Checkmarx One Reviews

The primary use that we have for Checkmarx is the evaluation of source code vulnerabilities.

We use Git to connect to Checkmarx. We don't use GitHub. We use our own self-hosted Git. We're just using generic Git. One of the biggest thorns in our side is managing that aspect of it. It wouldn't matter if it was GitHub or Bitbucket or any of the other tools that you can use to connect Git to Checkmarx. The issue is the same. 

The tool is good at telling us what repository we're connected to, but it is horrible in telling us what branch we're connected to.

I haven't been monitoring how well our projects have been at reducing vulnerabilities. Checkmarx is one that you have to actively follow, and my position doesn't require that I do that. I set up the tool, and then I let other people use it.

I'm the system administrator of the tool rather than an active user of it. This product has room for improvement in administration.

Adding users is kind of a pain. We need a more automated way of adding users. User administration for the IDs can be improved, they can make it a more automated feature set so that you can add users more quickly and easily. 

Most tools that I'm dealing with today have a mechanism where people can self-enroll.

I'm more of the admin as opposed to a user of Checkmarx. Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before.

One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage. 

Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage.

To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet. 

There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain.

All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud. 

The issue with Checkmarx is the next pain point, i.e. their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install.

My last statement on Checkmarx is Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well.

I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows only is a hindrance as well.

Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.

Checkmarx is a stable product, especially based on the number of updates that we receive. Every time we get a new update or a hotfix, I'm very much in the loop on getting that information. Compared to some other products, it doesn't have the churn that others do, i.e. in the number of updates and patches that we have to apply to it.

We're licensed for 100 users. Primarily we use Checkmarx for developers, managers, architects, and maybe some of the design folk, but not QA. This would solely be in the realm of development and architecture. 

There is no plan for us to increase our usage of Checkmarx. We're trying to get as many scans as possible. One of the issues that we have is the concept of an incremental scan. The more of the incremental that you do, the slower the service becomes.

When you go in and you look at the last result: it's your baseline or your full scan, followed by applying each incremental. The more of the incrementals that you have, the slower Checkmarx gets.

They've come up with a recommendation for users to do one full scan a week and maybe six incremental scans. This needs to be worked on to get the performance better on this particular tool.

Checkmarx can scale up very easily. Anything that can be automated can be scaled. If I can automate it, I can scale it. Under the hood, it does the management of the scan engines well.

We have some large code bases, that according to the Checkmarx internal people, based on the number of lines of code, everything is 100% optimized hardware-wise. The fastest that the scan should take is 13 hours. That's a full scan, an incremental is a little different.

The problem with Checkmarx from that standpoint is, in our most active code base, we want it to be scanned frequently. At one point in time, it was taking up to 26 hours to do a single scan. We were scanning twice a week or four times a week. 

That same code base has two separate instances of itself. A long time ago they started as a common code base and then they split. Now, in essence, we have two products based on the same code base. We had to scan them twice a week.

The customer service on the phone so far with Checkmarx has been good. We've had more issues with other projects that have gone into the cloud than with this particular instance. 

It's mostly email until you scream enough with Checkmarx or you go through your salesperson. It's a little bit of a burden to get to them. 

For the most part, the people that I have dealt with know their stuff, and we haven't had any problems. It's been a challenge. We did try to do things that no one else had tried before according to them, and so we ended up having setbacks because of trying new things. 

The tool that we were using before was AppScan.

The initial setup of Checkmarx is straightforward. We did a bunch of things that shot ourselves in the foot that we weren't expecting. We were initially trying to put Checkmarx in the cloud. We were even putting Checkmarx into an Azure system until we found out that Azure, with the Microsoft SQL engine, does not support what Checkmarx requires. 

The Azure implementation of SQL does not allow the USE statement. Extremely odd. Maybe Microsoft figured out if you can't use USE, that means you have to have more databases and so they can charge more. Microsoft Oracle and IBM have been pulling that crap for years. They're making a lot of money.

It probably took us a couple of months to go through all of the issues, basically trying to find a home for SQL. We ended up creating a Microsoft SQL server in Amazon.

With Amazon's RDB, you can use Oracle, PostgreSQL, Sybase, Microsoft SQL, etc. as its RDB engines. Depending on whether you already have a license, or if you want to pay for the license when you set up the instance, you can do either. 

We had the license. We just created an instance in the Amazon cloud.

I've got 100 licenses for Checkmarx. As people come and go, it's a hassle to add and remove them. In this day and age, it's such a meaningless time-waster.

We were previously working with Azure. We switched because of their implementation of SQL Server. Checkmarx uses statements to move from database to database. Azure does not support that in its implementation at this time. 

Time will tell and Microsoft does improve their code over time.

From an administrative standpoint, I would rate Checkmarx with a five out of ten. From what my users are telling me, I'd give it an eight for the tool's ability to report on vulnerabilities in the user experience. 

I would rate Checkmarx with an eight on the user side and a five on the admin side.

Customers need to work with Checkmarx to scale the system for their needs, i.e. work with their recommendations. The best practices that they have there. 

They have this formula to calculate how many CPUs and how much memory you need. The memory requirements are huge. We've got 64 GB machines to scan them.

That's the low end of what they're recommending. Their processes do a lot of number crunching in memory. For a 4 million line code base, it's just going to consume a lot of time and a lot of resources. 

We are only using the source code scanner. We're not using the OSS scanner. We use Artifactory for our OSS repository, and Artifactory comes with its own built-in OSS scanner. We didn't need two OSS scanners.

Our primary use case for this solution is SAST, Static Application Security Testing.

Our static operation security has been able to identify more security issues since implementing this solution.

There are many good features like site integration, but the most valuable feature for us is the XL scan of source code. 

It would be really helpful if the level of confidence was included, with respect to identified issues. Some competitors have this feature, and it helps a lot to concentrate on the real findings.

In general, stability is good, although sometimes it crashes. We use this product daily, and I would rate the stability a four out of five.

The scalability is very good.

Technical support for this solution is very effective. Each time we have had questions, the answers they provided have been very clear and comprehensive.

Prior to this solution, we were using IBM Security AppScan. We had many, many issues with the application, along with complaints about the deployment time. The main reason we switched is that it was not updated, and it did not support certain technologies. For example, it did not support Visual Studio 2017, so we had to switch to a new solution.

The initial setup for this solution is straightforward.

It took less that one day to deploy.

We handled the implementation in-house.

We have not yet seen ROI.

We did evaluate other options.

If people are in need of static application security, then I would recommend this product.

I would rate this solution an eight out of ten.

My team uses this product extensively for application vulnerability assessment. This solution is for static application security testing and is used within our software development process.

As the software developers are creating solutions, they are able to identify vulnerabilities while the application is being written, rather than after the entire development is over.  

We were interested in having the raw source code scanned, so that was the primary requirement and that is where Checkmarx comes in. We do not need any precompiled libraries, or compiled source code, to be checked by the source code analysis solution.

We have a security team that uses this product to scan source code, rather than have the developers handle it. We do not have any developer licenses (i.e. the SDLC Edition). Instead, the security team identifies the vulnerabilities and shares the report with the development team.

The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete.

As an example, an application may contain three hundred thousand lines of code that was written over two or three months. Rather than having to examine the entire product for vulnerabilities, we are able to assess weaknesses and identify vulnerabilities in, say, five hundred or one thousand lines of code. This is really advantageous for us.

There are many features, but first is the fact that it is easy to use, and not complicated.

One of the cool features is that it identifies the development technology that we are using on its own, whether it is Java or .NET or otherwise, it identifies it by itself.

The most important aspect is that it shows us exactly, on which particular line, the vulnerability is.

The user interface is very intuitive and it offers help on the fly.

The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.

We have not observed any issues, such as the application crashing, with respect to the stability of this solution.

The solution is quite scalable. We are not using the SDLC edition, but with that version, the developers can use different plugins and initiate the scan from their own development environment.

There are three or four members in our security team who use this tool. At the current time, we are happy with this solution and do not plan to increase its usage to the point where we need a different license.

We have found the technical support to be good. Whenever anyone has an issue, we write directly to Checkmarx.com and they issue a support ID. Most of the time we receive a quick response.

We are currently based in India, and they have increased their team size in India with a couple of people providing support. It covers the Indian subcontinent as well. With this increase, our tickets are answered very quickly as compared to what we used to get.

I do not have recent, hands-on experience with this tool but, I have used it in the past and my team now uses it extensively. We did not use a tool previous to this one, and we plan to continue using this because we are getting good results.

We use this solution for static application security testing. For dynamic testing, we use the Netsparker solution.

The initial setup is pretty simple and straightforward, and it does not take more than fifteen minutes, maximum. The entire deployment was completed in not more than half an hour.

Not many people are required for deployment or maintenance. We have not done much since the original installation. When a new version comes in, any member of the security team can update the solution. In that way, a single person can maintain it. Within my team, it is a Senior Security Analyst who maintains this solution for us.

It is a very simple tool and we do not have a complex environment. It is installed on a standalone machine.

We do not have an integrated solution. This is a standalone solution that is used with the Security Gate. The installation was completed in-house, by our team only.

We have seen ROI, but quantifying it in terms of the numbers is difficult. The biggest advantage we have seen is that we're able to develop and deliver secure solutions, in a faster time. We used to test our applications efficiently, and we still do, but there used to be a period of rework required. Now, that does not happen. We are able to identify the issues and address them while the development is in progress.

We have a subscription license that is on a yearly basis, and it's a pretty competitive solution. I don't know of any additional costs, beyond the standard licensing fees, for our version of the software.

In the case of the SDLC edition, which is a higher version, there may be some professional support that is required. Otherwise, any license that they provide is just an annual subscription fee.

We evaluated the Fortify Static Code Analyzer and IBM Security AppScan, but our evaluation was not fully completed. We were happy with what we were seeing with Checkmarx, so we did not go ahead with the others.

My advice to any software development team using a different set of tools is to look at Checkmarx. It's a very good product. It's a great product, in fact. Any organization spending money on a subscription license should not look at it as a cost, rather, it should be seen as an investment. The Checkmarx solution can act as a resource that can help the development team to secure their application delivery. Be it an internal application for their own use, or applications being written for their customers.

This solution tells us where, in our code, the "best-fix location" is. To put this into perspective, consider a particular piece of code where there are ten vulnerabilities detected. Perhaps it is an SQL injection vulnerability. This tool gives you specific locations and informs that if you fix the code in certain areas (e.g. in three specific locations) then the subsequent vulnerabilities will automatically be addressed. Therefore, you save on development effort because you do not need to fix all ten vulnerabilities specifically and independently.

I would rate this product a nine out of ten.

We use Checkmarx to review the source code for the external applications that we expose to the cloud or other servers on the internet.

We received two main benefits from Checkmarx:

1. Better Security
2. Saving Time

I recommend Checkmarx to be sure that your development has robust security. For your team management, Checkmarx has a very nice feature to check out manual staff in the process.

The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time.

Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company. 

You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible. 

In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products. 

With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too.

The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.

Checkmarx is a good product, certainly stable.

The scalability is good. We haven't had any problems with it.

Our experience with technical support is good. They have a lot of expert staff on their customer service lines. We have had no problems with their technical support services.

We used Veracode for some time and it's also a good solution. Veracode fits better for small companies. It's more automatic.

Checkmarx is more complete and they have more features to support our development team and security team requirements.

In general, Checkmarx is a better solution, but it's more complicated, especially in terms of the price for a small company.

Our deployment of Checkmarx took a couple of days, at max, a week. 

The setup was a long time back, but I know that we did not use a reseller or consultant for the deployment.

We evaluated some products from a company in Spain. Checkmarx provided better functionality and options for us.

We have a small team. It is about four people in total. We do not require that many staff for the deployment and maintenance of Checkmarx.

We are testing the solution in a small local company. Our idea is to expand the use of it to our clients in the West.

In this space, you can have different points of view and if only you are looking for a solution to do a check in your auditory report, then you can choose anyone. 

If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution.

I would rate Checkmarx a nine out of ten because of the price, but technically for me, it is a 10. 

I would rate Checkmarx with a nine because it would be perfect at a more functional level, and could be better at providing these features for parity. 

If you research what Checkmarx is offering in their package distribution, you get exactly what they promise up front, so they are not lying.

Code scan. We performed periodic static code scans on copies of our Git repository to identify possible vulnerabilities.

Code consistency. It prompted our developers to fix code or document code they otherwise would not have done.

The consistency of code. Showed our team where they are inconsistent or where they have made simple omissions.

Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.

Our primary use case solution is for code scanning.

It has made our organization more efficient with our whole code scan/deployment process for our software applications.

The most valuable features are:

• Ease of use
• Dashboard
• Interface
• Report

I have not had an issue with stability of the product.

There have been no issues with scalability that I am aware of.

I have not needed the use of technical support.

Previously, we considered: Veracode, SonarQube, Fortify and IBM Security AppScan.

I was not involved in the initial setup of the solution.

One should consider:

• Visual studio
• Report generation
• If the solution can be on-prem
• Pricing

It is an expensive solution.

Be cautious of the one-year subscription date. Once it expires, your price will go up.

I have used it for source code scanning of security vulnerabilities. It seems to be a good tool. It gives the proper code flow of vulnerabilities and the number of occurrences.

We have scanned various applications with it. It works fine, although we need to check manually for false positive issues. 

After scanning, it shows in-depth code of where actual vulnerabilities are, which helps us to analyze them.

It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use.

It is very easy to insert the tool in the SDLC because there are a wide variety of ways to access the source-code, initiate scans, and review the results. The projects need not care about getting a tool, accessing the tool, and it is cheaper using it.

The most valuable feature for me is the Jenkins Plugin. We usually take a copy of the normal build job for Checkmarx so that:

1. we have all of the source code we need for the build, normal and generated source code;
2. we need only one technical user for scanning the projects (SVN access and Git access need to change the passwords every 90 days).

I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time).

Updating and debugging of queries is not very convenient.

In our last update to version 8.5.0, we had a problem with DB migration but,  overall, I must say it has been stable.

Regarding scalability, we have only one scan engine and our licence allows only two scans at the same time.

I would rate the technical support seven out of 10. When you first create a ticket you sometimes get questions that you wouldn't expect from first-level support.

None. I started with this product.

The initial setup was decribed very well and it was straightforward. We had only two small problems: implementing the SSL certificate, and getting access for LDAP users.

We got a special offer for a 30% reduction for three years, after our first year.

I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year).

I didn’t evaluate this or other solutions, but my team leader had experience with HPE Fortify and he said it is much more expensive, and the service even worse.

Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications).