
Checkmarx Room for Improvement

Cybersecurity at a transportation company with 1,001-5,000 employees

They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slimmed-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server.

I had several issues with the installation. It should just work out of the box.

Cuneyt KALPAKOGLU Phd.
Founder & Chairman at Endpoint-labs Cyber Security R&D

Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world.

Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.

Technical Lead at a tech services company with 1,001-5,000 employees

Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made.

The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.

Buyer's Guide
June 2022
Learn what your peers think about Checkmarx. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
607,332 professionals have used our research since 2012.
Senior Manager at a manufacturing company with 10,001+ employees

We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code.

The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.

General Manager at a consultancy with 51-200 employees

Most of the static analysers come with pre-loaded rulesets. However, many times developers have to write their own custom rules. Writing custom rules in Checkmarx is difficult because you need a different editor which is licensed separately. Besides, not much training material is available on how to write the rules.

Sr. Application Security Manager at a tech services company with 201-500 employees

I think that the configuration is a bit difficult and we required support from Checkmarx to complete it (there are a lot of manual, undocumented configurations that need to be done, such as direct changes in a database, for example). This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved.

If it is a very large code base then we have a problem where we cannot scan it (if a zip file of more than ~30 MB is provided, the scan crashes or takes a lot of time). It seems to me that they have a problem with the number of code lines scanned.

In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST).

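The reviewer above hits a hard limit on the size of the source archive that can be submitted for a scan. As an added example (not code from the review or from Checkmarx), the script below does the two things a practitioner would do before a large-code-base scan: prune directories and file types that inflate the upload but give a static analyser nothing to analyse, and then budget the remaining files into archives that each stay under a byte limit. The skip lists, the `sources-partNN.zip` naming and the 3000-byte limit in the demo are assumptions chosen for illustration; the real threshold would be whatever the scan engine tolerates.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Assumed lists for illustration: directories and file types that add bulk to
# the upload but contain nothing a SAST engine can analyse.
SKIP_DIRS = {".git", ".svn", "node_modules", "vendor", "build", "dist",
             "target", "bin", "obj", "__pycache__"}
SKIP_SUFFIXES = (".png", ".jpg", ".gif", ".pdf", ".zip", ".jar", ".dll",
                 ".exe", ".so", ".class", ".min.js")


def collect_sources(root):
    """Walk root, pruning SKIP_DIRS in place so os.walk never descends into
    them, and yield (path, size_in_bytes) for every file worth scanning."""
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            if name.lower().endswith(SKIP_SUFFIXES):
                continue
            path = Path(dirpath) / name
            yield path, path.stat().st_size


def pack_sources(root, out_dir, max_bytes):
    """Write the scannable files under root into sources-partNN.zip archives.

    The budget is applied to the uncompressed payload, which is a conservative
    upper bound on the deflated size, so each archive stays under max_bytes on
    disk. Returns a list of (archive_path, files_in_archive)."""
    root, out_dir = Path(root), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    archives = []               # (path, file_count) for every archive written
    zf, used, count = None, 0, 0

    def close_current():
        nonlocal zf
        if zf is not None:
            zf.close()
            archives.append((Path(zf.filename), count))
            zf = None

    for path, size in collect_sources(root):
        if size > max_bytes:
            close_current()
            raise ValueError(f"{path} alone is {size} bytes, over the {max_bytes} byte limit")
        if zf is None or used + size > max_bytes:
            close_current()
            part = out_dir / f"sources-part{len(archives) + 1:02d}.zip"
            zf = zipfile.ZipFile(part, "w", zipfile.ZIP_DEFLATED)
            used, count = 0, 0
        zf.write(path, arcname=path.relative_to(root).as_posix())
        used += size
        count += 1
    close_current()
    return archives


def archive_members(archive_path):
    """Names stored in one archive; used to confirm the pruning worked."""
    with zipfile.ZipFile(archive_path) as zf:
        return zf.namelist()


def demo(max_bytes=3000):
    """Constructed sample tree (not a real project) in a temp dir: five
    1200-byte modules that must be scanned, plus a vendored node_modules tree
    and a PNG that must be left out. Packs them into archives of at most
    max_bytes and returns the (path, file_count) list."""
    base = Path(tempfile.mkdtemp(prefix="sast-pack-"))
    src = base / "src"
    (src / "app").mkdir(parents=True)
    (src / "node_modules" / "lodash").mkdir(parents=True)
    for i in range(5):
        (src / "app" / f"module{i}.py").write_bytes(b"x = 1\n" * 200)  # 1200 bytes each
    (src / "node_modules" / "lodash" / "index.js").write_bytes(b"/* vendored */\n" * 500)
    (src / "app" / "logo.png").write_bytes(b"\x89PNG" * 100)
    return pack_sources(src, base / "out", max_bytes)


if __name__ == "__main__":
    for archive, n in demo():
        print(f"{archive.name}: {n} files -> {archive_members(archive)}")
```

Pruning is the safe half of this: dropping `.git`, vendored packages and binaries shrinks the upload without losing anything the analyser could use, and the scanner's own folder and file exclusion settings are the better place to do it when they exist. Splitting is a last resort. A SAST engine that only ever sees part01 cannot follow a tainted value from a source in part01 to a sink in part02, so split only along boundaries that are genuinely independent (separate services or libraries), never through the middle of one application.
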
Peter Ejiofor
Chief Executive Officer at Ethnos ITSolutions

Checkmarx could improve by reducing the price.

Director at a tech services company with 11-50 employees

There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.

Vice President Of Technology at a computer software company with 5,001-10,000 employees

The cost per user is high and should be reduced. Five years ago, it was a user-based model, which was significantly better. It would be great if we could distribute the cost equally between projects.

Solution Manager at a computer software company with 201-500 employees

The reporting could be better on the product. It needs to be much more customizable, including being customizable for various roles.

The pricing can get a bit expensive, depending on the company's size.

Antoine Rime
Cyber Security Consultant at a computer software company with 5,001-10,000 employees

The solution isn't exactly user-friendly. They could make the user experience a bit better in future builds.

They could work to improve the user interface. Right now, it really is lacking.

Director of consultory at a non-tech company with 1,001-5,000 employees

I would like to see the DAST solution in the future.

Head of IT Security Department at a tech services company with 501-1,000 employees

Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities.

SonarQube functions better in these areas.

San K
Senior Group Leader at Infosys

As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to.

Security at a tech services company with 51-200 employees

Its user interface could be improved and made more friendly.

When we change a window, the session times out, and we have to log in again. It can be improved from this aspect.

Information Security Architect at a tech services company with 1,001-5,000 employees

They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.

Senior Cybersecurity Solution Architect at a computer software company with 51-200 employees

I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features. So most of my customers would love to have consolidated vendors who cover all application security to lower operational overhead.

Technical Lead of Developers at a government with 10,001+ employees

Checkmarx could be improved with more integration with third-party software.

Samuel Baguma
Senior Security Engineer at a pharma/biotech company with 501-1,000 employees

You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful.

It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.

Le Viet
Security Consultant at VNCS

Checkmarx could improve the speed of the scans.

AVP, aPaaS Engineer at a financial services firm with 10,001+ employees

Checkmarx could improve the REST APIs by including automation.

Director and Co-Founder at a tech services company with 11-50 employees

Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.

Procurement Analyst at a pharma/biotech company with 10,001+ employees

The integration could improve by including, for example, DevSecOps.

In an upcoming release, they could improve by adding support for more languages.

Senior Software Engineer at a computer software company with 10,001+ employees

I would like to see the rate of false positives reduced.

Checkmarx needs support for more languages, including COBOL.
