IT Central Station is now PeerSpot: Here's why

Checkmarx OverviewUNIXBusinessApplication

Checkmarx is #2 ranked solution in AST tools and #4 ranked solution in application security solutions. PeerSpot users give Checkmarx an average rating of 7.6 out of 10. Checkmarx is most commonly compared to SonarQube: Checkmarx vs SonarQube. Checkmarx is popular among the large enterprise segment, accounting for 75% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 24% of all views.
Checkmarx Buyer's Guide

Download the Checkmarx Buyer's Guide including reviews and more. Updated: August 2022

What is Checkmarx?

Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that unites with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle to reduce and remediate risk from software vulnerabilities. Using Checkmarx, teams avoid software security vulnerabilities managed via a single and unified dashboard without slowing down their delivery schedule.

Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

Checkmarx Features

Some of Checkmarx’s features include:

  • Source code scanning: Detect and repair more vulnerabilities before you release your code.

  • Open-source scanning: Find and eliminate the risks in your open-source code.

  • Interactive code scanning: Scan for vulnerabilities and runtime threats.

  • Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

Reviews from Real Users

Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."

Checkmarx Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech

Case Study: Liveperson Implements Innovative Secure SDLC

Checkmarx Video

Checkmarx Pricing Advice

What users are saying about Checkmarx pricing:
  • "The average deal size was usually anywhere between $120K to $175K on an annual basis, which could be divided across 12 months."
  • "It's relatively expensive."
  • "The interface used to create custom rules comes at an additional cost."
  • "The price of Checkmarx could be reduced to match their competitors, it is expensive."
  • "Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
  • Checkmarx Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    ScottDenton - PeerSpot reviewer
    Senior regional manager at AppDome
    Real User
    Supports different languages, has excellent support, and easily expands
    Pros and Cons
    • "The SAST component was absolutely 100% stable."
    • "The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."

    What is our primary use case?

    When something happens in a test, then you need to know why. In many cases, you would have to run a scan and find all the problems, and then hand that off to development and have development go back and rewrite that code. If you had an issue with a particular aspect where you have a limited amount of personnel or knowledgeable personnel, based on the language that an application was written in, well, then you would need some type of assistance in order to rewrite that code in that particular language, with the limited knowledge that developer might have had. I assisted with that and helped with educating the developer on how to write that code. It was a two-pronged effort.

    The number one use case would be a failed PEN test. Number two would be, "Hey, we have a waterfall DEV approach to our SDLC today. We want to become more agile around speed and quality of code." That would be the second. The third would be able to provide an appropriate availability of knowledge for training developers in secure coding.

    What is most valuable?

    Being able to have the breadth and depth of different kinds of support for different languages is excellent & many other solutions require you to compile the code prior to the scan, with CxSAST there is no need to compile code for a static analysis. If you didn't support a particular language that an application was written in, whether it was legacy code or a new agile code like Scala, JScript, PLSQL, or whatever, well, then you didn't get the business. If you were an organization that converted its SDLC from waterfall to agile, then you're going to need the ability to support multiple languages, even if they're not part of the company, thanks to that agility, that approach, that methodology. Supporting different languages was a high priority of the client.

    What needs improvement?

    The interactive application security testing, or IAST, where code scans are being ran on an application that lives in a runtime environment on a server or virtual machine, needs improvement.

    There was limited support from different languages. It didn't support everything under the sun, so you would lose revenue since you didn't have support for Scala or some other language that your developer was fluent in. They needed to improve on language support. That is about it, really.

    The dev team did everything that they said they were going to do. If they said they were going to hit a mark, they'd hit a mark. That release would come out. Typically, they would do four major releases a year, quarterly, with two-point releases in between, or based on any additional hotfixes that may be needed. In most cases, however, IAST was the part of the product that needed to be improved the most.

    Codebashing is a really cool product from the aspect of teaching developers how to write secure code. However, it would be even cooler if you could not only point out and teach someone how to do it while also making the appropriate recommendation on how to rewrite the code itself, using machine learning or AI. Instead of you, the developer learning how to do it and then writing the code yourself, it'd be cooler if you could push a button, have it analyzed, scans the code, find the code, find the issue within the line of code, and then go ahead and automatically rewrite that code for you. Then, by repetition, it just teaches you through muscle memory how to do that as opposed to, "Hey, you've found this problem. This is where the problem's located, within this particular line of code." Right now, do you know how to rewrite Java? Well, if you're not familiar with how to do that, then go push on this button. Now, take this test and go through this exercise.” It doesn't make a recommendation. It's not like providing a script that fixes the problem. It's just teaching you on how to write the code in that form in that manner.

    For how long have I used the solution?

    I’ve used the solution for about two or two and a half years. I worked directly with the company. However, I left about a year or a year and a half ago.

    Buyer's Guide
    Checkmarx
    August 2022
    Learn what your peers think about Checkmarx. Get advice and tips from experienced pros sharing their opinions. Updated: August 2022.
    620,600 professionals have used our research since 2012.

    What do I think about the stability of the solution?

    The SAST component was absolutely 100% stable. The SCA product is also very extremely stable. In fact, they leverage each other in a way that it complements the overall use. It gives the user a high-level view, a 10,000-foot view with the ability to see more under a magnifying glass if you think about it from high to low.

    The other components, such as IAST and the Codebashing technology, and the developer education technology, it was all integrated with radio buttons and such. I never really had any customer or client, or anyone complains, or ever come to me and say, "Hey, look, the implementation that we completed last week, it's crashed on us," or anything that would show it to be less than stable.

    Have there been instances specifically where a new customer came to us and didn't have something turned on? Yes. Is there an instance where a customer might have had something configured wrong based on frequency, scanning frequency, or the depth of how deep they need to scan within the lines of code? Yes. Those were all configuration modifications that were needed. However, it was a misconception thinking that maybe it was unstable, when in fact, just a few things needed to be tweaked.

    What do I think about the scalability of the solution?

    With the largest installation scanning billions of lines of code each day, there are no known limitations of what the product can do, as long as the appropriate resources are allocated for the specific requirements. 

    How are customer service and support?

    They have a customer success team and a customer success manager, and that's the liaison between the Development Team, Support Team, and the customer. That way, you're not sending an email to a black hole. It's not going to go into a queue where it goes to a black hole of 3,000 or 4,000 emails across the entire world. If that happened, you would have to sit there and wait for some type of response or appropriate time to hear from them. Instead, it goes to someone who's actually assigned to the account as a liaison to bring in the resources needed to help with whatever issue is on hand.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The deployment depended upon how complex the application was. If it was a very, very complex, customized application, then it would have to be instrumented by a DevOps professional that we provided. If it was a very simplistic or basic vanilla-type framework, as far as the application's concerned, then the customer could do it easily themselves.

    What about the implementation team?

    There was no need for an integrator, reseller, or consultant. None of that was required or needed, or ever actually even requested. The only reason why any one of a particular stature would actually be part of the process was if they were under contract with that particular corporation or company. Otherwise, the organization provided the appropriate professional services, again, as a benefit to the customer to help ensure their success in using the technology.

    What's my experience with pricing, setup cost, and licensing?

    Annually, the typical application scanning cost/setup would run anywhere from $75k to 150k, but that was dependent on the specific scanning requirements. 

    There were no additional operating costs. There was a requirement or a request as a best practice for us to provide the appropriate professional services or implementation services to ensure that the product got off the ground by the time the licenses were purchased. 

    What other advice do I have?

    I’d rate the solution eight out of ten based on ease of use, configuration, customer service, and response time. There are other products out there that are provided as a service where they will go, and you push a button, they collect the data, they review the data, yet there's no specific standard license agreement or SLA that says they're supposed to get back to you within a particular moment of time. Everything that Checkmarx does is instantaneous.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Cybersecurity at a transportation company with 1,001-5,000 employees
    Real User
    No need to compile the code to execute static code analysis, but should be more container-friendly and optimized for the CI pipeline
    Pros and Cons
    • "I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
    • "They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."

    What is our primary use case?

    I am using it for software assurance focused on security. I am using its latest version.

    How has it helped my organization?

    I use both the static code analysis and the open-source analysis engine. It gives visibility into weaknesses and the software that may be there in the source code and static analysis. It also gives some insights into the open source vulnerabilities that may be there in the codebase.

    What is most valuable?

    I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy. Typically when using SCA tools on C/C++ and C# you must compile the software for SCA to work. CX doesn’t require any compilation due to the way the tool does synthetic compilation to help find errors in code. Many times 3rd party assurance providers don’t have all the files to compile so CX comes in handy. 

    What needs improvement?

    They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server.

    I had several issues with the installation. It should just work out of the box.

    For how long have I used the solution?

    I have been using it off and on for about a year.

    What do I think about the stability of the solution?

    I've run into a few bugs here and there but i would recommend installing on virtual machine and snapshoting a working install. 

    What do I think about the scalability of the solution?

    My setup is standalone. They do have a scalable version, but it's not something I need.

    We're not using it a lot. Its usage is once a month. The way our organization works is that we don't do static code analysis every day. It's more on an as-needed basis. So, it's no fault of the Checkmarx tool. It's just not something that we've been working on.

    How are customer service and support?

    They were pretty good. I would rate them a four out of five, but I was using their salespeople. It wasn't their traditional tech support, so I can't really evaluate their traditional tech support. When they're selling something, they give you a lot more service instead of having to go through the support system.

    Which solution did I use previously and why did I switch?

    I still use other tools, so I just added it to the tool chest. I have Fortify, CodeSonar, etc  and I added Checkmarx as a different tool.

    How was the initial setup?

    I installed it. It's straightforward to install, but I had several issues with the installation. I don't know if it was with my environment or not. If it works properly, it's a simple install, but in my example, it did not work right off the bat. There was some troubleshooting that had to go on, which was a little frustrating.

    It took weeks. It required back and forth communication with support for a couple of days, but I wasn't actively working on it for days. I would run into a bug, send the log file, and go back and forth. It wasn't anything crazy, but it was a little frustrating. It should just work out of the box. It should be pretty straightforward where you just click the installer and go, but it wasn't.

    What about the implementation team?

    It was implemented in-house, and then I had to call support when needed.

    In terms of maintenance, it is pretty self-sustaining. You update it whenever it needs to be updated.

    What was our ROI?

    There hasn't been much return yet because we haven't used it much, but I have enough faith in it that I committed to it for multiple years. We are starting to use it more but not enough to state ROI yet

    What other advice do I have?

    I would rate it a seven out of ten. It's not the best tool on the market, but it provides some good capability for what it is.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Checkmarx
    August 2022
    Learn what your peers think about Checkmarx. Get advice and tips from experienced pros sharing their opinions. Updated: August 2022.
    620,600 professionals have used our research since 2012.
    Cuneyt KALPAKOGLU Phd. - PeerSpot reviewer
    Founder & Chairman at Endpoint-labs Cyber Security R&D
    Real User
    Top 5Leaderboard
    The flexibility in regards to finding false-positives and false-negatives is amazing
    Pros and Cons
    • "From my point of view, it is the best product on the market."
    • "Micro-services need to be included in the next release."

    What is our primary use case?

    I am the founder and the chairman of an internationally certified cybersecurity research lab. I have a Ph.D. in cryptology and network security.

    We are a strategic partner of Checkmarx. Our job is to help them develop solutions. Currently, we are developing some algorithms and strategic solutions for them. Checkmarx informs us about what is happening, in advance, before they launch a product. We are also one of their testers.

    What is most valuable?

    Aside from my occupation, I am an academic. Because of our status, we test products as well as their competition, for example, we45, AppScan, SonarQube, etc. I have to point out, from an academic and business point of view, there is a very serious competitive advantage to using Checkmarx. Even if there are multiple vulnerabilities in the source coding, Checkmarx is able to identify which lines need to be corrected and then proceeds to automatically remediate the situation. This is an outstanding advantage that none of the competition offers. 

    The flexibility in regards to finding false-positives and false-negatives is amazing. Checkmarx can easily manage false-positives and negatives. You don't need to generate an additional platform if you would like to scan a mobile application from iOS or Android. With a single license, you are able to scan and test every platform. This is not possible with other competitive products. For instance, say you are using we45 — if you would like to scan an iOS application, you would have to generate an iOS platform first. With Checkmarx you don't need to do anything — take the source code, scan it and you're good to go. Last but not least, the incremental scanning capabilities are a mission-critical feature for developers. 

    Also, the API and integrations are both very flexible.


    What needs improvement?

    Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world.

    Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.

    For how long have I used the solution?

    I have been using Checkmarx for six years.

    What do I think about the stability of the solution?

    Checkmarx is stable. We investigate the stability of the competition as well. From my point of view, it is the best product on the market. It's relatively expensive, but it's the best product. Keep in mind, this is not my private comment. I respect the comments, results, and the statistics of Gartner and these are their findings.

    What do I think about the scalability of the solution?

    Checkmarx has been selected as the front-runner by Gartner for the third year in a row — you bet it's scalable.

    How are customer service and technical support?

    We give technical support in our territory; Checkmarx's technical support is also quite good. If you open a ticket with a question, they'll reply the same day.

    How was the initial setup?

    The initial setup is not complex at all, it's straightforward and robust. If you decide to use Checkmarx, you'll be ready to go in one day.

    What other advice do I have?

    If you wish to purchase Checkmarx, you should scan the same source code with a different product, compare them to their competition, and make a decision. This way, you can see the difference and understand the benefits of Checkmarx. Test and scan some lines of code in any programming language you wish, then do the same with a competitor. Checkmarx will produce far fewer false-positives compared to any other solution on the market. Other solutions will produce roughly 900 false-positives whereas Checkmarx will cut that number in half. I am not trying to sell this product to you, this is simply the reality of it.

    From the technological side, I would give this solution a rating of ten. From a commercial aspect, because it's relatively expensive, I would give it a rating of eight. Overall, because I must choose one number between one and ten, I will give Checkmarx a rating of ten.

    Day by day, they are improving this product. For example, one of the most important features missing was open sources, which they have now added. They were also missing code training facilities, but they have added those as well. They have a complimentary product now.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Senior Manager at a manufacturing company with 10,001+ employees
    Real User
    A stable solution for identifying security vulnerabilities but needs functionalities for identifying the run-time null values and doing static and dynamic code validation
    Pros and Cons
    • "The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
    • "We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."

    What is our primary use case?

    We use Checkmarx for security vulnerability identification. We are using its latest version. We have a license to upgrade to the latest version. Whenever there is a new version, we update it to the latest version.

    What is most valuable?

    The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking.

    What needs improvement?

    We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code.

    The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.

    For how long have I used the solution?

    I have been using this solution for two years. 

    What do I think about the stability of the solution?

    Its stability is okay.

    How are customer service and technical support?

    We don't directly deal with the Checkmarx technical team. There is a support group available for that, and they work with the Checkmarx team. When we have any issues, we directly call our internal team, and they call the Checkmarx team. They get back to us pretty quickly. The response is very quick. There is no problem.

    How was the initial setup?

    The initial setup was easy. Our project was quite big, and it took a bit longer. It took almost six hours. We could not do it as CI/CD pipeline because the pipeline expects a response in a short span of time, which was a challenge for us. We are now doing the Checkmarx review manually. We first run the code analysis, and, after the code analysis is over, we go for the pipeline. This is an overhead for us. 

    It would be helpful if they can improve the speed of the analysis rate. We also need to find out from our side if there is a way to increase the wait time of the CI/CD pipeline and modify the timeout limit. It would then take 30 minutes to one hour rather than five or six hours. We should be able to adjust the timeout time, change the CI/CD settings, and go ahead with the integrated process. Currently, we cannot have an integrated system, and we also have to move from one script to the next script manually.

    What other advice do I have?

    Even though we run it manually, it captures most of the things. We decided to go with Checkmarx two years ago, and we are continuing with it. 

    I would rate Checkmarx a seven out of ten. There are a few things that can be improved in this solution.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    General Manager at a consultancy with 51-200 employees
    Real User
    Top 5
    Intuitive interface, easy to set up, and saves us money by finding problems at an early stage
    Pros and Cons
    • "The UI is very intuitive and simple to use."
    • "Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."

    What is our primary use case?

    We use Checkmarx for static analysis as part of our software development lifecycle. It is very important because it helps us identify the security flaws in the code at a very early stage. Ultimately, this helps in reducing costs.

    What is most valuable?

    The UI is very intuitive and simple to use. You don't need to know anything about the product before you being working with it.

    The interface used to audit issues is also simple to use.

    Compared to similar products, the code scanning time is fast.

    What needs improvement?

    Most the the static analysers come with pre-loaded rulesets. However, many times developers have to write their own custom rules. Writing custom rules in Checkmark is difficult because you need a different editor which is licensed separately. Besides not much training material is available on how to write the rules. 

    For how long have I used the solution?

    We have been using Checkmarx for almost four years.

    What do I think about the stability of the solution?

    It is pretty stable and we have not had any issues. We have a monitoring team that monitors the health of our infrastructure and we are alerted to any problems.

    What do I think about the scalability of the solution?

    We were able to scale easily and did not have any issues in doing so. At this team, we have between 70 and 80 applications that we are scanning with it.

    How are customer service and technical support?

    We have contacted technical support a couple of times and the issues were addressed in a timely manner.

    Which solution did I use previously and why did I switch?

    We have used other products and found that you have to spend considerable time fine-tuning the scanning engine. With Checkmarx, it is a lot less and I would say that this is one of the significant differences with this solution.

    The maintenance in terms of running the scans and fine-tuning the scans is very low.

    On the other hand, we have used other tools where writing custom rules is not so difficult to do.

    How was the initial setup?

    Checkmarx is pretty straightforward and very easy to set up.

    What about the implementation team?

    Our in-house team deployed and manages this product. I have one person who handles all of it, and the deployment can be completed within a day or two. As long as the infrastructure is ready, it can be done within a day.

    What was our ROI?

    Checkmarx helps us to find problems with source code at an early stage in the development, which saves us in terms of troubleshooting costs.

    What's my experience with pricing, setup cost, and licensing?

    The interface used to create custom rules comes at an additional cost.

    What other advice do I have?

    Checkmarx is probably one of the best static code analyzers available in the market at this point. It is very easy to deploy, use, and maintain. The amount of maintenance required is pretty low. It is absolutely a good tool that I can recommend.

    Checkmarx has added a lot of functionality since we began using it. This includes OSA, the open-source scan, a training module, and run-time protection.

    For static code analysis, we are only using Checkmarx and we plan to continue. 

    I would rate this solution a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Sr. Application Security Manager at a tech services company with 201-500 employees
    Real User
    Top 20Leaderboard
    Good interface and reporting capability, and it integrates well with other products
    Pros and Cons
    • "The user interface is modern and nice to use."
    • "If it is a very large code base then we have a problem where we cannot scan it."

    What is our primary use case?

    I am in charge of application security and Checkmarx is one of the products that I use in this capacity. We use this product for code scanning and static code analysis.

    What is most valuable?

    The user interface is modern and nice to use.

    This product has very good reports.

    Checkmarx integrates with a lot of different tools such as BitBucket and Jira.

    There is good coverage for different languages.

    What needs improvement?

    I think that the configuration is a bit difficult and we required support from Checkmarx to complete it (there are a lot of manual, not documented configurations should be done, like direct changes in a Database for example).  This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved.

    If it is a very large code base then we have a problem where we cannot scan it (if more then ~ 30 mb zip file provided - scan is crashes or takes a lot of time) . It seems to me that they have a problem with the number of code line scans.

    In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST)

    For how long have I used the solution?

    I have been working with Checkmarx for about five months.

    What do I think about the stability of the solution?

    It works fine but if you have a file that is too big to scan then it takes a lot of time to run and sometimes crashes.

    There is a problem with the memory, and scanning a large codebase should be done by dividing it into different files. For microservices with a small number of lines of code, it works well well. On the other hand, scanning a legacy solution such as a big monolith with millions of lines of code in it has been a problem. We need to make certain modifications to the files before we can upload them to the scan.

    What do I think about the scalability of the solution?

    We have 80 users who are using Checkmarx.

    How are customer service and technical support?

    They have very good technical support and we haven't had a problem with them. If you have a problem that you cannot handle on your own or you need to configure this product then you should have technical support.

    How was the initial setup?

    The basic installation is easy for us but in our case, we had some additional configuration that had to be done to access our documents on the server. We were not able to complete it without help from Checkmarx because there are a lot of configuration options, and we had to make manual changes to the database as well. 

    What other advice do I have?

    In summary, this is a good application that you can use to scan every code language. You can configure the scan because they provide the Checkmarx query language. These queries are very good and very flexible. It requires a knowledge of this language but you can reach and deal with it using most languages.

    I would rate this solution an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Peter Ejiofor - PeerSpot reviewer
    Chief Executive Officer at Ethnos ITSolutions
    Reseller
    Top 5Leaderboard
    Integrates well, overall good functionality, and highly reliable
    Pros and Cons
    • "The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
    • "Checkmarx could improve by reducing the price."

    What is our primary use case?

    Checkmarx is a source code application for development, which means from the source code level, you can use Checkmarx to detect your coding errors, and to detect vulnerabilities that could have come from the different tools that you were using to develop your application. At the source code level, you can prevent the weaknesses that the application can carry on the journey of its development and use.  

    Checkmarx helps the users to have a secure coding environment and experience, and a secure source code level of application. That main application can leverage or improve the service delivery to customers.

    What is most valuable?

    The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera. 

    The software languages that they support are one of the largest in the market.

    What needs improvement?

    Checkmarx could improve by reducing the price.

    For how long have I used the solution?

    I have been using Checkmarx within the past 12 months.

    What do I think about the stability of the solution?

    Checkmarx has been stable in my usage and I'm confident to recommend it to anybody.

    What do I think about the scalability of the solution?

    Checkmarx is very scalable. It can run for a small and large organizations.

    How are customer service and support?

    The technical support is good.

    I rate the support from Checkmarx a four out of five.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The initial setup of Checkmarx is easy.

    I rate the initial setup of Checkmarx a four out of five.

    What about the implementation team?

    We use one engineer with the help of Checkmarx for support and deployment.

    What's my experience with pricing, setup cost, and licensing?

    The price of Checkmarx could be reduced to match their competitors, it is expensive.

    What other advice do I have?

    I strongly recommend Checkmarx to others. I have sold the solution for nearly eight years, and I'm not aware of any major complaints that the users have that could not be resolved.

    I rate Checkmarx an eight out of ten.

    The Checkmarx application is a live wire of technology delivery, and if your application is vulnerable, then the asset that your acquisition will run will also suffer vulnerability. Providing the scanning ability that shows the errors at the source code level is critical to have effective development of any critical application.

    I would recommend Checkmarx eight because it's very critical and integral to the improvement of technology and cyber security today. It's a critical tool in protecting cyberspace, your asset in cyberspace, and an application that runs nearly all human life today. Everything is driven by technology and application.

    Disclosure: My company has a business relationship with this vendor other than being a customer:
    Flag as inappropriate
    PeerSpot user
    Director at a tech services company with 11-50 employees
    Reseller
    Top 20
    Good features, good support, fair price, and good ability to deliver what customers require
    Pros and Cons
    • "The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
    • "There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."

    What is our primary use case?

    We're selling their licenses and their technologies. We have on-premises and cloud deployments. Its deployment depends on the customer requirements. 

    It is used for a range of requirements for DevSecOps. It has been deployed to ensure that the development cycle delivers clean and secure code that is vulnerability-free. It is there as a part of the whole compliance and security process.

    What is most valuable?

    The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important. 

    What needs improvement?

    There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.

    For how long have I used the solution?

    I have been using this solution for two years.

    What do I think about the scalability of the solution?

    Our customers are completely comfortable with the scalability of the technologies. They can deploy them initially in a relatively straightforward manner and then grow them into their organization quite successfully. We primarily have large customers.

    How are customer service and technical support?

    Our team works with them. Their sales engineering team as well as their pre-sales capabilities are very good. They're clear. They work, and they're available, which is good. It is somewhat unusual in this business.

    How was the initial setup?

    It depends on different technologies, but it is reasonably quite straightforward.

    What's my experience with pricing, setup cost, and licensing?

    Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive.

    What other advice do I have?

    They're a very good company to work with, and that's a very important aspect of any technology these days. You could find very nice technologies, but if the company is not good to work with, it could be of no use. You'll not be able to get it deployed, and you'll not get assistance. You will get bad value for good technology. Checkmarx is a nice, pleasant, and relatively easy company to work with. You will get a good return, and you will get a good partnership and relationship working with them.

    I would rate Checkmarx an eight out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Buyer's Guide
    Download our free Checkmarx Report and get advice and tips from experienced pros sharing their opinions.
    Updated: August 2022
    Buyer's Guide
    Download our free Checkmarx Report and get advice and tips from experienced pros sharing their opinions.