
Checkmarx Overview

Checkmarx is the #2 ranked solution in AST tools and the #4 ranked solution in application security solutions. PeerSpot users give Checkmarx an average rating of 7.6 out of 10. Checkmarx is most commonly compared to SonarQube: Checkmarx vs SonarQube. Checkmarx is popular among the large enterprise segment, which accounts for 75% of users researching this solution on PeerSpot. The top industry researching this solution is computer software companies, accounting for 24% of all views.
Checkmarx Buyer's Guide

Download the Checkmarx Buyer's Guide including reviews and more. Updated: August 2022

What is Checkmarx?

Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.

Checkmarx is a global leader in software security solutions for modern software development. Checkmarx delivers a comprehensive software security platform that integrates with DevOps by scanning uncompiled source code for security vulnerabilities early in the development life cycle, reducing and remediating the risk from software vulnerabilities. Using Checkmarx, teams find and manage software security vulnerabilities through a single unified dashboard without slowing down their delivery schedule.

Checkmarx balances the needs of the entire organization, delivering seamless security from the start and throughout the entire software development life cycle. Checkmarx can be deployed on-premises in a private data center or hosted via a public cloud.

Checkmarx Features

Some of Checkmarx’s features include:

  • Source code scanning: Detect and repair more vulnerabilities before you release your code.

  • Open-source scanning: Find and eliminate the risks in your open-source code.

  • Interactive code scanning: Scan for vulnerabilities and runtime threats.

  • Open-source security for infrastructure as code: Identify and fix insecure IaC configurations that put your application at risk.

Reviews from Real Users

Checkmarx stands out among its competitors for a number of reasons. Two major ones are its ability to enable developers to secure their code with a single management dashboard and its high-speed scanning abilities.

PeerSpot users note the effectiveness of these features. A CEO at a tech services company writes, “The most valuable features are the easy-to-understand interface, and it’s very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan. We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project. The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.”

A director at a tech services company notes, “The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important.”

A senior manager at a manufacturing company writes, “The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking.”

Checkmarx Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech

Case Study: Liveperson Implements Innovative Secure SDLC


Archived Checkmarx Reviews (more than two years old)

Senior Software Engineer at a computer software company with 10,001+ employees
Consultant
Simple to use interface, but it needs to have support for more languages

What is our primary use case?

We use Checkmarx for scanning our source code.

What is most valuable?

The most valuable feature is the simple user interface.

What needs improvement?

I would like to see the rate of false positives reduced.

Checkmarx needs support for more languages, including COBOL.

What do I think about the stability of the solution?

The stability is fine.

Buyer's Guide
Checkmarx
August 2022
Learn what your peers think about Checkmarx. Get advice and tips from experienced pros sharing their opinions. Updated: August 2022.
621,548 professionals have used our research since 2012.

How are customer service and support?

I have not been in contact with technical support.

What other advice do I have?

This is a product that I recommend and I would rate it a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Lead at a tech services company with 1,001-5,000 employees
Real User
User friendly with a good interface and excellent at detecting vulnerabilities
Pros and Cons
  • "The user interface is excellent. It's very user friendly."
  • "The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."

What is our primary use case?

We use this solution to check our systems for any vulnerabilities in our applications. Currently, I'm working on a banking tool, which is aligned with the menu. Our system was created 30 years ago and still is running in the market and doing well. However, currently, there are so many changes happening. Any solution coming into the technology needs to have a security check to ensure everything is safe. 

What is most valuable?

The reporting on the solution is very good. The reports we get are very self-explanatory. They aren't complex or confusing. They will tell us if we are facing vulnerabilities and where. From the reporting, it's quite easy to find the problems and fix them.

The solution overall is very good at detecting and pinpointing vulnerabilities in the code.

The user interface is excellent. It's very user friendly.

The solution offers good training documentation so we know how to handle problems as they arise.

What needs improvement?

Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made.

The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.

For how long have I used the solution?

I've only been using the solution for three months. It hasn't been too long yet. I'm new to the position. My organization, however, has been using the solution for quite a while.

What do I think about the scalability of the solution?

We have different team members on the solution in the UK and India. It's only available to those directly involved in the security aspects of our company.

How are customer service and technical support?

We have our own in-house team that manages a lot of issues that may come up on the solution. 

The thing is, security is a major concern for us. We cannot exactly contact their team about a lot of things as we do have process guidelines and we need to follow these processes if we run into issues. If we have problems, we have an expert that can sit right next to us and figure out a solution. This helps us better manage the tool and the security surrounding it, rather than, for example, calling up the company and having a random help desk technician try and assist us.

How was the initial setup?

For our purposes, the initial setup was not complex. It was fairly easy to plug the solution into our build processes and pipelines. We haven't had any issues with configurations or anything like that. It's been very straightforward.

The deployment is very fast and only takes about 15 minutes or so.

We manage the solution ourselves. However, if I personally want to access it, I do need to contact specific team members. Only specific individuals have access. It's not accessible to everyone in the organization. 

What about the implementation team?

A specific team in our organization handled the initial setup and holds the license for the product.

Which other solutions did I evaluate?

I've looked at SonarQube. The basic difference between the two solutions is that Checkmarx is a bit more intelligent and can detect vulnerabilities better and faster than SonarQube. SonarQube is more focused on code and style formatting or code complexity. It depends on the priorities of the organization, as each has its own unique benefits.

What other advice do I have?

I don't recall the exact version of the solution we are using.

I would recommend the solution. I'd rate it eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vice President at Arisglobal Software Pvt Ltd
Real User
Very good technical support, good vulnerability protection upgrades, and rich in features
Pros and Cons
  • "The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
  • "In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."

What is our primary use case?

We are using it for static security scanning and static security testing. We also use it for code dependency analysis. We use two of the solution's tools for each variable.

What is most valuable?

The support the solution offers is very good. When we were evaluating tools, they were extremely helpful. They're always available and they always respond back to any queries.

The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database. I am able to be assured that when I am scanning my product those vulnerabilities are identified at very initial stages. It gives my development team more time to react.

What needs improvement?

The particular way the tool works for scanning at the IDE level is very expensive. It makes it very expensive to deploy this tool on to multiple different developers' machines. Right now, the way it scans, the request is raised from the IDE of the developer but then the actual scanning gets done in the centralized scan server. This increases the load on the scanning server and that will make it difficult to use Checkmarx at the developer end. That forces me to look for another solution for implementing at the developer IDE level. I would strongly recommend Checkmarx relook into their approach.

From a technical point of view, it's better to integrate with other systems within my ecosystem. For example, when I'm connecting Checkmarx with my DevSecOps pipeline and then wiring Checkmarx with other security systems as well as the pipeline (and my defect management system), it provides the connectivity to some of the tools, but there are tools which are excluded. It would be nice if they were added to the solution itself, otherwise, it requires us to do custom development.

In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now. I would recommend much more flexibility in terms of dashboarding to help us customize more effectively.

Their licensing model is rigid and difficult to navigate.

For how long have I used the solution?

I haven't been dealing with the solution for that long. We've only used it for one quarter - about three months.

What do I think about the scalability of the solution?

Their licensing fees are rigid and this causes two main issues. One is a restriction in terms of scaling the product at an enterprise level. The number of licenses required for a sizable business is just too large. The solution forces a user to apply for the licenses not directly to the software and the software products are defined in a curious way. For that reason, I wouldn't say it's great at scaling.

How are customer service and technical support?

So far, technical support at the initial level has been decent. We paid for their protection services, and the protection tool is definitely very expensive. However, with the price tag comes more support and service.

We'll have to see in the coming quarters once the protection services end if the support will continue to be at such a high level of attention.  

Which solution did I use previously and why did I switch?

We were using IBM AppScan. Checkmarx is much better than that particular tool. It has more functionality and offers much more support to its users than IBM.

How was the initial setup?

It took about two to three days to deploy a basic portion of the solution. However, it takes more time in terms of configuring and fine-tuning the product so that it's usable. I would say it took us about two to three weeks of configuring before we could start our initial scans.

What about the implementation team?

We bought that separate service from Checkmarx to help us out in terms of deploying and configuring the products.

What's my experience with pricing, setup cost, and licensing?

This solution is definitely one of the more expensive tools. However, if I'm able to get value out of using it, I don't mind paying. 

They have protection services costs that are separate from the main license.

There are multiple components that are part of the product suite and there are different license costs for each of those components. Sometimes it can be a little difficult to understand. There are a lot of components an individual will need to buy to cover an organization's needs. It really should be more transparent and flexible. Their licensing model as of today is quite rigid. 

What other advice do I have?

We're just a customer. We don't have a special relationship with the company.

I would definitely recommend Checkmarx, I find them much more feature-rich than other tools I've used in the past. 

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO at a tech services company with 11-50 employees
Real User
Easy interface that is user friendly, quick scanning, and good technical support
Pros and Cons
  • "The most valuable features are the easy to understand interface, and it 's very user-friendly."
  • "We have received some feedback from our customers who are receiving a large number of false positives."

What is our primary use case?

The primary use case is for a white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level. 

We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have.

The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.

What is most valuable?

The most valuable features are the easy to understand interface, and it's very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan.

We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project.

The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.

What needs improvement?

Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improve the combination of the two solutions. 

Both are good, but IAST (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results.

We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation.

There are several levels and they are mapped to the different languages and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training. 

Also, they will want to add their own content to this solution.

I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.

For how long have I used the solution?

I have been using this solution since 2015.

What do I think about the stability of the solution?

This solution is stable and we have not had bugs or glitches. If it is set up according to the instructions, there will be no negative feedback from the customers.

The platform has regular updates.

What do I think about the scalability of the solution?

This solution is scalable, but it depends on the package you have purchased as some do not allow you to expand. 

How are customer service and technical support?

They have a great support team, and they can help you tune a solution. For our country, it is very important that they have Russian speaking support engineers and to have a quick response.

Also, they have a very good knowledge base. The resources are public on the Checkmarx website and they have good instructions and regulations on how you should tune the solution. It shows you where you can download the plug-ins, how to do it, and explains how they should be integrated.

Which solution did I use previously and why did I switch?

We have some experience with HPP AppScan, and with SonarQube. We started with a trial and felt that Checkmarx was the best.

How was the initial setup?

The initial setup is pretty simple, it's no problem to start using Checkmarx. It's a very good approach if you compare it with competitors.

It only takes a few hours to tune your Checkmarx solution. You may need more time for deeper integration when it comes to DLC integration, for example, when using plug-in build management, such as Jenkins. 

If you are scanning and you have the source code then you are good to start scanning in a few hours. Three to four hours is required for tasks done in source code.

We have one or two engineers who can work with the solution.

Some of our customers have more than 100 developers and a DevOps team.

What's my experience with pricing, setup cost, and licensing?

This solution is expensive.

The customized package allows you to buy additional users at any time.

You could advise the vendor that you are in need of some more resources, and they can send you a trial license which lets you pay later. In the meantime, you can start working with the trial license.

They have subscriptions for licenses, but this is confidential information and I cannot share the price as per our non-disclosure agreement.

If you purchase a typical package then it is clear licensing with no hidden payments. You can add integration services for Checkmarx if you need to, but it's optional.

The hardware is on the customer site. It could be virtual, or a physical server, or even cloud-based. You can choose what you want to use and there are still no hidden fees. Licensing and policy are clear.

What other advice do I have?

We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling.

We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company.

With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning. 

Some of our customers like the Codebashing model. It's an additional model for learning for security practice for developers. They ask for additional tests to this model and want to receive the functionality to check the knowledge.

When you receive your product, you should start with testing and understand how it works according to your environment. This includes the language and what framework to choose because it is not a simple solution. You should understand that you should tune it.

The most effective approach is to implement SAST into the SDLC (software development life cycle).

You should regularly check your source code, and check your security before every release. For infrastructure, security testing is not enough. There are several applications and static source code security is a must.

You should choose Checkmarx SAST for security checks and try to optimize its build management or source code repository integration.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Software Configuration Manager at a tech vendor with 501-1,000 employees
Real User
Works well with Windows servers but no Linux support and takes too long to scan files
Pros and Cons
  • "Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
  • "Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"

What is our primary use case?

The primary use that we have for Checkmarx is the evaluation of source code vulnerabilities.

We use Git to connect to Checkmarx. We don't use GitHub. We use our own self-hosted Git. We're just using generic Git. One of the biggest thorns in our side is managing that aspect of it. It wouldn't matter if it was GitHub or Bitbucket or any of the other tools that you can use to connect Git to Checkmarx. The issue is the same. 

The tool is good at telling us what repository we're connected to, but it is horrible in telling us what branch we're connected to.

How has it helped my organization?

I haven't been monitoring how well our projects have been at reducing vulnerabilities. Checkmarx is one that you have to actively follow, and my position doesn't require that I do that. I set up the tool, and then I let other people use it.

I'm the system administrator of the tool rather than an active user of it. This product has room for improvement in administration.

Adding users is kind of a pain. We need a more automated way of adding users. User administration for the IDs can be improved, they can make it a more automated feature set so that you can add users more quickly and easily. 

Most tools that I'm dealing with today have a mechanism where people can self-enroll.

What is most valuable?

I'm more of the admin as opposed to a user of Checkmarx. Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before.

What needs improvement?

One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage. 

Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage.

To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet. 

There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain.

All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud. 

The issue with Checkmarx is the next pain point, i.e. their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install.

My last statement on Checkmarx is Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well.

I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows only is a hindrance as well.

Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.

For how long have I used the solution?

We've been using Checkmarx for two to three years since we fully put it into production.

What do I think about the stability of the solution?

Checkmarx is a stable product, especially based on the number of updates that we receive. Every time we get a new update or a hotfix, I'm very much in the loop on getting that information. Compared to some other products, it doesn't have the churn that others do, i.e. in the number of updates and patches that we have to apply to it.

We're licensed for 100 users. Primarily we use Checkmarx for developers, managers, architects, and maybe some of the design folk, but not QA. This would solely be in the realm of development and architecture. 

There is no plan for us to increase our usage of Checkmarx. We're trying to get as many scans as possible. One of the issues that we have is the concept of an incremental scan. The more of the incremental that you do, the slower the service becomes.

When you go in and you look at the last result: it's your baseline or your full scan, followed by applying each incremental. The more of the incrementals that you have, the slower Checkmarx gets.

They've come up with a recommendation for users to do one full scan a week and maybe six incremental scans. This needs to be worked on to get the performance better on this particular tool.

What do I think about the scalability of the solution?

Checkmarx can scale up very easily. Anything that can be automated can be scaled. If I can automate it, I can scale it. Under the hood, it does the management of the scan engines well.

We have some large code bases, that according to the Checkmarx internal people, based on the number of lines of code, everything is 100% optimized hardware-wise. The fastest that the scan should take is 13 hours. That's a full scan, an incremental is a little different.

The problem with Checkmarx from that standpoint is, in our most active code base, we want it to be scanned frequently. At one point in time, it was taking up to 26 hours to do a single scan. We were scanning twice a week or four times a week. 

That same code base has two separate instances of itself. A long time ago they started as a common code base and then they split. Now, in essence, we have two products based on the same code base. We had to scan them twice a week.

How are customer service and technical support?

The customer service on the phone so far with Checkmarx has been good. We've had more issues with other projects that have gone into the cloud than with this particular instance. 

It's mostly email until you scream enough with Checkmarx or you go through your salesperson. It's a little bit of a burden to get to them. 

For the most part, the people that I have dealt with know their stuff, and we haven't had any problems. It's been a challenge. We did try to do things that no one else had tried before according to them, and so we ended up having setbacks because of trying new things. 

Which solution did I use previously and why did I switch?

The tool that we were using before was AppScan.

How was the initial setup?

The initial setup of Checkmarx is straightforward. We did a bunch of things that shot ourselves in the foot that we weren't expecting. We were initially trying to put Checkmarx in the cloud. We were even putting Checkmarx into an Azure system until we found out that Azure, with the Microsoft SQL engine, does not support what Checkmarx requires. 

The Azure implementation of SQL does not allow the USE statement. Extremely odd. Maybe Microsoft figured out that if you can't use USE, that means you have to have more databases and so they can charge more. Microsoft, Oracle and IBM have been pulling that crap for years. They're making a lot of money.

It probably took us a couple of months to go through all of the issues, basically trying to find a home for SQL. We ended up creating a Microsoft SQL server in Amazon.

What about the implementation team?

With Amazon's RDB, you can use Oracle, PostgreSQL, Sybase, Microsoft SQL, etc. as its RDB engines. Depending on whether you already have a license, or if you want to pay for the license when you set up the instance, you can do either. 

We had the license. We just created an instance in the Amazon cloud.

What's my experience with pricing, setup cost, and licensing?

I've got 100 licenses for Checkmarx. As people come and go, it's a hassle to add and remove them. In this day and age, it's such a meaningless time-waster.

Which other solutions did I evaluate?

We were previously working with Azure. We switched because of their implementation of SQL Server. Checkmarx uses statements to move from database to database. Azure does not support that in its implementation at this time. 

Time will tell and Microsoft does improve their code over time.

What other advice do I have?

From an administrative standpoint, I would rate Checkmarx with a five out of ten. From what my users are telling me, I'd give it an eight for the tool's ability to report on vulnerabilities in the user experience. 

I would rate Checkmarx with an eight on the user side and a five on the admin side.

Customers need to work with Checkmarx to scale the system for their needs, i.e. work with their recommendations and the best practices that they have there.

They have this formula to calculate how many CPUs and how much memory you need. The memory requirements are huge. We've got 64 GB machines to scan them.

That's the low end of what they're recommending. Their processes do a lot of number crunching in memory. For a 4 million line code base, it's just going to consume a lot of time and a lot of resources. 

We are only using the source code scanner. We're not using the OSS scanner. We use Artifactory for our OSS repository, and Artifactory comes with its own built-in OSS scanner. We didn't need two OSS scanners.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
Real User
The static operation security has been able to identify more security issues since implementing this solution
Pros and Cons
  • "Our static operation security has been able to identify more security issues since implementing this solution."
  • "It would be really helpful if the level of confidence was included, with respect to identified issues."

What is our primary use case?

Our primary use case for this solution is SAST, Static Application Security Testing.

How has it helped my organization?

Our static operation security has been able to identify more security issues since implementing this solution.

What is most valuable?

There are many good features like site integration, but the most valuable feature for us is the XL scan of source code. 

What needs improvement?

It would be really helpful if the level of confidence was included, with respect to identified issues. Some competitors have this feature, and it helps a lot to concentrate on the real findings.

For how long have I used the solution?

One year.

What do I think about the stability of the solution?

In general, stability is good, although sometimes it crashes. We use this product daily, and I would rate the stability a four out of five.

What do I think about the scalability of the solution?

The scalability is very good.

How are customer service and technical support?

Technical support for this solution is very effective. Each time we have had questions, the answers they provided have been very clear and comprehensive.

Which solution did I use previously and why did I switch?

Prior to this solution, we were using IBM Security AppScan. We had many, many issues with the application, along with complaints about the deployment time. The main reason we switched is that it was not updated, and it did not support certain technologies. For example, it did not support Visual Studio 2017, so we had to switch to a new solution.

How was the initial setup?

The initial setup for this solution is straightforward.

It took less than one day to deploy.

What about the implementation team?

We handled the implementation in-house.

What was our ROI?

We have not yet seen ROI.

Which other solutions did I evaluate?

We did evaluate other options.

What other advice do I have?

If people are in need of static application security, then I would recommend this product.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Practice Head - IT Risk & Security Management Services at Suma Soft Private Limited
Real User
Enables us to find vulnerabilities in our software before the development cycle is complete
Pros and Cons
  • "The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
  • "The reports are good, but they still need to be improved considering what the UI offers."

What is our primary use case?

My team uses this product extensively for application vulnerability assessment. This solution is for static application security testing and is used within our software development process.

As the software developers are creating solutions, they are able to identify vulnerabilities while the application is being written, rather than after the entire development is over.  

We were interested in having the raw source code scanned, so that was the primary requirement and that is where Checkmarx comes in. We do not need any precompiled libraries, or compiled source code, to be checked by the source code analysis solution.

We have a security team that uses this product to scan source code, rather than have the developers handle it. We do not have any developer licenses (i.e. the SDLC Edition). Instead, the security team identifies the vulnerabilities and shares the report with the development team.

How has it helped my organization?

The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete.

As an example, an application may contain three hundred thousand lines of code that was written over two or three months. Rather than having to examine the entire product for vulnerabilities, we are able to assess weaknesses and identify vulnerabilities in, say, five hundred or one thousand lines of code. This is really advantageous for us.

What is most valuable?

There are many features, but first is the fact that it is easy to use, and not complicated.

One of the cool features is that it identifies the development technology that we are using on its own, whether it is Java or .NET or otherwise; it identifies it by itself.

The most important aspect is that it shows us exactly on which particular line the vulnerability is.

The user interface is very intuitive and it offers help on the fly.

What needs improvement?

The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.

For how long have I used the solution?

A couple of years.

What do I think about the stability of the solution?

We have not observed any issues, such as the application crashing, with respect to the stability of this solution.

What do I think about the scalability of the solution?

The solution is quite scalable. We are not using the SDLC edition, but with that version, the developers can use different plugins and initiate the scan from their own development environment.

There are three or four members in our security team who use this tool. At the current time, we are happy with this solution and do not plan to increase its usage to the point where we need a different license.

How are customer service and technical support?

We have found the technical support to be good. Whenever anyone has an issue, we write directly to Checkmarx.com and they issue a support ID. Most of the time we receive a quick response.

We are currently based in India, and they have increased their team size in India with a couple of people providing support. It covers the Indian subcontinent as well. With this increase, our tickets are answered very quickly as compared to what we used to get.

Which solution did I use previously and why did I switch?

I do not have recent, hands-on experience with this tool, but I have used it in the past and my team now uses it extensively. We did not use a tool previous to this one, and we plan to continue using this because we are getting good results.

We use this solution for static application security testing. For dynamic testing, we use the Netsparker solution.

How was the initial setup?

The initial setup is pretty simple and straightforward, and it does not take more than fifteen minutes, maximum. The entire deployment was completed in not more than half an hour.

Not many people are required for deployment or maintenance. We have not done much since the original installation. When a new version comes in, any member of the security team can update the solution. In that way, a single person can maintain it. Within my team, it is a Senior Security Analyst who maintains this solution for us.

What about the implementation team?

It is a very simple tool and we do not have a complex environment. It is installed on a standalone machine.

We do not have an integrated solution. This is a standalone solution that is used with the Security Gate. The installation was completed in-house, by our team only.

What was our ROI?

We have seen ROI, but quantifying it in terms of the numbers is difficult. The biggest advantage we have seen is that we're able to develop and deliver secure solutions, in a faster time. We used to test our applications efficiently, and we still do, but there used to be a period of rework required. Now, that does not happen. We are able to identify the issues and address them while the development is in progress.

What's my experience with pricing, setup cost, and licensing?

We have a subscription license that is on a yearly basis, and it's a pretty competitive solution. I don't know of any additional costs, beyond the standard licensing fees, for our version of the software.

In the case of the SDLC edition, which is a higher version, there may be some professional support that is required. Otherwise, any license that they provide is just an annual subscription fee.

Which other solutions did I evaluate?

We evaluated the Fortify Static Code Analyzer and IBM Security AppScan, but our evaluation was not fully completed. We were happy with what we were seeing with Checkmarx, so we did not go ahead with the others.

What other advice do I have?

My advice to any software development team using a different set of tools is to look at Checkmarx. It's a very good product. It's a great product, in fact. Any organization spending money on a subscription license should not look at it as a cost; rather, it should be seen as an investment. The Checkmarx solution can act as a resource that can help the development team to secure their application delivery, be it an internal application for their own use, or applications being written for their customers.

This solution tells us where, in our code, the "best-fix location" is. To put this into perspective, consider a particular piece of code where there are ten vulnerabilities detected. Perhaps it is an SQL injection vulnerability. This tool gives you specific locations and informs that if you fix the code in certain areas (e.g. in three specific locations) then the subsequent vulnerabilities will automatically be addressed. Therefore, you save on development effort because you do not need to fix all ten vulnerabilities specifically and independently.

I would rate this product a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Director and Co-Founder at Ushiro-tec
Real User
The Best Fix Location & Payments Features Can Save Time Mitigating Network Configurations
Pros and Cons
  • "The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time."
  • "With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too."

What is our primary use case?

We use Checkmarx to review the source code for the external applications that we expose to the cloud or other servers on the internet.

How has it helped my organization?

We received two main benefits from Checkmarx:

  1. Better Security
  2. Saving Time

I recommend Checkmarx to be sure that your development has robust security. For your team management, Checkmarx has a very nice feature to check out manual staff in the process.

What is most valuable?

The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time.

What needs improvement?

Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company. 

You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible. 

In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products. 

With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too.

The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Checkmarx is a good product, certainly stable.

What do I think about the scalability of the solution?

The scalability is good. We haven't had any problems with it.

How are customer service and technical support?

Our experience with technical support is good. They have a lot of expert staff on their customer service lines. We have had no problems with their technical support services.

Which solution did I use previously and why did I switch?

We used Veracode for some time and it's also a good solution. Veracode fits better for small companies. It's more automatic.

Checkmarx is more complete and they have more features to support our development team and security team requirements.

In general, Checkmarx is a better solution, but it's more complicated, especially in terms of the price for a small company.

How was the initial setup?

Our deployment of Checkmarx took a couple of days, at max, a week. 

What about the implementation team?

The setup was a long time back, but I know that we did not use a reseller or consultant for the deployment.

Which other solutions did I evaluate?

We evaluated some products from a company in Spain. Checkmarx provided better functionality and options for us.

What other advice do I have?

We have a small team. It is about four people in total. We do not require that many staff for the deployment and maintenance of Checkmarx.

We are testing the solution in a small local company. Our idea is to expand the use of it to our clients in the West.

In this space, you can have different points of view, and if you are only looking for a solution to do a check in your auditory report, then you can choose anyone.

If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution.

I would rate Checkmarx a nine out of ten because of the price, but technically for me, it is a 10. 

I would rate Checkmarx with a nine because it would be perfect at a more functional level, and could be better at providing these features for parity. 

If you research what Checkmarx is offering in their package distribution, you get exactly what they promise up front, so they are not lying.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Principal Software Engineer; Practice Lead at a comms service provider with 10,001+ employees
Real User
I like the code consistency feature, but it should have a dynamic testing feature to avoid false duplicates

What is our primary use case?

Code scan. We performed periodic static code scans on copies of our Git repository to identify possible vulnerabilities.

How has it helped my organization?

Code consistency. It prompted our developers to fix code or document code they otherwise would not have done.

What is most valuable?

The consistency of code. Showed our team where they are inconsistent or where they have made simple omissions.

What needs improvement?

Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.

For how long have I used the solution?

One to three years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Business Analyst at a tech services company with 201-500 employees
Real User
It made our organization more efficient with our whole code scan/deployment process for our software applications.

What is our primary use case?

Our primary use case for this solution is code scanning.

How has it helped my organization?

It has made our organization more efficient with our whole code scan/deployment process for our software applications.

What is most valuable?

The most valuable features are:

  • Ease of use
  • Dashboard
  • Interface
  • Report

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

I have not had an issue with the stability of the product.

What do I think about the scalability of the solution?

There have been no issues with scalability that I am aware of.

How are customer service and technical support?

I have not needed the use of technical support.

Which solution did I use previously and why did I switch?

Previously, we considered: Veracode, SonarQube, Fortify and IBM Security AppScan.

How was the initial setup?

I was not involved in the initial setup of the solution.

What was our ROI?

One should consider:

  • Visual Studio
  • Report generation
  • If the solution can be on-prem
  • Pricing

What's my experience with pricing, setup cost, and licensing?

It is an expensive solution.

What other advice do I have?

Be cautious of the one-year subscription date. Once it expires, your price will go up.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Ankur Sood - PeerSpot reviewer
Technical Architect at Photon Interactive
MSP
It gives the proper code flow of vulnerabilities and the number of occurrences

What is our primary use case?

I have used it for source code scanning of security vulnerabilities. It seems to be a good tool. It gives the proper code flow of vulnerabilities and the number of occurrences.

How has it helped my organization?

We have scanned various applications with it. It works fine, although we need to check manually for false positive issues. 

What is most valuable?

After scanning, it shows in-depth code of where actual vulnerabilities are, which helps us to analyze them.

What needs improvement?

It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use.

For how long have I used the solution?

One to three years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user683181 - PeerSpot reviewer
Security Source Code Analyst at a tech services company with 10,001+ employees
Real User
Easy to insert in the SDLC, but the CxAudit tool has room for improvement
Pros and Cons
  • "The most valuable feature for me is the Jenkins Plugin."
  • "I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
  • "Updating and debugging of queries is not very convenient."

How has it helped my organization?

It is very easy to insert the tool in the SDLC because there are a wide variety of ways to access the source-code, initiate scans, and review the results. The projects need not care about getting a tool, accessing the tool, and it is cheaper using it.

What is most valuable?

The most valuable feature for me is the Jenkins Plugin. We usually take a copy of the normal build job for Checkmarx so that:

  1. we have all of the source code we need for the build, normal and generated source code;
  2. we need only one technical user for scanning the projects (SVN access and Git access need to change the passwords every 90 days).

What needs improvement?

I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time).

Updating and debugging of queries is not very convenient.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

In our last update to version 8.5.0, we had a problem with DB migration, but overall, I must say it has been stable.

What do I think about the scalability of the solution?

Regarding scalability, we have only one scan engine and our licence allows only two scans at the same time.

How are customer service and technical support?

I would rate the technical support seven out of 10. When you first create a ticket you sometimes get questions that you wouldn't expect from first-level support.

Which solution did I use previously and why did I switch?

None. I started with this product.

How was the initial setup?

The initial setup was described very well and it was straightforward. We had only two small problems: implementing the SSL certificate, and getting access for LDAP users.

What's my experience with pricing, setup cost, and licensing?

We got a special offer for a 30% reduction for three years, after our first year.

I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year).

Which other solutions did I evaluate?

I didn’t evaluate this or other solutions, but my team leader had experience with HPE Fortify and he said it is much more expensive, and the service even worse.

What other advice do I have?

Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications).

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Yafes Duygulutuna - PeerSpot reviewer
Sr. Security Engineer at SugarCRM
Real User
Security testing solution with vulnerability details and planned blackout times.
Pros and Cons
  • "Vulnerability details is valuable."
  • "Implementing a blackout time for any user or teams: Needs improvement."

How has it helped my organization?

  • Put the vulnerability details area on the right side of the application or it may be changeable
  • Save and reset screen configuration

What is most valuable?

Vulnerability details part.

What needs improvement?

  • Vulnerability details: Reduce false positive results and improve it by providing more details on how I can resolve the vulnerability.
  • Implementing a blackout time for any user or teams: Needs improvement. I need to place limits for some users or teams within a specific time frame. For example, between 02:00 to 06:00. They can't start any scanning during that time, even if they have scanner privileges.

What do I think about the stability of the solution?

In the latest version, the session logout doesn't work properly.

What do I think about the scalability of the solution?

We have two engine licenses, but we can't scan two projects at the same time.

How are customer service and technical support?

I would give technical support a rating of 9/10.

Which solution did I use previously and why did I switch?

We were using Fortify. Its software capability was limited in terms of mobile code scanning.

How was the initial setup?

The initial setup was very easy.

What's my experience with pricing, setup cost, and licensing?

We don't have any specific advice about these issues.

Which other solutions did I evaluate?

We evaluated Fortify and AppScan.

What other advice do I have?

I don't like the latest license update. I can't set a limit for the reviewer account.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user692304 - PeerSpot reviewer
Head of Application Security at a tech company with 51-200 employees
Vendor
Both automatic and manual code review are possible. We can set up proper reports of code vulnerability.
Pros and Cons
  • "Both automatic and manual code review (CxQL) are valuable."
  • "Integration into the SDLC (i.e. support for last version of SonarQube) could be added."

How has it helped my organization?

After a proper on-boarding, we can set up proper reports of code vulnerability and/or misconfiguration to developers.

Security can be part of the SDLC and reduce the cost of vulnerability remediation. Also, we got faster remediation times for high and critical vulnerabilities.

What is most valuable?

Valuable features include:

  • Both automatic and manual code review (CxQL).
  • The languages covered by the solution.

What needs improvement?

Integration into the SDLC (i.e. support for the latest version of SonarQube) could be added.

What do I think about the stability of the solution?

We had to lock the number of CPUs used to not crash the Checkmarx Audit.

What do I think about the scalability of the solution?

We haven’t had scalability issues yet.

How are customer service and technical support?

Professional service is really good. Support is too formal. Quickly answering it is not supported instead of developing a hot fix.

Which solution did I use previously and why did I switch?

We didn’t really have a previous solution but Checkmarx was the best match for .NET support and scan without resolving the dependencies.

How was the initial setup?

Setup was straightforward, but quickly you need complex fine tuning.

What's my experience with pricing, setup cost, and licensing?

Include PS or deployment assistance in order not to miss true positive vulnerabilities. Really powerful tool, but it must be configured to match your application.

What other advice do I have?

Ask to meet another customer with the same needs or the same kind of organization, to learn from their experience.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user607392 - PeerSpot reviewer
Security test engineer at a tech vendor with 10,001+ employees
Vendor
Communicates where to fix the issue for fewer iterations. Resolutions should be provided for installation issues due to internal security policies.
Pros and Cons
  • "The solution communicates where to fix the issue for the purpose of less iterations."
  • "The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered."

How has it helped my organization?

Now we have information about which specific sections have to be fixed. We can now remove the issue from most of the sections.

What is most valuable?

The solution communicates where to fix the issue for the purpose of fewer iterations.

What needs improvement?

The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered.

What do I think about the stability of the solution?

There were no stability issues.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

I would give technical support a rating of 8/10.

Which solution did I use previously and why did I switch?

We switched solutions due to the client's requirements.

What's my experience with pricing, setup cost, and licensing?

I faced a few issues in the installation due to my local policies. The customer support was very helpful.

Which other solutions did I evaluate?

We looked at other tools, such as HPE Security and ZAP solutions.

What other advice do I have?

Go for it, if you want testing on the code level.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user618132 - PeerSpot reviewer
SAP FIORI / HCP Consultant at Silveo
Consultant
Helps us check vulnerabilities in our applications. I would like to integrate it as a service along with the cloud platform.
Pros and Cons
  • "Helps us check vulnerabilities in our SAP Fiori application."
  • "I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."

How has it helped my organization?

This product helps us to deliver good quality software.

What is most valuable?

  • Performs security checks for SAP Fiori applications
  • Helps us check vulnerabilities in our SAP Fiori application
  • Easy to use and master
  • One of the most important tools in our building process

What needs improvement?

I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service.

This improvement is needed in order to follow the growth of the SAP Cloud Platform. It is a Platform as a Service created by SAP; many services have been added to SAP HANA Cloud Platform, like Git repository, Jenkins, Translation, etc.

So, if it is possible to add Checkmarx as a service in this platform, it will be easy to perform security checks directly without using a dedicated server.

What do I think about the stability of the solution?

Maybe this issue is related to our configuration. When we have many applications to check, I need to wait a long time in the queue.

What do I think about the scalability of the solution?

We did encounter scalability issues. Maybe this is related to the stability issue mentioned above.

Which solution did I use previously and why did I switch?

We haven't used anything else. This is our first solution.

How was the initial setup?

I don’t know how to set up the product.

Which other solutions did I evaluate?

We did not look at any other options.

What other advice do I have?

It is a good tool. I recommend it in order to ensure software quality.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Gustavo_Gonzalez - PeerSpot reviewer
Technical Program Manager at an engineering company with 10,001+ employees
Real User
Acts as the first check point during our consulting for apps that are looking for a security assessment or Penetration Testing.
Pros and Cons
  • "The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions)."
  • "The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."

How has it helped my organization?

For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon.

Checkmarx acts as the first checkpoint during our consulting for apps that are looking for a security assessment or Penetration Testing. It is also a game changer, giving the customer's results from each finding in the Checkmarx results.

What is most valuable?

  • The export feature and presentation of the results.
  • The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions).
  • A wide variety of modern programming languages are supported (including mobile languages).

What needs improvement?

The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode.

Compiled code means that the code written is stored in binaries, for machine reading only. Tools like Veracode read only those binaries (compiled code).

Another way to have the code is “Source Code written only”, which is the only code format that Checkmarx accepts, a process where you don’t compile and everyone is able to read line by line the code.

What do I think about the stability of the solution?

When the workload contains so many source codes being scanned, and none of them present any progress, sometimes they seem to get stuck. There are also a considerable number of false positives (vulnerabilities that do not present a danger against the application or the user).

What do I think about the scalability of the solution?

We have not encountered any scalability issues.

How are customer service and technical support?

From both customer support and technical support, the response is very swift (less than a day) and the technical people are very skilled on the common issues concerning the management of the scanning tool, even with issues of server saturation and scanners stuck at a percentage.

Which solution did I use previously and why did I switch?

I used to work mostly on checking the source code manually, and estimated the time of completion counting the lines of code to review. With Checkmarx that time was hugely reduced.

I also worked with Veracode, which I use for compiled code, but most of the customer’s applications have uncompiled code, so that is why I use Checkmarx more frequently.

How was the initial setup?

The initial setup was complex. There is a learning curve, and you also need technical knowledge on reviewing the results of Checkmarx's work.

What's my experience with pricing, setup cost, and licensing?

Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products to build a safe and stable application when it comes to inviting customers to use your online services.

Which other solutions did I evaluate?

We evaluated IBM AppScan and Veracode. Neither covers the needs of my clients, the way I work, and the programming languages that Checkmarx covers.

What other advice do I have?

I recommend having a live session with the marketing team, to have a demo and to clear up all your doubts before purchasing. Checkmarx is a powerful tool but you need to be sure what you are using, and what it is for. You could use just 20% of what the tool can do, and therefore waste your money. So either fully learn how to use it and evaluate if it's the right scanning tool to have, or go for a better and cheaper option.

Disclosure: My company has a business relationship with this vendor other than being a customer: We support together a huge list of clients, we have credentials and provide support to each business and division. So, we have the capacity to escalate any trouble or problem in case it is necessary. We have our own community and are able to provide and remove access to users.
PeerSpot user
it_user547335 - PeerSpot reviewer
Innovation Consultant (Security Analyst) at a tech services company with 1,001-5,000 employees
Consultant
It makes it easier to identify code vulnerabilities by presenting the flow of malicious input and fixing it.
Pros and Cons
  • "Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application."
  • "Some of the descriptions were found to be missing or were not as elaborate as compared to other descriptions. Although, they could be found across various standard sources but it would save a lot of time for developers, if this was fixed."

How has it helped my organization?

We have been using this product extensively for a lot of applications, to identify issues as well as employ proper remediation, which makes the application secure, including information issues which might get neglected with a manual code review process.

What is most valuable?

Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application. It therefore makes it easier to identify these as well as fix them.

What needs improvement?

Checkmarx has a detailed description of all the vulnerabilities which it identifies after the source code scan. These descriptions are just a click away. Some of the descriptions were found to be missing or were not as elaborate as compared to other descriptions. Although they could be found across various standard sources, it would save a lot of time for developers if this was fixed.

What do I think about the stability of the solution?

We have not yet encountered any stability issues.

What do I think about the scalability of the solution?

The solution provides high scalability. I am not sure about the limit of scans but it is sufficiently high. However, the issues which we faced were related to database backup. Unfortunately, Checkmarx doesn't do any automated backups which is quite inconvenient.

How are customer service and technical support?

I would rate the technical support as average. We never had to communicate much with the technical team but based on my knowledge the response from their end was delayed.

Which solution did I use previously and why did I switch?

I am not aware of any previous solutions.

How was the initial setup?

The setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

It is a good product but a little overpriced.

Which other solutions did I evaluate?

I don't have much idea about other options since the organization had already purchased the product before I joined.

What other advice do I have?

Better to look out for other products available in the market as well.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user598917 - PeerSpot reviewer
Senior Manager at a financial services firm
Vendor
We felt like we were the extended quality organization as they frequently released poor quality patches that broke the existing functionality.
Pros and Cons
  • "Scan reviews can occur during the development lifecycle."
  • "C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported."

How has it helped my organization?

It moved our organization towards being agile vs. waterfall.

What is most valuable?

Scan reviews can occur during the development lifecycle.

What needs improvement?

The areas in which this product needs to improve are:

  • C, C++, VB and T-SQL are not supported by this product, although C and C++ were advertised as being supported.
  • There were issues in regards to the JSP parsing.
  • Defect report generation takes multiple hours for large projects.
  • The Jenkins plugin does not work for projects that are larger than 4 million lines of code.
  • The Eclipse plugin does not work.
  • The hardware requirements for the tool add to the substantial cost of the solution and thus, increase the total cost of ownership.
  • There seems to be a decline in the support team's responsiveness as our contract nears its end.
  • We felt like we were the extended quality organization for Checkmarx as they frequently released poor quality patches that broke the existing functionality. A lot of the organizational hours, almost 1 FTE per year since Checkmarx was implemented, were spent to allow regression testing of the product. The Checkmarx SME team at my company had to do this testing to ensure that we do not expose product flaws to our user community.

What do I think about the stability of the solution?

We did encounter stability issues. The different versions of this product provide inconsistent results when the same piece of code is scanned.

What do I think about the scalability of the solution?

We did not encounter any scalability issues.

How are customer service and technical support?

The support team is knowledgeable. However, we still have tickets open from 2014. There is a lot of follow up required to get closure on issues.

Which solution did I use previously and why did I switch?

Previously, we were using a different solution. We were leveraging multiple tools since we have code in multiple languages. Checkmarx advertised that they provide support for C, C++, Java, etc. It turned out that they aren't able to scan C and C++ for us. Our reason to switch to Checkmarx didn't work out for us.

How was the initial setup?

The initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies.

I suggest using a trial term to run a gamut of scenarios that need to be leveraged before settling in with the Checkmarx solution.

Which other solutions did I evaluate?

We evaluated the Veracode option.

What other advice do I have?

The product is not mature and ready for enterprise usage yet. It is okay to use it when the support expectations are low and the code is in languages that require support only in Java and .NET.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Robert V. Jones - PeerSpot reviewer
Founder at a tech company with 51-200 employees
Real User
It can scan precompiled (source) code, as well as compiled (binary) code.
Pros and Cons
  • "The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled."
  • "The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."

How has it helped my organization?

The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled. Among other benefits, this reduces the cost to fix the problem(s) as the fix can occur earlier in the SDLC.

What is most valuable?

The ability to identify a vulnerability, the optimal place for remediation and the correct syntax is very valuable. This feature helps ensure that the software fix is comprehensive and effective. The CxSuite is easy to use and because it provides the correct coding syntax to address a vulnerability, it helps improve the secure coding skill set among developers. The product can scan precompiled (source) code, as well as compiled (binary) code, delivering effectiveness and efficiency throughout the SDLC.

What needs improvement?

The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools.

The Checkmarx CxSuite covers a wide range of programming languages including many of the most popular languages used by developers today. As a matter of general improvement, expanding coverage to languages (emerging, legacy) and open source frameworks will increase the overall effectiveness of the product.

*2017 Update. A number of leading Open Source Frameworks are now supported.

What do I think about the stability of the solution?

The product is stable.

What do I think about the scalability of the solution?

The product scales well.

How are customer service and technical support?

The technical support is high quality. The support team is well versed in how best to configure, implement and operate the product.

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

The initial set up is straightforward. The product requires a fairly simple computing environment for operation.

What's my experience with pricing, setup cost, and licensing?

The product licensing offers the flexibility to cover a wide range of environments. The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.

Which other solutions did I evaluate?

We considered several other commercial-grade application security solutions. The Checkmarx solution offers an ideal combination of code coverage, functionality, usability and TCO.

What other advice do I have?

The Checkmarx CxSuite product works well, delivers efficiency to the SDLC, and most important of all, it effectively improves application security.

It works!

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a Checkmarx Certified Partner.
PeerSpot user

it_user592359 - PeerSpot reviewer
SRE Vice Group Manager at a tech services company with 10,001+ employees
Real User
We can create custom rules for code checks. You have to do a lot of customization.
Pros and Cons
  • "The solution allows us to create custom rules for code checks."
  • "This product requires you to create your own rulesets. You have to do a lot of customization."

How has it helped my organization?

During the trial period, we tried to build automated security development lifecycles with this product and with other products. We have achieved partial success with this.

What is most valuable?

The solution allows us to create custom rules for code checks. Without custom rules, the system couldn’t find anything serious in the custom code and libraries.

What needs improvement?

The main issue was the supported Windows OS for the installation. Windows is not appropriate for a big internet company’s infrastructure. Supporting a Windows machine, especially for this software, is inconvenient.

This product requires you to create your own rulesets. You have to do a lot of customization. The default rules do not work very well. In addition, it is impossible to analyze code with dynamic dependencies.

What do I think about the stability of the solution?

There were no problems with stability. The application was stable in our test cases.

What do I think about the scalability of the solution?

There were no scalability issues, but keep in mind that our version can only scale on one server.

How are customer service and technical support?

There is very good technical support. We have the support of two onsite engineers.

Which solution did I use previously and why did I switch?

We are using other tools along with this solution.

How was the initial setup?

The setup was simple. It mostly involved clicking the “Next” button in the Windows installer.

What's my experience with pricing, setup cost, and licensing?

The pricing was not very good. This is just a framework which shouldn’t cost so much.

The product comes with very strange licensing options. They don’t let you exclude workplace licenses, which are useless for building automated systems.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user531780 - PeerSpot reviewer
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
It scans code for security vulnerabilities without needing to compile first. It reports many false positives.
Pros and Cons
  • "We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
  • "Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."

How has it helped my organization?

Checkmarx saves us a lot of time. We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code.

What is most valuable?

The most valuable feature is that Checkmarx scans code for security vulnerabilities without needing to compile first.

What needs improvement?

Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”.

What do I think about the stability of the solution?

We encountered stability issues when scanning large code blocks. It consumes a lot of memory, and at times, Checkmarx services freeze and don’t work properly.

What do I think about the scalability of the solution?

I don’t know of any scalability issues.

How are customer service and technical support?

Just four words for the technical support team: “Checkmarx team is awesome”.

Which solution did I use previously and why did I switch?

Before Checkmarx, we used HPE Security Fortify and IBM AppScan. We also tried several open-source scanning tools.

How was the initial setup?

Overall, the initial setup is easy. Checkmarx provides an installer binary and we just need to go through the wizard for an express installation. If we need an advanced configuration, we contact the Checkmarx support team.

What's my experience with pricing, setup cost, and licensing?

I believe pricing is better compared to other commercial tools.

Which other solutions did I evaluate?

Yes, we compared Checkmarx features and benefits with IBM AppScan and HPE Security Fortify.

What other advice do I have?

Personally, I recommend Checkmarx for static analysis.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user538254 - PeerSpot reviewer
Assistant Manager Business Development at a tech services company with 501-1,000 employees
Consultant
It offers comprehensive and incremental scanning, and supports all major languages.
Pros and Cons
  • "Less false positive errors as compared to any other solution."
  • "Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices."

How has it helped my organization?

As an InfoSec consulting company, we come across major challenging projects. Checkmarx has made life easy and my team is best at using it. It reduces manual efforts in using test cases against any vulnerability found during source code reviews. Apart from OWASP Top Ten, Checkmarx is quite intelligent to find the latest vulnerability and report it.

What is most valuable?

Some valuable features of this product are:

  • Very comprehensive scanning
  • Fewer false positive errors as compared to any other solution
  • Incremental scanning
  • Supports all major languages

What needs improvement?

Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices.

What do I think about the stability of the solution?

I have not encountered any stability issues.

What do I think about the scalability of the solution?

I have not encountered any scalability issues.

How are customer service and technical support?

I have never used technical support, so I can't comment. We ourselves are experts at it.

Which solution did I use previously and why did I switch?

We have used no other product.

How was the initial setup?

The setup process was simple.

What's my experience with pricing, setup cost, and licensing?

It is the right price for quality delivery.

Which other solutions did I evaluate?

We did not evaluate other options, before choosing this product.

What other advice do I have?

Go for it.

Disclosure: My company has a business relationship with this vendor other than being a customer: We're the primary resellers of the product in India and Middle East region.
PeerSpot user
PeerSpot user
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
Vendor
It allows for SAST scanning of uncompiled code. More API functionality should be added.
Pros and Cons
  • "It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
  • "Meta data is always needed."

Improvements to My Organization

Cx gives you the ability to push SAST down much lower in the SDLC process. With the use of multiple IDE plugins and the ability to do "incremental" scanning, a scan of your latest code does not bog down your machine as it is offloaded.

Valuable Features

It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repo formats (Git, TFS, SVN, Perforce, etc).

Room for Improvement

Metadata is always needed. More tutorials/videos for developers to fix their vulnerabilities would be nice. Although the API is useful, I would like to see more functionality added.

Stability Issues

I've had to restart services/bounce the VM on two rare occasions.

Scalability Issues

It scales very easily.

Customer Service and Technical Support

Customer Service:

Customer service is good. Engineers have been quick to get back to me regarding issues and custom work that I have performed.

Technical Support:

Technical support is very knowledgeable.

Initial Setup

Initial setup couldn't be any easier. Cx has good documentation on environment requirements. As long as you meet those, the installation process takes maybe 30 minutes for an initial setup; perhaps a bit longer if you're adding multiple engines.

Implementation Team

An in-house team implemented it.

Pricing, Setup Cost and Licensing

Everything is negotiable. Checkmarx approached our dealings in good faith and clearly wanted to be around for a while. It is much more inexpensive than some alternatives.

Other Solutions Considered

Before choosing, we also evaluated Fortify, IBM Appscan, Veracode, etc.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user326337 - PeerSpot reviewer
Customer Success Manager at IT Central Station
Consultant

Hi Joe,
Given that you've continued to successfully use Checkmarx for an extended period of time since you contributed to our discussion that compares the solution to Veracode, how does your experience compare one year later?

(See the discussion thread here:
https://www.itcentralstation.com/questions/checkmarx-or-veracode-which-should-we-choose)

Looking forward to your feedback

it_user332898 - PeerSpot reviewer
Full Stack Developer at a tech services company with 51-200 employees
Consultant
It helps with vulnerability scanning of code to prevent vulnerability of our applications.

What is most valuable?

It provides us with code analysis.

How has it helped my organization?

It helps with vulnerability scanning of code to prevent vulnerability of our applications.

For how long have I used the solution?

I've used it for one year.

What was my experience with deployment of the solution?

No issues encountered.

How was the initial setup?

It was straightforward, as it has easy to follow steps.

I worked for an IT security firm and it was quite easy to set up the product for demo purposes virtually and even physically on the client premises.

What's my experience with pricing, setup cost, and licensing?

The license is fairly costly but worth the investment.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partners
PeerSpot user
it_user327456 - PeerSpot reviewer
Co-Founder, CTO at a tech services company with 51-200 employees
Consultant
It allows us to verify the dev department's code in order to minimize security holes, but it needs better role management.

What is most valuable?

They're all as valuable as each other.

How has it helped my organization?

We have used this product to verify the dev department's code in order to minimize security holes.

What needs improvement?

It needs better role management.

For how long have I used the solution?

I've used it for three years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

It's very good.

Technical Support:

It's very good.

Which solution did I use previously and why did I switch?

This is the only solution I have used.

How was the initial setup?

Very straightforward.

What about the implementation team?

I implemented it myself.

What's my experience with pricing, setup cost, and licensing?

Licensing is expensive per X amount of lines in the code.

Which other solutions did I evaluate?

No other options were evaluated.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are providing leads to Checkmarx.
PeerSpot user
it_user327456 - PeerSpot reviewer
Co-Founder, CTO at a tech services company with 51-200 employees
Consultant

Going for another POC with Checkmarx... This time implementing it with Jira, to open an automatic flow for a better mitigation SLA and for InfoSec visibility.

it_user245397 - PeerSpot reviewer
Cyber-Ark Consultant at a tech services company with 51-200 employees
Consultant
It is a very good product, but it needs a better understanding of file references.

What is most valuable?

It provides a graphical view of any vulnerabilities.

How has it helped my organization?

I have used it as a consultant.

What needs improvement?

It could be improved with more reporting of false positives and the understanding of file references.

For how long have I used the solution?

I've used it for one year.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

One needs to be sure on the number of LOC that will be run and also the size of the code.

How are customer service and technical support?

Customer Service:

8/10.

Technical Support:

8/10.

Which solution did I use previously and why did I switch?

I have used Armorize CodeSecure.

How was the initial setup?

It's a straightforward deployment, and it learns with time.

What about the implementation team?

I implemented it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Checkmarx Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2022