Checkmarx Reviews

When something happens in a test, then you need to know why. In many cases, you would have to run a scan and find all the problems, and then hand that off to development and have development go back and rewrite that code. If you had an issue with a particular aspect where you have a limited amount of personnel or knowledgeable personnel, based on the language that an application was written in, well, then you would need some type of assistance in order to rewrite that code in that particular language, with the limited knowledge that developer might have had. I assisted with that and helped with educating the developer on how to write that code. It was a two-pronged effort.

The number one use case would be a failed PEN test. Number two would be, "Hey, we have a waterfall DEV approach to our SDLC today. We want to become more agile around speed and quality of code." That would be the second. The third would be able to provide an appropriate availability of knowledge for training developers in secure coding.

Being able to have the breadth and depth of different kinds of support for different languages is excellent & many other solutions require you to compile the code prior to the scan, with CxSAST there is no need to compile code for a static analysis. If you didn't support a particular language that an application was written in, whether it was legacy code or a new agile code like Scala, JScript, PLSQL, or whatever, well, then you didn't get the business. If you were an organization that converted its SDLC from waterfall to agile, then you're going to need the ability to support multiple languages, even if they're not part of the company, thanks to that agility, that approach, that methodology. Supporting different languages was a high priority of the client.

The interactive application security testing, or IAST, where code scans are being ran on an application that lives in a runtime environment on a server or virtual machine, needs improvement.

There was limited support from different languages. It didn't support everything under the sun, so you would lose revenue since you didn't have support for Scala or some other language that your developer was fluent in. They needed to improve on language support. That is about it, really.

The dev team did everything that they said they were going to do. If they said they were going to hit a mark, they'd hit a mark. That release would come out. Typically, they would do four major releases a year, quarterly, with two-point releases in between, or based on any additional hotfixes that may be needed. In most cases, however, IAST was the part of the product that needed to be improved the most.

Codebashing is a really cool product from the aspect of teaching developers how to write secure code. However, it would be even cooler if you could not only point out and teach someone how to do it while also making the appropriate recommendation on how to rewrite the code itself, using machine learning or AI. Instead of you, the developer learning how to do it and then writing the code yourself, it'd be cooler if you could push a button, have it analyzed, scans the code, find the code, find the issue within the line of code, and then go ahead and automatically rewrite that code for you. Then, by repetition, it just teaches you through muscle memory how to do that as opposed to, "Hey, you've found this problem. This is where the problem's located, within this particular line of code." Right now, do you know how to rewrite Java? Well, if you're not familiar with how to do that, then go push on this button. Now, take this test and go through this exercise.” It doesn't make a recommendation. It's not like providing a script that fixes the problem. It's just teaching you on how to write the code in that form in that manner.

I’ve used the solution for about two or two and a half years. I worked directly with the company. However, I left about a year or a year and a half ago.

The SAST component was absolutely 100% stable. The SCA product is also very extremely stable. In fact, they leverage each other in a way that it complements the overall use. It gives the user a high-level view, a 10,000-foot view with the ability to see more under a magnifying glass if you think about it from high to low.

The other components, such as IAST and the Codebashing technology, and the developer education technology, it was all integrated with radio buttons and such. I never really had any customer or client, or anyone complains, or ever come to me and say, "Hey, look, the implementation that we completed last week, it's crashed on us," or anything that would show it to be less than stable.

Have there been instances specifically where a new customer came to us and didn't have something turned on? Yes. Is there an instance where a customer might have had something configured wrong based on frequency, scanning frequency, or the depth of how deep they need to scan within the lines of code? Yes. Those were all configuration modifications that were needed. However, it was a misconception thinking that maybe it was unstable, when in fact, just a few things needed to be tweaked.

With the largest installation scanning billions of lines of code each day, there are no known limitations of what the product can do, as long as the appropriate resources are allocated for the specific requirements. 

They have a customer success team and a customer success manager, and that's the liaison between the Development Team, Support Team, and the customer. That way, you're not sending an email to a black hole. It's not going to go into a queue where it goes to a black hole of 3,000 or 4,000 emails across the entire world. If that happened, you would have to sit there and wait for some type of response or appropriate time to hear from them. Instead, it goes to someone who's actually assigned to the account as a liaison to bring in the resources needed to help with whatever issue is on hand.

Positive

The deployment depended upon how complex the application was. If it was a very, very complex, customized application, then it would have to be instrumented by a DevOps professional that we provided. If it was a very simplistic or basic vanilla-type framework, as far as the application's concerned, then the customer could do it easily themselves.

There was no need for an integrator, reseller, or consultant. None of that was required or needed, or ever actually even requested. The only reason why any one of a particular stature would actually be part of the process was if they were under contract with that particular corporation or company. Otherwise, the organization provided the appropriate professional services, again, as a benefit to the customer to help ensure their success in using the technology.

Annually, the typical application scanning cost/setup would run anywhere from $75k to 150k, but that was dependent on the specific scanning requirements. 

There were no additional operating costs. There was a requirement or a request as a best practice for us to provide the appropriate professional services or implementation services to ensure that the product got off the ground by the time the licenses were purchased. 

I’d rate the solution eight out of ten based on ease of use, configuration, customer service, and response time. There are other products out there that are provided as a service where they will go, and you push a button, they collect the data, they review the data, yet there's no specific standard license agreement or SLA that says they're supposed to get back to you within a particular moment of time. Everything that Checkmarx does is instantaneous.

I am using it for software assurance focused on security. I am using its latest version.

I use both the static code analysis and the open-source analysis engine. It gives visibility into weaknesses and the software that may be there in the source code and static analysis. It also gives some insights into the open source vulnerabilities that may be there in the codebase.

I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy. Typically when using SCA tools on C/C++ and C# you must compile the software for SCA to work. CX doesn’t require any compilation due to the way the tool does synthetic compilation to help find errors in code. Many times 3rd party assurance providers don’t have all the files to compile so CX comes in handy. 

They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server.

I had several issues with the installation. It should just work out of the box.

I have been using it off and on for about a year.

I've run into a few bugs here and there but i would recommend installing on virtual machine and snapshoting a working install. 

My setup is standalone. They do have a scalable version, but it's not something I need.

We're not using it a lot. Its usage is once a month. The way our organization works is that we don't do static code analysis every day. It's more on an as-needed basis. So, it's no fault of the Checkmarx tool. It's just not something that we've been working on.

They were pretty good. I would rate them a four out of five, but I was using their salespeople. It wasn't their traditional tech support, so I can't really evaluate their traditional tech support. When they're selling something, they give you a lot more service instead of having to go through the support system.

I still use other tools, so I just added it to the tool chest. I have Fortify, CodeSonar, etc  and I added Checkmarx as a different tool.

I installed it. It's straightforward to install, but I had several issues with the installation. I don't know if it was with my environment or not. If it works properly, it's a simple install, but in my example, it did not work right off the bat. There was some troubleshooting that had to go on, which was a little frustrating.

It took weeks. It required back and forth communication with support for a couple of days, but I wasn't actively working on it for days. I would run into a bug, send the log file, and go back and forth. It wasn't anything crazy, but it was a little frustrating. It should just work out of the box. It should be pretty straightforward where you just click the installer and go, but it wasn't.

It was implemented in-house, and then I had to call support when needed.

In terms of maintenance, it is pretty self-sustaining. You update it whenever it needs to be updated.

There hasn't been much return yet because we haven't used it much, but I have enough faith in it that I committed to it for multiple years. We are starting to use it more but not enough to state ROI yet

I would rate it a seven out of ten. It's not the best tool on the market, but it provides some good capability for what it is.

We are currently using the solution for scanning vulnerabilities. 

Checkmarx is more developer friendly. Developers are aware of how to use Checkmarx. It's not too complicated, and they can understand what the problem is in their code, and it helps them to write secure code. That's a big thing. It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx. That's the main positive point.

A non-developer may struggle with the solution. 

Codebashing is the learning platform that comes bundled with Checkmarx. The thing with Codebashing is that they give you tips on how to write secure code. However, I saw other developers complain about this. Instead of telling you what the good practices are, it would be more helpful, when we are writing the code, alongside that code, to have Codebashing tell us where exactly we are going wrong and how to help secure code and if there are specific scenarios we should be considering. Basically, the integration needs to be better. 

There's a general lack of space. 

Checkmarx has a slightly difficult compilation with the CI/CD pipeline. If it could be easily integrated into the CI/CD pipeline, then it would be much easier for developers rather than being an extra step that developers have to take to make the code secure. 

We've used the solution since 2019.

The solution is stable and reliable. There are no bugs or glitches. It doesn't crash or freeze.

In general, it can scale. 

There are certain scenarios where scalability becomes an issue. I can't really give any examples, however, while it can scale, there may be hiccups. 

We may have up to a few hundred users on the solution. 

As far as I'm aware, there is a team at Checkmarx that we can contact and they are there to help us with some basic queries. It's not continuous support. It's more like they're there on the side, and we can contact them as and when required.

Positive

We have used and looked at a mix of options, including Veracode and FOSSA.

Right now, I don't really have a competing vendor in my company, so I can't compare. More importantly, I don't have that much experience with others to compare anything accurately.

I did not handle the initial setup and, therefore, cannot speak to how easy or difficult the process would be. 

The licensing is okay. I'd rate it 3.7 out of five. It is moderately priced yet not overly expensive. 

Right now, we are partners.

We have the solution deployed in the cloud and on-premises. It's a hybrid setup.

I'd rate the solution seven out of ten.

I'd recommend the product to other users. 

Checkmarx is a source code application for development, which means from the source code level, you can use Checkmarx to detect your coding errors, and to detect vulnerabilities that could have come from the different tools that you were using to develop your application. At the source code level, you can prevent the weaknesses that the application can carry on the journey of its development and use.  

Checkmarx helps the users to have a secure coding environment and experience, and a secure source code level of application. That main application can leverage or improve the service delivery to customers.

The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera. 

The software languages that they support are one of the largest in the market.

Checkmarx could improve by reducing the price.

I have been using Checkmarx within the past 12 months.

Checkmarx has been stable in my usage and I'm confident to recommend it to anybody.

Checkmarx is very scalable. It can run for a small and large organizations.

The technical support is good.

I rate the support from Checkmarx a four out of five.

Positive

The initial setup of Checkmarx is easy.

I rate the initial setup of Checkmarx a four out of five.

We use one engineer with the help of Checkmarx for support and deployment.

The price of Checkmarx could be reduced to match their competitors, it is expensive.

I strongly recommend Checkmarx to others. I have sold the solution for nearly eight years, and I'm not aware of any major complaints that the users have that could not be resolved.

I rate Checkmarx an eight out of ten.

The Checkmarx application is a live wire of technology delivery, and if your application is vulnerable, then the asset that your acquisition will run will also suffer vulnerability. Providing the scanning ability that shows the errors at the source code level is critical to have effective development of any critical application.

I would recommend Checkmarx eight because it's very critical and integral to the improvement of technology and cyber security today. It's a critical tool in protecting cyberspace, your asset in cyberspace, and an application that runs nearly all human life today. Everything is driven by technology and application.

We mainly use this solution for static comprehension testing.

We use it for non-functional insight because it's a security vulnerability scanner. We can use Checkmarx for scanning anytime on our code base. We integrated that as part of our build-a-pipeline, and it helps us detect early. We have piloted in few applications for the shift of testing. From a metric perspective, I am unsure how we benefited from the quantifiable data, but we did benefit.

The administration in Checkmarx is very good. You can create specific teams which give you access to specific projects.

The benefits could be improved. We are a banking company, so we focus on security. We use Checkmarx for multiple applications, and IAST is an interactive application security testing that Checkmarx claims; however, we have not explored it yet.

We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level. We want an option to group several projects and view them at a business level. Additional features could include a comprehensive dashboard and secret scanning capabilities.

We have been using this solution for four years. It is deployed on-premises.

I rate the stability a six out of ten. We've had some stability issues, which may have been because of how we deployed the solution. When multiple scans are running in multiple applications, it closes down. This also happens where there is a large code base. After it runs for about 35 minutes, it abruptly closes. We have been discussing this issue with the Checkmarx team for it to be fixed.

I rate the scalability a six out of ten, and we have 100 staff engineers using this solution.

Our Checkmarx team interacts with their technical support.

I've used Veracode, and there isn't a big difference between both solutions.

I rate the initial setup a seven out of ten. When we integrated it, we built a pipeline, which was done by a separate DevOps team. Checkmarx is installed at the enterprise level, and we have a Checkmarx Dev team that runs the solution.

I rate this solution an eight out of ten. I would recommend going for a piloting approach. With Checkmarx, you have different presets and can determine the security vulnerability standard. Also, check the stability before proceeding with the adoption.

Checkmarx is used to check the code from programmers and vulnerabilities in third-party software.

Checkmarx can be deployed on the cloud and on-premise. However, it depends on the version.

Checkmarx detected code sections that did not adhere to best practices. After being informed, the programmers were able to rectify some of the issues. Without Checkmarx, it is unlikely we would have identified these issues.

Utilizing the SCA module, I gained valuable insights into the vulnerabilities present in open-source Python libraries that individuals desire to use. As an information security consultant, I advise against employing Python libraries that contain known vulnerabilities. The SCA solution proved to be helpful in this regard.

The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful.

Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not. 

In a future release, the SCA module could have better documentation. It was difficult to know how to check the names of all the modules. It took me a lot of time and I needed help to be able to write the requirements file. More clarification would be helpful in the documentation, such as examples.

I have been using Checkmarx for approximately six months.

The stability is great.

I rate the stability of Checkmarx a ten out of ten.

The scalability of the solution is great. Everything I send to the solution is processed quickly.

We have five information security analysts and programmers using this solution.

We plan to increase our usage. We will install it on more networks.

I rate the scalability of Checkmarx a ten out of ten.

I found someone in the evening that logged in and answered my issues. They are responsive.

I rate the support of Checkmarx a ten out of ten.

Positive

We have one person for the maintenance of the solution but it is minimal and is not a full-time job.

I would advise others to ask for a demo of the solution and if it works well for their use case then purchase it.

I rate Checkmarx a nine out of ten.

It is used for scanning for some other purposes. We needed Checkmarx to figure out some OS top ten issues in the codec.

The only thing I like is that Checkmarx does not need to compile. That's a good feature.

Checkmarx is not good because it has too many false positive issues. The software does not understand the code very well. It does not handle the process very well and misunderstands the logic, resulting in too many false positives. As per my experience, more than 80% of the issues are false positives, and it takes too much time to figure out which ones are true and which ones are false positives. 

Therefore, this is one of the areas of improvement for Checkmarx. It requires in-depth knowledge of the coding. 

I have been using Checkmarx for more than a year. We are using the latest version. 

I would rate it as four because the scanning engine can crash sometimes.

I would rate scalability a three out of ten. 

The technical support is not good because they charge an extra fee. If we pay them on a call basis, they will charge extra. We can only give them emails; if we have a problem, it takes over half a year to fix the issue. They're just too slow.

Neutral

The deployment is easy, but it may take around half an hour or even more because the software is huge. Also, good hardware performance is required, such as big memory and disk space.

It requires a lot of disk space and good hardware performance, and the speed is slow.

The deployment is pretty tough to do by myself.

It's expensive. I would give it a four out of ten.

We just calculated the speed of Checkmarx; it is around 40 lines of code per second. It's too slow, so we now use a Chinese software called XCheck, which is much better. It can scan around 2,000 or 5,000 lines per second, depending on the code complexity. XCheck is a product of a Chinese company called Tencent.

Overall, I would rate the solution a three out of ten. 

We use the solution on a developing project. Before we bring the code to production, we have to ensure its quality, and we use this solution. 

It's easy to use. The configuration is easy. 

It has all the features we need. 

We haven't had any issues with the solution so far. It is not missing any features. 

It takes too much time to check the code. The validation process needs to be sped up. 

There have been some configuration issues. We sometimes have failures. 

I've been using the solution for two and a half years at this point. 

We've had to deal with errors. When we blacklist or whitelist, we do have some issues. There are a few configuration issues. I'd rate the stability seven out of ten. It could be improved. 

I can't speak to the scalability. I don't deal with scaling. The usage is limited. We aren't attempting to expand it. We only do two to three processes at the same time. 

Technical support is okay. We are mostly happy with the help we get. We can directly connect with them.

Neutral

I'm also using SonarQube.

I did not handle the deployment directly. We have a team that manages the tool. I'm not aware of how many people are needed to maintain and deploy the solution. 

I don't deal with the pricing directly. I don't know the exact cost. 

I'm a customer and end-user.

I would recommend the solution to other users. I'd rate the solution eight out of ten.