Senior Software Engineer at a tech vendor with 10,001+ employees
Real User
Top 10
Nov 18, 2025
Checkmarx One is doing great, but there is a need for UI improvement so we can get the exact error over there on our Bitbucket itself. Additionally, if you can improve the speed optimization, it takes around 30 to 40 minutes for checking a build. If you can make it within five minutes or 10 minutes, that would be great. This feature is something I want from your side. Integration with Checkmarx One is easy, so it is not complicated. However, reporting is complicated because it takes a lot of time to report the errors and it makes around 40 to 50 minutes for a build. After we push the code, it will give around 40 to 50 minutes. Therefore, you need to work on the reporting part and apart from that, it is doing a great job here. You are doing a great job in checking the code quality, bug fixing, vulnerabilities, and security aspects. However, one thing you have to improve is your reporting time should be less. It takes around 40 to 50 minutes, so you need to reduce it to within 10 to 20 minutes.
In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.
The Dynamic Application Security Testing (DAST) feature should be better. The technical support service could also improve in terms of their response time.
Checkmarx needs improvement in its Dynamic Application Security Testing (DAST) and API security features. The DAST solution uses the OWASP Zap engine, which is less powerful compared to other market solutions like Fortify's WebInspect. Additionally, the API security solution does not provide comprehensive results, and the secret scanning feature also needs enhancement. Furthermore, the container security and infrastructure as code scanning features are not mature enough and require significant improvements.
We can run only one project at a time. We haven't tested multiple projects at the same time. Currently, not all the projects are visible under one pane. We handle one-time projects. As a manager, I do not have the overall visibility of all projects simultaneously. I have already raised a support ticket requesting the ability to manage all projects from a single pane. There may be an option for it. However, I am not aware of it. The solution must provide more integration with different platforms.
Java Developer at a security firm with 51-200 employees
Real User
Nov 1, 2023
The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor, it lacks the details one gets when viewing the results directly from the Checkmarx One platform.
System Engineer at a tech vendor with 10,001+ employees
Real User
Apr 26, 2023
We haven't had any issues with the solution so far. It is not missing any features. It takes too much time to check the code. The validation process needs to be sped up. There have been some configuration issues. We sometimes have failures.
Technical Lead at a computer software company with 10,001+ employees
Real User
Feb 22, 2023
The solution sometimes reports a false auditable code or false positive. This is not a bug but something within the software's operation that should be addressed.
Senior Software Engineering Manager at a financial services firm with 10,001+ employees
Real User
Jan 13, 2023
The benefits could be improved. We are a banking company, so we focus on security. We use Checkmarx for multiple applications, and IAST is an interactive application security testing that Checkmarx claims; however, we have not explored it yet. We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level. We want an option to group several projects and view them at a business level. Additional features could include a comprehensive dashboard and secret scanning capabilities.
A non-developer may struggle with the solution. Codebashing is the learning platform that comes bundled with Checkmarx. The thing with Codebashing is that they give you tips on how to write secure code. However, I saw other developers complain about this. Instead of telling you what the good practices are, it would be more helpful, when we are writing the code, alongside that code, to have Codebashing tell us where exactly we are going wrong and how to help secure code and if there are specific scenarios we should be considering. Basically, the integration needs to be better. There's a general lack of space. Checkmarx has a slightly difficult compilation with the CI/CD pipeline. If it could be easily integrated into the CI/CD pipeline, then it would be much easier for developers rather than being an extra step that developers have to take to make the code secure.
Security Architect at a financial services firm with 5,001-10,000 employees
Real User
Oct 6, 2022
The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information. There are some cases where you have to go directly to the Checkmarx database to get the information that you want. The default module that provides statistics is basic, and you need more elaborate information to do vulnerability management. The tool has a limited scope.
The interactive application security testing, or IAST, where code scans are being ran on an application that lives in a runtime environment on a server or virtual machine, needs improvement. There was limited support from different languages. It didn't support everything under the sun, so you would lose revenue since you didn't have support for Scala or some other language that your developer was fluent in. They needed to improve on language support. That is about it, really. The dev team did everything that they said they were going to do. If they said they were going to hit a mark, they'd hit a mark. That release would come out. Typically, they would do four major releases a year, quarterly, with two-point releases in between, or based on any additional hotfixes that may be needed. In most cases, however, IAST was the part of the product that needed to be improved the most. Codebashing is a really cool product from the aspect of teaching developers how to write secure code. However, it would be even cooler if you could not only point out and teach someone how to do it while also making the appropriate recommendation on how to rewrite the code itself, using machine learning or AI. Instead of you, the developer learning how to do it and then writing the code yourself, it'd be cooler if you could push a button, have it analyzed, scans the code, find the code, find the issue within the line of code, and then go ahead and automatically rewrite that code for you. Then, by repetition, it just teaches you through muscle memory how to do that as opposed to, "Hey, you've found this problem. This is where the problem's located, within this particular line of code." Right now, do you know how to rewrite Java? Well, if you're not familiar with how to do that, then go push on this button. Now, take this test and go through this exercise.” It doesn't make a recommendation. It's not like providing a script that fixes the problem. It's just teaching you on how to write the code in that form in that manner.
As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to.
Cybersecurity at a transportation company with 1,001-5,000 employees
Real User
Apr 27, 2022
They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server. I had several issues with the installation. It should just work out of the box.
Security at a tech services company with 51-200 employees
Real User
Feb 9, 2022
Its user interface could be improved and made more friendly. When we change a window, the session times out, and we have to log in again. It can be improved from this aspect.
Head of IT Security Department at a energy/utilities company with 5,001-10,000 employees
Real User
Jan 12, 2022
Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities. SonarCube functions better in these areas.
Senior Cybersecurity Solution Architect at a computer software company with 51-200 employees
Real User
Oct 13, 2021
I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features. So most of my customers would love to have consolidated vendors who cover all application security to lower operational overhead.
Director at a tech services company with 11-50 employees
Reseller
Mar 9, 2021
There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.
They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.
Solution Manager at a computer software company with 201-500 employees
Reseller
Jan 27, 2021
The reporting could be better on the product. The need to be much more customizable including being customizable for various roles. The pricing can get a bit expensive, depending on the company's size.
Senior Manager at a manufacturing company with 10,001+ employees
Real User
Jan 4, 2021
We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.
Cyber Security Consultant at a computer software company with 5,001-10,000 employees
Consultant
Dec 2, 2020
The solution isn't exactly user-friendly. They could make the user experience a bit better in future builds. They could work to improve the user interface. Right now, it really is lacking.
Vice President Of Technology at a computer software company with 5,001-10,000 employees
Vendor
Sep 21, 2020
The cost per user is high and should be reduced. Five years ago, it was a user-based model, which was significantly better. It would be great if we could distribute the cost equally between projects.
Sr. Application Security Manager at a tech services company with 201-500 employees
Real User
Sep 21, 2020
I think that the configuration is a bit difficult and we required support from Checkmarx to complete it (there are a lot of manual, not documented configurations should be done, like direct changes in a Database for example). This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved. If it is a very large code base then we have a problem where we cannot scan it (if more then ~ 30 mb zip file provided - scan is crashes or takes a lot of time) . It seems to me that they have a problem with the number of code line scans. In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST)
General Manager at a consultancy with 51-200 employees
Real User
Sep 13, 2020
Most the the static analysers come with pre-loaded rulesets. However, many times developers have to write their own custom rules. Writing custom rules in Checkmark is difficult because you need a different editor which is licensed separately. Besides not much training material is available on how to write the rules.
Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world. Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.
Senior Security Engineer at a pharma/biotech company with 501-1,000 employees
Real User
Aug 19, 2020
You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful. It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.
Technical Lead at a tech services company with 1,001-5,000 employees
Real User
Jul 5, 2020
Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made. The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.
Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improve the combination of the two solutions. Both are good, but ISAT (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results. We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation. There are several levels and they are mapped to the different languages and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training. Also, they will want to add their own content to this solution. I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.
The particular way the tool works for the scanning at the IDE level, is very expensive. It makes it very expensive to deploy this tool on to multiple different developers' machines. Right now, the way it scans, the request is raised to the IDE of the developer but then the actual scanning gets done in the centralized scan server. This increases the load on the scanning server and that will make it difficult to use Checkmarx at the developer end. That forces me to look for another solution for implementing at the developer IDE level. I would strongly recommend Checkmarx relook into their approach. From a technical point of view, it's better to integrate with other systems within my ecosystem. For example, when I'm connecting Checkmarx with my DevSecOps pipeline and then wiring Checkmarx with other security systems as well as the pipeline (and my defect management system), it provides the connectivity to some of the tools, but there are tools which are excluded. It would be nice if they were added to the solution itself, otherwise, it requires us to do custom development. In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now. I would recommend much more flexibility in terms of dashboarding to help us customize more effectively. Their licensing model is rigid and difficult to navigate.
Software Configuration Manager at a tech vendor with 501-1,000 employees
Real User
Jun 19, 2019
One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage. Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage. To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet. There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain. All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud. The issue with Checkmarx is the next pain point, i.e. their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install. My last statement on Checkmarx is Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well. I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows only is a hindrance as well. Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
Vendor
May 22, 2019
It would be really helpful if the level of confidence was included, with respect to identified issues. Some competitors have this feature, and it helps a lot to concentrate on the real findings.
Practice Head - IT Risk & Security Management Services at Suma Soft Private Limited
Real User
May 16, 2019
The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.
Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company. You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible. In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products. With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too. The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.
Principal Software Engineer; Practice Lead at a comms service provider with 10,001+ employees
Real User
Feb 1, 2019
Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.
Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.
Checkmarx One offers comprehensive application scanning across the SDLC:
Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
API security
Dynamic Application Security Testing (DAST)
Container security
IaC security
Correlation, prioritization, and risk...
Checkmarx One is doing great, but there is a need for UI improvement so we can get the exact error over there on our Bitbucket itself. Additionally, if you can improve the speed optimization, it takes around 30 to 40 minutes for checking a build. If you can make it within five minutes or 10 minutes, that would be great. This feature is something I want from your side. Integration with Checkmarx One is easy, so it is not complicated. However, reporting is complicated because it takes a lot of time to report the errors and it makes around 40 to 50 minutes for a build. After we push the code, it will give around 40 to 50 minutes. Therefore, you need to work on the reporting part and apart from that, it is doing a great job here. You are doing a great job in checking the code quality, bug fixing, vulnerabilities, and security aspects. However, one thing you have to improve is your reporting time should be less. It takes around 40 to 50 minutes, so you need to reduce it to within 10 to 20 minutes.
In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically. It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.
The Dynamic Application Security Testing (DAST) feature should be better. The technical support service could also improve in terms of their response time.
Checkmarx needs improvement in its Dynamic Application Security Testing (DAST) and API security features. The DAST solution uses the OWASP Zap engine, which is less powerful compared to other market solutions like Fortify's WebInspect. Additionally, the API security solution does not provide comprehensive results, and the secret scanning feature also needs enhancement. Furthermore, the container security and infrastructure as code scanning features are not mature enough and require significant improvements.
I can't create a business case with multiple-factor authentication.
We can run only one project at a time. We haven't tested multiple projects at the same time. Currently, not all the projects are visible under one pane. We handle one-time projects. As a manager, I do not have the overall visibility of all projects simultaneously. I have already raised a support ticket requesting the ability to manage all projects from a single pane. There may be an option for it. However, I am not aware of it. The solution must provide more integration with different platforms.
Checkmarx could improve by reducing the price.
The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor, it lacks the details one gets when viewing the results directly from the Checkmarx One platform.
I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side.
We haven't had any issues with the solution so far. It is not missing any features. It takes too much time to check the code. The validation process needs to be sped up. There have been some configuration issues. We sometimes have failures.
The plugins for the development environment have room for improvements such as for Android Studio and X code.
The solution sometimes reports a false auditable code or false positive. This is not a bug but something within the software's operation that should be addressed.
One area for improvement in Checkmarx is pricing, as it's more expensive than other products.
The benefits could be improved. We are a banking company, so we focus on security. We use Checkmarx for multiple applications, and IAST is an interactive application security testing that Checkmarx claims; however, we have not explored it yet. We want to have a holistic view of the portfolio-level dashboard and not just an individual technical project level. We want an option to group several projects and view them at a business level. Additional features could include a comprehensive dashboard and secret scanning capabilities.
A non-developer may struggle with the solution. Codebashing is the learning platform that comes bundled with Checkmarx. The thing with Codebashing is that they give you tips on how to write secure code. However, I saw other developers complain about this. Instead of telling you what the good practices are, it would be more helpful, when we are writing the code, alongside that code, to have Codebashing tell us where exactly we are going wrong and how to help secure code and if there are specific scenarios we should be considering. Basically, the integration needs to be better. There's a general lack of space. Checkmarx has a slightly difficult compilation with the CI/CD pipeline. If it could be easily integrated into the CI/CD pipeline, then it would be much easier for developers rather than being an extra step that developers have to take to make the code secure.
The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information. There are some cases where you have to go directly to the Checkmarx database to get the information that you want. The default module that provides statistics is basic, and you need more elaborate information to do vulnerability management. The tool has a limited scope.
We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process.
The interactive application security testing, or IAST, where code scans are being ran on an application that lives in a runtime environment on a server or virtual machine, needs improvement. There was limited support from different languages. It didn't support everything under the sun, so you would lose revenue since you didn't have support for Scala or some other language that your developer was fluent in. They needed to improve on language support. That is about it, really. The dev team did everything that they said they were going to do. If they said they were going to hit a mark, they'd hit a mark. That release would come out. Typically, they would do four major releases a year, quarterly, with two-point releases in between, or based on any additional hotfixes that may be needed. In most cases, however, IAST was the part of the product that needed to be improved the most. Codebashing is a really cool product from the aspect of teaching developers how to write secure code. However, it would be even cooler if you could not only point out and teach someone how to do it while also making the appropriate recommendation on how to rewrite the code itself, using machine learning or AI. Instead of you, the developer learning how to do it and then writing the code yourself, it'd be cooler if you could push a button, have it analyzed, scans the code, find the code, find the issue within the line of code, and then go ahead and automatically rewrite that code for you. Then, by repetition, it just teaches you through muscle memory how to do that as opposed to, "Hey, you've found this problem. This is where the problem's located, within this particular line of code." Right now, do you know how to rewrite Java? Well, if you're not familiar with how to do that, then go push on this button. Now, take this test and go through this exercise.” It doesn't make a recommendation. It's not like providing a script that fixes the problem. It's just teaching you on how to write the code in that form in that manner.
As the solution becomes more complex and feature rich, it takes more time to debug and resolve problems. Feature-wise, we have no complaints, but Checkmarx becomes harder to maintain as the product becomes more complex. When I talk to support, it takes them longer to fix the problem than it used to.
Checkmarx could improve the speed of the scans.
Checkmarx could be improved with more integration with third-party software.
They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server. I had several issues with the installation. It should just work out of the box.
Its user interface could be improved and made more friendly. When we change a window, the session times out, and we have to log in again. It can be improved from this aspect.
Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities. SonarCube functions better in these areas.
Checkmarx could improve the REST APIs by including automation.
I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features. So most of my customers would love to have consolidated vendors who cover all application security to lower operational overhead.
Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.
The integration could improve by including, for example, DevSecOps. In an upcoming release, they could improve by adding support for more languages.
There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.
They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.
The reporting could be better on the product. The need to be much more customizable including being customizable for various roles. The pricing can get a bit expensive, depending on the company's size.
We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.
I would like to see the DAST solution in the future.
The solution isn't exactly user-friendly. They could make the user experience a bit better in future builds. They could work to improve the user interface. Right now, it really is lacking.
The cost per user is high and should be reduced. Five years ago, it was a user-based model, which was significantly better. It would be great if we could distribute the cost equally between projects.
I think that the configuration is a bit difficult and we required support from Checkmarx to complete it (there are a lot of manual, not documented configurations should be done, like direct changes in a Database for example). This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved. If it is a very large code base then we have a problem where we cannot scan it (if more then ~ 30 mb zip file provided - scan is crashes or takes a lot of time) . It seems to me that they have a problem with the number of code line scans. In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST)
Most the the static analysers come with pre-loaded rulesets. However, many times developers have to write their own custom rules. Writing custom rules in Checkmark is difficult because you need a different editor which is licensed separately. Besides not much training material is available on how to write the rules.
Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world. Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.
You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful. It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.
I would like to see the rate of false positives reduced. Checkmarx needs support for more languages, including COBOL.
Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made. The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.
Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improve the combination of the two solutions. Both are good, but ISAT (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results. We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation. There are several levels and they are mapped to the different languages and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training. Also, they will want to add their own content to this solution. I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.
The particular way the tool works for the scanning at the IDE level, is very expensive. It makes it very expensive to deploy this tool on to multiple different developers' machines. Right now, the way it scans, the request is raised to the IDE of the developer but then the actual scanning gets done in the centralized scan server. This increases the load on the scanning server and that will make it difficult to use Checkmarx at the developer end. That forces me to look for another solution for implementing at the developer IDE level. I would strongly recommend Checkmarx relook into their approach. From a technical point of view, it's better to integrate with other systems within my ecosystem. For example, when I'm connecting Checkmarx with my DevSecOps pipeline and then wiring Checkmarx with other security systems as well as the pipeline (and my defect management system), it provides the connectivity to some of the tools, but there are tools which are excluded. It would be nice if they were added to the solution itself, otherwise, it requires us to do custom development. In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now. I would recommend much more flexibility in terms of dashboarding to help us customize more effectively. Their licensing model is rigid and difficult to navigate.
One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage. Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage. To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet. There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain. All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud. The issue with Checkmarx is the next pain point, i.e. their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install. My last statement on Checkmarx is Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well. I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows only is a hindrance as well. Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.
It would be really helpful if the level of confidence was included, with respect to identified issues. Some competitors have this feature, and it helps a lot to concentrate on the real findings.
The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.
Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company. You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible. In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products. With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too. The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.
Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.