
What needs improvement with Checkmarx?

Please share with the community what you think needs improvement with Checkmarx.

What are its weaknesses? What would you like to see changed in a future version?

26 Answers

reviewer1711191 - PeerSpot reviewer
Real User

They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slimmed-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable, as opposed to having a full, really big, and thick deployment with a full database server. I had several issues with the installation. It should just work out of the box.

reviewer1108275 - PeerSpot reviewer
Top 5 - Real User

Its user interface could be improved and made more friendly. When we change a window, the session times out, and we have to log in again. It can be improved from this aspect.

reviewer932058 - PeerSpot reviewer
Top 20 - Real User

Checkmarx could improve the REST APIs by including automation.

reviewer1646475 - PeerSpot reviewer
Top 20 - Real User

I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features. So most of my customers would love to have consolidated vendors who cover all application security to lower operational overhead.

reviewer1672218 - PeerSpot reviewer
Real User

Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.

reviewer1398084 - PeerSpot reviewer
Real User

The integration could improve by including, for example, DevSecOps. In an upcoming release, they could improve by adding support for more languages.

reviewer1355637 - PeerSpot reviewer
Top 20 - Reseller

There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.

reviewer1521882 - PeerSpot reviewer
Real User

They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.

reviewer1477026 - PeerSpot reviewer
Top 20 - Reseller

The reporting could be better on the product. The reports need to be much more customizable, including being customizable for various roles. The pricing can get a bit expensive, depending on the company's size.

reviewer1479747 - PeerSpot reviewer
Real User

We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.

reviewer1192836 - PeerSpot reviewer
Top 5 - Reseller

I would like to see the DAST solution in the future.

Antoine Rime - PeerSpot reviewer
Top 20 - Consultant

The solution isn't exactly user-friendly. They could make the user experience a bit better in future builds. They could work to improve the user interface. Right now, it really is lacking.

reviewer1410597 - PeerSpot reviewer
Top 5 - Real User

The cost per user is high and should be reduced. Five years ago, it was a user-based model, which was significantly better. It would be great if we could distribute the cost equally between projects.

reviewer1263726 - PeerSpot reviewer
Top 20 - Leaderboard - Real User

I think that the configuration is a bit difficult, and we required support from Checkmarx to complete it (there are a lot of manual, undocumented configurations that have to be done, such as direct changes in a database, for example). This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved. If it is a very large code base, then we have a problem where we cannot scan it (if a zip file of more than ~30 MB is provided, the scan crashes or takes a lot of time). It seems to me that they have a problem with the number of code lines scanned. In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST).

reviewer1415661 - PeerSpot reviewer
Top 5 - Real User

Most of the static analysers come with pre-loaded rulesets. However, many times developers have to write their own custom rules. Writing custom rules in Checkmarx is difficult because you need a different editor, which is licensed separately. Besides, not much training material is available on how to write the rules.

Cuneyt KALPAKOGLU Phd. - PeerSpot reviewer
Top 5 - Leaderboard - Real User

Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world. Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.

Samuel Baguma - PeerSpot reviewer
Top 20 - Real User

You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful. It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.

reviewer1286010 - PeerSpot reviewer

I would like to see the rate of false positives reduced. Checkmarx needs support for more languages, including COBOL.

reviewer1375824 - PeerSpot reviewer
Real User

Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made. The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.

reviewer971370 - PeerSpot reviewer
Top 5 - Leaderboard - Real User

Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improved the combination of the two solutions. Both are good, but IAST (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results. We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation. There are several levels, and they are mapped to the different languages, and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training. Also, they will want to add their own content to this solution. I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.

Deepak Kamra - PeerSpot reviewer
Top 20 - Real User

The particular way the tool works for the scanning at the IDE level is very expensive. It makes it very expensive to deploy this tool onto multiple different developers' machines. Right now, the way it scans, the request is raised in the IDE of the developer, but then the actual scanning gets done in the centralized scan server. This increases the load on the scanning server, and that will make it difficult to use Checkmarx at the developer end. That forces me to look for another solution for implementing at the developer IDE level. I would strongly recommend Checkmarx relook into their approach. From a technical point of view, it's better to integrate with other systems within my ecosystem. For example, when I'm connecting Checkmarx with my DevSecOps pipeline and then wiring Checkmarx with other security systems as well as the pipeline (and my defect management system), it provides the connectivity to some of the tools, but there are tools which are excluded. It would be nice if they were added to the solution itself; otherwise, it requires us to do custom development. In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now. I would recommend much more flexibility in terms of dashboarding to help us customize more effectively. Their licensing model is rigid and difficult to navigate.

Don Robbins - PeerSpot reviewer
Real User

One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage. Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage. To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet. There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain. All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud. The issue with Checkmarx is the next pain point, i.e. their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install. My last statement on Checkmarx is Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well. I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows only is a hindrance as well. Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.
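The cipher-order drift described in this review (a Windows update silently reorders the Schannel cipher suites and the Checkmarx web front end stops negotiating TLS) is something a configuration pipeline can detect before users notice. The following PowerShell script is an added example, not code from the reviewer or from Checkmarx: it records the cipher-suite order from a freshly hardened host as a baseline, and on later runs (for instance from the Jenkins or Ansible jobs the reviewer mentions) compares the live order against that baseline and fails the step when they differ. It uses the built-in `Get-TlsCipherSuite` cmdlet from the Windows TLS module (Windows Server 2016 / Windows 10 and later); the baseline path is a hypothetical location chosen for the example.

```powershell
# Added example (not from the review or the vendor): detect cipher-suite order drift
# on a Windows host after an automated update, so the host can be re-hardened
# (for example with the IIS Crypto best-practices template plus a reboot) before
# the TLS front end breaks.

param(
    # Hypothetical baseline location; one cipher-suite name per line, highest priority first.
    [string]$BaselinePath = "$env:ProgramData\tls-baseline\cipher-order.txt",
    # Run once on a known-good host to capture the current order as the baseline.
    [switch]$Record
)

function Get-ActiveCipherOrder {
    # Get-TlsCipherSuite lists the suites in the order Schannel currently prefers them.
    return @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
}

function Compare-CipherOrder {
    param(
        [Parameter(Mandatory)][string[]]$Expected,
        [Parameter(Mandatory)][string[]]$Actual
    )
    # Returns one record per position where the live order differs from the baseline.
    $drift = @()
    $max = [Math]::Max($Expected.Count, $Actual.Count)
    for ($i = 0; $i -lt $max; $i++) {
        $want = if ($i -lt $Expected.Count) { $Expected[$i] } else { '<none>' }
        $have = if ($i -lt $Actual.Count)   { $Actual[$i] }   else { '<missing>' }
        if ($want -ne $have) {
            $drift += [pscustomobject]@{ Position = $i; Expected = $want; Actual = $have }
        }
    }
    return $drift
}

$current = Get-ActiveCipherOrder

if ($Record) {
    # Capture the baseline from a host that has just been hardened and verified.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | Set-Content -Path $BaselinePath
    Write-Output "Recorded $($current.Count) cipher suites to $BaselinePath"
    exit 0
}

if (-not (Test-Path $BaselinePath)) {
    Write-Error "No baseline at $BaselinePath; run with -Record on a known-good host first."
    exit 2
}

$expected = @(Get-Content -Path $BaselinePath | Where-Object { $_.Trim() -ne '' })
$drift = Compare-CipherOrder -Expected $expected -Actual $current

if ($drift.Count -eq 0) {
    Write-Output "Cipher-suite order on $env:COMPUTERNAME matches the baseline."
    exit 0
}

# Print the first differing positions; a non-zero exit fails the pipeline step so the
# host is queued for re-hardening instead of serving with an unexpected cipher order.
Write-Output "Cipher-suite order on $env:COMPUTERNAME has drifted from the baseline:"
$drift | Format-Table -AutoSize
exit 1
```

Run `.\Check-CipherOrder.ps1 -Record` once after applying the desired cipher settings and rebooting, then schedule the plain `.\Check-CipherOrder.ps1` run after each patch window; the script deliberately only detects drift and leaves remediation to the existing hardening step, because Schannel changes generally take effect only after a reboot, which the pipeline should sequence explicitly rather than trigger from a check script.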

CyberSecAn08987 - PeerSpot reviewer
Real User

It would be really helpful if the level of confidence was included, with respect to identified issues. Some competitors have this feature, and it helps a lot to concentrate on the real findings.

Milind Dharmadhikari - PeerSpot reviewer
Real User

The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.

EduardoBeltran - PeerSpot reviewer
Real User

Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company. You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible. In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products. With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too. The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.

reviewer1002378 - PeerSpot reviewer
Real User

Dynamic testing. If it had that feature, I would have liked to see more consideration of framework validations so that we don't have to duplicate them. These flags are false positives.

Updated: May 2022.