Checkmarx One Reviews

We're selling their licenses and their technologies. We have on-premises and cloud deployments. Its deployment depends on the customer requirements. 

It is used for a range of requirements for DevSecOps. It has been deployed to ensure that the development cycle delivers clean and secure code that is vulnerability-free. It is there as a part of the whole compliance and security process.

The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important. 

There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.

I have been using this solution for two years.

Our customers are completely comfortable with the scalability of the technologies. They can deploy them initially in a relatively straightforward manner and then grow them into their organization quite successfully. We primarily have large customers.

Our team works with them. Their sales engineering team as well as their pre-sales capabilities are very good. They're clear. They work, and they're available, which is good. It is somewhat unusual in this business.

It depends on different technologies, but it is reasonably quite straightforward.

Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive.

They're a very good company to work with, and that's a very important aspect of any technology these days. You could find very nice technologies, but if the company is not good to work with, it could be of no use. You'll not be able to get it deployed, and you'll not get assistance. You will get bad value for good technology. Checkmarx is a nice, pleasant, and relatively easy company to work with. You will get a good return, and you will get a good partnership and relationship working with them.

I would rate Checkmarx an eight out of ten.

We are using multiple solutions for application security, and Checkmarx is one of them. We are a client-centric organization, and we are also providing support to clients for application security. Sometimes, we have our own production, and then we scan the customer information and provide application security. For a few clients, it is deployed on the cloud, and for a few customers, it is on-premises.

The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages.

They can support the remaining languages that are currently not supported. They can also
create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.

It is stable, and it works.

It is scalable. Our clients are small, medium, and big enterprises. It is for all the categories.

Their support is good. I had discussions with them multiple times. We are getting proper support.

It is straightforward. It is not a big challenge. It doesn't take long.

I would rate Checkmarx a seven out of ten.

We're more evaluating the solution rather than using it right now. We're resellers and it's something we'd like to offer to our clients.

I am aware of Checkmarx's portfolio, however, we've been playing exclusively with the SAST and with the AppSec Awareness platform, they're Codebashing platform. It's been a very positive experience overall.

The value you can get out of the speedy production may be worth the price tag.

The reporting could be better on the product. The need to be much more customizable including being customizable for various roles.

The pricing can get a bit expensive, depending on the company's size.

We've been working with this solution for some time. I have personally been working with the product for the last three or four months.

We haven't really extensively worked with any other products.

The cost might seem steep, however, it really depends on, first the size and requirements of your company. There are companies for which the speed of developing new features and developing them securely, is more valuable than for other organizations. 

This goes not only for Checkmarx. It goes for any automated desktop security platform in general. I definitely see the cases when the Checkmarx license is a reasonable expense. It just may not be for everyone.

We've been looking at SonarQube. We're looking into other options as we don't want exclusively to just offer Checkmarx to potential clients.

We looking for solutions more on the enterprise spectrum. Therefore, I would probably consider products such as Vericode. I would also consider the newer players, such as, for example, GitLab. 

We're resellers, however, we don't have an exclusive relationship with this company. We're looking at other products we can use and offer to our clients as well.

In our company, we do not have the Checkmarx solution running on production. We do have it, however, we only have a learning license, which is non-commercial.

On a scale from one to ten, I would rate this product at an eight. Overall, it's been a positive experience so far.

We use Checkmarx for security vulnerability identification. We are using its latest version. We have a license to upgrade to the latest version. Whenever there is a new version, we update it to the latest version.

The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking.

We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code.

The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.

I have been using this solution for two years. 

Its stability is okay.

We don't directly deal with the Checkmarx technical team. There is a support group available for that, and they work with the Checkmarx team. When we have any issues, we directly call our internal team, and they call the Checkmarx team. They get back to us pretty quickly. The response is very quick. There is no problem.

The initial setup was easy. Our project was quite big, and it took a bit longer. It took almost six hours. We could not do it as CI/CD pipeline because the pipeline expects a response in a short span of time, which was a challenge for us. We are now doing the Checkmarx review manually. We first run the code analysis, and, after the code analysis is over, we go for the pipeline. This is an overhead for us. 

It would be helpful if they can improve the speed of the analysis rate. We also need to find out from our side if there is a way to increase the wait time of the CI/CD pipeline and modify the timeout limit. It would then take 30 minutes to one hour rather than five or six hours. We should be able to adjust the timeout time, change the CI/CD settings, and go ahead with the integrated process. Currently, we cannot have an integrated system, and we also have to move from one script to the next script manually.

Even though we run it manually, it captures most of the things. We decided to go with Checkmarx two years ago, and we are continuing with it. 

I would rate Checkmarx a seven out of ten. There are a few things that can be improved in this solution.

We onboard clients with the solution. We install the product and do the first scan with them. We help developers with security and the best practices with their applications with this solution.

The most valued feature comes within the platform called Codebashing, it allows scanning code for security flaws. Our clients are able to learn from these scans and develop more secure code. The solution is easy to configure and user friendly as well. They also have support for a large variety of languages compared to other solutions and the product updates continuously.

I would like to see the DAST solution in the future. 

We have been using the solution for one year.

We had no issues and it has always worked at a top level of performance.

The solution is easy to intergate. It is plug and play and intergrates well with the pipeline and DevSecOps. Our main client is a big company and the solution works well.

The support is excellent.

The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all.

The product saves you money by minimizing the time needed to figure out how to mitigate the problems by using such features such as The Best Fixed Location and the flow charts.

We evaluated Veracode before choosing Checkmarx.

Depending on the client, we could deploy the solution on the cloud or on-premise. I would recommend Checkmarx because you can learn from the scanning done. They have some of the best features which make the product wonderful. 

I rate Checkmarx a ten out of ten.

We primarily use the solution for static analysis.

The visibility the solution gives you is great. It really gives you the ability to see what the root issues in the code actually are. 

The setup is fairly easy. We didn't struggle with the process at all.

The solution isn't exactly user-friendly. They could make the user experience a bit better in future builds. 

They could work to improve the user interface. Right now, it really is lacking.

We've been using this solution for six months. It's been less than a year and not very long just yet.

The solution is very stable. There aren't bugs or glitches. The solution doesn't freeze and it's not likely to crash. We find it very reliable.

It's my understanding that the solution is scalable. A company that needs to expand can do so.

We have about 100 people that use it in the company.

The technical support is fine. We've always had good experiences. We're satisfied with the level of service we are provided.

We didn't previously use a different solution. We've only ever used this product.

The initial setup is easy and straightforward. It's not complex.

We don't have to handle any maintenance. It's my understanding that Checkmarx handles it.

The pricing is rather reasonable. It's not the most expensive on the market.

We're a customer. We use the solution in our organization.

I'm not sure of which version of the solution we're using.

Overall, I'd rate the solution eight out of ten. We've had a pretty positive experience overall.

I am in charge of application security and Checkmarx is one of the products that I use in this capacity. We use this product for code scanning and static code analysis.

The user interface is modern and nice to use.

This product has very good reports.

Checkmarx integrates with a lot of different tools such as BitBucket and Jira.

There is good coverage for different languages.

I think that the configuration is a bit difficult and we required support from Checkmarx to complete it (there are a lot of manual, not documented configurations should be done, like direct changes in a Database for example).  This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved.

If it is a very large code base then we have a problem where we cannot scan it (if more then ~ 30 mb zip file provided - scan is crashes or takes a lot of time) . It seems to me that they have a problem with the number of code line scans.

In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST)

I have been working with Checkmarx for about five months.

It works fine but if you have a file that is too big to scan then it takes a lot of time to run and sometimes crashes.

There is a problem with the memory, and scanning a large codebase should be done by dividing it into different files. For microservices with a small number of lines of code, it works well well. On the other hand, scanning a legacy solution such as a big monolith with millions of lines of code in it has been a problem. We need to make certain modifications to the files before we can upload them to the scan.

We have 80 users who are using Checkmarx.

They have very good technical support and we haven't had a problem with them. If you have a problem that you cannot handle on your own or you need to configure this product then you should have technical support.

The basic installation is easy for us but in our case, we had some additional configuration that had to be done to access our documents on the server. We were not able to complete it without help from Checkmarx because there are a lot of configuration options, and we had to make manual changes to the database as well. 

In summary, this is a good application that you can use to scan every code language. You can configure the scan because they provide the Checkmarx query language. These queries are very good and very flexible. It requires a knowledge of this language but you can reach and deal with it using most languages.

I would rate this solution an eight out of ten.

We primarily use Checkmarx for application security and tracking.

The most valuable feature is the application tracking reporting.

From the user's perspective, the interface is pretty good. It will point out the exact line of code when an issue is found.

It is good in terms of coverage for different languages.

It is updated automatically so there is less maintenance.

The cost per user is high and should be reduced. Five years ago, it was a user-based model, which was significantly better. It would be great if we could distribute the cost equally between projects.

I have been working with Checkmarx for about two years.

This is a stable product.

It is scalable in terms of being able to run multiple instances for different products. We have approximately 10 users, which is the size of our application security team.

I would like to increase our usage of this product, but it will ultimately depend on the company's strategy.

Given the stability of Checmarx, it doesn't require a lot of communication with technical support. That said, we have been in touch with them for non-technical issues and they have a good team with a lot of Russian speakers.

Prior to using Checkmarx, I used AppScan but the concept is completely different. With Checkmarx, you are working with source code, whereas as with AppScan, you are working with binaries. You can say that AppScan is more like a dynamic security scan and Checkmarx is more static.

These products are quite different in terms of how you do the testing. Checkmarx is better from both a performance perspective and reporting a lower number of false positives.

We did not have any trouble with the initial setup. Our deployment was done within a couple of hours. The easiest thing to do is create a virtual machine and deploy it.

Our in-house IT staff was responsible for the implementation.

The number of users and coverage for languages will have an impact on the cost of the license. We would like to deploy it for the whole company but it's a question of spending thousands of dollars. Investing $200,000 or $300,000 would be an upper management decision.

The educational component is additional and costs approximately $100 per month for each user. This is too high so we did not agree to the service.

Overall, we are very satisfied with Checkmarx and it is a product that I recommend.

I would rate this solution an eight out of ten.