Technical Lead at a tech services company with 1,001-5,000 employees
User friendly with a good interface and excellent at detecting vulnerabilities
Pros and Cons
- "The user interface is excellent. It's very user friendly."
- "The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."
What is our primary use case?
We use this solution to check our systems for any vulnerabilities in our applications. Currently, I'm working on a banking tool, which is aligned with the menu. Our system was created 30 years ago and still is running in the market and doing well. However, currently, there are so many changes happening. Any solution coming into the technology needs to have a security check to ensure everything is safe.
What is most valuable?
The reporting on the solution is very good. The reports we get are very self-explanatory. They aren't complex or confusing. They will tell us if we are facing vulnerabilities and where. From the reporting, it's quite easy to find the problems and fix them.
The solution overall is very good at detecting and pinpointing vulnerabilities in the code.
The user interface is excellent. It's very user friendly.
The solution offers good training documentation so we know how to handle problems as they arise.
What needs improvement?
Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made.
The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.
For how long have I used the solution?
I've only been using the solution for three months. It hasn't been too long yet. I'm new to the position. My organization, however, has been using the solution for quite a while.
Buyer's Guide
Checkmarx One
May 2025

Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.
What do I think about the scalability of the solution?
We have different team members on the solution in the UK and India. It's only available to those directly involved in the security aspects of our company.
How are customer service and support?
We have our own in-house team that manages a lot of issues that may come up on the solution.
The thing is, security is a major concern for us. We cannot exactly contact their team about a lot of things as we do have process guidelines and we need to follow these processes if we run into issues. If we have problems, we have an expert that can sit right next to us and figure out a solution. This helps us better manage the tool and the security surrounding it, rather than, for example, calling up the company and having a random help desk technician try and assist us.
How was the initial setup?
For our purposes, the initial setup was not complex. It was fairly easy to plug the solution into our build processes and pipelines. We haven't had any issues with configurations or anything like that. It's been very straightforward.
The deployment is very fast and only takes about 15 minutes or so.
We manage the solution ourselves. However, if I personally want to access it, I do need to contact specific team members. Only specific individuals have access. It's not accessible to everyone in the organization.
What about the implementation team?
A specific team in our organization handled the initial setup and holds the license for the product.
Which other solutions did I evaluate?
I've looked at SonarQube. The basic difference between the two solutions is that Checkmarx is a bit more intelligent and can detect vulnerabilities better and faster than SonarQube. SonarQube is more focused on code and style formatting or code complexity. It depends on the priorities of the organization, as each has its own unique benefits.
What other advice do I have?
I don't recall the exact version of the solution we are using.
I would recommend the solution. I'd rate it eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Software Security Analyst at a financial services firm with 1,001-5,000 employees
It allows for SAST scanning of uncompiled code. More API functionality should be added.
Pros and Cons
- "It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc)."
- "Metadata is always needed."
Improvements to My Organization
Cx gives you the ability to push SAST down much lower in the SDLC process. With the use of multiple IDE plugins and the ability to do "incremental" scanning, a scan of your latest code does not bog down your machine as it is offloaded.
Valuable Features
It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc).
Room for Improvement
Metadata is always needed. More tutorials/videos for developers to fix their vulnerabilities would be nice. Although the API is useful, I would like to see more functionality added.
Stability Issues
I've had to restart services/bounce the VM on two rare occasions.
Scalability Issues
It scales very easily.
Customer Service and Technical Support
Customer Service:
Customer service is good. Engineers have been quick to get back to me regarding issues and custom work that I have performed.
Technical Support:
Technical support is very knowledgeable.
Initial Setup
Initial setup couldn't be any easier. Cx has good documentation on environment requirements. As long as you meet those, the installation process takes maybe 30 minutes for an initial setup; perhaps a bit longer if you're adding multiple engines.
Implementation Team
An in-house team implemented it.
Pricing, Setup Cost and Licensing
Everything is negotiable. Checkmarx approached our dealings in good faith and clearly wanted to be around for a while. It is much more inexpensive than some alternatives.
Other Solutions Considered
Before choosing, we also evaluated Fortify, IBM Appscan, Veracode, etc.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Engineer at a tech vendor with 10,001+ employees
Easy to use, configurable, and has all the features we need
Pros and Cons
- "It has all the features we need."
- "The validation process needs to be sped up."
What is our primary use case?
We use the solution on a developing project. Before we bring the code to production, we have to ensure its quality, and we use this solution.
What is most valuable?
It's easy to use. The configuration is easy.
It has all the features we need.
What needs improvement?
We haven't had any issues with the solution so far. It is not missing any features.
It takes too much time to check the code. The validation process needs to be sped up.
There have been some configuration issues. We sometimes have failures.
For how long have I used the solution?
I've been using the solution for two and a half years at this point.
What do I think about the stability of the solution?
We've had to deal with errors. When we blacklist or whitelist, we do have some issues. There are a few configuration issues. I'd rate the stability seven out of ten. It could be improved.
What do I think about the scalability of the solution?
I can't speak to the scalability. I don't deal with scaling. The usage is limited. We aren't attempting to expand it. We only do two to three processes at the same time.
How are customer service and support?
Technical support is okay. We are mostly happy with the help we get. We can directly connect with them.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I'm also using SonarQube.
How was the initial setup?
I did not handle the deployment directly. We have a team that manages the tool. I'm not aware of how many people are needed to maintain and deploy the solution.
What's my experience with pricing, setup cost, and licensing?
I don't deal with the pricing directly. I don't know the exact cost.
What other advice do I have?
I'm a customer and end-user.
I would recommend the solution to other users. I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Practice Lead - Cyber Security at a tech vendor with 10,001+ employees
It has fewer false positives than other products, giving you better results
Pros and Cons
- "What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
- "One area for improvement in Checkmarx is pricing, as it's more expensive than other products."
What is our primary use case?
We primarily use Checkmarx for assessing vulnerabilities in applications.
What is most valuable?
What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results.
What needs improvement?
One area for improvement in Checkmarx is pricing, as it's more expensive than other products.
For how long have I used the solution?
I've used Checkmarx for four to five years.
What do I think about the stability of the solution?
Regarding Checkmarx stability, it's an eight out of ten.
What do I think about the scalability of the solution?
Checkmarx is a scalable tool and much better scalability-wise than other products I used. I'm rating its scalability as eight out of ten.
How are customer service and support?
We never had to contact the Checkmarx technical support team.
How was the initial setup?
I was not involved in the initial setup for Checkmarx.
What's my experience with pricing, setup cost, and licensing?
Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products.
What other advice do I have?
My company is in the service business, so it provides services to customers. For example, the customer uses SonarQube, so my company uses the same tool to execute vulnerability assessments.
I've worked on Checkmarx, NetSuite, Acunetix, and other application security tools used by customers.
My rating for Checkmarx is eight out of ten because it's a good product, and its only con is the cost, which is high for some customers.
I recommend Checkmarx to others because of its performance. The tool has better intelligent outcomes, and Checkmarx has better automation internally.
My company is a Checkmarx customer.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Engineer at a tech vendor with 10,001+ employees
Useful automation, detailed reports, but scalability could improve
Pros and Cons
- "The most valuable features of Checkmarx are the automation and information that it provides in the reports."
- "Checkmarx needs to be more scalable for large enterprise companies."
What is our primary use case?
We use Checkmarx as a code analysis tool.
How has it helped my organization?
We have always used some kind of code analysis tool and Checkmarx has been working for us at this time. We like the tool.
What is most valuable?
The most valuable features of Checkmarx are the automation and information that it provides in the reports.
For how long have I used the solution?
I have been using Checkmarx for approximately two years.
What do I think about the stability of the solution?
The stability of Checkmarx could improve. We're having issues with it, but we don't want to upgrade to the newest version until we make sure that the issues we're having now aren't present in the newer version.
The scan reliability sometimes is impacted and we sometimes have to restart the services to allow scans out of the queue.
What do I think about the scalability of the solution?
Checkmarx needs to be more scalable for large enterprise companies.
How are customer service and support?
I have used the support from Checkmarx.
I rate the support from Checkmarx a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I was previously using Fortify but they were antiquated. They were not updating the solution on a regular basis.
How was the initial setup?
The initial setup of Checkmarx is straightforward. The implementation of Checkmarx does not take long because we have a process for it.
What about the implementation team?
We have four people that maintain Checkmarx in our company. We have professional services but I did most of the deployment myself.
What other advice do I have?
My advice to others is that Checkmarx is good compared to the other tools. However, they are all comparable; it depends on what languages they want to scan. Overall, Checkmarx is a decent solution. It would be a good idea to test other solutions.
I rate Checkmarx
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cybersecurity at a transportation company with 1,001-5,000 employees
No need to compile the code to execute static code analysis, but should be more container-friendly and optimized for the CI pipeline
Pros and Cons
- "I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy."
- "They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server."
What is our primary use case?
I am using it for software assurance focused on security. I am using its latest version.
How has it helped my organization?
I use both the static code analysis and the open-source analysis engine. It gives visibility into weaknesses and the software that may be there in the source code and static analysis. It also gives some insights into the open source vulnerabilities that may be there in the codebase.
What is most valuable?
I like that you don't have to compile the code in order to execute static code analysis. So, it's very handy. Typically, when using SCA tools on C/C++ and C#, you must compile the software for SCA to work. CX doesn't require any compilation due to the way the tool does synthetic compilation to help find errors in code. Many times third-party assurance providers don't have all the files to compile, so CX comes in handy.
What needs improvement?
They should make it more container-friendly and optimized for the CI pipeline. They should make it a little less heavy. Right now, it requires a SQL database, and the way the tool works is that it has an engine and then it has an analysis database in which it stores the information. So, it is pretty heavy from that perspective because you have to have a full SQL Server. They're working on something called Checkmarx Light, which is a slim-down version. They haven't released it yet, but that's what we need. There should be something a little more slimmed down that can just run the analysis and output the results in a format that's readable as opposed to having a full, really big, and thick deployment with a full database server.
I had several issues with the installation. It should just work out of the box.
For how long have I used the solution?
I have been using it off and on for about a year.
What do I think about the stability of the solution?
I've run into a few bugs here and there, but I would recommend installing on a virtual machine and snapshotting a working install.
What do I think about the scalability of the solution?
My setup is standalone. They do have a scalable version, but it's not something I need.
We're not using it a lot. Its usage is once a month. The way our organization works is that we don't do static code analysis every day. It's more on an as-needed basis. So, it's no fault of the Checkmarx tool. It's just not something that we've been working on.
How are customer service and support?
They were pretty good. I would rate them a four out of five, but I was using their salespeople. It wasn't their traditional tech support, so I can't really evaluate their traditional tech support. When they're selling something, they give you a lot more service instead of having to go through the support system.
Which solution did I use previously and why did I switch?
I still use other tools, so I just added it to the tool chest. I have Fortify, CodeSonar, etc., and I added Checkmarx as a different tool.
How was the initial setup?
I installed it. It's straightforward to install, but I had several issues with the installation. I don't know if it was with my environment or not. If it works properly, it's a simple install, but in my example, it did not work right off the bat. There was some troubleshooting that had to go on, which was a little frustrating.
It took weeks. It required back and forth communication with support for a couple of days, but I wasn't actively working on it for days. I would run into a bug, send the log file, and go back and forth. It wasn't anything crazy, but it was a little frustrating. It should just work out of the box. It should be pretty straightforward where you just click the installer and go, but it wasn't.
What about the implementation team?
It was implemented in-house, and then I had to call support when needed.
In terms of maintenance, it is pretty self-sustaining. You update it whenever it needs to be updated.
What was our ROI?
There hasn't been much return yet because we haven't used it much, but I have enough faith in it that I committed to it for multiple years. We are starting to use it more, but not enough to state ROI yet.
What other advice do I have?
I would rate it a seven out of ten. It's not the best tool on the market, but it provides some good capability for what it is.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Source Code Analyst at a tech services company with 10,001+ employees
Easy to insert in the SDLC, but the CxAudit tool has room for improvement
Pros and Cons
- "The most valuable feature for me is the Jenkins Plugin."
- "I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
- "Updating and debugging of queries is not very convenient."
How has it helped my organization?
It is very easy to insert the tool in the SDLC because there are a wide variety of ways to access the source-code, initiate scans, and review the results. The projects need not care about getting a tool, accessing the tool, and it is cheaper using it.
What is most valuable?
The most valuable feature for me is the Jenkins Plugin. We usually take a copy of the normal build job for Checkmarx so that:
- we have all of the source code we need for the build, normal and generated source code;
- we need only one technical user for scanning the projects (SVN access and Git access need to change the passwords every 90 days).
What needs improvement?
I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time).
Updating and debugging of queries is not very convenient.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
In our last update to version 8.5.0, we had a problem with DB migration but, overall, I must say it has been stable.
What do I think about the scalability of the solution?
Regarding scalability, we have only one scan engine and our licence allows only two scans at the same time.
How are customer service and technical support?
I would rate the technical support seven out of 10. When you first create a ticket you sometimes get questions that you wouldn't expect from first-level support.
Which solution did I use previously and why did I switch?
None. I started with this product.
How was the initial setup?
The initial setup was described very well and it was straightforward. We had only two small problems: implementing the SSL certificate, and getting access for LDAP users.
What's my experience with pricing, setup cost, and licensing?
We got a special offer for a 30% reduction for three years, after our first year.
I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year).
Which other solutions did I evaluate?
I didn’t evaluate this or other solutions, but my team leader had experience with HPE Fortify and he said it is much more expensive, and the service even worse.
What other advice do I have?
Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications).
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of IT Security Department at an energy/utilities company with 5,001-10,000 employees
Many false positives and inaccurate information, but scalable
Pros and Cons
- "The solution is scalable, but other solutions are better."
- "Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
What is our primary use case?
We are using Checkmarx for analyzing threats.
We are not using the latest version of Checkmarx because we faced some issues.
What needs improvement?
Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities.
SonarQube functions better in these areas.
For how long have I used the solution?
I have used Checkmarx within the last 24 months.
What do I think about the stability of the solution?
The stability of Checkmarx could improve.
I would rate the stability of Checkmarx a six out of ten.
What do I think about the scalability of the solution?
The solution is scalable, but other solutions are better.
We have 20 developers using this solution. We have a few projects left to use this solution and then we will move to something else next year.
How are customer service and support?
The support could improve, it takes a long time for a response. The service we received was poor.
Which solution did I use previously and why did I switch?
I am using Checkmarx in parallel with SonarQube.
How was the initial setup?
We didn't like how long they took to implement the product. The installation was not intuitive. We were constantly having meetings and installing additional things.
The implementation process should improve.
What about the implementation team?
We were helped by both the local partner and the vendor for the implementation.
We have two developers for the maintenance and support of Checkmarx.
What's my experience with pricing, setup cost, and licensing?
We're using a commercial version of Checkmarx, and we paid for the solution for two years. The price is high and could be reduced.
The local distributor charges twice as much as in other countries.
What other advice do I have?
The purchase of this solution was a mistake.
I would advise others to deploy the solution and to test all of the functionality before buying and do not trust the marketing from Checkmarx.
I rate Checkmarx a four out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Hi Joe,
Given that you've continued to successfully use Checkmarx for an extended period of time since you contributed to our discussion that compares the solution to Veracode, how does your experience compare one year later?
(See the discussion thread here: www.itcentralstation.com)
Looking forward to your feedback.