solution?
I thought Checkmarx was pretty scalable.
How are customer service and support?
My experience with Checkmarx's technical support has been very positive.
How would you rate customer service and support?
Positive
How was the initial setup?
I found the setup pretty straightforward, though it took several days because the system engineers had to go through some different configuration settings to get it done.
What about the implementation team?
We worked with Checkmarx when we ran into issues, and they were pretty responsive.
What other advice do I have?
Checkmarx isn't accredited by the US government for DOD networks, so we've been forced to remove it from the network. I'd rate Checkmarx as seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Solution Manager at a computer software company with 201-500 employees
Good value with a very good CodeBashing platform and AppSec Awareness
Pros and Cons
- "The value you can get out of the speedy production may be worth the price tag."
- "The pricing can get a bit expensive, depending on the company's size."
What is our primary use case?
We're more evaluating the solution rather than using it right now. We're resellers and it's something we'd like to offer to our clients.
What is most valuable?
I am aware of Checkmarx's portfolio, however, we've been playing exclusively with the SAST and with the AppSec Awareness platform, their Codebashing platform. It's been a very positive experience overall.
The value you can get out of the speedy production may be worth the price tag.
What needs improvement?
The reporting could be better on the product. They need to be much more customizable, including being customizable for various roles.
The pricing can get a bit expensive, depending on the company's size.
For how long have I used the solution?
We've been working with this solution for some time. I have personally been working with the product for the last three or four months.
Which solution did I use previously and why did I switch?
We haven't really extensively worked with any other products.
What's my experience with pricing, setup cost, and licensing?
The cost might seem steep, however, it really depends on, first the size and requirements of your company. There are companies for which the speed of developing new features and developing them securely, is more valuable than for other organizations.
This goes not only for Checkmarx. It goes for any automated desktop security platform in general. I definitely see the cases when the Checkmarx license is a reasonable expense. It just may not be for everyone.
Which other solutions did I evaluate?
We've been looking at SonarQube. We're looking into other options as we don't want exclusively to just offer Checkmarx to potential clients.
We're looking for solutions more on the enterprise spectrum. Therefore, I would probably consider products such as Veracode. I would also consider the newer players, such as, for example, GitLab.
What other advice do I have?
We're resellers, however, we don't have an exclusive relationship with this company. We're looking at other products we can use and offer to our clients as well.
In our company, we do not have the Checkmarx solution running on production. We do have it, however, we only have a learning license, which is non-commercial.
On a scale from one to ten, I would rate this product at an eight. Overall, it's been a positive experience so far.
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
