Checkmarx One Reviews

The primary use that we have for Checkmarx is the evaluation of source code vulnerabilities.

We use Git to connect to Checkmarx. We don't use GitHub. We use our own self-hosted Git. We're just using generic Git. One of the biggest thorns in our side is managing that aspect of it. It wouldn't matter if it was GitHub or Bitbucket or any of the other tools that you can use to connect Git to Checkmarx. The issue is the same. 

The tool is good at telling us what repository we're connected to, but it is horrible in telling us what branch we're connected to.

I haven't been monitoring how well our projects have been at reducing vulnerabilities. Checkmarx is one that you have to actively follow, and my position doesn't require that I do that. I set up the tool, and then I let other people use it.

I'm the system administrator of the tool rather than an active user of it. This product has room for improvement in administration.

Adding users is kind of a pain. We need a more automated way of adding users. User administration for the IDs can be improved, they can make it a more automated feature set so that you can add users more quickly and easily. 

Most tools that I'm dealing with today have a mechanism where people can self-enroll.

I'm more of the admin as opposed to a user of Checkmarx. Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before.

One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage. 

Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage.

To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet. 

There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain.

All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud. 

The issue with Checkmarx is the next pain point, i.e. their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install.

My last statement on Checkmarx is Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well.

I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows only is a hindrance as well.

Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.

Checkmarx is a stable product, especially based on the number of updates that we receive. Every time we get a new update or a hotfix, I'm very much in the loop on getting that information. Compared to some other products, it doesn't have the churn that others do, i.e. in the number of updates and patches that we have to apply to it.

We're licensed for 100 users. Primarily we use Checkmarx for developers, managers, architects, and maybe some of the design folk, but not QA. This would solely be in the realm of development and architecture. 

There is no plan for us to increase our usage of Checkmarx. We're trying to get as many scans as possible. One of the issues that we have is the concept of an incremental scan. The more of the incremental that you do, the slower the service becomes.

When you go in and you look at the last result: it's your baseline or your full scan, followed by applying each incremental. The more of the incrementals that you have, the slower Checkmarx gets.

They've come up with a recommendation for users to do one full scan a week and maybe six incremental scans. This needs to be worked on to get the performance better on this particular tool.

Checkmarx can scale up very easily. Anything that can be automated can be scaled. If I can automate it, I can scale it. Under the hood, it does the management of the scan engines well.

We have some large code bases, that according to the Checkmarx internal people, based on the number of lines of code, everything is 100% optimized hardware-wise. The fastest that the scan should take is 13 hours. That's a full scan, an incremental is a little different.

The problem with Checkmarx from that standpoint is, in our most active code base, we want it to be scanned frequently. At one point in time, it was taking up to 26 hours to do a single scan. We were scanning twice a week or four times a week. 

That same code base has two separate instances of itself. A long time ago they started as a common code base and then they split. Now, in essence, we have two products based on the same code base. We had to scan them twice a week.

The customer service on the phone so far with Checkmarx has been good. We've had more issues with other projects that have gone into the cloud than with this particular instance. 

It's mostly email until you scream enough with Checkmarx or you go through your salesperson. It's a little bit of a burden to get to them. 

For the most part, the people that I have dealt with know their stuff, and we haven't had any problems. It's been a challenge. We did try to do things that no one else had tried before according to them, and so we ended up having setbacks because of trying new things. 

The tool that we were using before was AppScan.

The initial setup of Checkmarx is straightforward. We did a bunch of things that shot ourselves in the foot that we weren't expecting. We were initially trying to put Checkmarx in the cloud. We were even putting Checkmarx into an Azure system until we found out that Azure, with the Microsoft SQL engine, does not support what Checkmarx requires. 

The Azure implementation of SQL does not allow the USE statement. Extremely odd. Maybe Microsoft figured out if you can't use USE, that means you have to have more databases and so they can charge more. Microsoft Oracle and IBM have been pulling that crap for years. They're making a lot of money.

It probably took us a couple of months to go through all of the issues, basically trying to find a home for SQL. We ended up creating a Microsoft SQL server in Amazon.

With Amazon's RDB, you can use Oracle, PostgreSQL, Sybase, Microsoft SQL, etc. as its RDB engines. Depending on whether you already have a license, or if you want to pay for the license when you set up the instance, you can do either. 

We had the license. We just created an instance in the Amazon cloud.

I've got 100 licenses for Checkmarx. As people come and go, it's a hassle to add and remove them. In this day and age, it's such a meaningless time-waster.

We were previously working with Azure. We switched because of their implementation of SQL Server. Checkmarx uses statements to move from database to database. Azure does not support that in its implementation at this time. 

Time will tell and Microsoft does improve their code over time.

From an administrative standpoint, I would rate Checkmarx with a five out of ten. From what my users are telling me, I'd give it an eight for the tool's ability to report on vulnerabilities in the user experience. 

I would rate Checkmarx with an eight on the user side and a five on the admin side.

Customers need to work with Checkmarx to scale the system for their needs, i.e. work with their recommendations. The best practices that they have there. 

They have this formula to calculate how many CPUs and how much memory you need. The memory requirements are huge. We've got 64 GB machines to scan them.

That's the low end of what they're recommending. Their processes do a lot of number crunching in memory. For a 4 million line code base, it's just going to consume a lot of time and a lot of resources. 

We are only using the source code scanner. We're not using the OSS scanner. We use Artifactory for our OSS repository, and Artifactory comes with its own built-in OSS scanner. We didn't need two OSS scanners.

We are currently using the solution for scanning code-level vulnerabilities. 

Checkmarx is more developer friendly. Developers are aware of how to use Checkmarx. It's not too complicated, and they can understand what the problem is in their code, and it helps them to write secure code. That's a big thing. It's not an obstacle for developers. They can easily write their code and make it more secure with Checkmarx. That's the main positive point.

A non-developer may struggle with the solution. 

Codebashing is the learning platform that comes bundled with Checkmarx. The thing with Codebashing is that they give you tips on how to write secure code. However, I saw other developers complain about this. Instead of telling you what the good practices are, it would be more helpful, when we are writing the code, alongside that code, to have Codebashing tell us where exactly we are going wrong and how to help secure code and if there are specific scenarios we should be considering. Basically, the integration needs to be better. 

There's a general lack of space. 

Checkmarx has a slightly difficult compilation with the CI/CD pipeline. If it could be easily integrated into the CI/CD pipeline, then it would be much easier for developers rather than being an extra step that developers have to take to make the code secure. 

We've used the solution since 2019.

The solution is stable and reliable. There are no bugs or glitches. It doesn't crash or freeze.

In general, it can scale. 

There are certain scenarios where scalability becomes an issue. I can't really give any examples, however, while it can scale, there may be hiccups. 

We may have up to a few hundred users on the solution. 

As far as I'm aware, there is a team at Checkmarx that we can contact and they are there to help us with some basic queries. It's not continuous support. It's more like they're there on the side, and we can contact them as and when required.

Positive

We have used and looked at a mix of options, including Veracode and FOSSA.

Right now, I don't really have a competing vendor in my company, so I can't compare. More importantly, I don't have that much experience with others to compare anything accurately.

I did not handle the initial setup and, therefore, cannot speak to how easy or difficult the process would be. 

The licensing is okay. I'd rate it 3.7 out of five. It is moderately priced yet not overly expensive. 

Right now, we are partners.

We have the solution deployed in the cloud and on-premises. It's a hybrid setup.

I'd rate the solution seven out of ten.

I'd recommend the product to other users. 

Whenever a web application needs to be moved into production, a static code analysis or source code review must be done. The analyst runs several tools on the web application and collects details. Completing a source code review for a particular application will take around five working days.

Since we moved to Checkmarx, it has reduced the time significantly. Usually, we get the report within a day. It lists all the critical vulnerabilities and provides remediation. We provide suggestions to the customers and the project owners to fix the loopholes immediately so that we can move to production. Sometimes, the life cycle is reduced from five days to one day.

Static code reviews are small projects. Previously, with a team of four analysts, we did two project reviews every month. Since we started using the solution, we could do four projects every week with the same team.

It is very easy for the analyst to have everything in a consolidated single pane of glass. Previously, they ran multiple tools. They used one tool for source code analysis and another for static code review. Then, I manually verified each result. Since we moved to Checkmarx, it has been very easy for the analyst.

The tool gives us a shareable report that can be easily shared with management once the product is done. The solution’s performance and the consolidated information it provides are valuable. The platform is completely on the cloud. There are no scalability or connectivity issues. The platform is stable. It can be accessed from anywhere.

We used open-source tools before. We had to deploy the tools in the customers' environment to establish the connection between the tools and their product application. Since Checkmarx is a SaaS-based platform, we need only the forward connection from Checkmarx to the tool. The tool handles everything else. We just need a single firewall rule to be enabled on the platform to establish the connection.

The deployment is very simple. We need just one rule to forward the web application to Checkmarx. The scanning engine is very good. Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%. The tool has greatly reduced the time and effort our analysts need to do their tasks. It's very useful if we need to perform a short-term project. It is greatly helpful in fixing loopholes and vulnerabilities swiftly.

We can run only one project at a time. We haven't tested multiple projects at the same time. Currently, not all the projects are visible under one pane. We handle one-time projects. As a manager, I do not have the overall visibility of all projects simultaneously. I have already raised a support ticket requesting the ability to manage all projects from a single pane. There may be an option for it. However, I am not aware of it. The solution must provide more integration with different platforms.

I have been using the solution for three months.

I rate the tool's stability an eight out of ten.

The tool is scalable since it is a cloud-based solution. We have served over 100 customers.

The setup is straightforward. Our analysts had a training for half a day. They were able to use the product form the next day. We just need to purchase a license. Since it is a SaaS-based solution, no additional deployment is required. We only need to enable the firewall rule.

The solution helps us push the application into production much sooner than anticipated. If we have a web application that needs to go live, traditionally, it takes 15 days to a month to push it into production after all the security checks. If the other teams can patch the vulnerabilities as soon as we suggest them, Checkmarx can help us push the product into production within a week. It's very easy to rescan.

If someone has too many applications, they can directly integrate Checkmarx into the CI/CD pipeline. We got the license and are running the solution for our customers. We do not charge our customers for the solution. Overall, I rate the product an eight out of ten.

It is used for scanning for some other purposes. We needed Checkmarx to figure out some OS top ten issues in the codec.

The only thing I like is that Checkmarx does not need to compile. That's a good feature.

Checkmarx is not good because it has too many false positive issues. The software does not understand the code very well. It does not handle the process very well and misunderstands the logic, resulting in too many false positives. As per my experience, more than 80% of the issues are false positives, and it takes too much time to figure out which ones are true and which ones are false positives. 

Therefore, this is one of the areas of improvement for Checkmarx. It requires in-depth knowledge of the coding. 

I have been using Checkmarx for more than a year. We are using the latest version. 

I would rate it as four because the scanning engine can crash sometimes.

I would rate scalability a three out of ten. 

The technical support is not good because they charge an extra fee. If we pay them on a call basis, they will charge extra. We can only give them emails; if we have a problem, it takes over half a year to fix the issue. They're just too slow.

Neutral

The deployment is easy, but it may take around half an hour or even more because the software is huge. Also, good hardware performance is required, such as big memory and disk space.

It requires a lot of disk space and good hardware performance, and the speed is slow.

The deployment is pretty tough to do by myself.

It's expensive. I would give it a four out of ten.

We just calculated the speed of Checkmarx; it is around 40 lines of code per second. It's too slow, so we now use a Chinese software called XCheck, which is much better. It can scan around 2,000 or 5,000 lines per second, depending on the code complexity. XCheck is a product of a Chinese company called Tencent.

Overall, I would rate the solution a three out of ten. 

One use case is when a development team finishes, or even in the middle of, development. They run Checkmarx, which shows potential vulnerabilities. If they don't understand something, they consult with me. 

I explain what Checkmarx is highlighting, why it's "shouting" as we say, the specific vulnerability, and the problem it found in the code. Then, together, we explore the code and decide if it's a valid issue requiring a fix. 

We also discuss how to fix it, or if it's a false positive because, in their environment, the problem either cannot exist or doesn't exist in the way they use their software.

We also have another use case. When a software company, like an integration company, does a project for us, we request them to run their code through Checkmarx. If they don't have their own tool, we run it on our Checkmarx and provide them with the report. We request, or rather insist, that they fix most, if not all, of the problems Checkmarx finds. 

These might be issues they didn't consider, but we put it in the contract that they have to submit their software to a "code check," meaning they can use Checkmarx or another approved tool. If they don't have a tool or refuse, then it's okay. The key is to have it in the contract and signed. 

Otherwise, fixing the software later becomes difficult, especially when the project is nearing completion. That's why we do it when the integration begins, so there's still time to address the issues. If you wait until the very end, it's too late.

The solution improved the efficiency of our code security reviews. It helps tremendously because it finds hundreds of potential problems sometimes. When the development teams fix them, or even some of them, it significantly enhances the security of the software. 

For example, we had a project, an outsourced one, that provided code written in PHP and included dozens of open-source utilities, libraries, and the like. Their server-side code was in PHP, and their client-side was in JavaScript. Both sides also used many libraries and utilities.

When we ran Checkmarx, it found numerous problems in both their code and the third-party software, including hundreds of high- and medium-severity issues in the PHP code. I didn't dig into the specifics; I just said, "Look, it found hundreds of high and medium problems. You need to reduce them. Before testing starts, you need to provide us the code again, and we'll run it again."

They started fixing it, and while I didn't follow up on the specific fixes, perhaps they removed some libraries. As long as the number of high and medium problems in the Checkmarx report decreased, it meant they were making progress. They hadn't finished yet, though.

After they fixed about half of the problems, we allowed them to start integration. However, they still need to fix the remaining issues, and hopefully, they will.

The most valuable feature is that Checkmarx specifies the exact line of code where it finds the problem. They show it in the report, the exact line or two lines. They also show where the problem starts and where it's used. 

Even if it's used later in routines or messages during the computation, they show both sides. For example, they show the user input and where it's being used, even if it's saved in a different file. 

They follow the code, the function code, the method code, and all the calls until it's used because they have all the code mapped. So, they show where it starts, where it's being used, and they say it hasn't been checked all the way. They prove it, not just say it, by showing exactly where the issue is. 

Even if you don't know the software, like third-party software you want to fix or modify, you know where to start looking in the code.

As for the UI, it's okay. You give it the code, it runs, and it's pretty good.

There's one thing Checkmarx can maybe fix, actually two things.

First, when we first ran it on a big project, there wasn't enough memory on the computer. It originally ran with eight gigabytes, and now it runs with 32. The software stopped at some point, and while I don't think it said it ran out of memory, it just said "stopped" and something else. 

We had to go to the logs and send them to the integrator, and eventually, they found a memory issue in the logs and recommended increasing the memory. We doubled it once, and it didn't seem enough. We doubled it again, and it helped.

So, even if the software reaches capacity on the computer, even though it writes it in the logs, it should also give an indication in the GUI to the person running it, saying "not enough memory" or "not enough disk space."

Another problem is that when it's scanning and it has an internal problem, for example, it cannot check something, or an internal bug or internal problem, it's being found in the logs, but there's no indication to the user. Now, this is good for them because the user runs it, gets a report, everything's fine.

But in a way, it's not good for them because the user doesn't know there's a problem since they don't check the logs. Because mostly, only the manager looks at the logs and only if there's a problem being reported. You run a process, get a report, but in the logs, there might be an indication that it couldn't check several files or understand something. There's a problem, an internal problem that can be fixed, but nobody knows about it because we don't look at the code. The user doesn't look at the logs; only the business manager does, but they don't know because the user doesn't report it, because the user doesn't know.

So, my suggestion for them is this: if they have problems, they should say, 'Here is the report,' but also indicate to the user somewhere, perhaps in the GUI, not necessarily in the report itself, 'We found 100 problems while looking at your code. Please provide us the logs so we can try to fix those.' Then they can ask if the user has any problems. This way, users would know to send them their logs, and they could improve their software, meaning fix the problems.

Now, they may not want to do this because they'll get flooded with millions of responses and millions of problems from all over the world. They would have to fix them, and people might get angry, asking why they provided a report when there were hidden problems. People might say, 'How come you gave me a report with seven or eight problems when analyzing it, there were internal problems with your code? So it's not a perfect report.'"

So, these internal issues are logged but not communicated to the user through the Checkmarx interface (GUI) or report.

The solution also has a few false positives. So, if they had an easier way for users to send an email directly, instead of just opening a ticket. Because when we open a ticket, they want all the logs and everything, and it becomes a hassle.

Perhaps they could implement an easier system where users can send a snippet of the code, along with an explanation of why they believe it's a false positive, referencing the specific report. 

This way, Checkmarx could analyze the information and the development team could potentially fix the product in those areas. It wouldn't require them to necessarily respond to the user, but I'm not sure if that's feasible for most companies. 

I have been using it for one year. 

If you have enough memory, it's scalable. You need a lot of memory for it to be scalable. 

Once you have enough memory, it is stable and scalable, and there are one or two parameters you can modify to make it even more scalable. Scalability is relatively fine.

For the scanning option, the default is to use only one main language, but you can request multiple languages. It's scalable.

Nowadays, nearly all the developers, when they finish development, either they or the team leader runs it, and they have to fix the problems.

The customer service and support are okay because the thing is, we spoke with the integrator, so we didn't reach Checkmarx tech support.

Positive

The setup was done by an integration company. 

I would definitely recommend it. It's an excellent solution.  

Overall, I would rate the solution a nine out of ten because there is always room for improvement. 

Checkmarx could perhaps give more examples of solutions in the reports. It's very good, but sometimes the solutions they give are not necessarily relevant to the code or how it's written. 

So, Checkmarx should give more examples of solutions. Although, it's not that bad because they give a few, one or two. And if you want more, you can look online. But it would help if they could refine it and give additional options for solutions.

The best thing about Checkmarx is the amount of vulnerabilities that it can find compared to other free tools.

The statistics module has a function that allows you to show some statistics, but I think it's limited. Maybe it needs more information. There are some cases where you have to go directly to the Checkmarx database to get the information that you want. The default module that provides statistics is basic, and you need more elaborate information to do vulnerability management. The tool has a limited scope.

It is easy to scale, you just have to pay. There are about 100 developers and security people using this solution in my company. 

The contract that we have is not directly with Checkmarx. It's with an intermediary company in Argentina, and they give us support. They are not very fast in answering our questions. They have a kind of first level support, but for more technical stuff they go directly to Checkmarx.

As with other tools, if you want more, you have to pay more. You have to pay for additional modules or functionalities. For instance, if you want to do some scanning to external dependencies of the software, you have to buy another tool provided by Checkmarx.

You have to pay for licenses for the number of projects that you want to scan and the number of users. I think you have to pay licenses for three features: the number of users, the projects, and I don't remember the other one.

We have two administrators who coordinate maintenance with the vendor.

My advice is that you need to estimate the right amount of licenses. That's very important because right now, our company needs more licenses, and that was not well estimated at the beginning. The other thing is to be clear about the features of this tool that you want or need.

I would rate this solution as a nine out of ten. 

My team uses this product extensively for application vulnerability assessment. This solution is for static application security testing and is used within our software development process.

As the software developers are creating solutions, they are able to identify vulnerabilities while the application is being written, rather than after the entire development is over.  

We were interested in having the raw source code scanned, so that was the primary requirement and that is where Checkmarx comes in. We do not need any precompiled libraries, or compiled source code, to be checked by the source code analysis solution.

We have a security team that uses this product to scan source code, rather than have the developers handle it. We do not have any developer licenses (i.e. the SDLC Edition). Instead, the security team identifies the vulnerabilities and shares the report with the development team.

The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete.

As an example, an application may contain three hundred thousand lines of code that was written over two or three months. Rather than having to examine the entire product for vulnerabilities, we are able to assess weaknesses and identify vulnerabilities in, say, five hundred or one thousand lines of code. This is really advantageous for us.

There are many features, but first is the fact that it is easy to use, and not complicated.

One of the cool features is that it identifies the development technology that we are using on its own, whether it is Java or .NET or otherwise, it identifies it by itself.

The most important aspect is that it shows us exactly, on which particular line, the vulnerability is.

The user interface is very intuitive and it offers help on the fly.

The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.

We have not observed any issues, such as the application crashing, with respect to the stability of this solution.

The solution is quite scalable. We are not using the SDLC edition, but with that version, the developers can use different plugins and initiate the scan from their own development environment.

There are three or four members in our security team who use this tool. At the current time, we are happy with this solution and do not plan to increase its usage to the point where we need a different license.

We have found the technical support to be good. Whenever anyone has an issue, we write directly to Checkmarx.com and they issue a support ID. Most of the time we receive a quick response.

We are currently based in India, and they have increased their team size in India with a couple of people providing support. It covers the Indian subcontinent as well. With this increase, our tickets are answered very quickly as compared to what we used to get.

I do not have recent, hands-on experience with this tool but, I have used it in the past and my team now uses it extensively. We did not use a tool previous to this one, and we plan to continue using this because we are getting good results.

We use this solution for static application security testing. For dynamic testing, we use the Netsparker solution.

The initial setup is pretty simple and straightforward, and it does not take more than fifteen minutes, maximum. The entire deployment was completed in not more than half an hour.

Not many people are required for deployment or maintenance. We have not done much since the original installation. When a new version comes in, any member of the security team can update the solution. In that way, a single person can maintain it. Within my team, it is a Senior Security Analyst who maintains this solution for us.

It is a very simple tool and we do not have a complex environment. It is installed on a standalone machine.

We do not have an integrated solution. This is a standalone solution that is used with the Security Gate. The installation was completed in-house, by our team only.

We have seen ROI, but quantifying it in terms of the numbers is difficult. The biggest advantage we have seen is that we're able to develop and deliver secure solutions, in a faster time. We used to test our applications efficiently, and we still do, but there used to be a period of rework required. Now, that does not happen. We are able to identify the issues and address them while the development is in progress.

We have a subscription license that is on a yearly basis, and it's a pretty competitive solution. I don't know of any additional costs, beyond the standard licensing fees, for our version of the software.

In the case of the SDLC edition, which is a higher version, there may be some professional support that is required. Otherwise, any license that they provide is just an annual subscription fee.

We evaluated the Fortify Static Code Analyzer and IBM Security AppScan, but our evaluation was not fully completed. We were happy with what we were seeing with Checkmarx, so we did not go ahead with the others.

My advice to any software development team using a different set of tools is to look at Checkmarx. It's a very good product. It's a great product, in fact. Any organization spending money on a subscription license should not look at it as a cost, rather, it should be seen as an investment. The Checkmarx solution can act as a resource that can help the development team to secure their application delivery. Be it an internal application for their own use, or applications being written for their customers.

This solution tells us where, in our code, the "best-fix location" is. To put this into perspective, consider a particular piece of code where there are ten vulnerabilities detected. Perhaps it is an SQL injection vulnerability. This tool gives you specific locations and informs that if you fix the code in certain areas (e.g. in three specific locations) then the subsequent vulnerabilities will automatically be addressed. Therefore, you save on development effort because you do not need to fix all ten vulnerabilities specifically and independently.

I would rate this product a nine out of ten.

I am representing Checkmarx as a reseller. I work with both the cloud and on-premises versions. I have been working with Checkmarx for more than twelve years.

Checkmarx is a must-use product due to the increasing number of cyber-attacks nowadays. The product's quality and performance justify its pricing, making it a worthwhile investment.

Checkmarx offers many valuable features, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IAC), Supply Chain Security, and API Security.

The Dynamic Application Security Testing (DAST) feature should be better. The technical support service could also improve in terms of their response time.

I have been working with Checkmarx since the early days of Checkmarx, which is more than 12 years.

I would rate the stability of Checkmarx at nine out of ten.

Checkmarx is scalable, and I would rate its scalability at nine out of ten.

The customer service and support should be quicker from my point of view. I would rate them eight out of ten.

Positive

I have been working with Checkmarx for over 12 years without switching to a competitor due to Checkmarx being the best product in the market.

The initial setup is straightforward, especially with the cloud version where no deployment is needed. The on-premises version requires some time and depends on the customer's environment.

In typical circumstances, one senior engineer is enough for implementation, but in special cases, maybe two engineers are needed.

Checkmarx is cost-effective. It is a must-use product in today's cyber security environment.

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

I chose Checkmarx over competitors due to ethical considerations and its superior functionality.

Checkmarx is plug-and-play and the best product in the market at the moment, as evidenced by reports such as Gartner's.

I'd rate the solution nine out of ten.