Checkmarx Overview

Checkmarx is the #5 ranked solution in AST tools and #8 ranked solution in application security solutions. PeerSpot users give Checkmarx an average rating of 7.6 out of 10. Checkmarx is most commonly compared to SonarQube: Checkmarx vs SonarQube. Checkmarx is popular among the large enterprise segment, accounting for 75% of users researching this solution on PeerSpot. The top industry researching this solution is financial services, accounting for 22% of all views.
Checkmarx Buyer's Guide

Download the Checkmarx Buyer's Guide including reviews and more. Updated: June 2023

What is Checkmarx?

Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that integrates with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle, reducing and remediating risk from software vulnerabilities. Using Checkmarx, teams find and manage software security vulnerabilities through a single, unified dashboard without slowing down their delivery schedule.

Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

Checkmarx Features

Some of Checkmarx’s features include:

  • Source code scanning: Detect and repair more vulnerabilities before you release your code.

  • Open-source scanning: Find and eliminate the risks in your open-source code.

  • Interactive code scanning: Scan for vulnerabilities and runtime threats.

  • Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

Reviews from Real Users

Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

Checkmarx Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech

Case Study: Liveperson Implements Innovative Secure SDLC

Checkmarx Pricing Advice

What users are saying about Checkmarx pricing:
  • "The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."
  • "The price of Checkmarx could be reduced to match their competitors, it is expensive."

Checkmarx Reviews
    ScottDenton - PeerSpot reviewer
    Senior regional manager at AppDome
    Real User
    Top 20
    Supports different languages, has excellent support, and easily expands
    Pros and Cons
    • "The SAST component was absolutely 100% stable."
    • "The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."

    What is our primary use case?

    When something happens in a test, then you need to know why. In many cases, you would have to run a scan and find all the problems, and then hand that off to development and have development go back and rewrite that code. If you had an issue with a particular aspect where you have a limited amount of personnel or knowledgeable personnel, based on the language that an application was written in, well, then you would need some type of assistance in order to rewrite that code in that particular language, with the limited knowledge that developer might have had. I assisted with that and helped with educating the developer on how to write that code. It was a two-pronged effort.

    The number one use case would be a failed PEN test. Number two would be, "Hey, we have a waterfall DEV approach to our SDLC today. We want to become more agile around speed and quality of code." That would be the second. The third would be able to provide an appropriate availability of knowledge for training developers in secure coding.

    What is most valuable?

    Being able to have the breadth and depth of different kinds of support for different languages is excellent. Many other solutions require you to compile the code prior to the scan; with CxSAST there is no need to compile code for a static analysis. If you didn't support a particular language that an application was written in, whether it was legacy code or a new agile code like Scala, JScript, PLSQL, or whatever, well, then you didn't get the business. If you were an organization that converted its SDLC from waterfall to agile, then you're going to need the ability to support multiple languages, even if they're not part of the company, thanks to that agility, that approach, that methodology. Supporting different languages was a high priority of the client.

    What needs improvement?

    The interactive application security testing, or IAST, where code scans are being run on an application that lives in a runtime environment on a server or virtual machine, needs improvement.

    There was limited support from different languages. It didn't support everything under the sun, so you would lose revenue since you didn't have support for Scala or some other language that your developer was fluent in. They needed to improve on language support. That is about it, really.

    The dev team did everything that they said they were going to do. If they said they were going to hit a mark, they'd hit a mark. That release would come out. Typically, they would do four major releases a year, quarterly, with two-point releases in between, or based on any additional hotfixes that may be needed. In most cases, however, IAST was the part of the product that needed to be improved the most.

    Codebashing is a really cool product from the aspect of teaching developers how to write secure code. However, it would be even cooler if you could not only point out and teach someone how to do it while also making the appropriate recommendation on how to rewrite the code itself, using machine learning or AI. Instead of you, the developer, learning how to do it and then writing the code yourself, it'd be cooler if you could push a button, have it analyzed, scan the code, find the issue within the line of code, and then go ahead and automatically rewrite that code for you. Then, by repetition, it just teaches you through muscle memory how to do that as opposed to, "Hey, you've found this problem. This is where the problem's located, within this particular line of code. Right now, do you know how to rewrite Java? Well, if you're not familiar with how to do that, then go push on this button. Now, take this test and go through this exercise." It doesn't make a recommendation. It's not like providing a script that fixes the problem. It's just teaching you how to write the code in that form, in that manner.

    For how long have I used the solution?

    I’ve used the solution for about two or two and a half years. I worked directly with the company. However, I left about a year or a year and a half ago.


    What do I think about the stability of the solution?

    The SAST component was absolutely 100% stable. The SCA product is also extremely stable. In fact, they leverage each other in a way that complements the overall use. It gives the user a high-level view, a 10,000-foot view, with the ability to see more under a magnifying glass if you think about it from high to low.

    The other components, such as IAST and the Codebashing technology, and the developer education technology, were all integrated with radio buttons and such. I never really had any customer or client, or anyone, complain, or ever come to me and say, "Hey, look, the implementation that we completed last week, it's crashed on us," or anything that would show it to be less than stable.

    Have there been instances specifically where a new customer came to us and didn't have something turned on? Yes. Is there an instance where a customer might have had something configured wrong based on frequency, scanning frequency, or the depth of how deep they need to scan within the lines of code? Yes. Those were all configuration modifications that were needed. However, it was a misconception thinking that maybe it was unstable, when in fact, just a few things needed to be tweaked.

    What do I think about the scalability of the solution?

    With the largest installation scanning billions of lines of code each day, there are no known limitations of what the product can do, as long as the appropriate resources are allocated for the specific requirements. 

    How are customer service and support?

    They have a customer success team and a customer success manager, and that's the liaison between the Development Team, Support Team, and the customer. That way, you're not sending an email to a black hole. It's not going to go into a queue where it goes to a black hole of 3,000 or 4,000 emails across the entire world. If that happened, you would have to sit there and wait for some type of response or appropriate time to hear from them. Instead, it goes to someone who's actually assigned to the account as a liaison to bring in the resources needed to help with whatever issue is on hand.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The deployment depended upon how complex the application was. If it was a very, very complex, customized application, then it would have to be instrumented by a DevOps professional that we provided. If it was a very simplistic or basic vanilla-type framework, as far as the application's concerned, then the customer could do it easily themselves.

    What about the implementation team?

    There was no need for an integrator, reseller, or consultant. None of that was required or needed, or ever actually even requested. The only reason why any one of a particular stature would actually be part of the process was if they were under contract with that particular corporation or company. Otherwise, the organization provided the appropriate professional services, again, as a benefit to the customer to help ensure their success in using the technology.

    What's my experience with pricing, setup cost, and licensing?

    Annually, the typical application scanning cost/setup would run anywhere from $75k to 150k, but that was dependent on the specific scanning requirements. 

    There were no additional operating costs. There was a requirement or a request as a best practice for us to provide the appropriate professional services or implementation services to ensure that the product got off the ground by the time the licenses were purchased. 

    What other advice do I have?

    I’d rate the solution eight out of ten based on ease of use, configuration, customer service, and response time. There are other products out there that are provided as a service where they will go, and you push a button, they collect the data, they review the data, yet there's no specific standard license agreement or SLA that says they're supposed to get back to you within a particular moment of time. Everything that Checkmarx does is instantaneous.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Cybersecurity at a transportation company with 1,001-5,000 employees
    Real User
    Top 20
    No need to compile the code to execute static code analysis, but should be more container-friendly and optimized for the CI pipeline
    Pros and Cons
    • "I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
    • "They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."

    What is our primary use case?

    I am using it for software assurance focused on security. I am using its latest version.

    How has it helped my organization?

    I use both the static code analysis and the open-source analysis engine. It gives visibility into weaknesses and the software that may be there in the source code and static analysis. It also gives some insights into the open source vulnerabilities that may be there in the codebase.

    What is most valuable?

    I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy. Typically when using SCA tools on C/C++ and C# you must compile the software for SCA to work. CX doesn't require any compilation due to the way the tool does synthetic compilation to help find errors in code. Many times third-party assurance providers don't have all the files to compile, so CX comes in handy.

    What needs improvement?

    They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server.

    I had several issues with the installation. It should just work out of the box.

    For how long have I used the solution?

    I have been using it off and on for about a year.

    What do I think about the stability of the solution?

    I've run into a few bugs here and there, but I would recommend installing on a virtual machine and snapshotting a working install.

    What do I think about the scalability of the solution?

    My setup is standalone. They do have a scalable version, but it's not something I need.

    We're not using it a lot. Its usage is once a month. The way our organization works is that we don't do static code analysis every day. It's more on an as-needed basis. So, it's no fault of the Checkmarx tool. It's just not something that we've been working on.

    How are customer service and support?

    They were pretty good. I would rate them a four out of five, but I was using their salespeople. It wasn't their traditional tech support, so I can't really evaluate their traditional tech support. When they're selling something, they give you a lot more service instead of having to go through the support system.

    Which solution did I use previously and why did I switch?

    I still use other tools, so I just added it to the tool chest. I have Fortify, CodeSonar, etc., and I added Checkmarx as a different tool.

    How was the initial setup?

    I installed it. It's straightforward to install, but I had several issues with the installation. I don't know if it was with my environment or not. If it works properly, it's a simple install, but in my example, it did not work right off the bat. There was some troubleshooting that had to go on, which was a little frustrating.

    It took weeks. It required back and forth communication with support for a couple of days, but I wasn't actively working on it for days. I would run into a bug, send the log file, and go back and forth. It wasn't anything crazy, but it was a little frustrating. It should just work out of the box. It should be pretty straightforward where you just click the installer and go, but it wasn't.

    What about the implementation team?

    It was implemented in-house, and then I had to call support when needed.

    In terms of maintenance, it is pretty self-sustaining. You update it whenever it needs to be updated.

    What was our ROI?

    There hasn't been much return yet because we haven't used it much, but I have enough faith in it that I committed to it for multiple years. We are starting to use it more, but not enough to state ROI yet.

    What other advice do I have?

    I would rate it a seven out of ten. It's not the best tool on the market, but it provides some good capability for what it is.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
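The review above makes the point that Checkmarx runs static analysis on uncompiled source. To make that concrete, here is an added example of the mechanism, written for this page and not taken from Checkmarx or the reviewer: a toy source-to-sink taint scan that only parses Python text with the standard `ast` module and never compiles, imports or executes it. The source list, sink list and the sample program it scans are all constructed for illustration.

```python
"""Toy source-to-sink taint scan over uncompiled Python (added example, not Checkmarx code)."""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed, illustrative source and sink lists. A real SAST engine ships
# thousands of these per language; the mechanism is the same.
SOURCES = {"input", "request.args.get", "request.form.get", "os.environ.get"}
SINKS = {
    "os.system": "command injection",
    "subprocess.call": "command injection",
    "eval": "code injection",
    "cursor.execute": "SQL injection",
}


@dataclass
class Finding:
    line: int
    sink: str
    category: str
    expr: str  # the tainted expression that reached the sink


def _dotted(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_tainted(expr: ast.AST, tainted: set) -> bool:
    """True if expr is a tainted name, a source call, or is built from tainted parts."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        if _dotted(expr.func) in SOURCES:
            return True
        # str(x), x.strip(), "{}".format(x): taint propagates through the call
        if isinstance(expr.func, ast.Attribute) and _is_tainted(expr.func.value, tainted):
            return True
        return any(_is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.JoinedStr):  # f-string
        return any(isinstance(v, ast.FormattedValue) and _is_tainted(v.value, tainted)
                   for v in expr.values)
    if isinstance(expr, ast.BinOp):  # "echo " + user, "..." % user
        return _is_tainted(expr.left, tainted) or _is_tainted(expr.right, tainted)
    return False


class _TaintVisitor(ast.NodeVisitor):
    """Flow-insensitive pass in source order: remembers tainted names, checks sink calls."""

    def __init__(self) -> None:
        self.tainted: set = set()
        self.findings: List[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if _is_tainted(node.value, self.tainted):
            self.tainted.update(names)
        else:
            self.tainted.difference_update(names)  # reassignment from a clean value
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        # Only the first positional argument is the command/query string; later
        # arguments of cursor.execute are bound parameters, which is the safe form.
        if name in SINKS and node.args and _is_tainted(node.args[0], self.tainted):
            self.findings.append(Finding(node.lineno, name, SINKS[name], ast.unparse(node.args[0])))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse the text and scan it; nothing is compiled, imported or executed."""
    visitor = _TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample program under test (never run, only parsed).
SAMPLE = '''\
import os
user = input("name: ")
os.system("echo " + user)
uid = request.args.get("id")
cursor.execute("SELECT * FROM users WHERE id = " + uid)
cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
safe = "ls -l"
os.system(safe)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.category} via {f.sink}({f.expr})")
```

The sample never needs `request` or `cursor` to exist, which is exactly why this style of analysis works on partial code bases: lines 3 and 5 are reported, the parameterised query on line 6 is not, and the reassignment of `safe` from a constant shows the simplest form of sanitisation a scanner can recognise. The pass is flow-insensitive and does not follow augmented assignments or calls across functions, so it over- and under-reports in ways a commercial engine is built to avoid.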
    Souhardyya Biswas - PeerSpot reviewer
    Software Engineer at a manufacturing company with 10,001+ employees
    Real User
    Top 10
    Developer-friendly and reliable but a non-developer may struggle
    Pros and Cons
    • "It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx."
    • "Checkmarx has a slightly difficult compilation with the CI/CD pipeline."

    What is our primary use case?

    We are currently using the solution for scanning vulnerabilities. 

    What is most valuable?

    Checkmarx is more developer friendly. Developers are aware of how to use Checkmarx. It's not too complicated, and they can understand what the problem is in their code, and it helps them to write secure code. That's a big thing. It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx. That's the main positive point.

    What needs improvement?

    A non-developer may struggle with the solution. 

    Codebashing is the learning platform that comes bundled with Checkmarx. The thing with Codebashing is that they give you tips on how to write secure code. However, I saw other developers complain about this. Instead of telling you what the good practices are, it would be more helpful, when we are writing the code, alongside that code, to have Codebashing tell us where exactly we are going wrong and how to help secure code and if there are specific scenarios we should be considering. Basically, the integration needs to be better. 

    There's a general lack of space. 

    Checkmarx has a slightly difficult compilation with the CI/CD pipeline. If it could be easily integrated into the CI/CD pipeline, then it would be much easier for developers rather than being an extra step that developers have to take to make the code secure. 

    For how long have I used the solution?

    We've used the solution since 2019.

    What do I think about the stability of the solution?

    The solution is stable and reliable. There are no bugs or glitches. It doesn't crash or freeze.

    What do I think about the scalability of the solution?

    In general, it can scale. 

    There are certain scenarios where scalability becomes an issue. I can't really give any examples, however, while it can scale, there may be hiccups. 

    We may have up to a few hundred users on the solution. 

    How are customer service and support?

    As far as I'm aware, there is a team at Checkmarx that we can contact and they are there to help us with some basic queries. It's not continuous support. It's more like they're there on the side, and we can contact them as and when required.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We have used and looked at a mix of options, including Veracode and FOSSA.

    Right now, I don't really have a competing vendor in my company, so I can't compare. More importantly, I don't have that much experience with others to compare anything accurately.

    How was the initial setup?

    I did not handle the initial setup and, therefore, cannot speak to how easy or difficult the process would be. 

    What's my experience with pricing, setup cost, and licensing?

    The licensing is okay. I'd rate it 3.7 out of five. It is moderately priced yet not overly expensive. 

    What other advice do I have?

    Right now, we are partners.

    We have the solution deployed in the cloud and on-premises. It's a hybrid setup.

    I'd rate the solution seven out of ten.

    I'd recommend the product to other users. 

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Peter Ejiofor - PeerSpot reviewer
    Chief Executive Officer at Ethnos ITSolutions
    Reseller
    Top 5 Leaderboard
    Integrates well, overall good functionality, and highly reliable
    Pros and Cons
    • "The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
    • "Checkmarx could improve by reducing the price."

    What is our primary use case?

    Checkmarx is a source code application for development, which means from the source code level, you can use Checkmarx to detect your coding errors, and to detect vulnerabilities that could have come from the different tools that you were using to develop your application. At the source code level, you can prevent the weaknesses that the application can carry on the journey of its development and use.  

    Checkmarx helps the users to have a secure coding environment and experience, and a secure source code level of application. That main application can leverage or improve the service delivery to customers.

    What is most valuable?

    The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera. 

    The software languages that they support are one of the largest in the market.

    What needs improvement?

    Checkmarx could improve by reducing the price.

    For how long have I used the solution?

    I have been using Checkmarx within the past 12 months.

    What do I think about the stability of the solution?

    Checkmarx has been stable in my usage and I'm confident to recommend it to anybody.

    What do I think about the scalability of the solution?

    Checkmarx is very scalable. It can run for a small and large organizations.

    How are customer service and support?

    The technical support is good.

    I rate the support from Checkmarx a four out of five.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The initial setup of Checkmarx is easy.

    I rate the initial setup of Checkmarx a four out of five.

    What about the implementation team?

    We use one engineer with the help of Checkmarx for support and deployment.

    What's my experience with pricing, setup cost, and licensing?

    The price of Checkmarx could be reduced to match their competitors, it is expensive.

    What other advice do I have?

    I strongly recommend Checkmarx to others. I have sold the solution for nearly eight years, and I'm not aware of any major complaints that the users have that could not be resolved.

    I rate Checkmarx an eight out of ten.

    The Checkmarx application is a live wire of technology delivery, and if your application is vulnerable, then the asset that your acquisition will run will also suffer vulnerability. Providing the scanning ability that shows the errors at the source code level is critical to have effective development of any critical application.

    I would recommend Checkmarx eight because it's very critical and integral to the improvement of technology and cyber security today. It's a critical tool in protecting cyberspace, your asset in cyberspace, and an application that runs nearly all human life today. Everything is driven by technology and application.

    Disclosure: My company has a business relationship with this vendor other than being a customer:
    PeerSpot user
    KannanPadmanabhan - PeerSpot reviewer
    Senior Software Engineering Manager at a financial services firm with 10,001+ employees
    Real User
    Top 20
    Used for static comprehension testing and helps us detect vulnerabilities early
    Pros and Cons
    • "The administration in Checkmarx is very good."
    • "We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level."

    What is our primary use case?

    We mainly use this solution for static comprehension testing.

    How has it helped my organization?

    We use it for non-functional insight because it's a security vulnerability scanner. We can use Checkmarx for scanning anytime on our code base. We integrated that as part of our build pipeline, and it helps us detect issues early. We have piloted it in a few applications for the shift of testing. From a metric perspective, I am unsure how we benefited in terms of quantifiable data, but we did benefit.

    What is most valuable?

    The administration in Checkmarx is very good. You can create specific teams which give you access to specific projects.

    What needs improvement?

    The benefits could be improved. We are a banking company, so we focus on security. We use Checkmarx for multiple applications, and IAST, interactive application security testing, is something Checkmarx claims to offer; however, we have not explored it yet.

    We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level. We want an option to group several projects and view them at a business level. Additional features could include a comprehensive dashboard and secret scanning capabilities.

    For how long have I used the solution?

    We have been using this solution for four years. It is deployed on-premises.

    What do I think about the stability of the solution?

    I rate the stability a six out of ten. We've had some stability issues, which may have been because of how we deployed the solution. When multiple scans are running in multiple applications, it closes down. This also happens where there is a large code base. After it runs for about 35 minutes, it abruptly closes. We have been discussing this issue with the Checkmarx team for it to be fixed.

    What do I think about the scalability of the solution?

    I rate the scalability a six out of ten, and we have 100 staff engineers using this solution.

    How are customer service and support?

    Our Checkmarx team interacts with their technical support.

    Which solution did I use previously and why did I switch?

    I've used Veracode, and there isn't a big difference between both solutions.

    How was the initial setup?

    I rate the initial setup a seven out of ten. When we integrated it, we built a pipeline, which was done by a separate DevOps team. Checkmarx is installed at the enterprise level, and we have a Checkmarx Dev team that runs the solution.

    What other advice do I have?

    I rate this solution an eight out of ten. I would recommend going for a piloting approach. With Checkmarx, you have different presets and can determine the security vulnerability standard. Also, check the stability before proceeding with the adoption.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Penetration Tester & Information Security Expert at a comms service provider with 11-50 employees
    Real User
    Responsive support, useful code-checking module, and high availability
    Pros and Cons
    • "The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful."
    • "Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not."

    What is our primary use case?

    Checkmarx is used to check the code from programmers and vulnerabilities in third-party software.

    Checkmarx can be deployed on the cloud and on-premise. However, it depends on the version.

    How has it helped my organization?

    Checkmarx detected code sections that did not adhere to best practices. After being informed, the programmers were able to rectify some of the issues. Without Checkmarx, it is unlikely we would have identified these issues.

    Utilizing the SCA module, I gained valuable insights into the vulnerabilities present in open-source Python libraries that individuals desire to use. As an information security consultant, I advise against employing Python libraries that contain known vulnerabilities. The SCA solution proved to be helpful in this regard.

    What is most valuable?

    The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful.

    What needs improvement?

    Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not. 

    In a future release, the SCA module could have better documentation. It was difficult to know how to check the names of all the modules. It took me a lot of time and I needed help to be able to write the requirements file. More clarification would be helpful in the documentation, such as examples.

    For how long have I used the solution?

    I have been using Checkmarx for approximately six months.

    What do I think about the stability of the solution?

    The stability is great.

    I rate the stability of Checkmarx a ten out of ten.

    What do I think about the scalability of the solution?

    The scalability of the solution is great. Everything I send to the solution is processed quickly.

    We have five information security analysts and programmers using this solution.

    We plan to increase our usage. We will install it on more networks.

    I rate the scalability of Checkmarx a ten out of ten.

    How are customer service and support?

    I found someone in the evening that logged in and answered my issues. They are responsive.

    I rate the support of Checkmarx a ten out of ten.

    How would you rate customer service and support?

    Positive

    What other advice do I have?

    We have one person for the maintenance of the solution but it is minimal and is not a full-time job.

    I would advise others to ask for a demo of the solution and if it works well for their use case then purchase it.

    I rate Checkmarx a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: consultant
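The SCA workflow the reviewer above describes (feeding a Python requirements file to a scanner and being told which pinned open-source libraries carry known vulnerabilities) reduced to its core, as an added example that is neither Checkmarx's code nor the reviewer's. The requirements text and the advisory list are constructed for the illustration; the advisory identifiers are placeholders, not real CVEs, and a real tool would consult a curated advisory feed and a full PEP 440 version parser instead of the simplified numeric comparison used here.

```python
"""Minimal software-composition check over a Python requirements file.

Added illustration only. It parses pinned requirements, normalises package
names, and flags any pin that falls inside a constructed vulnerable range.
Unpinned requirements are reported separately because they cannot be
matched to a single version.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample requirements file (not from any real project).
SAMPLE_REQUIREMENTS = """\
# web stack
requests==2.25.0
Flask[async]==2.0.1   # extras are ignored for matching
pyyaml==5.3.1
cryptography>=41.0.0  # unpinned: cannot be matched to a single version
numpy==1.24.3
-r other-requirements.txt
"""

# Constructed advisory list: (package, first_vulnerable, first_fixed, id).
# Versions and identifiers are illustrative placeholders, NOT real CVEs.
SAMPLE_ADVISORIES = [
    ("requests", "2.0.0", "2.26.0", "EXAMPLE-ADV-0001"),
    ("pyyaml", "0", "5.4", "EXAMPLE-ADV-0002"),
    ("flask", "2.0.0", "2.0.2", "EXAMPLE-ADV-0003"),
]

# name, optional [extras], optional operator, optional version
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*"
    r"(==|>=|<=|~=|>|<|!=)?\s*([0-9][0-9A-Za-z.]*)?"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -/_/. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only version parse; pre-release suffixes are dropped (simplification)."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, Optional[str]]:
    """Return {normalised name: pinned version, or None if not pinned with ==}."""
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-"):  # skip blanks and -r/-e options
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, _extras, op, ver = m.groups()
        pins[normalize_name(name)] = ver if op == "==" else None
    return pins


def find_vulnerable(pins, advisories):
    """Return (package, pinned version, advisory id) for each pin in a vulnerable range."""
    findings = []
    for pkg, lo, hi, adv_id in advisories:
        ver = pins.get(normalize_name(pkg))
        if ver is None:
            continue
        v = parse_version(ver)
        if parse_version(lo) <= v < parse_version(hi):
            findings.append((normalize_name(pkg), ver, adv_id))
    return findings


def unpinned(pins):
    """Packages that could not be matched because no exact pin was given."""
    return sorted(n for n, v in pins.items() if v is None)


if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    for pkg, ver, adv in find_vulnerable(pins, SAMPLE_ADVISORIES):
        print(f"VULNERABLE {pkg}=={ver} ({adv})")
    for pkg in unpinned(pins):
        print(f"UNPINNED   {pkg}: pin an exact version so it can be checked")
```

The two output classes mirror what the reviewer found useful: a finding for each pinned library inside a vulnerable range, and a separate list of requirements the tool could not assess because they were not pinned, which is the usual reason a first SCA pass needs the requirements file tidied up.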
    PeerSpot user
    Senior Engineer at a computer software company with 5,001-10,000 employees
    Real User
    Top 10
    Requires in-depth knowledge of coding and bad stability
    Pros and Cons
    • "The only thing I like is that Checkmarx does not need to compile."
    • "Checkmarx is not good because it has too many false positive issues."

    What is our primary use case?

    It is used for scanning for some other purposes. We needed Checkmarx to figure out some OWASP top ten issues in the code.

    What is most valuable?

    The only thing I like is that Checkmarx does not need to compile. That's a good feature.

    What needs improvement?

    Checkmarx is not good because it has too many false positive issues. The software does not understand the code very well. It does not handle the process very well and misunderstands the logic, resulting in too many false positives. As per my experience, more than 80% of the issues are false positives, and it takes too much time to figure out which ones are true and which ones are false positives. 

    Therefore, this is one of the areas of improvement for Checkmarx. It requires in-depth knowledge of the coding. 

    For how long have I used the solution?

    I have been using Checkmarx for more than a year. We are using the latest version. 

    What do I think about the stability of the solution?

    I would rate it as four because the scanning engine can crash sometimes.

    What do I think about the scalability of the solution?

    I would rate scalability a three out of ten. 

    How are customer service and support?

    The technical support is not good because they charge an extra fee. If we pay them on a call basis, they will charge extra. We can only give them emails; if we have a problem, it takes over half a year to fix the issue. They're just too slow.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    The deployment is easy, but it may take around half an hour or even more because the software is huge. Also, good hardware performance is required, such as big memory and disk space.

    It requires a lot of disk space and good hardware performance, and the speed is slow.

    What about the implementation team?

    The deployment is pretty tough to do by myself.

    What's my experience with pricing, setup cost, and licensing?

    It's expensive. I would give it a four out of ten.

    Which other solutions did I evaluate?

    We just calculated the speed of Checkmarx; it is around 40 lines of code per second. It's too slow, so we now use a Chinese software called XCheck, which is much better. It can scan around 2,000 or 5,000 lines per second, depending on the code complexity. XCheck is a product of a Chinese company called Tencent.

    What other advice do I have?

    Overall, I would rate the solution a three out of ten. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    System Engineer at a tech vendor with 10,001+ employees
    Real User
    Top 20
    Easy to use, configurable, and has all the features we need
    Pros and Cons
    • "It has all the features we need."
    • "The validation process needs to be sped up."

    What is our primary use case?

    We use the solution on a developing project. Before we bring the code to production, we have to ensure its quality, and we use this solution. 

    What is most valuable?

    It's easy to use. The configuration is easy. 

    It has all the features we need. 

    What needs improvement?

    We haven't had any issues with the solution so far. It is not missing any features. 

    It takes too much time to check the code. The validation process needs to be sped up. 

    There have been some configuration issues. We sometimes have failures. 

    For how long have I used the solution?

    I've been using the solution for two and a half years at this point. 

    What do I think about the stability of the solution?

    We've had to deal with errors. When we blacklist or whitelist, we do have some issues. There are a few configuration issues. I'd rate the stability seven out of ten. It could be improved. 

    What do I think about the scalability of the solution?

    I can't speak to the scalability. I don't deal with scaling. The usage is limited. We aren't attempting to expand it. We only do two to three processes at the same time. 

    How are customer service and support?

    Technical support is okay. We are mostly happy with the help we get. We can directly connect with them.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I'm also using SonarQube.

    How was the initial setup?

    I did not handle the deployment directly. We have a team that manages the tool. I'm not aware of how many people are needed to maintain and deploy the solution. 

    What's my experience with pricing, setup cost, and licensing?

    I don't deal with the pricing directly. I don't know the exact cost. 

    What other advice do I have?

    I'm a customer and end-user.

    I would recommend the solution to other users. I'd rate the solution eight out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Buyer's Guide
    Download our free Checkmarx Report and get advice and tips from experienced pros sharing their opinions.
    Updated: June 2023