PeerSpot user
Founder at a tech company with 51-200 employees
Real User
It can scan precompiled (source) code, as well as compiled (binary) code.
Pros and Cons
  • "The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled."
  • "The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."

How has it helped my organization?

The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled. Among other benefits, this reduces the cost to fix the problem(s) as the fix can occur earlier in the SDLC.

What is most valuable?

The ability to identify a vulnerability, the optimal place for remediation and the correct syntax is very valuable. This feature helps ensure that the software fix is comprehensive and effective. The CxSuite is easy to use and because it provides the correct coding syntax to address a vulnerability, it helps improve the secure coding skill set among developers. The product can scan precompiled (source) code, as well as compiled (binary) code, delivering effectiveness and efficiency throughout the SDLC.

What needs improvement?

The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools.

The Checkmarx CxSuite covers a wide range of programming languages including many of the most popular languages used by developers today. As a matter of general improvement, expanding coverage to languages (emerging, legacy) and open source frameworks will increase the overall effectiveness of the product.

*2017 Update. A number of leading Open Source Frameworks are now supported.

What do I think about the stability of the solution?

The product is stable.

Buyer's Guide
Checkmarx One
May 2024
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
771,063 professionals have used our research since 2012.

What do I think about the scalability of the solution?

The product scales well.

How are customer service and support?

The technical support is high quality. The support team is well versed in how best to configure, implement and operate the product.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

The initial setup is straightforward. The product requires a fairly simple computing environment for operation.

What's my experience with pricing, setup cost, and licensing?

The product licensing offers the flexibility to cover a wide range of environments. The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.

Which other solutions did I evaluate?

We considered several other commercial-grade application security solutions. The Checkmarx solution offers an ideal combination of code coverage, functionality, usability and TCO.

What other advice do I have?

The Checkmarx CxSuite product works well, delivers efficiency to the SDLC, and most important of all, it effectively improves application security.

It works!

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a Checkmarx Certified Partner.

Rahul Mane - PeerSpot reviewer
Head of DevOps at Tpconnects technologies
Real User
A highly recommended tool for delivering secure products
Pros and Cons
  • "Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes."
  • "I would like to see the tool’s pricing improved."

What is our primary use case?

We use the solution for SAST and DAST testing.

How has it helped my organization?

Checkmarx has helped us deliver more secure products. We are able to do static code analysis with the tool before shipping our code to production. When the integration is in the pipeline, this tool gives us early notifications on code fixes.

What is most valuable?

Checkmarx gives you an overview of all security aspects of the codes and shows what code aspects you need to be looking into.

What needs improvement?

I would like to see the tool’s pricing improved.

For how long have I used the solution?

I have been working with the solution for three years. At present, I am using the latest version.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable. Around 50 developers in our organization are using it.

How was the initial setup?

The solution was easy to set up since it had proper documentation.

What about the implementation team?

The solution’s deployment was done by in-house members.

What was our ROI?

We got good ROI with the use of the solution. We have seen returns on PCI and other security aspects.

What's my experience with pricing, setup cost, and licensing?

I would rate the solution’s pricing an eight out of ten. The tool’s pricing is higher than others and it is for the license alone.

What other advice do I have?

I would rate the solution an eight out of ten since it fulfills most of the requirements. I recommend this tool to anyone who is willing to give it a try.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Java Developer at a security firm with 51-200 employees
Real User
Top 20
Has a valuable static code analysis feature and a simple setup process
Pros and Cons
  • "The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility."
  • "The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor; they lack the details one gets when viewing the results directly from the Checkmarx One platform."

What is our primary use case?

We use the product for static code analysis, supply chain, and container security.

What is most valuable?

The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility.

What needs improvement?

The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor; they lack the details one gets when viewing the results directly from the Checkmarx One platform.

For how long have I used the solution?

We have been using Checkmarx's on-premise version for four years. We switched to the cloud version recently.

What do I think about the stability of the solution?

I rate the product's stability a nine or ten out of ten.

What do I think about the scalability of the solution?

We have 40 Checkmarx users in our organization. I rate its scalability a nine out of ten.

How are customer service and support?

The technical support team promptly addresses the issues.

How was the initial setup?

The initial setup process is easy.

What other advice do I have?

I rate Checkmarx an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Solution Manager at a computer software company with 201-500 employees
Reseller
Good value with a very good CodeBashing platform and AppSec Awareness
Pros and Cons
  • "The value you can get out of the speedy production may be worth the price tag."
  • "The pricing can get a bit expensive, depending on the company's size."

What is our primary use case?

We're more evaluating the solution rather than using it right now. We're resellers and it's something we'd like to offer to our clients.

What is most valuable?

I am aware of Checkmarx's portfolio, however, we've been playing exclusively with the SAST and with the AppSec Awareness platform, their Codebashing platform. It's been a very positive experience overall.

The value you can get out of the speedy production may be worth the price tag.

What needs improvement?

The reporting could be better on the product. They need to be much more customizable, including being customizable for various roles.

The pricing can get a bit expensive, depending on the company's size.

For how long have I used the solution?

We've been working with this solution for some time. I have personally been working with the product for the last three or four months.

Which solution did I use previously and why did I switch?

We haven't really extensively worked with any other products.

What's my experience with pricing, setup cost, and licensing?

The cost might seem steep, however, it really depends, first, on the size and requirements of your company. There are companies for which the speed of developing new features and developing them securely is more valuable than for other organizations.

This goes not only for Checkmarx. It goes for any automated desktop security platform in general. I definitely see the cases when the Checkmarx license is a reasonable expense. It just may not be for everyone.

Which other solutions did I evaluate?

We've been looking at SonarQube. We're looking into other options as we don't want exclusively to just offer Checkmarx to potential clients.

We are looking for solutions more on the enterprise spectrum. Therefore, I would probably consider products such as Veracode. I would also consider the newer players, such as, for example, GitLab.

What other advice do I have?

We're resellers, however, we don't have an exclusive relationship with this company. We're looking at other products we can use and offer to our clients as well.

In our company, we do not have the Checkmarx solution running on production. We do have it, however, we only have a learning license, which is non-commercial.

On a scale from one to ten, I would rate this product at an eight. Overall, it's been a positive experience so far.

Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
PeerSpot user
Senior Manager at a manufacturing company with 10,001+ employees
Real User
A stable solution for identifying security vulnerabilities but needs functionalities for identifying the run-time null values and doing static and dynamic code validation
Pros and Cons
  • "The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
  • "We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."

What is our primary use case?

We use Checkmarx for security vulnerability identification. We are using its latest version. We have a license to upgrade to the latest version. Whenever there is a new version, we update it to the latest version.

What is most valuable?

The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking.

What needs improvement?

We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code.

The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.

For how long have I used the solution?

I have been using this solution for two years. 

What do I think about the stability of the solution?

Its stability is okay.

How are customer service and technical support?

We don't directly deal with the Checkmarx technical team. There is a support group available for that, and they work with the Checkmarx team. When we have any issues, we directly call our internal team, and they call the Checkmarx team. They get back to us pretty quickly. The response is very quick. There is no problem.

How was the initial setup?

The initial setup was easy. Our project was quite big, and it took a bit longer. It took almost six hours. We could not do it as CI/CD pipeline because the pipeline expects a response in a short span of time, which was a challenge for us. We are now doing the Checkmarx review manually. We first run the code analysis, and, after the code analysis is over, we go for the pipeline. This is an overhead for us. 

It would be helpful if they can improve the speed of the analysis rate. We also need to find out from our side if there is a way to increase the wait time of the CI/CD pipeline and modify the timeout limit. It would then take 30 minutes to one hour rather than five or six hours. We should be able to adjust the timeout time, change the CI/CD settings, and go ahead with the integrated process. Currently, we cannot have an integrated system, and we also have to move from one script to the next script manually.

What other advice do I have?

Even though we run it manually, it captures most of the things. We decided to go with Checkmarx two years ago, and we are continuing with it. 

I would rate Checkmarx a seven out of ten. There are a few things that can be improved in this solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Syed Rizwan - PeerSpot reviewer
Cyber Security Engineer at Defa3 cyber security
Reseller
Top 5 Leaderboard
A stable solution that helps with dynamic application testing
Pros and Cons
  • "We use the solution for dynamic application testing."
  • "I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."

What is our primary use case?

We use the solution for dynamic application testing. 

What needs improvement?

I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side. 

For how long have I used the solution?

I have been working with the product for seven months. 

What do I think about the stability of the solution?

I would rate the product's stability a ten out of ten.

What do I think about the scalability of the solution?

I would rate the product's scalability a ten out of ten. My company has 15 users for the product.

How are customer service and support?

The solution's technical support is good. 

How would you rate customer service and support?

Positive

How was the initial setup?

The tool's setup is very straightforward and I would rate it a ten out of ten. The product's deployment took one to two months to complete. We required the technical and development team which consisted of four to five people to handle the deployment. 

What's my experience with pricing, setup cost, and licensing?

The solution's price is high and you pay based on the number of users. 

What other advice do I have?

I would rate the product a ten out of ten. The solution is the best tool for developers and organizations. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
Vendor
The static operation security has been able to identify more security issues since implementing this solution
Pros and Cons
  • "Our static operation security has been able to identify more security issues since implementing this solution."
  • "It would be really helpful if the level of confidence was included, with respect to identified issues."

What is our primary use case?

Our primary use case for this solution is SAST, Static Application Security Testing.

How has it helped my organization?

Our static operation security has been able to identify more security issues since implementing this solution.

What is most valuable?

There are many good features like site integration, but the most valuable feature for us is the XL scan of source code. 

What needs improvement?

It would be really helpful if the level of confidence was included, with respect to identified issues. Some competitors have this feature, and it helps a lot to concentrate on the real findings.

For how long have I used the solution?

One year.

What do I think about the stability of the solution?

In general, stability is good, although sometimes it crashes. We use this product daily, and I would rate the stability a four out of five.

What do I think about the scalability of the solution?

The scalability is very good.

How are customer service and technical support?

Technical support for this solution is very effective. Each time we have had questions, the answers they provided have been very clear and comprehensive.

Which solution did I use previously and why did I switch?

Prior to this solution, we were using IBM Security AppScan. We had many, many issues with the application, along with complaints about the deployment time. The main reason we switched is that it was not updated, and it did not support certain technologies. For example, it did not support Visual Studio 2017, so we had to switch to a new solution.

How was the initial setup?

The initial setup for this solution is straightforward.

It took less than one day to deploy.

What about the implementation team?

We handled the implementation in-house.

What was our ROI?

We have not yet seen ROI.

Which other solutions did I evaluate?

We did evaluate other options.

What other advice do I have?

If people are in need of static application security, then I would recommend this product.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
It allows for SAST scanning of uncompiled code. More API functionality should be added.
Pros and Cons
  • "It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
  • "Metadata is always needed."

Improvements to My Organization

Cx gives you the ability to push SAST down much lower in the SDLC process. With the use of multiple IDE plugins and the ability to do "incremental" scanning, a scan of your latest code does not bog down your machine as it is offloaded.

Valuable Features

It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc).

Room for Improvement

Metadata is always needed. More tutorials/videos for developers to fix their vulnerabilities would be nice. Although the API is useful, I would like to see more functionality added.

Stability Issues

I've had to restart services/bounce the VM on two rare occasions.

Scalability Issues

It scales very easily.

Customer Service and Technical Support

Customer Service:

Customer service is good. Engineers have been quick to get back to me regarding issues and custom work that I have performed.

Technical Support:

Technical support is very knowledgeable.

Initial Setup

Initial setup couldn't be any easier. Cx has good documentation on environment requirements. As long as you meet those, the installation process takes maybe 30 minutes for an initial setup; perhaps a bit longer if you're adding multiple engines.

Implementation Team

An in-house team implemented it.

Pricing, Setup Cost and Licensing

Everything is negotiable. Checkmarx approached our dealings in good faith and clearly wanted to be around for a while. It is much more inexpensive than some alternatives.

Other Solutions Considered

Before choosing, we also evaluated Fortify, IBM AppScan, Veracode, etc.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user326337 - PeerSpot reviewer
Customer Success Manager at PeerSpot
Consultant

Hi Joe,
Given that you've continued to successfully use Checkmarx for an extended period of time since you contributed to our discussion that compares the solution to Veracode,

How does your experience compare one year later?

(See the discussion thread here: www.itcentralstation.com)

Looking forward to your feedback
