Checkmarx is used to check the code from programmers and vulnerabilities in third-party software.
Checkmarx can be deployed on the cloud and on-premise. However, it depends on the version.
Checkmarx detected code sections that did not adhere to best practices. After being informed, the programmers were able to rectify some of the issues. Without Checkmarx, it is unlikely we would have identified these issues.
Utilizing the SCA module, I gained valuable insights into the vulnerabilities present in open-source Python libraries that individuals desire to use. As an information security consultant, I advise against employing Python libraries that contain known vulnerabilities. The SCA solution proved to be helpful in this regard.
The most valuable features of Checkmarx are the SCA module and the code-checking module. Additionally, the solutions are explanatory and helpful.
Checkmarx could improve the solution reports and false positives. The false positives could be reduced. For example, we have alerts that are tagged as vulnerabilities but when you drill down they are not.
In a future release, the SCA module could have better documentation. It was difficult to know how to check the names of all the modules. It took me a lot of time and I needed help to be able to write the requirements file. More clarification would be helpful in the documentation, such as examples.
I have been using Checkmarx for approximately six months.
The stability is great.
I rate the stability of Checkmarx a ten out of ten.
The scalability of the solution is great. Everything I send to the solution is processed quickly.
We have five information security analysts and programmers using this solution.
We plan to increase our usage. We will install it on more networks.
I rate the scalability of Checkmarx a ten out of ten.
I found someone in the evening that logged in and answered my issues. They are responsive.
I rate the support of Checkmarx a ten out of ten.
Positive
We have one person for the maintenance of the solution but it is minimal and is not a full-time job.
I would advise others to ask for a demo of the solution and if it works well for their use case then purchase it.
I rate Checkmarx a nine out of ten.
We're more evaluating the solution rather than using it right now. We're resellers and it's something we'd like to offer to our clients.
I am aware of Checkmarx's portfolio, however, we've been playing exclusively with the SAST and with the AppSec Awareness platform, their Codebashing platform. It's been a very positive experience overall.
The value you can get out of the speedy production may be worth the price tag.
The reporting could be better on the product. They need to be much more customizable, including being customizable for various roles.
The pricing can get a bit expensive, depending on the company's size.
We've been working with this solution for some time. I have personally been working with the product for the last three or four months.
We haven't really extensively worked with any other products.
The cost might seem steep, however, it really depends on, first the size and requirements of your company. There are companies for which the speed of developing new features and developing them securely, is more valuable than for other organizations.
This goes not only for Checkmarx. It goes for any automated desktop security platform in general. I definitely see the cases when the Checkmarx license is a reasonable expense. It just may not be for everyone.
We've been looking at SonarQube. We're looking into other options as we don't want exclusively to just offer Checkmarx to potential clients.
We're looking for solutions more on the enterprise spectrum. Therefore, I would probably consider products such as Veracode. I would also consider the newer players, such as, for example, GitLab.
We're resellers, however, we don't have an exclusive relationship with this company. We're looking at other products we can use and offer to our clients as well.
In our company, we do not have the Checkmarx solution running on production. We do have it, however, we only have a learning license, which is non-commercial.
On a scale from one to ten, I would rate this product at an eight. Overall, it's been a positive experience so far.
I am in charge of application security and Checkmarx is one of the products that I use in this capacity. We use this product for code scanning and static code analysis.
The user interface is modern and nice to use.
This product has very good reports.
Checkmarx integrates with a lot of different tools such as BitBucket and Jira.
There is good coverage for different languages.
I think that the configuration is a bit difficult and we required support from Checkmarx to complete it (there are a lot of manual, undocumented configurations that have to be done, such as direct changes in a database). This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved.
If it is a very large code base then we have a problem where we cannot scan it (if a zip file of more than ~30 MB is provided, the scan crashes or takes a lot of time). It seems to me that they have a problem with the number of code line scans.
In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST).
I have been working with Checkmarx for about five months.
It works fine but if you have a file that is too big to scan then it takes a lot of time to run and sometimes crashes.
There is a problem with the memory, and scanning a large codebase should be done by dividing it into different files. For microservices with a small number of lines of code, it works well. On the other hand, scanning a legacy solution such as a big monolith with millions of lines of code in it has been a problem. We need to make certain modifications to the files before we can upload them to the scan.
We have 80 users who are using Checkmarx.
They have very good technical support and we haven't had a problem with them. If you have a problem that you cannot handle on your own or you need to configure this product then you should have technical support.
The basic installation is easy for us but in our case, we had some additional configuration that had to be done to access our documents on the server. We were not able to complete it without help from Checkmarx because there are a lot of configuration options, and we had to make manual changes to the database as well.
In summary, this is a good application that you can use to scan every code language. You can configure the scan because they provide the Checkmarx query language. These queries are very good and very flexible. It requires a knowledge of this language but you can reach and deal with it using most languages.
I would rate this solution an eight out of ten.
The primary use case is for a white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level.
We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have.
The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.
The most valuable features are the easy to understand interface, and it's very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan.
We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project.
The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.
Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improve the combination of the two solutions.
Both are good, but IAST (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results.
We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation.
There are several levels and they are mapped to the different languages and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training.
Also, they will want to add their own content to this solution.
I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.
I have been using this solution since 2015.
This solution is stable and we have not had bugs or glitches. If it is set up according to the instructions, there will be no negative feedback from the customers.
The platform has regular updates.
This solution is scalable, but it depends on the package you have purchased as some do not allow you to expand.
They have a great support team, and they can help you tune a solution. For our country, it is very important that they have Russian speaking support engineers and to have a quick response.
Also, they have a very good knowledge base. The resources are public on the Checkmarx website and they have good instructions and regulations on how you should tune the solution. It shows you where you can download the plug-ins, how to do it, and explains how they should be integrated.
We have some experience with AppScan and with SonarQube. We started with a trial and felt that Checkmarx was the best.
The initial setup is pretty simple, it's no problem to start using Checkmarx. It's a very good approach if you compare it with competitors.
It only takes a few hours to tune your Checkmarx solution. You may need more time for deeper integration when it comes to DLC integration, for example, when using plug-in build management, such as Jenkins.
If you are scanning and you have the source code then you are good to start scanning in a few hours. Three to four hours is required for tasks done in source code.
We have one or two engineers who can work with the solution.
Some of our customers have more than 100 developers and a DevOps team.
This solution is expensive.
The customized package allows you to buy additional users at any time.
You could advise the vendor that you are in need of some more resources, and they can send you a trial license which lets you pay later. In the meantime, you can start working with the trial license.
They have subscriptions for licenses, but this is confidential information and I cannot share the price as per our non-disclosure agreement.
If you purchase a typical package then it is clear licensing with no hidden payments. You can add integration services for Checkmarx if you need to, but it's optional.
The hardware is on the customer site. It could be virtual, or a physical server, or even cloud-based. You can choose what you want to use and there are still no hidden fees. Licensing and policy are clear.
We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling.
We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company.
With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning.
Some of our customers like the Codebashing model. It's an additional model for learning for security practice for developers. They ask for additional tests to this model and want to receive the functionality to check the knowledge.
When you receive your product, you should start with testing and understand how it works according to your environment. This includes the language and what framework to choose because it is not a simple solution. You should understand that you should tune it.
The most effective approach is to implement SAST into the SDLC, (software development life cycle).
You should regularly check your source code, and check your security before every release. For infrastructure, security testing is not enough. There are several applications and static source code security is a must.
You should choose Checkmarx SAST for security checks and try to optimize its build management or source code repository.
I would rate this solution a nine out of ten.
We use the product for static code analysis, supply chain, and container security.
The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility.
The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor; they lack the details one gets when viewing the results directly from the Checkmarx One platform.
We have been using Checkmarx's on-premise version for four years. We switched to the cloud version recently.
I rate the product's stability a nine or ten out of ten.
We have 40 Checkmarx users in our organization. I rate its scalability a nine out of ten.
The technical support team promptly addresses the issues.
The initial setup process is easy.
I rate Checkmarx an eight out of ten.
We mainly use Checkmarx for accreditation, checking for vulnerabilities, and identifying areas in the code to fix some of the NIST 800 security controls.
The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for. It's also pretty intuitive and has a lot of good dashboards and metrics.
Checkmarx could be improved with more integration with third-party software.
I've been using Checkmarx for about six months.
We've had no issues with Checkmarx's stability.
I thought Checkmarx was pretty scalable.
My experience with Checkmarx's technical support has been very positive.
Positive
I found the setup pretty straightforward, though it took several days because the system engineers had to go through some different configuration settings to get it done.
We worked with Checkmarx when we ran into issues, and they were pretty responsive.
Checkmarx isn't accredited by the US government for DOD networks, so we've been forced to remove it from the network. I'd rate Checkmarx as seven out of ten.
We primarily use the solution for static analysis.
The visibility the solution gives you is great. It really gives you the ability to see what the root issues in the code actually are.
The setup is fairly easy. We didn't struggle with the process at all.
The solution isn't exactly user-friendly. They could make the user experience a bit better in future builds.
They could work to improve the user interface. Right now, it really is lacking.
We've been using this solution for six months. It's been less than a year and not very long just yet.
The solution is very stable. There aren't bugs or glitches. The solution doesn't freeze and it's not likely to crash. We find it very reliable.
It's my understanding that the solution is scalable. A company that needs to expand can do so.
We have about 100 people that use it in the company.
The technical support is fine. We've always had good experiences. We're satisfied with the level of service we are provided.
We didn't previously use a different solution. We've only ever used this product.
The initial setup is easy and straightforward. It's not complex.
We don't have to handle any maintenance. It's my understanding that Checkmarx handles it.
The pricing is rather reasonable. It's not the most expensive on the market.
We're a customer. We use the solution in our organization.
I'm not sure of which version of the solution we're using.
Overall, I'd rate the solution eight out of ten. We've had a pretty positive experience overall.
I am the founder and the chairman of an internationally certified cybersecurity research lab. I have a Ph.D. in cryptology and network security.
We are a strategic partner of Checkmarx. Our job is to help them develop solutions. Currently, we are developing some algorithms and strategic solutions for them. Checkmarx informs us about what is happening, in advance, before they launch a product. We are also one of their testers.
Aside from my occupation, I am an academic. Because of our status, we test products as well as their competition, for example, we45, AppScan, SonarQube, etc. I have to point out, from an academic and business point of view, there is a very serious competitive advantage to using Checkmarx. Even if there are multiple vulnerabilities in the source coding, Checkmarx is able to identify which lines need to be corrected and then proceeds to automatically remediate the situation. This is an outstanding advantage that none of the competition offers.
The flexibility in regards to finding false-positives and false-negatives is amazing. Checkmarx can easily manage false-positives and negatives. You don't need to generate an additional platform if you would like to scan a mobile application from iOS or Android. With a single license, you are able to scan and test every platform. This is not possible with other competitive products. For instance, say you are using we45 — if you would like to scan an iOS application, you would have to generate an iOS platform first. With Checkmarx you don't need to do anything — take the source code, scan it and you're good to go. Last but not least, the incremental scanning capabilities are a mission-critical feature for developers.
Also, the API and integrations are both very flexible.
Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world.
Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.
I have been using Checkmarx for six years.
Checkmarx is stable. We investigate the stability of the competition as well. From my point of view, it is the best product on the market. It's relatively expensive, but it's the best product. Keep in mind, this is not my private comment. I respect the comments, results, and the statistics of Gartner and these are their findings.
Checkmarx has been selected as the front-runner by Gartner for the third year in a row — you bet it's scalable.
We give technical support in our territory; Checkmarx's technical support is also quite good. If you open a ticket with a question, they'll reply the same day.
The initial setup is not complex at all, it's straightforward and robust. If you decide to use Checkmarx, you'll be ready to go in one day.
If you wish to purchase Checkmarx, you should scan the same source code with a different product, compare them to their competition, and make a decision. This way, you can see the difference and understand the benefits of Checkmarx. Test and scan some lines of code in any programming language you wish, then do the same with a competitor. Checkmarx will produce far fewer false-positives compared to any other solution on the market. Other solutions will produce roughly 900 false-positives whereas Checkmarx will cut that number in half. I am not trying to sell this product to you, this is simply the reality of it.
From the technological side, I would give this solution a rating of ten. From a commercial aspect, because it's relatively expensive, I would give it a rating of eight. Overall, because I must choose one number between one and ten, I will give Checkmarx a rating of ten.
Day by day, they are improving this product. For example, one of the most important features missing was open sources, which they have now added. They were also missing code training facilities, but they have added those as well. They have a complimentary product now.