Checkmarx One Reviews

We have integrated Checkmarx into all the company's development pipelines. We use it to scan more than 4,000 repositories and around 25,000 pipelines. 

The integration is particularly useful as it works directly with several common SCM solutions in the market, such as GitHub and Bitbucket, and with CI/CD tools like Jenkins and GoCD. This allows us to register repositories quickly and scan code efficiently in our development process.

Checkmarx helps developers improve the maturity of their coding practices and brings a security mindset to development teams, product managers, and business areas. 

It aids in identifying and mitigating vulnerabilities early in the development cycle, enhancing the overall security posture of the organization.

We use the solution to validate the source code and do SAST and security analysis. Checkmarx dynamics code analysis improved our software security posture by showcasing vulnerabilities within the code and identifying or providing recommendations on how to improve.

The solution's user interface could be improved because it seems outdated. The solution should integrate with AI and machine learning.

Our company uses the solution to check the vulnerabilities in our products at the build level. We capture, identify potential issues and fixes, and publish reports on a weekly basis. 

We work in the banking industry and have a license for 100 users.

The report function is the solution's greatest asset. We can configure reports in our build pipeline. We set them to publish scores and consolidate all the pod answers. We go through reports to understand issues and next steps. We get availability of code by clicking on that particular section. 

We are able to speed up services because the semi-application is done in the report.

The solution is very easy to navigate. 

When something happens in a test, then you need to know why. In many cases, you would have to run a scan and find all the problems, and then hand that off to development and have development go back and rewrite that code. If you had an issue with a particular aspect where you have a limited amount of personnel or knowledgeable personnel, based on the language that an application was written in, well, then you would need some type of assistance in order to rewrite that code in that particular language, with the limited knowledge that developer might have had. I assisted with that and helped with educating the developer on how to write that code. It was a two-pronged effort.

The number one use case would be a failed PEN test. Number two would be, "Hey, we have a waterfall DEV approach to our SDLC today. We want to become more agile around speed and quality of code." That would be the second. The third would be able to provide an appropriate availability of knowledge for training developers in secure coding.

Being able to have the breadth and depth of different kinds of support for different languages is excellent & many other solutions require you to compile the code prior to the scan, with CxSAST there is no need to compile code for a static analysis. If you didn't support a particular language that an application was written in, whether it was legacy code or a new agile code like Scala, JScript, PLSQL, or whatever, well, then you didn't get the business. If you were an organization that converted its SDLC from waterfall to agile, then you're going to need the ability to support multiple languages, even if they're not part of the company, thanks to that agility, that approach, that methodology. Supporting different languages was a high priority of the client.

The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects.

As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to.

For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon.

Checkmarx acts as the first checkpoint during our consulting for apps that are looking for a security assessment or Penetration Testing. It is also a game changer, giving the customer's results from each finding in the Checkmarx results.

• The export feature and presentation of the results.
• The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions).

• A wide variety of modern programming languages are supported, including mobile languages).

We mainly use this solution for static comprehension testing.

We use it for non-functional insight because it's a security vulnerability scanner. We can use Checkmarx for scanning anytime on our code base. We integrated that as part of our build-a-pipeline, and it helps us detect early. We have piloted in few applications for the shift of testing. From a metric perspective, I am unsure how we benefited from the quantifiable data, but we did benefit.

Our main uses of this solution are to ensure our required compliance policies are met, and that we are applying best practice.

This solution helps to remediate the compliance requirements we have. 

The product also increases the quality of the code the developers are able to implement.