Checkmarx One Reviews

We have been using this product extensively for a lot of applications to identify as well as employ proper remediation which makes the application secure including information issues which might get neglected with a manual code review process.

Checkmarx pinpoints the vulnerability in the code and also presents the flow of malicious input across the application. It therefore makes it easier to identify these as well as fix them.

Checkmarx has the detailed description of all the vulnerabilities which it identifies after the source code scan. These descriptions are just a click away. Some of the descriptions were found to be missing or were not as elaborate as compared to other descriptions. Although, they could be found across various standard sources but it would save a lot of time for developers, if this was fixed.

We have not yet encountered any stability issues.

The solution provides high scalability. I am not sure about the limit of scans but it is sufficiently high. However, the issues which we faced were related to database backup. Unfortunately, Checkmarx doesn't do any automated backups which is quite inconvenient.

I would rate the technical support as average. We never had to communicate much with the technical team but based on my knowledge the response from their end was delayed.

I am not aware of any previous solutions.

The setup was straightforward.

It is a good product but a little overpriced.

I don't have much idea about other options since the organization had already purchased the product before I joined.

Better to look out for other products available in the market as well.

It moved our organization towards being agile vs. waterfall.

Scan reviews can occur during the development lifecycle.

The areas in which this product needs to improve are:

• C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported.
• There were issues in regards to the JSP parsing.
• Defect report generation takes multiple hours for large projects.
• The Jenkins plugin does not work for projects that are larger than 4 million lines of code.
• The Eclipse plugin does not work.
• The hardware requirements for the tool add to the substantial cost of the solution and thus, increase the total cost of ownership.

• There seems to be a decline in the support team's responsiveness as our contract nears its end.

• We felt like we were the extended quality organization for Checkmarx as they frequently released poor quality patches that broke the existing functionality. A lot of the organizational hours, almost 1 FTE per year since Checkmarx was implemented, were spent to allow regression testing of the product. The Checkmarx SME team at my company had to do this testing to ensure that we do not expose product flaws to our user community.

We did encounter stability issues. The different versions of this product provide inconsistent results when the same piece of code is scanned.

We did not encounter any scalability issues.

The support team is knowledgeable. However, we still have tickets open from 2014. There is a lot of follow up required to get closure on issues.

Previously, we were using a different solution. We were leveraging multiple tools since we have code in multiple languages. Checkmarx advertised that they provide support for C, C+++, Java, etc. It turned out that they aren’t able to scan C and C++ for us. Our reason to switch to Checkmarx didn’t work out for us.

The initial setup was straightforward.

The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies.

I suggest using a trial term to run a gamut of scenarios that need to be leveraged before settling in with the Checkmarx solution.

We evaluated the Veracode option.

The product is not mature and ready for the enterprise usage yet. It is okay to use it when the support expectations are low and the code is in languages that require support only in Java and .NET.

The process of remediating software security vulnerabilities can now be performed (ongoing) as portions of the application are being built in advance of being compiled. Among other benefits, this reduces the cost to fix the problem(s) as the fix can occur earlier in the SDLC.

The ability to identify a vulnerability, the optimal place for remediation and the correct syntax is very valuable. This feature helps ensure that the software fix is comprehensive and effective. The CxSuite is easy to use and because it provides the correct coding syntax to address a vulnerability, it helps improve the secure coding skill set among developers. The product can scan precompiled (source) code, as well as compiled (binary) code, delivering effectiveness and efficiency throughout the SDLC.

The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools.

The Checkmarx CxSuite covers a wide range of programming languages including many of the most popular languages used by developers today. As matter of general improvement, expanding coverage to languages (emerging, legacy) and open source frameworks will increase the overall effectiveness of product.

*2017 Update. A number of leading Open Source Frameworks are now supported.

The product is stable.

The product scales well.

The technical support is high quality. The support team is well versed in how best to configure, implement and operate the product.

I did not previously use a different solution.

The initial set up is straightforward. The product requires a fairly simple computing environment for operation.

The product licensing offers the flexibility to cover a wide range of environments. The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.

We considered several other commercial-grade application security solutions. The Checkmarx solution offers an ideal combination of code coverage, functionality, usability and TCO.

The Checkmarx CxSuite product works well, delivers efficiency to the SDLC, and most important of all, it effectively improves application security.

It works!

During the trial period, we tried to build automated security development lifecycles with this product and with other products. We have achieved partial success with this.

The solution allows us to create custom rules for code checks. Without custom rules, the system couldn’t find anything serious in the custom code and libraries.

The main issue was the supported Windows OS for the installation. Windows is not appropriate for a big internet company’s infrastructure. Supporting a Windows machine, especially for this software, is inconvenient.

This product requires you to create your own rulesets. You have to do a lot of customization. The default rules do not work very well. In addition, it is impossible to analyze code with dynamic dependencies.

There were no problems with stability. The application was stable in our test cases.

There were no scalability issues, but keep in mind that our version can only scale on one server.

There is very good technical support. We have the support of two onsite engineers.

We are using other tools along with this solution.

The setup was simple. It mostly involved clicking the “Next” button in the Windows installer.

The pricing was not very good. This is just a framework which shouldn’t cost so much.

The product comes with very strange licensing options. They don’t let you exclude workplace licenses, which are useless for building automated systems.

Checkmarx saves us a lot of time. We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code.

The most valuable feature is that Checkmarx scans code for security vulnerabilities without needing to compile first.

Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”.

We encountered stability issues when scanning large code blocks. It consumes a lot of memory, and at times, Checkmarx services freeze and don’t work properly.

I don’t know of any scalability issues.

Just four words for the technical support team: “Checkmarx team is awesome”.

Before Checkmarx, we used HPE Security Fortify and IBM AppScan. We also tried several open-source scanning tools.

Overall, the initial setup is easy. Checkmarx provides an installer binary and we just need go through the wizard for an express installation. If we need an advanced configuration, we contact the Checkmarx support team.

I believe pricing is better compared to other commercial tools.

Yes, we compared Checkmarx features and benefits with IBM AppScan and HPE Security Fortify.

Personally, I recommend Checkmarx for static analysis.

As an InfoSec consulting company, we come across major challenging projects. Checkmarx has made life easy and my team is best at using it. It reduces manual efforts in using test cases against any vulnerability found during source code reviews. Apart from OWASP Top Ten, Checkmarx is quite intelligent to find the latest vulnerability and report it.

Some valuable features of this product are:

• Very comprehensive scanning
• Less false positive errors as compared to any other solution
• Incremental scanning
• Supports all major languages

Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices.

I have not encountered any stability issues.

I have not encountered any scalability issues.

I have never used technical support, so can't comment. We ourselves are expert at it.

We have used no other product.

The setup process was simple.

It is the right price for quality delivery.

We did not evaluate other options, before choosing this product.

Go for it.

Cx gives you the ability to push SAST down much lower in the SDLC process. With the use of multiple IDE plugins and the ability to do "incremental" scanning, a scan of your latest code does not bog down your machine as it is offloaded.

It allows for SAST scanning of uncompiled code. Further, it natively integrates with all key repos formats (Git, TFS, SVN, Perforce, etc).

Meta data is always needed. More tutorials/videos for developers to fix their vulnerabilities is nice. Although the API is useful, I would like to see more functionality added.

I've had to restart services/bounce the VM on two rare occasions.

It scales very easy.

Customer Service:

Customer service is good. Engineers have been quick to get back to me regarding issues and custom work that I have performed.

Technical Support:

Technical support is very knowledgeable.

Initial setup couldn't be any easier. Cx has good documentation on environment requirements. As long as you meet those, the installation process takes maybe 30 minutes for an initial setup; perhaps a bit longer if you're adding multiple engines.

An in-house team implemented it.

Everything is negotiable. Checkmarx approached our dealings in good faith and clearly wanted to be around for awhile. It is much more inexpensive than some alternatives.

Before choosing, we also evaluated Fortify, IBM Appscan, Veracode, etc.

It provides us with code analysis.

It helps with vulnerability scanning of codes to prevent vulnerability of our applications.

I've used it for one year.

No issues encountered.

Straight forward. Easy to follow steps. 

I worked for an IT security firm and it was quite easy to setup the product for demo purposes virtually and even physically on the client premises

It was straightforward, as it has easy to follow steps. 

I worked for an IT security firm and it was quite easy to setup the product for demo purposes virtually and even physically on the client premises.

The license is fairly costly but worth the investment.

They're all as valuable as each other.

We have used this product to verify the dev department's code in order to minimize security holes.

It needs better role management.

I've used it for three years.

No issues encountered.

No issues encountered.

No issues encountered.

It's very good.

It's very good.

This is the only solution I have used.

Very straightforward.

I implemented it myself.

Licensing is expensive per X amount of lines in the code.

No other options were evaluated.

It provides a graphical view of any vulnerabilities.

I have used it as a consultant.

It could be improved with more reporting of false positives and the understanding of file references.

I've used it for one year.

No issues encountered.

No issues encountered.

One needs to be sure on the number of LOC that will be run and also the size of the code.

8/10.

8/10.

I have used Armorize codesecure.

It's a straightforward deployment, and it learns with time.

I implement it.