Checkmarx One Reviews

Checkmarx is a source code application for development, which means from the source code level, you can use Checkmarx to detect your coding errors, and to detect vulnerabilities that could have come from the different tools that you were using to develop your application. At the source code level, you can prevent the weaknesses that the application can carry on the journey of its development and use.  

Checkmarx helps the users to have a secure coding environment and experience, and a secure source code level of application. That main application can leverage or improve the service delivery to customers.

The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera. 

The software languages that they support are one of the largest in the market.

Checkmarx could improve by reducing the price.

I have been using Checkmarx within the past 12 months.

Checkmarx has been stable in my usage and I'm confident to recommend it to anybody.

Checkmarx is very scalable. It can run for a small and large organizations.

The technical support is good.

I rate the support from Checkmarx a four out of five.

Positive

The initial setup of Checkmarx is easy.

I rate the initial setup of Checkmarx a four out of five.

We use one engineer with the help of Checkmarx for support and deployment.

The price of Checkmarx could be reduced to match their competitors, it is expensive.

I strongly recommend Checkmarx to others. I have sold the solution for nearly eight years, and I'm not aware of any major complaints that the users have that could not be resolved.

I rate Checkmarx an eight out of ten.

The Checkmarx application is a live wire of technology delivery, and if your application is vulnerable, then the asset that your acquisition will run will also suffer vulnerability. Providing the scanning ability that shows the errors at the source code level is critical to have effective development of any critical application.

I would recommend Checkmarx eight because it's very critical and integral to the improvement of technology and cyber security today. It's a critical tool in protecting cyberspace, your asset in cyberspace, and an application that runs nearly all human life today. Everything is driven by technology and application.

I am using it for software assurance focused on security. I am using its latest version.

I use both the static code analysis and the open-source analysis engine. It gives visibility into weaknesses and the software that may be there in the source code and static analysis. It also gives some insights into the open source vulnerabilities that may be there in the codebase.

I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy. Typically when using SCA tools on C/C++ and C# you must compile the software for SCA to work. CX doesn’t require any compilation due to the way the tool does synthetic compilation to help find errors in code. Many times 3rd party assurance providers don’t have all the files to compile so CX comes in handy. 

They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server.

I had several issues with the installation. It should just work out of the box.

I have been using it off and on for about a year.

I've run into a few bugs here and there but i would recommend installing on virtual machine and snapshoting a working install. 

My setup is standalone. They do have a scalable version, but it's not something I need.

We're not using it a lot. Its usage is once a month. The way our organization works is that we don't do static code analysis every day. It's more on an as-needed basis. So, it's no fault of the Checkmarx tool. It's just not something that we've been working on.

They were pretty good. I would rate them a four out of five, but I was using their salespeople. It wasn't their traditional tech support, so I can't really evaluate their traditional tech support. When they're selling something, they give you a lot more service instead of having to go through the support system.

I still use other tools, so I just added it to the tool chest. I have Fortify, CodeSonar, etc  and I added Checkmarx as a different tool.

I installed it. It's straightforward to install, but I had several issues with the installation. I don't know if it was with my environment or not. If it works properly, it's a simple install, but in my example, it did not work right off the bat. There was some troubleshooting that had to go on, which was a little frustrating.

It took weeks. It required back and forth communication with support for a couple of days, but I wasn't actively working on it for days. I would run into a bug, send the log file, and go back and forth. It wasn't anything crazy, but it was a little frustrating. It should just work out of the box. It should be pretty straightforward where you just click the installer and go, but it wasn't.

It was implemented in-house, and then I had to call support when needed.

In terms of maintenance, it is pretty self-sustaining. You update it whenever it needs to be updated.

There hasn't been much return yet because we haven't used it much, but I have enough faith in it that I committed to it for multiple years. We are starting to use it more but not enough to state ROI yet

I would rate it a seven out of ten. It's not the best tool on the market, but it provides some good capability for what it is.

We are using Checkmarx for analyzing threats.

We are not using the latest version of Checkmarx because we faced some issues.

Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities.

SonarCube functions better in these areas.

I have used Checkmarx within the last 24 months.

The stability of Checkmarx could improve.

I would rate the stability of Checkmarx a six out of ten.

The solution is scalable, but other solutions are better.

We have 20 developers using this solution. We have a few projects left to use this solution and then we will move to something else next year.

The support could improve, it takes a long time for a response. The service we received was poor.

I am using Checkmarx in parallel with SonarQube.

We didn't like how long they took to implement the product. The installation was not intuitive. We were constantly having meetings and installation additional things.

The implementation process should improve.

We were helped by both the local partner and the vendor for the implementation.

We have two developers for the maintenance and support of Checkmarx.

We're using a commercial version of Checkmarx, and we paid for the solution for two years. The price is high and could be reduced.

The local distributor charges two times higher than in other countries.

The purchase of this solution was a mistake.

I would advise others to deploy the solution and to test all of the functionality before buying and do not trust the marketing from Checkmarx.

I rate Checkmarx a four out of ten.

Checkmarx is used to check the code from programmers and vulnerabilities in third-party software.

Checkmarx can be deployed on the cloud and on-premise. However, it depends on the version.

Checkmarx detected code sections that did not adhere to best practices. After being informed, the programmers were able to rectify some of the issues. Without Checkmarx, it is unlikely we would have identified these issues.

Utilizing the SCA module, I gained valuable insights into the vulnerabilities present in open-source Python libraries that individuals desire to use. As an information security consultant, I advise against employing Python libraries that contain known vulnerabilities. The SCA solution proved to be helpful in this regard.

The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful.

Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not. 

In a future release, the SCA module could have better documentation. It was difficult to know how to check the names of all the modules. It took me a lot of time and I needed help to be able to write the requirements file. More clarification would be helpful in the documentation, such as examples.

I have been using Checkmarx for approximately six months.

The stability is great.

I rate the stability of Checkmarx a ten out of ten.

The scalability of the solution is great. Everything I send to the solution is processed quickly.

We have five information security analysts and programmers using this solution.

We plan to increase our usage. We will install it on more networks.

I rate the scalability of Checkmarx a ten out of ten.

I found someone in the evening that logged in and answered my issues. They are responsive.

I rate the support of Checkmarx a ten out of ten.

Positive

We have one person for the maintenance of the solution but it is minimal and is not a full-time job.

I would advise others to ask for a demo of the solution and if it works well for their use case then purchase it.

I rate Checkmarx a nine out of ten.

We use the solution on a developing project. Before we bring the code to production, we have to ensure its quality, and we use this solution. 

It's easy to use. The configuration is easy. 

It has all the features we need. 

We haven't had any issues with the solution so far. It is not missing any features. 

It takes too much time to check the code. The validation process needs to be sped up. 

There have been some configuration issues. We sometimes have failures. 

I've been using the solution for two and a half years at this point. 

We've had to deal with errors. When we blacklist or whitelist, we do have some issues. There are a few configuration issues. I'd rate the stability seven out of ten. It could be improved. 

I can't speak to the scalability. I don't deal with scaling. The usage is limited. We aren't attempting to expand it. We only do two to three processes at the same time. 

Technical support is okay. We are mostly happy with the help we get. We can directly connect with them.

Neutral

I'm also using SonarQube.

I did not handle the deployment directly. We have a team that manages the tool. I'm not aware of how many people are needed to maintain and deploy the solution. 

I don't deal with the pricing directly. I don't know the exact cost. 

I'm a customer and end-user.

I would recommend the solution to other users. I'd rate the solution eight out of ten. 

We use Checkmarx as a code analysis tool.

We have always used some kind of code analysis tool and Checkmarx has been working for us at this time. We like the tool.

The most valuable feature of Checkmarx are the automation and information that it provides in the reports.

I am using Checkmarx for approximately two years.

The stability of Checkmarx could improve. We're having issues with it, but we don't want to upgrade to the newest version until we make sure that the issues we're having now aren't present in the newer version.

The scan reliability sometimes is impacted and we sometimes have to restart the services to allow scans out of the queue.

Checkmarx needs to be more scalable for large enterprise companies.

I have used the support from Checkmarx.

I rate the support from Checkmarx a seven out of ten.

Neutral

I was previously using Fortify but they were antiquated. They were not updating the solution on a regular basis.

The initial setup of Checkmarx is straightforward. The implementation of Checkmarx does not take long because we have a process for it.

We have four people that maintain Checkmarx in our company. We have professional services but I did most of the deployment myself.

My advice to others is that Checkmarx is good compared to the other tools. However, they are all comparable, it depends on what languages they want to scan. Overall, Checkmarx is a decent solution. It would be a good idea to test other solutions.

I rate Checkmarx

We mainly use Checkmarx for accreditation, checking for vulnerabilities, and identifying areas in the code to fix some of the NIST 800 security controls.

The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for. It's also pretty intuitive and has a lot of good dashboards and metrics.

Checkmarx could be improved with more integration with third-party software.

I've been using Checkmarx for about six months.

We've had no issues with Checkmarx's stability.

I thought Checkmarx was pretty scalable.

My experience with Checkmarx's technical support has been very positive.

Positive

I found the setup pretty straightforward, though it took several days because the system engineers had to go through some different configuration settings to get it done.

We worked with Checkmarx when we ran into issues, and they were pretty responsive.

Checkmarx isn't accredited by the US government for DOD networks, so we've been forced to remove it from the network. I'd rate Checkmarx as seven out of ten.

We're more evaluating the solution rather than using it right now. We're resellers and it's something we'd like to offer to our clients.

I am aware of Checkmarx's portfolio, however, we've been playing exclusively with the SAST and with the AppSec Awareness platform, they're Codebashing platform. It's been a very positive experience overall.

The value you can get out of the speedy production may be worth the price tag.

The reporting could be better on the product. The need to be much more customizable including being customizable for various roles.

The pricing can get a bit expensive, depending on the company's size.

We've been working with this solution for some time. I have personally been working with the product for the last three or four months.

We haven't really extensively worked with any other products.

The cost might seem steep, however, it really depends on, first the size and requirements of your company. There are companies for which the speed of developing new features and developing them securely, is more valuable than for other organizations. 

This goes not only for Checkmarx. It goes for any automated desktop security platform in general. I definitely see the cases when the Checkmarx license is a reasonable expense. It just may not be for everyone.

We've been looking at SonarQube. We're looking into other options as we don't want exclusively to just offer Checkmarx to potential clients.

We looking for solutions more on the enterprise spectrum. Therefore, I would probably consider products such as Vericode. I would also consider the newer players, such as, for example, GitLab. 

We're resellers, however, we don't have an exclusive relationship with this company. We're looking at other products we can use and offer to our clients as well.

In our company, we do not have the Checkmarx solution running on production. We do have it, however, we only have a learning license, which is non-commercial.

On a scale from one to ten, I would rate this product at an eight. Overall, it's been a positive experience so far.