Checkmarx One Reviews

This product helps us to deliver good quality software.

• Performs security checks for SAP Fiori applications
• Helps us check vulnerabilities in our SAP Fiori application
• Easy to use and master
• One of the most important tools in our building process

I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service.

This improvement is needed in order to follow up the growth and of SAP cloud platform, it is a Platform as a service created by SAP, many services have been added to SAP HANA Cloud Platform, like GIT repository, Jenkins, Translation etc.

So, if it is possible to add the Checkmarx as a service in this platform, it will be easy to perform security check directly without using a dedicated server.

Maybe this issue is related to our configuration. When we have many applications to check, I need to wait a long time in the queue.

We did encounter scalability issues. Maybe this is related to the stability issue mentioned above.

We haven't used anything else. This is our first solution.

I don’t know how to set up the product.

We did not look at any other options.

It is a good tool. I recommend it in order to ensure software quality.

For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon.

Checkmarx acts as the first checkpoint during our consulting for apps that are looking for a security assessment or Penetration Testing. It is also a game changer, giving the customer's results from each finding in the Checkmarx results.

• The export feature and presentation of the results.
• The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions).

• A wide variety of modern programming languages are supported, including mobile languages).

The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode.

Compiled code means that the code written is stored in binaries, for machine reading only. Tools like Veracode read only those binaries (compiled code).

Another way to have the code is “Source Code written only”, which is the only code format that Checkmarx accepts, a process where you don’t compile and everyone is able to read line by line the code.

When the workload contains so many source codes being scanned, and none of them present any progress, sometimes they seem to get stuck. There are also a considerable number of false positives (vulnerabilities that do not present a danger against the application or the user).

We have not encountered any scalability issues.

From both customer support and technical support, the response is very swift (less than a day) and the technical people are very skilled on the common issues concerning the management of the scanning tool, even with issues of server saturation and scanners stuck at a percentage.

I used to work mostly on checking the source code manually, and estimated the time of completion counting the lines of code to review. With Checkmarx that time was hugely reduced.

I also worked with Veracode, which I use for compiled code, but most of the customer’s applications have uncompiled code, so that is why I use Checkmarx more frequently.

The initial setup was complex. There is a curve of learning, and you also need technical knowledge on reviewing the results of Checkmarx’s work.

Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products to build a safe and stable application when it comes to inviting customers to use your online services.

We evaluated AppScan and Veracode. Neither covers the needs of my clients, the way I work, and the programming languages that Checkmarx covers.

I recommend to have a live session with the marketing team, to have a demo and to track all your doubts before purchasing. Checkmarx is a powerful tool but you need to be sure what you are using, and what it is for. You could use just 20% of what the tool can do, and therefore waste your money. So either fully learn how to use it and evaluate if it’s the right scanning tool to have, or go for a better and cheaper option.

We have been using this product extensively for a lot of applications to identify as well as employ proper remediation which makes the application secure including information issues which might get neglected with a manual code review process.

Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application. It therefore makes it easier to identify these as well as fix them.

Checkmarx has the detailed description of all the vulnerabilities which it identifies after the source code scan. These descriptions are just a click away. Some of the descriptions were found to be missing or were not as elaborate as compared to other descriptions. Although, they could be found across various standard sources but it would save a lot of time for developers, if this was fixed.

We have not yet encountered any stability issues.

The solution provides high scalability. I am not sure about the limit of scans but it is sufficiently high. However, the issues which we faced were related to database backup. Unfortunately, Checkmarx doesn't do any automated backups which is quite inconvenient.

I would rate the technical support as average. We never had to communicate much with the technical team but based on my knowledge the response from their end was delayed.

I am not aware of any previous solutions.

The setup was straightforward.

It is a good product but a little overpriced.

I don't have much idea about other options since the organization had already purchased the product before I joined.

Better to look out for other products available in the market as well.

It moved our organization towards being agile vs. waterfall.

Scan reviews can occur during the development lifecycle.

The areas in which this product needs to improve are:

• C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported.
• There were issues in regards to the JSP parsing.
• Defect report generation takes multiple hours for large projects.
• The Jenkins plugin does not work for projects that are larger than 4 million lines of code.
• The Eclipse plugin does not work.
• The hardware requirements for the tool add to the substantial cost of the solution and thus, increase the total cost of ownership.

• There seems to be a decline in the support team's responsiveness as our contract nears its end.

• We felt like we were the extended quality organization for Checkmarx as they frequently released poor quality patches that broke the existing functionality. A lot of the organizational hours, almost 1 FTE per year since Checkmarx was implemented, were spent to allow regression testing of the product. The Checkmarx SME team at my company had to do this testing to ensure that we do not expose product flaws to our user community.

We did encounter stability issues. The different versions of this product provide inconsistent results when the same piece of code is scanned.

We did not encounter any scalability issues.

The support team is knowledgeable. However, we still have tickets open from 2014. There is a lot of follow up required to get closure on issues.

Previously, we were using a different solution. We were leveraging multiple tools since we have code in multiple languages. Checkmarx advertised that they provide support for C, C+++, Java, etc. It turned out that they aren’t able to scan C and C++ for us. Our reason to switch to Checkmarx didn’t work out for us.

The initial setup was straightforward.

The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies.

I suggest using a trial term to run a gamut of scenarios that need to be leveraged before settling in with the Checkmarx solution.

We evaluated the Veracode option.

The product is not mature and ready for the enterprise usage yet. It is okay to use it when the support expectations are low and the code is in languages that require support only in Java and .NET.

The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled. Among other benefits, this reduces the cost to fix the problem(s) as the fix can occur earlier in the SDLC.

The ability to identify a vulnerability, the optimal place for remediation and the correct syntax is very valuable. This feature helps ensure that the software fix is comprehensive and effective. The CxSuite is easy to use and because it provides the correct coding syntax to address a vulnerability, it helps improve the secure coding skill set among developers. The product can scan precompiled (source) code, as well as compiled (binary) code, delivering effectiveness and efficiency throughout the SDLC.

The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools.

The Checkmarx CxSuite covers a wide range of programming languages including many of the most popular languages used by developers today. As matter of general improvement, expanding coverage to languages (emerging, legacy) and open source frameworks will increase the overall effectiveness of product.

*2017 Update. A number of leading Open Source Frameworks are now supported.

The product is stable.

The product scales well.

The technical support is high quality. The support team is well versed in how best to configure, implement and operate the product.

I did not previously use a different solution.

The initial set up is straightforward. The product requires a fairly simple computing environment for operation.

The product licensing offers the flexibility to cover a wide range of environments. The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.

We considered several other commercial-grade application security solutions. The Checkmarx solution offers an ideal combination of code coverage, functionality, usability and TCO.

The Checkmarx CxSuite product works well, delivers efficiency to the SDLC, and most important of all, it effectively improves application security.

It works!

During the trial period, we tried to build automated security development lifecycles with this product and with other products. We have achieved partial success with this.

The solution allows us to create custom rules for code checks. Without custom rules, the system couldn’t find anything serious in the custom code and libraries.

The main issue was the supported Windows OS for the installation. Windows is not appropriate for a big internet company’s infrastructure. Supporting a Windows machine, especially for this software, is inconvenient.

This product requires you to create your own rulesets. You have to do a lot of customization. The default rules do not work very well. In addition, it is impossible to analyze code with dynamic dependencies.

There were no problems with stability. The application was stable in our test cases.

There were no scalability issues, but keep in mind that our version can only scale on one server.

There is very good technical support. We have the support of two onsite engineers.

We are using other tools along with this solution.

The setup was simple. It mostly involved clicking the “Next” button in the Windows installer.

The pricing was not very good. This is just a framework which shouldn’t cost so much.

The product comes with very strange licensing options. They don’t let you exclude workplace licenses, which are useless for building automated systems.

Checkmarx saves us a lot of time. We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code.

The most valuable feature is that Checkmarx scans code for security vulnerabilities without needing to compile first.

Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”.

We encountered stability issues when scanning large code blocks. It consumes a lot of memory, and at times, Checkmarx services freeze and don’t work properly.

I don’t know of any scalability issues.

Just four words for the technical support team: “Checkmarx team is awesome”.

Before Checkmarx, we used HPE Security Fortify and IBM AppScan. We also tried several open-source scanning tools.

Overall, the initial setup is easy. Checkmarx provides an installer binary and we just need go through the wizard for an express installation. If we need an advanced configuration, we contact the Checkmarx support team.

I believe pricing is better compared to other commercial tools.

Yes, we compared Checkmarx features and benefits with IBM AppScan and HPE Security Fortify.

Personally, I recommend Checkmarx for static analysis.

As an InfoSec consulting company, we come across major challenging projects. Checkmarx has made life easy and my team is best at using it. It reduces manual efforts in using test cases against any vulnerability found during source code reviews. Apart from OWASP Top Ten, Checkmarx is quite intelligent to find the latest vulnerability and report it.

Some valuable features of this product are:

• Very comprehensive scanning
• Less false positive errors as compared to any other solution
• Incremental scanning
• Supports all major languages

Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices.

I have not encountered any stability issues.

I have not encountered any scalability issues.

I have never used technical support, so can't comment. We ourselves are expert at it.

We have used no other product.

The setup process was simple.

It is the right price for quality delivery.

We did not evaluate other options, before choosing this product.

Go for it.