Checkmarx One Reviews

Checkmarx is used only for static application security testing (SAST), and it can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security.

I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features. So most of my customers would love to have consolidated vendors who cover all application security to lower operational overhead.

I'm a solution architect, not an end-user. I'm selling Checkmarx. This is the first year I've done business with Checkmarx. In the past five years, I worked a lot with Fortify and Micro Focus. I currently have two customers running Checkmarx, and one more is evaluating the product.

Setting up Checkmarx should be relatively straightforward. It takes a little more time for the DevOps team to enable everything, but overall deployment should take less than a week, including preparation and implementation. 

Most of my customers opted for a perpetual license. They prefer to pay the highest amount upfront for the perpetual license and then pay for additional support annually.

I rate Checkmarx eight out of 10. Until I get more extensive feedback from clients, I would rate it an eight.

We use Checkmarx for static analysis as part of our software development lifecycle. It is very important because it helps us identify the security flaws in the code at a very early stage. Ultimately, this helps in reducing costs.

The UI is very intuitive and simple to use. You don't need to know anything about the product before you being working with it.

The interface used to audit issues is also simple to use.

Compared to similar products, the code scanning time is fast.

Most the the static analysers come with pre-loaded rulesets. However, many times developers have to write their own custom rules. Writing custom rules in Checkmark is difficult because you need a different editor which is licensed separately. Besides not much training material is available on how to write the rules. 

We have been using Checkmarx for almost four years.

It is pretty stable and we have not had any issues. We have a monitoring team that monitors the health of our infrastructure and we are alerted to any problems.

We were able to scale easily and did not have any issues in doing so. At this team, we have between 70 and 80 applications that we are scanning with it.

We have contacted technical support a couple of times and the issues were addressed in a timely manner.

We have used other products and found that you have to spend considerable time fine-tuning the scanning engine. With Checkmarx, it is a lot less and I would say that this is one of the significant differences with this solution.

The maintenance in terms of running the scans and fine-tuning the scans is very low.

On the other hand, we have used other tools where writing custom rules is not so difficult to do.

Checkmarx is pretty straightforward and very easy to set up.

Our in-house team deployed and manages this product. I have one person who handles all of it, and the deployment can be completed within a day or two. As long as the infrastructure is ready, it can be done within a day.

Checkmarx helps us to find problems with source code at an early stage in the development, which saves us in terms of troubleshooting costs.

The interface used to create custom rules comes at an additional cost.

Checkmarx is probably one of the best static code analyzers available in the market at this point. It is very easy to deploy, use, and maintain. The amount of maintenance required is pretty low. It is absolutely a good tool that I can recommend.

Checkmarx has added a lot of functionality since we began using it. This includes OSA, the open-source scan, a training module, and run-time protection.

For static code analysis, we are only using Checkmarx and we plan to continue. 

I would rate this solution a nine out of ten.

Code scan. We performed periodic static code scans on copies of our Git repository to identify possible vulnerabilities.

Code consistency. It prompted our developers to fix code or document code they otherwise would not have done.

The consistency of code. Showed our team where they are inconsistent or where they have made simple omissions.

Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.

It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results.

Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.

I have been using this solution for a couple of years.

It is pretty stable.

It has the capability to scale very easily. It is not a problem.

Their support is good. It has a good webpage with a lot of details.

It is very easy to set up. It takes a couple of days. It is not an issue.

It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing. 

I would absolutely recommend this solution. I would rate Checkmarx a nine out of 10.

During the trial period, we tried to build automated security development lifecycles with this product and with other products. We have achieved partial success with this.

The solution allows us to create custom rules for code checks. Without custom rules, the system couldn’t find anything serious in the custom code and libraries.

The main issue was the supported Windows OS for the installation. Windows is not appropriate for a big internet company’s infrastructure. Supporting a Windows machine, especially for this software, is inconvenient.

This product requires you to create your own rulesets. You have to do a lot of customization. The default rules do not work very well. In addition, it is impossible to analyze code with dynamic dependencies.

There were no problems with stability. The application was stable in our test cases.

There were no scalability issues, but keep in mind that our version can only scale on one server.

There is very good technical support. We have the support of two onsite engineers.

We are using other tools along with this solution.

The setup was simple. It mostly involved clicking the “Next” button in the Windows installer.

The pricing was not very good. This is just a framework which shouldn’t cost so much.

The product comes with very strange licensing options. They don’t let you exclude workplace licenses, which are useless for building automated systems.

It provides a graphical view of any vulnerabilities.

I have used it as a consultant.

It could be improved with more reporting of false positives and the understanding of file references.

I've used it for one year.

No issues encountered.

No issues encountered.

One needs to be sure on the number of LOC that will be run and also the size of the code.

8/10.

8/10.

I have used Armorize codesecure.

It's a straightforward deployment, and it learns with time.

I implement it.

They're all as valuable as each other.

We have used this product to verify the dev department's code in order to minimize security holes.

It needs better role management.

I've used it for three years.

No issues encountered.

No issues encountered.

No issues encountered.

It's very good.

It's very good.

This is the only solution I have used.

Very straightforward.

I implemented it myself.

Licensing is expensive per X amount of lines in the code.

No other options were evaluated.

We are using multiple solutions for application security, and Checkmarx is one of them. We are a client-centric organization, and we are also providing support to clients for application security. Sometimes, we have our own production, and then we scan the customer information and provide application security. For a few clients, it is deployed on the cloud, and for a few customers, it is on-premises.

The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages.

They can support the remaining languages that are currently not supported. They can also
create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.

It is stable, and it works.

It is scalable. Our clients are small, medium, and big enterprises. It is for all the categories.

Their support is good. I had discussions with them multiple times. We are getting proper support.

It is straightforward. It is not a big challenge. It doesn't take long.

I would rate Checkmarx a seven out of ten.