Vice President at Arisglobal Software Pvt Ltd
Real User
Very good technical support, good vulnerability protection upgrades, and rich in features
Pros and Cons
  • "The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
  • "In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."

What is our primary use case?

We are using it for static security scanning and static security testing. We also use it for code dependency analysis. We use two of the solution's tools for each variable.

What is most valuable?

The support the solution offers is very good. When we were evaluating tools, they were extremely helpful. They're always available and they always respond back to any queries.

The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database. I am able to be assured that when I am scanning my product those vulnerabilities are identified at very initial stages. It gives my development team more time to react.

What needs improvement?

The particular way the tool works for the scanning at the IDE level is very expensive. It makes it very expensive to deploy this tool onto multiple different developers' machines. Right now, the way it scans, the request is raised to the IDE of the developer but then the actual scanning gets done in the centralized scan server. This increases the load on the scanning server and that will make it difficult to use Checkmarx at the developer end. That forces me to look for another solution for implementing at the developer IDE level. I would strongly recommend Checkmarx relook into their approach.

From a technical point of view, it's better to integrate with other systems within my ecosystem. For example, when I'm connecting Checkmarx with my DevSecOps pipeline and then wiring Checkmarx with other security systems as well as the pipeline (and my defect management system), it provides the connectivity to some of the tools, but there are tools which are excluded. It would be nice if they were added to the solution itself, otherwise, it requires us to do custom development.

In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now. I would recommend much more flexibility in terms of dashboarding to help us customize more effectively.

Their licensing model is rigid and difficult to navigate.

For how long have I used the solution?

I haven't been dealing with the solution for that long. We've only used it for one quarter - about three months.

Buyer's Guide
Checkmarx One
May 2025
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.

What do I think about the scalability of the solution?

Their licensing fees are rigid and this causes two main issues. One is a restriction in terms of scaling the product at an enterprise level. The number of licenses required for a sizable business is just too large. The solution forces a user to apply for the licenses not directly to the software and the software products are defined in a curious way. For that reason, I wouldn't say it's great at scaling.

How are customer service and support?

So far, technical support at the initial level has been decent. We paid for their protection services, and the protection tool is definitely very expensive. However, with the price tag comes more support and service.

We'll have to see in the coming quarters once the protection services end if the support will continue to be at such a high level of attention.  

Which solution did I use previously and why did I switch?

We were using AppScan. Checkmarx is much better than that particular tool. It has more functionality and offers much more support to its users.

How was the initial setup?

It took about two to three days to deploy a basic portion of the solution. However, it takes more time in terms of configuring and fine-tuning the product so that it's useable. I would say it took us about two to three weeks of configuring before we could start our initial scans.

What about the implementation team?

We bought that separate service from Checkmarx to help us out in terms of deploying and configuring the products.

What's my experience with pricing, setup cost, and licensing?

This solution is definitely one of the more expensive tools. However, if I'm able to get value out of using it, I don't mind paying. 

They have protection services costs that are separate from the main license.

There are multiple components that are part of the product suite and there are different license costs for each of those components. Sometimes it can be a little difficult to understand. There are a lot of components an individual will need to buy to cover an organization's needs. It really should be more transparent and flexible. Their licensing model as of today is quite rigid. 

What other advice do I have?

We're just a customer. We don't have a special relationship with the company.

I would definitely recommend Checkmarx, I find them much more feature-rich than other tools I've used in the past. 

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1355637 - PeerSpot reviewer
Director at a tech services company with 11-50 employees
Reseller
Good features, good support, fair price, and good ability to deliver what customers require
Pros and Cons
  • "The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
  • "There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."

What is our primary use case?

We're selling their licenses and their technologies. We have on-premises and cloud deployments. Its deployment depends on the customer requirements. 

It is used for a range of requirements for DevSecOps. It has been deployed to ensure that the development cycle delivers clean and secure code that is vulnerability-free. It is there as a part of the whole compliance and security process.

What is most valuable?

The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important. 

What needs improvement?

There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.

For how long have I used the solution?

I have been using this solution for two years.

What do I think about the scalability of the solution?

Our customers are completely comfortable with the scalability of the technologies. They can deploy them initially in a relatively straightforward manner and then grow them into their organization quite successfully. We primarily have large customers.

How are customer service and technical support?

Our team works with them. Their sales engineering team as well as their pre-sales capabilities are very good. They're clear. They work, and they're available, which is good. It is somewhat unusual in this business.

How was the initial setup?

It depends on different technologies, but it is reasonably quite straightforward.

What's my experience with pricing, setup cost, and licensing?

Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive.

What other advice do I have?

They're a very good company to work with, and that's a very important aspect of any technology these days. You could find very nice technologies, but if the company is not good to work with, it could be of no use. You'll not be able to get it deployed, and you'll not get assistance. You will get bad value for good technology. Checkmarx is a nice, pleasant, and relatively easy company to work with. You will get a good return, and you will get a good partnership and relationship working with them.

I would rate Checkmarx an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Senior Security Engineer at a pharma/biotech company with 501-1,000 employees
Real User
Detailed reporting assists in repairing problems, but there are a lot of false positives
Pros and Cons
  • "The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
  • "You can't use it in the continuous delivery pipeline because the scanning takes too much time."

What is our primary use case?

When I had an issue that was causing trouble in my code, I would upload it to Checkmarx to perform static code analysis. I would then study the reports.

How has it helped my organization?

Using this product improved the stability of my code that went into production.

What is most valuable?

The most valuable feature is the scanning.

The reports are very good because they include details on the code level, and make suggestions about how to fix the problems.

What needs improvement?

You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful.

It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.

For how long have I used the solution?

I used Checkmarx for about six months at my previous place of employment. I stopped using it about six months ago.

What do I think about the scalability of the solution?

We had perhaps 100 users at my previous job.

How are customer service and technical support?

I was not in contact with technical support.

What other advice do I have?

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user618132 - PeerSpot reviewer
SAP FIORI / HCP Consultant at Silveo
Consultant
Helps us check vulnerabilities in our applications. I would like to integrate it as a service along with the cloud platform.
Pros and Cons
  • "Helps us check vulnerabilities in our SAP Fiori application."
  • "I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."

How has it helped my organization?

This product helps us to deliver good quality software.

What is most valuable?

  • Performs security checks for SAP Fiori applications
  • Helps us check vulnerabilities in our SAP Fiori application
  • Easy to use and master
  • One of the most important tools in our building process

What needs improvement?

I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service.

This improvement is needed in order to follow the growth of the SAP cloud platform. It is a platform as a service created by SAP, and many services have been added to SAP HANA Cloud Platform, like GIT repository, Jenkins, Translation, etc.

So, if it is possible to add Checkmarx as a service in this platform, it will be easy to perform security checks directly without using a dedicated server.

What do I think about the stability of the solution?

Maybe this issue is related to our configuration. When we have many applications to check, I need to wait a long time in the queue.

What do I think about the scalability of the solution?

We did encounter scalability issues. Maybe this is related to the stability issue mentioned above.

Which solution did I use previously and why did I switch?

We haven't used anything else. This is our first solution.

How was the initial setup?

I don’t know how to set up the product.

Which other solutions did I evaluate?

We did not look at any other options.

What other advice do I have?

It is a good tool. I recommend it in order to ensure software quality.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user598917 - PeerSpot reviewer
Senior Manager at a financial services firm
Vendor
We felt like we were the extended quality organization as they frequently released poor quality patches that broke the existing functionality.
Pros and Cons
  • "Scan reviews can occur during the development lifecycle."
  • "C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported."

How has it helped my organization?

It moved our organization towards being agile vs. waterfall.

What is most valuable?

Scan reviews can occur during the development lifecycle.

What needs improvement?

The areas in which this product needs to improve are:

  • C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported.
  • There were issues in regards to the JSP parsing.
  • Defect report generation takes multiple hours for large projects.
  • The Jenkins plugin does not work for projects that are larger than 4 million lines of code.
  • The Eclipse plugin does not work.
  • The hardware requirements for the tool add to the substantial cost of the solution and thus, increase the total cost of ownership.
  • There seems to be a decline in the support team's responsiveness as our contract nears its end.

  • We felt like we were the extended quality organization for Checkmarx as they frequently released poor quality patches that broke the existing functionality. A lot of the organizational hours, almost 1 FTE per year since Checkmarx was implemented, were spent to allow regression testing of the product. The Checkmarx SME team at my company had to do this testing to ensure that we do not expose product flaws to our user community.

What do I think about the stability of the solution?

We did encounter stability issues. The different versions of this product provide inconsistent results when the same piece of code is scanned.

What do I think about the scalability of the solution?

We did not encounter any scalability issues.

How are customer service and technical support?

The support team is knowledgeable. However, we still have tickets open from 2014. There is a lot of follow up required to get closure on issues.

Which solution did I use previously and why did I switch?

Previously, we were using a different solution. We were leveraging multiple tools since we have code in multiple languages. Checkmarx advertised that they provide support for C, C++, Java, etc. It turned out that they aren’t able to scan C and C++ for us. Our reason to switch to Checkmarx didn’t work out for us.

How was the initial setup?

The initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

The license has vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies.

I suggest using a trial term to run a gamut of scenarios that need to be leveraged before settling in with the Checkmarx solution.

Which other solutions did I evaluate?

We evaluated the Veracode option.

What other advice do I have?

The product is not mature and ready for enterprise usage yet. It is okay to use it when the support expectations are low and the code is in languages that require support only in Java and .NET.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Syed Rizwan - PeerSpot reviewer
Cyber Security Engineer at Defa3 cyber security
Reseller
Top 5 Leaderboard
A stable solution that helps with dynamic application testing
Pros and Cons
  • "We use the solution for dynamic application testing."
  • "I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."

What is our primary use case?

We use the solution for dynamic application testing. 

What needs improvement?

I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side. 

For how long have I used the solution?

I have been working with the product for seven months. 

What do I think about the stability of the solution?

I would rate the product's stability a ten out of ten.

What do I think about the scalability of the solution?

I would rate the product's scalability a ten out of ten. My company has 15 users for the product.

How are customer service and support?

The solution's technical support is good. 

How would you rate customer service and support?

Positive

How was the initial setup?

The tool's setup is very straightforward and I would rate it a ten out of ten. The product's deployment took one to two months to complete. We required the technical and development team which consisted of four to five people to handle the deployment. 

What's my experience with pricing, setup cost, and licensing?

The solution's price is high and you pay based on the number of users. 

What other advice do I have?

I would rate the product a ten out of ten. The solution is the best tool for developers and organizations. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer932058 - PeerSpot reviewer
AVP, aPaaS Engineer at a financial services firm with 10,001+ employees
Real User
Reasonably priced, high performance, and simple installation
Pros and Cons
  • "The solution has good performance, it is able to compute in 10 to 15 minutes."
  • "Checkmarx could improve the REST APIs by including automation."

What is our primary use case?

We are using Checkmarx for application code scanning, such as scanning for different leverages in the application code.

What is most valuable?

The solution has good performance, it is able to compute in 10 to 15 minutes. 

What needs improvement?

Checkmarx could improve the REST APIs by including automation.

For how long have I used the solution?

I have been using Checkmarx for approximately one year.

What do I think about the stability of the solution?

Checkmarx is stable.

What do I think about the scalability of the solution?

The scalability of Checkmarx is good, we can onboard easily.

We have approximately 200 people in my organization using this solution.

How are customer service and support?

I have not contacted technical support. We have not required it.

Which solution did I use previously and why did I switch?

I have used SonarQube previously.

How was the initial setup?

The installation is straightforward and takes approximately 40 minutes.

What about the implementation team?

I am able to do the implementation myself.

We have administrators and engineers that support and maintain the solution.

What's my experience with pricing, setup cost, and licensing?

We have purchased an annual license to use this solution. The price is reasonable.

What other advice do I have?

I rate Checkmarx a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1398084 - PeerSpot reviewer
Procurement Analyst at a pharma/biotech company with 10,001+ employees
Real User
Flexible features, stable, but more supported languages needed
Pros and Cons
  • "One of the most valuable features is it is flexible."
  • "The integration could improve by including, for example, DevSecOps."

What is our primary use case?

We use the solution for scanning the code for security.

What is most valuable?

One of the most valuable features is it is flexible. 

What needs improvement?

The integration could improve by including, for example, DevSecOps.

In an upcoming release, they could improve by adding support for more languages.

For how long have I used the solution?

I have been using the solution for two years.

What do I think about the stability of the solution?

I have found the solution to be stable.

What do I think about the scalability of the solution?

The scalability of the solution is good. We have approximately 4000 using the solution in my organization and they are mostly engineers.

How are customer service and technical support?

The technical support we have experienced was good but they could be faster.

What other advice do I have?

I would recommend this solution to others.

I rate Checkmarx a six out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user