We have many third-party libraries in our organization. I used Checkmarx Software Composition Analysis to identify all the libraries we use and determine whether they are used or unused within the application.
Checkmarx Software Composition Analysis offers robust features for identifying vulnerabilities in open source components. It integrates seamlessly into development processes, ensuring security from the start with its user-friendly interface and AI-enhanced suggestions. Ideal for .NET and Java applications.


| Product | Mindshare (%) |
|---|---|
| Checkmarx Software Composition Analysis | 2.8% |
| Snyk | 11.1% |
| Black Duck SCA | 9.2% |
| Other | 76.9% |
Checkmarx Software Composition Analysis is an essential tool for developers looking to manage and secure open-source components. Known for its ease of integration and user-friendly design, it excels in providing comprehensive security by detecting vulnerabilities and offering actionable solutions. Developers gain from its configurability and visibility into library vulnerabilities. It further supports development with version upgrade suggestions and detailed insights, ensuring secure open-source component integration. Enhancing its effectiveness, AI-powered suggestions minimize false positives and improve scalability. While optimization of speed, performance, and pricing are anticipated, its strong integration capabilities within CI/CD pipelines make it a preferred choice for secure software development.
What are the key features of Checkmarx Software Composition Analysis?

In industries like banking and insurance, Checkmarx Software Composition Analysis proves instrumental. Utilizing static code analysis, it assists these sectors by identifying security weaknesses in software. Its integration capability with CI/CD pipelines ensures that applications adhere to strict industry compliance and security standards.
Checkmarx Software Composition Analysis was previously known as CxSCA.
AXA, Liveperson, Aaron's, Playtech, Morningstar
| Author info | Rating | Review Summary |
|---|---|---|
| Senior Application Security Engineer at a newspaper with 5,001-10,000 employees | 4.0 | I used Checkmarx Software Composition Analysis to identify third-party libraries and determine their usage, which helped us reduce vulnerable libraries by 50%. It provides valuable feature suggestions but could improve in assessing upgrade success factors. |
| VP Software Developer/Architect at a financial services firm with 5,001-10,000 employees | 4.0 | I use Checkmarx's SCA for regular code vulnerability scanning. Its configurability and easy-to-understand security results are valuable. However, improvements in handling false positives and clearer RESTful API access could enhance its effectiveness. |
| Sr Manager consultant - Digital assurance Services at adrosonic | 4.5 | I've used Checkmarx Software Composition Analysis in banking and insurance projects, appreciating its rules and coverage. While it's more costly than alternatives like Veracode and SonarQube, its security and static analysis justify consideration despite pricing and DAST improvement needs. |
| Penetration Tester & Information Security Expert at a comms service provider with 11-50 employees | 4.5 | I use Checkmarx Software Composition Analysis to check library versions for vulnerabilities. The user-friendly GUI helps prioritize changes with specific guidance. An integrated "what if" simulation feature would enhance convenience by allowing impact checks without full reanalysis. |
| Cyber Security Engineer at Rah Infotech Pvt Ltd | 4.5 | I review developer code using Checkmarx Software Composition Analysis to find vulnerabilities, which are then addressed collaboratively. The tool integrates easily with Java tools like Eclipse, though it has occasional crashes and lacks robust API security. I also use Rapid7 and Qualys. |
| Sr. Director Global Solutions Development at an energy/utilities company with 10,001+ employees | 4.5 | I use Checkmarx Software Composition Analysis to scan software for security vulnerabilities. The comprehensive security scan is its most valuable feature, though the implementation process could be more user-friendly. I haven't used or considered similar solutions. |
| Senior Security Analyst (AppSec) at ELETROBRAS | 5.0 | I integrated Checkmarx Software Composition Analysis into our CI/CD pipeline. It excels at identifying vulnerabilities, offering visibility and remediation recommendations. Though dynamic analysis needs improvement, it shows fewer false positives than Fortify SCA, enhancing our development process. |
| Founder & Chairman at Endpoint-labs Cyber Security R&D | 4.5 | I rate Checkmarx SCA highly for identifying open-source vulnerabilities and license issues; it's stable, scalable, and easy to set up. However, I'm disappointed by the declining quality of its customer support. |
| System Engineer at a manufacturing company with 5,001-10,000 employees | 5.0 | I value Checkmarx SCA for early security and legal risk detection in open-source. However, I find its pricing uncompetitive and performance slow, with scans taking hours. Setup was easy, and support is good. |
| Sr. Director Global Solutions Development at an energy/utilities company with 10,001+ employees | 4.5 | I find Checkmarx SCA very stable, integrating well into CI/CD with fast incremental scans. While setup was straightforward and support responsive, its high price is a concern, and I'm still assessing MuleSoft compatibility. |

Checkmarx Software Composition Analysis provides identification of libraries and suggestions for version upgrades. It has improved identification capabilities, scalability, and integration with AI, such as the AI-powered suggestions.
The solution could improve by determining the success factor of an upgrade, which is currently lacking.
I have used the solution for one year starting last year.
I would rate the stability as eight because, while it has been working fine, there might be unforeseen cases.
Checkmarx Software Composition Analysis provides excellent scalability and solutions for applications, including SaaS solutions and code batching.
Their support is really good. I had a good interaction, and they provided solutions for issues encountered during the POC phase, including a global release.
Positive
Checkmarx is a straightforward integration, especially with GitHub and Jenkins. Using their documentation, even those with limited in-depth knowledge can manage integrations.
Different teams were required for deployment, including the Cloud team, GitHub team, and application teams.
We were able to reduce the number of vulnerable libraries by 50%, leading to significant operational improvement.
Pricing is complex and high for small organizations but offers great benefits for larger organizations. It is notably different compared to competitors like GitHub Advanced Security.
I would recommend Checkmarx Software Composition Analysis to others and rate it overall at eight out of ten.
We use SCA for security scanning and routing. The replica is really good. It's supposed to measure vulnerabilities.
We use SCA to scan our code for vulnerabilities on a regular basis. Every new release is assessed for vulnerabilities using Checkmarx's SCA tool.
It has helped us identify and fix security vulnerabilities in our code. For example, we were able to fix a SQL injection vulnerability that could have been exploited by attackers.
In my experience, a valuable feature is configurability. Moreover, it is easy to understand security results and to scan for vulnerabilities, and also we can access databases to load our information for presentation purposes. So, basically, database configuration on the back end. We use in-house installation.
To make the list of the vulnerabilities clearer and exposed to the users in order to see. Sometimes, we see high-level issues, vulnerabilities that are not really issues; it's the interpretation of the scanning. Meaning, like, from outside, it's not really the issue. But it surfaces as an issue, so we may have a database of the errors of the vulnerabilities to expose and maybe even provide some feedback on how valuable the vulnerability is. I'm doing that. So, basically, one area that could be improved is the way that false positives are handled.
In future releases, if we could create a clear RESTful API to just extract the scanning data on user-added applications and presentations.
We've been using Checkmarx for two years in our organization.
I would rate the stability an eight out of ten.
I would rate the scalability a seven out of ten.
The customer service and support were good.
Positive
The setup was not difficult with the help of the technical support. They were very helpful.
Overall, I would rate the solution an eight out of ten.

Checkmarx Software Composition Analysis is a good tool I have used in multiple projects, especially in banking and insurance domains. It is a good tool for static code review and SAST analysis. I want to understand the cost of the other tools in the market compared to Checkmarx Software Composition Analysis because our company needs to make recommendations to our customers. Considering the budget of our company's customers, we need to make recommendations to them.
My company uses the tool to support banking applications by indulging in static code analysis.
The most valuable feature of the solution stems from the rules it offers. I also like the coverage it provides while having to deal with fewer false positives.
The DAST component of the tool requires some improvements. The tool's DAST component is not much required in the integration processes with the CI/CD pipelines. IDE plugins to scan code should be available to developers who are involved in development.
Some of the recommendations provided by the product are generic. Even if the recommendations provided by the product are of low level, the appropriate ones can help users deal with vulnerabilities.
From an improvement perspective, the product should try to align its pricing model with the other tools available in the market.
I have experience with Checkmarx Software Composition Analysis for two years.
It is a stable solution.
It is a scalable solution.
Around six to seven people in my company use the product. The number of users of the product may vary depending on the project my company chooses.
I have experience with Veracode and other tools. I also have experience with open-source products like SonarQube. From the coverage point of view, Checkmarx is the best product compared to other tools. Checkmarx is costlier than the other tools in the market. My company always recommends Checkmarx to others, but considering the budget issues, some people opt for products with the lowest price.
The product's initial setup phase was straightforward.
The solution is deployed on the cloud.
The product provides 80 to 90 percent security to our company.
I am more into the SAST side, which is related to Checkmarx Software Composition Analysis. Checkmarx recently introduced DAST and software composition analysis, but I am not aware much about it.
Checkmarx Software Composition Analysis is a good tool with many rules, ensuring that the product offers vulnerability detection and provides good coverage.
Though my company has not integrated Checkmarx Software Composition Analysis into SDLC, we do plan to do it in the future.
The product helped our company deal with a major security breach when we had to deal with a lot of SQL-related issues stemming from some of the code, which was written earlier without using a proper framework, owing to which there were many vulnerabilities in respect to LDAP, cross-site attacks and SQL injection.
The product's most effective part for identifying vulnerabilities stems from the tool's SAST capabilities.
The product's dashboard has improved our company's vulnerability management processes. The tool shows a proper dashboard and offers frequent remediation options and proper compliance status, which helps to know about the number of vulnerabilities and the dashboards.
The accuracy of the product's vulnerability detection is 95 percent.
At an organizational level, the product is hosted on the cloud. In my company, we use the product to scan reports.
I don't see anything complex in the solution from the maintenance point of view.
The product is deployed in a single location where multiple people use it. The product can be described as an access-based solution. For a particular project or depending on an assignment, access is given to certain people for a month or two. After the completion of a project or assignment, the product's access to a person is removed and given to another person who needs the solution for another project.
I recommend the product to those who plan to use it.
It is one of the best tools in the market. The product provides good coverage and ensures that the users experience a return on investment from its use in their environment. The tool is also helpful in dealing with vulnerabilities and false positives.
I rate the overall tool a nine out of ten.
I use it to check software library versions for potential vulnerabilities.
I appreciate the user-friendly interface. The GUI is excellent, providing detailed information on outdated versions, including version numbers and the flow of library calls. This allows me to plan and prioritize library changes based on potential vulnerabilities, even if the affected library is indirectly used in my project. The tool offers specific guidance on addressing these issues.
Personally, I currently use it as a standalone tool without integrating it with other systems, and it meets my needs adequately. They should add a "what if" feature to the application.
Currently, when the tool identifies issues and suggests updates, if I want to explore different scenarios, I need to prepare another file, turn it into a ZIP, and run the analysis again. It would be more convenient if there was a "what if" option in the GUI. This feature could simulate a run, allowing me to quickly check the impact of changing one or more files or versions without the need for a full rerun.
I have been using Checkmarx Software Composition Analysis for the past one year.
It is stable.
It is scalable.
I reached out to the integrator when I needed help, and he provided excellent support. He was customer-friendly, knowledgeable, and responsive. Whether through email or phone calls, he assisted me in understanding and using the application effectively.
Positive
The initial setup is straightforward.
We have a license. The usage is limited to one, two, three, five, or ten people. It is currently used for all projects, and there are plans to increase its usage.
Once you become familiar with how to use it, the application is very user-friendly. It's stable, regularly updated, and provides detailed information about identified issues, such as which Common Vulnerabilities and Exposures (CVE) is problematic and how to prevent or resolve the issue. It's an excellent tool.

Basically, I review the developer's code and find the vulnerabilities in it, and then I get back to the developer to resolve and remediate the vulnerability on the dashboard. We also review the developer's source code just as if some developer cracked the code, for the kind of product development or production phase, or initial phase. We then review it in Checkmarx with the support of the developer and get it corrected right away at that time.
The integration part is easy. It will also be compatible with a developer because a lot of tools are needed to write code, just like in Java. Users have the Eclipse software tool that writes code in Java, while Checkmarx also supports integration with Eclipse. So it becomes much easier for developers to find the vulnerabilities and see if they are correct or if they need to be corrected. Checkmarx will highlight those lines and words which are vulnerable in that code. They will highlight, and they will prompt, but we have to correct it.
There are crashes in the solution. API security is an area with shortcomings that needs improvement.
It's a stable solution right now. So, right now, they are growing as a company.
It's a scalable product.
I have contacted technical support, and I have a good impression of them since they provide support twenty-four hours a day and seven days a week.
I'm using Rapid7 and Qualys right now. I am in the learning phase of Qualys. I also use Arcon PAM.
The initial setup is straightforward. It's easy to deploy for our customers. The time taken for deployment depends on the company's side and the complexity of the network and the hardware. So, considering what we do, we can do the setup in one to two hours.
The deployment is done on-premise and on the cloud.
My customers need to pay for the licensing part, and they need to opt for an annual subscription.
I recommend the solution to other people who want to start using it.
If the dashboard is completed, then it will be in production and used at our end. Also, it will be a good product in the market for SaaS test and API security. Since the dashboard is in beta form right now, I rate the overall solution a nine out of ten.
We use Checkmarx Software Composition Analysis for scanning software for security vulnerabilities.
The most valuable feature of Checkmarx Software Composition Analysis is the comprehensive security scan.
Parts of the implementation process could improve by making it more user-friendly.
I have been using Checkmarx Software Composition Analysis for approximately two years.
The solution is highly stable.
The scalability of Checkmarx Software Composition Analysis is good.
The support from the vendor has been helpful.
I rate the support from Checkmarx Software Composition Analysis a nine out of ten.
Positive
I have not used similar solutions to Checkmarx Software Composition Analysis.
The initial installation of the Checkmarx Software Composition Analysis was uncomplicated. However, we faced some difficulties while implementing the high availability feature. However, as far as the standard setup is concerned, it was effortless.
The license model is somewhat perplexing as it comprises multiple aspects that can be confusing for customers. The model is determined by the number of registered users and the number of projects being scanned, along with a third component that adds to the complexity.
The price of the solution can be in the expensive range.
It's essential to consider that using a tool similar to Checkmarx Software Composition Analysis for scanning versus establishing policies for whether an application with acceptable critical or high risks moves to production are different critical components. Therefore, it's crucial to create appropriate policies outside the tool and subsequently contemplate the enforcement of those policies.
There is a necessity for process development to support the tool, and this requirement is not unique to this solution but rather applies to all tools.
I rate Checkmarx Software Composition Analysis a nine out of ten.
We have the tool integrated into our CI/CD pipeline.
The tool's visual scan analysis shows me all the libraries' vulnerabilities and license types. It helps identify the most complex issues with licenses. It provides good visibility. SCA shows me all libraries that are vulnerable and the extent of their vulnerability.
The tool's most valuable feature is visibility. Not only does it identify vulnerabilities and their severity, but it also provides solutions for fixing them.
The solution's remediation recommendations have been very beneficial in our development process. They provide better visibility into the types of vulnerabilities that can be fixed and offer guidance on addressing them.
Checkmarx Software Composition Analysis should improve dynamic analysis.
I have been using the product for six months.
I rate the solution's stability a nine out of ten.
I rate the product's scalability a nine out of ten.
I haven't contacted the tool's support. It has good documentation. I rate its availability of information a nine out of ten.
Checkmarx Software Composition Analysis shows fewer false positives than Fortify SCA.
I rate Checkmarx Software Composition Analysis' ease of deployment a nine out of ten.
I rate the solution a ten out of ten. I would highly recommend it to others.

The purpose of software composition analysis is to identify any open-source components that may contain vulnerabilities. It is especially important because, nowadays, developers often download algorithms from the internet while they are developing software, but these downloaded components need to be scanned for vulnerabilities.
Additionally, developers may not pay close attention to open-source components' legal and licensing aspects, which can cause serious problems. Therefore, it is necessary to use software composition analysis as protection, and Checkmarx's SCA tool is very beneficial for this purpose.
The most valuable feature is that it can ensure the security of the software when downloading open-source components from the internet. It is the first and foremost benefit. Secondly, even though these components may be shared or free, there can still be license issues, and young developers may not pay attention to this aspect, which can be very dangerous and lead to serious penalties in the future.
In terms of time and quality of support, Checkmarx SCA needs improvement. The quality of support people needs improvement.
We have been using it since the first day it was released. We always use the latest version.
The software is very stable and works very well.
It is a very scalable product.
This is the most critical point for me. Their support was much better in the past, like last year or two years ago. As compared to the previous timeline, I feel that their support should be much better.
The initial setup is very easy.
From my point of view, according to the value they generate for the customers, it is not expensive. But as compared to competitive products in the market, it is gradually becoming more expensive. It's like choosing between a BMW and a cheaper car.
So, it's worth the money someone spends to use this product.
It's one of the best in the market, honestly.
Overall, I would rate the product a nine out of ten. And I didn't score it ten because of the weakness in the support. I know from the past that the support used to be better because I had been working with Checkmarx for over ten years.
Checkmarx Software Composition Analysis is used for detecting vulnerabilities in the open source software component of a project.
What's most valuable in Checkmarx Software Composition Analysis is that it provides security from the start. In the traditional approach, an enterprise or company validates the solution before launching to a production environment, but in the modern approach, security must be checked and provided from the beginning and from the design, and this is where Checkmarx Software Composition Analysis comes in. The solution helps you make sure that every open-source application that you use is secure, and that there's no vulnerability inside that open-source application.
In terms of areas for improvement, what could be improved in Checkmarx Software Composition Analysis is pricing because customers always compare the pricing among secure DevOps solutions in the market. Checkmarx Software Composition Analysis has a lot of competitors yet its features aren't much different. Pricing is the first thing customers consider, and from a partner perspective, if you can offer affordable pricing to your customers, it's more likely you'll have a winning deal.
The performance of Checkmarx Software Composition Analysis also needs improvement because sometimes, it's slow, and in particular, scanning could take several hours.
I've been working with Checkmarx Software Composition Analysis since August last year.
In terms of the stability of Checkmarx Software Composition Analysis, I've experienced a performance bottleneck, for example, it's been slow. My company has two clouds in Europe and the United States, and when I use the cloud that's based in Europe, sometimes its performance isn't good. When I perform a scan, it takes a long time. It particularly takes several hours for the scan to be completed.
At the moment, customers can use Checkmarx Software Composition Analysis for unlimited projects, so in terms of internal capacity and scalability, those areas are good.
Checkmarx Software Composition Analysis has very good technical support.
The initial setup for Checkmarx Software Composition Analysis was straightforward. On a scale of one to five, I'm rating the setup a five.
Pricing for Checkmarx Software Composition Analysis needs to be competitive.
My company is a Checkmarx Software Composition Analysis partner.
The solution is cloud-based, so it doesn't have a specific version. When Checkmarx markets a product, the product version isn't mentioned.
Checkmarx Software Composition Analysis is SaaS, so the customer just gets the account then he can log onto the platform and use it online.
My advice to anyone looking into implementing the solution is that you need to know about open-source security, particularly open-source software fundamentals. It's knowing not just open-source vulnerabilities which Checkmarx Software Composition Analysis scans, but legal information as well. The solution doesn't just detect vulnerabilities. It also detects legal risks, for example, if you're using a copyrighted open-source license or a permissive license, etc.
I'm rating Checkmarx Software Composition Analysis ten out of ten.
We use it for scanning .NET and Java applications. We are using its latest version.
One of the strong points of this solution is that it allows you to incorporate it into a CI/CD pipeline. It has the ability to do incremental scans. If you scan a very large application, it might take two hours to do the initial scan. The subsequent scans, as people are making changes to the app, scan the delta and are very fast. That's a really nice implementation. The way they have incorporated the functionality of the incremental scans is something to be aware of. It is quite good.
It has been very solid. We haven't really had any issues, and it does what it advertises to do very nicely.
Its pricing can be improved. It is a little bit high priced. It would be better if it was a little less expensive.
It is a good tool, and we're still figuring out how to fully leverage it. There are some questions regarding whether it can scan the MuleSoft code. We don't know if this is a gap in the tool or something else. This is one thing that we're just working through right now, and I am not ready to conclude that there is a weakness there. MuleSoft is kind of its own beast, and we're trying to see how we get it to work with Checkmarx.
I have been using this solution for maybe three months.
It is still in the early stages, but it is performing as expected. It has been very solid and stable. We haven't had any problems with it. We've used it maybe against a dozen projects. We might have done a hundred scans.
They provided some technical support during the installation. They clarified some questions and were very responsive.
The initial setup was straightforward. It took maybe three to five days.
It was implemented in-house.
It is a little bit high priced. It would be better if it was a little less expensive.
I would rate Checkmarx Software Composition Analysis a nine out of ten.