Director and Co-Founder at Ushiro-tec
The Best Fix Location & Payments Features Can Save Time Mitigating Network Configurations
Pros and Cons
- "The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time."
- "If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution."
- "With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too."
- "Checkmarx could probably do something to improve their license model."
What is our primary use case?
We use Checkmarx to review the source code for the external applications that we expose to the cloud or other servers on the internet.
How has it helped my organization?
We received two main benefits from Checkmarx:
- Better Security
- Saving Time
I recommend Checkmarx to be sure that your development has robust security. For your team management, Checkmarx has a very nice feature to check out manual staff in the process.
What is most valuable?
The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time.
What needs improvement?
Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company.
You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible.
In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products.
With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too.
The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.
Buyer's Guide
Checkmarx One
June 2026
Learn what your peers think about Checkmarx One. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
900,747 professionals have used our research since 2012.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
Checkmarx is a good product, certainly stable.
What do I think about the scalability of the solution?
The scalability is good. We haven't had any problems with it.
How are customer service and support?
Our experience with technical support is good. They have a lot of expert staff on their customer service lines. We have had no problems with their technical support services.
Which solution did I use previously and why did I switch?
We used Veracode for some time and it's also a good solution. Veracode fits better for small companies. It's more automatic.
Checkmarx is more complete and they have more features to support our development team and security team requirements.
In general, Checkmarx is a better solution, but it's more complicated, especially in terms of the price for a small company.
How was the initial setup?
Our deployment of Checkmarx took a couple of days, at max, a week.
What about the implementation team?
The setup was a long time back, but I know that we did not use a reseller or consultant for the deployment.
Which other solutions did I evaluate?
We evaluated some products from a company in Spain. Checkmarx provided better functionality and options for us.
What other advice do I have?
We have a small team. It is about four people in total. We do not require that many staff for the deployment and maintenance of Checkmarx.
We are testing the solution in a small local company. Our idea is to expand the use of it to our clients in the West.
In this space, you can have different points of view and if only you are looking for a solution to do a check in your auditory report, then you can choose anyone.
If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution.
I would rate Checkmarx a nine out of ten because of the price, but technically for me, it is a 10.
I would rate Checkmarx with a nine because it would be perfect at a more functional level, and could be better at providing these features for parity.
If you research what Checkmarx is offering in their package distribution, you get exactly what they promise up front, so they are not lying.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Principal Software Engineer; Practice Lead at a comms service provider with 10,001+ employees
I like the code consistency feature, but it should have a dynamic testing feature to avoid false duplicates
Pros and Cons
- "The consistency of code showed our team where they are inconsistent or where they have made simple omissions."
- "Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives."
What is our primary use case?
Code scan. We performed periodic static code scans on copies of our Git repository to identify possible vulnerabilities.
How has it helped my organization?
Code consistency. It prompted our developers to fix code or document code they otherwise would not have done.
What is most valuable?
The consistency of code. Showed our team where they are inconsistent or where they have made simple omissions.
What needs improvement?
Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.
For how long have I used the solution?
One to three years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Business Analyst at a tech services company with 201-500 employees
It made our organization more efficient with our whole code scan/deployment process for our software applications.
Pros and Cons
- "It is a stable product."
- "Most valuable features include: ease of use, dashboard, interface and the ability to report."
- "It has made our organization more efficient with our whole code scan/deployment process for our software applications."
- "It is an expensive solution."
What is our primary use case?
Our primary use case solution is for code scanning.
How has it helped my organization?
It has made our organization more efficient with our whole code scan/deployment process for our software applications.
What is most valuable?
The most valuable features are:
- Ease of use
- Dashboard
- Interface
- Report
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
I have not had an issue with stability of the product.
What do I think about the scalability of the solution?
There have been no issues with scalability that I am aware of.
How are customer service and technical support?
I have not needed the use of technical support.
Which solution did I use previously and why did I switch?
Previously, we considered: Veracode, SonarQube, Fortify and IBM Security AppScan.
How was the initial setup?
I was not involved in the initial setup of the solution.
What was our ROI?
One should consider:
- Visual studio
- Report generation
- If the solution can be on-prem
- Pricing
What's my experience with pricing, setup cost, and licensing?
It is an expensive solution.
What other advice do I have?
Be cautious of the one-year subscription date. Once it expires, your price will go up.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Architect at Photon Interactive
It gives the proper code flow of vulnerabilities and the number of occurrences
Pros and Cons
- "It gives the proper code flow of vulnerabilities and the number of occurrences."
- "After scanning, it shows in-depth code of where actual vulnerabilities are, which helps us to analyze them."
- "It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
What is our primary use case?
I have used it for source code scanning of security vulnerabilities. It seems to be a good tool. It gives the proper code flow of vulnerabilities and the number of occurrences.
How has it helped my organization?
We have scanned various applications with it. It works fine, although we need to check manually for false positive issues.
What is most valuable?
After scanning, it shows in-depth code of where actual vulnerabilities are, which helps us to analyze them.
What needs improvement?
It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use.
For how long have I used the solution?
One to three years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Source Code Analyst at a tech services company with 10,001+ employees
Easy to insert in the SDLC, but the CxAudit tool has room for improvement
Pros and Cons
- "The most valuable feature for me is the Jenkins Plugin."
- "It is very easy to insert the tool in the SDLC because there are a wide variety of ways to access the source-code, initiate scans, and review the results."
- "I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
- "Updating and debugging of queries is not very convenient."
How has it helped my organization?
It is very easy to insert the tool in the SDLC because there are a wide variety of ways to access the source-code, initiate scans, and review the results. The projects need not care about getting a tool, accessing the tool, and it is cheaper using it.
What is most valuable?
The most valuable feature for me is the Jenkins Plugin. We usually take a copy of the normal build job for Checkmarx so that:
- we have all of the source code we need for the build, normal and generated source code;
- we need only one technical user for scanning the projects (SVN access and Git access need to change the passwords every 90 days).
What needs improvement?
I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time).
Updating and debugging of queries is not very convenient.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
In our last update to version 8.5.0, we had a problem with DB migration but, overall, I must say it has been stable.
What do I think about the scalability of the solution?
Regarding scalability, we have only one scan engine and our licence allows only two scans at the same time.
How are customer service and technical support?
I would rate the technical support seven out of 10. When you first create a ticket you sometimes get questions that you wouldn't expect from first-level support.
Which solution did I use previously and why did I switch?
None. I started with this product.
How was the initial setup?
The initial setup was described very well and it was straightforward. We had only two small problems: implementing the SSL certificate, and getting access for LDAP users.
What's my experience with pricing, setup cost, and licensing?
We got a special offer for a 30% reduction for three years, after our first year.
I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year).
Which other solutions did I evaluate?
I didn’t evaluate this or other solutions, but my team leader had experience with HPE Fortify and he said it is much more expensive, and the service even worse.
What other advice do I have?
Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications).
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr. Security Engineer at SugarCRM
Security testing solution with vulnerability details and planned blackout times.
Pros and Cons
- "Vulnerability details is valuable."
- "The initial setup was very easy."
- "Implementing a blackout time for any user or teams: Needs improvement."
- "Vulnerability details: Reduce false positive results and improve it by providing more details how I can resolve the vulnerability."
How has it helped my organization?
- Put the vulnerability details area on the right side of the application or it may be changeable
- Save and reset screen configuration
What is most valuable?
Vulnerability details part.
What needs improvement?
- Vulnerability details: Reduce false positive results and improve it by providing more details how I can resolve the vulnerability.
- Implementing a blackout time for any user or teams: Needs improvement. I need to place limits for some users or teams within a specific time frame. For example, between 02:00 and 06:00. They can't start any scanning during that time, even if they have scanner privileges.
What do I think about the stability of the solution?
In the latest version, the session logout doesn't work properly.
What do I think about the scalability of the solution?
We have two engine licenses, but we can't scan two projects at the same time.
How are customer service and technical support?
I would give technical support a rating of 9/10.
Which solution did I use previously and why did I switch?
We were using Fortify. Its software capability was limited in terms of mobile code scanning.
How was the initial setup?
The initial setup was very easy.
What's my experience with pricing, setup cost, and licensing?
We don't have any specific advice about these issues.
Which other solutions did I evaluate?
We evaluated Fortify and AppScan.
What other advice do I have?
I don't like the latest license update. I can't set a limit for the reviewer account.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Responsable du Pôle Sécurité des Applications at a tech company with 51-200 employees
Both automatic and manual code review are possible. We can set up proper reports of code vulnerability.
Pros and Cons
- "Both automatic and manual code review (CxQL) are valuable."
- "Security can be part of the SDLC and reduce the cost of vulnerability remediation."
- "Integration into the SDLC (i.e. support for last version of SonarQube) could be added."
- "We had to lock the number of CPUs used to not crash the Checkmarx Audit."
How has it helped my organization?
After a proper on-boarding, we can set up proper reports of code vulnerability and/or misconfiguration to developers.
Security can be part of the SDLC and reduce the cost of vulnerability remediation. Also, we got faster remediation time for high and critical vulnerability.
What is most valuable?
Valuable features include:
- Both automatic and manual code review (CxQL).
- The languages covered by the solution.
What needs improvement?
Integration into the SDLC (i.e. support for last version of SonarQube) could be added.
What do I think about the stability of the solution?
We had to lock the number of CPUs used to not crash the Checkmarx Audit.
What do I think about the scalability of the solution?
We haven’t had scalability issues yet.
How are customer service and technical support?
Professional service is really good. Support is too formal. Quickly answering it is not supported instead of developing a hot fix.
Which solution did I use previously and why did I switch?
We didn’t really have a previous solution but Checkmarx was the best match for .NET support and scan without resolving the dependencies.
How was the initial setup?
Setup was straightforward, but quickly you need complex fine tuning.
What's my experience with pricing, setup cost, and licensing?
Include PS or deployment assistance in order not to miss true positive vulnerabilities. Really powerful tool, but it must be configured to match your application.
What other advice do I have?
Ask to meet another customer with the same needs or the same kind of organization, to learn from their experience.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security test engineer at a tech vendor with 10,001+ employees
Communicates where to fix the issue for fewer iterations. Resolutions should be provided for installation issues due to internal security policies.
Pros and Cons
- "The solution communicates where to fix the issue for the purpose of fewer iterations."
- "The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered."
How has it helped my organization?
Now we have information about which specific sections have to be fixed. We can now remove the issue from most of the sections.
What is most valuable?
The solution communicates where to fix the issue for the purpose of fewer iterations.
What needs improvement?
The resolutions should also be provided. For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered.
What do I think about the stability of the solution?
There were no stability issues.
What do I think about the scalability of the solution?
There were no scalability issues.
How are customer service and technical support?
I would give technical support a rating of 8/10.
Which solution did I use previously and why did I switch?
We switched solutions due to the client's requirements.
What's my experience with pricing, setup cost, and licensing?
I faced a few issues in the installation due to my local policies. The customer support was very helpful.
Which other solutions did I evaluate?
We looked at other tools, such as HPE Security and ZAP solutions.
What other advice do I have?
Go for it, if you want testing on the code level.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SAP FIORI / HCP Consultant at Silveo
Helps us check vulnerabilities in our applications. I would like to integrate it as a service along with the cloud platform.
Pros and Cons
- "Helps us check vulnerabilities in our SAP Fiori application."
- "One of the most important tools in our building process."
- "I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
- "When we have many applications to check, I need to wait a long time in the queue."
How has it helped my organization?
This product helps us to deliver good quality software.
What is most valuable?
- Performs security checks for SAP Fiori applications
- Helps us check vulnerabilities in our SAP Fiori application
- Easy to use and master
- One of the most important tools in our building process
What needs improvement?
I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service.
This improvement is needed in order to follow the growth of SAP Cloud Platform. It is a Platform as a Service created by SAP, and many services have been added to SAP HANA Cloud Platform, like a Git repository, Jenkins, Translation, etc.
So, if it is possible to add the Checkmarx as a service in this platform, it will be easy to perform security check directly without using a dedicated server.
What do I think about the stability of the solution?
Maybe this issue is related to our configuration. When we have many applications to check, I need to wait a long time in the queue.
What do I think about the scalability of the solution?
We did encounter scalability issues. Maybe this is related to the stability issue mentioned above.
Which solution did I use previously and why did I switch?
We haven't used anything else. This is our first solution.
How was the initial setup?
I don’t know how to set up the product.
Which other solutions did I evaluate?
We did not look at any other options.
What other advice do I have?
It is a good tool. I recommend it in order to ensure software quality.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Program Manager at an engineering company with 10,001+ employees
Acts as the first check point during our consulting for apps that are looking for a security assessment or Penetration Testing.
Pros and Cons
- "The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions)."
- "Checkmarx is a powerful scanning tool, and it’s essential to have one of these products to build a safe and stable application when it comes to inviting customers to use your online services."
- "The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
How has it helped my organization?
For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon.
Checkmarx acts as the first checkpoint during our consulting for apps that are looking for a security assessment or Penetration Testing. It is also a game changer, giving the customer's results from each finding in the Checkmarx results.
What is most valuable?
- The export feature and presentation of the results.
- The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions).
- A wide variety of modern programming languages are supported (including mobile languages).
What needs improvement?
The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode.
Compiled code means that the code written is stored in binaries, for machine reading only. Tools like Veracode read only those binaries (compiled code).
Another way to have the code is “Source Code written only”, which is the only code format that Checkmarx accepts, a process where you don’t compile and everyone is able to read line by line the code.
What do I think about the stability of the solution?
When the workload contains so many source codes being scanned, and none of them present any progress, sometimes they seem to get stuck. There are also a considerable number of false positives (vulnerabilities that do not present a danger against the application or the user).
What do I think about the scalability of the solution?
We have not encountered any scalability issues.
How are customer service and support?
From both customer support and technical support, the response is very swift (less than a day) and the technical people are very skilled on the common issues concerning the management of the scanning tool, even with issues of server saturation and scanners stuck at a percentage.
Which solution did I use previously and why did I switch?
I used to work mostly on checking the source code manually, and estimated the time of completion counting the lines of code to review. With Checkmarx that time was hugely reduced.
I also worked with Veracode, which I use for compiled code, but most of the customer’s applications have uncompiled code, so that is why I use Checkmarx more frequently.
How was the initial setup?
The initial setup was complex. There is a curve of learning, and you also need technical knowledge on reviewing the results of Checkmarx’s work.
What's my experience with pricing, setup cost, and licensing?
Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products to build a safe and stable application when it comes to inviting customers to use your online services.
Which other solutions did I evaluate?
We evaluated AppScan and Veracode. Neither covers the needs of my clients, the way I work, and the programming languages that Checkmarx covers.
What other advice do I have?
I recommend to have a live session with the marketing team, to have a demo and to track all your doubts before purchasing. Checkmarx is a powerful tool but you need to be sure what you are using, and what it is for. You could use just 20% of what the tool can do, and therefore waste your money. So either fully learn how to use it and evaluate if it’s the right scanning tool to have, or go for a better and cheaper option.
Disclosure: My company has a business relationship with this vendor other than being a customer. We support together a huge list of clients, we have credentials and provide support to each business and division. So, we have the capacity to escalate any trouble or problem in case it is necessary. We have our own community and are able to provide and remove access to users.