Sr Manager consultant - Digital assurance Services at ADROSONIC
Consultant
Top 20
2024-03-05T08:56:24Z
Mar 5, 2024
The DAST component of the tool requires some improvements. The tool's DAST component is not much required in the integration processes with the CI/CD pipelines. IDE plugins to scan codes should be available to developers who are involved in development purposes. Some of the recommendations provided by the product are generic. Even if the recommendations provided by the product are of low level, the appropriate ones can help users deal with vulnerabilities. From an improvement perspective, the product should try to align its pricing model with the other tools available in the market.
Personally, I currently use it as a standalone tool without integrating it with other systems, and it meets my needs adequately. They should add a "what if" feature to the application. Currently, when the tool identifies issues and suggests updates, if I want to explore different scenarios, I need to prepare another file, turn it into a ZIP, and run the analysis again. It would be more convenient if there was a "what if" option in the GUI. This feature could simulate a run, allowing me to quickly check the impact of changing one or more files or versions without the need for a full rerun.
VP Software Developer/Architect at a financial services firm with 5,001-10,000 employees
Real User
Top 20
2023-09-01T14:17:09Z
Sep 1, 2023
To make the list of the vulnerabilities more clear and exposed to the users in order to see. Sometimes, we see issues high-level issues vulnerabilities that are not really issues, the interpretation of scanning. Meaning, like, outside, it's not really the issue. But it surfaces as an issue, so we probably may have a database of the errors of the vulnerabilities to expose and maybe even provide some feedback on how valuable the vulnerability is. I'm doing that. So, basically, one area that could be improved is the way that false positives are handled. In future releases, if we could create a clear RESTful API to just extract the scanning data on user-added applications and presentations.
Learn what your peers think about Checkmarx Software Composition Analysis. Get advice and tips from experienced pros sharing their opinions. Updated: June 2024.
In terms of areas for improvement, what could be improved in Checkmarx Software Composition Analysis is pricing because customers always compare the pricing among secure DevOps solutions in the market. Checkmarx Software Composition Analysis has a lot of competitors yet its features aren't much different. Pricing is the first thing customers consider, and from a partner perspective, if you can offer affordable pricing to your customers, it's more likely you'll have a winning deal. The performance of Checkmarx Software Composition Analysis also needs improvement because sometimes, it's slow, and in particular, scanning could take several hours.
Frontend Developer at a tech services company with 51-200 employees
Consultant
2022-04-25T09:36:00Z
Apr 25, 2022
An area for improvement in Checkmarx Software Composition Analysis is for the updates to be fast. I see that open-source and third party solutions have a lot of vulnerabilities discovered day by day, so it's important for the end users to get updates instantly, so we can identify those vulnerabilities as soon as possible. What I'd like to see in the next release of Checkmarx Software Composition Analysis is the improvement of its UI. For example, reconciling the live code in a more convenient way. Improving Checkmarx Software Composition Analysis to make it more convenient for end users to work, plus verifying and analyzing reports from it, is another thing I'd like to see in the next release.
Sr. Director Global Solutions Development at a energy/utilities company with 10,001+ employees
Real User
2021-02-05T23:14:34Z
Feb 5, 2021
Its pricing can be improved. It is a little bit high priced. It would be better if it was a little less expensive. It is a good tool, and we're still figuring out how to fully leverage it. There are some questions regarding whether it can scan the MuleSoft code. We don't know if this is a gap in the tool or something else. This is one thing that we're just working through right now, and I am not ready to conclude that there is a weakness there. MuleSoft is kind of its own beast, and we're trying to see how we get it to work with Checkmarx.
Checkmarx Software Composition Analysis (SCA) helps organizations manage the risks associated with open source and third-party components in their software applications. While leveraging open source libraries and third-party dependencies is common practice, it can also introduce security vulnerabilities and license risks.
Checkmarx SCA offers a multifaceted approach to managing these risks by:
Automatically scanning project repositories, build configurations, and manifests to create a...
Checkmarx Software Composition Analysis should improve dynamic analysis.
The DAST component of the tool requires some improvements. The tool's DAST component is not much required in the integration processes with the CI/CD pipelines. IDE plugins to scan codes should be available to developers who are involved in development purposes. Some of the recommendations provided by the product are generic. Even if the recommendations provided by the product are of low level, the appropriate ones can help users deal with vulnerabilities. From an improvement perspective, the product should try to align its pricing model with the other tools available in the market.
Personally, I currently use it as a standalone tool without integrating it with other systems, and it meets my needs adequately. They should add a "what if" feature to the application. Currently, when the tool identifies issues and suggests updates, if I want to explore different scenarios, I need to prepare another file, turn it into a ZIP, and run the analysis again. It would be more convenient if there was a "what if" option in the GUI. This feature could simulate a run, allowing me to quickly check the impact of changing one or more files or versions without the need for a full rerun.
To make the list of the vulnerabilities more clear and exposed to the users in order to see. Sometimes, we see issues high-level issues vulnerabilities that are not really issues, the interpretation of scanning. Meaning, like, outside, it's not really the issue. But it surfaces as an issue, so we probably may have a database of the errors of the vulnerabilities to expose and maybe even provide some feedback on how valuable the vulnerability is. I'm doing that. So, basically, one area that could be improved is the way that false positives are handled. In future releases, if we could create a clear RESTful API to just extract the scanning data on user-added applications and presentations.
I have received complaints from my customers that the pricing could be improved.
There are crashes in the solution. API security is an area with shortcomings that needs improvement.
In terms of time and quality of support, Checkmarx SCA needs improvement. The quality of support people needs improvement.
In terms of areas for improvement, what could be improved in Checkmarx Software Composition Analysis is pricing because customers always compare the pricing among secure DevOps solutions in the market. Checkmarx Software Composition Analysis has a lot of competitors yet its features aren't much different. Pricing is the first thing customers consider, and from a partner perspective, if you can offer affordable pricing to your customers, it's more likely you'll have a winning deal. The performance of Checkmarx Software Composition Analysis also needs improvement because sometimes, it's slow, and in particular, scanning could take several hours.
An area for improvement in Checkmarx Software Composition Analysis is for the updates to be fast. I see that open-source and third party solutions have a lot of vulnerabilities discovered day by day, so it's important for the end users to get updates instantly, so we can identify those vulnerabilities as soon as possible. What I'd like to see in the next release of Checkmarx Software Composition Analysis is the improvement of its UI. For example, reconciling the live code in a more convenient way. Improving Checkmarx Software Composition Analysis to make it more convenient for end users to work, plus verifying and analyzing reports from it, is another thing I'd like to see in the next release.
Its pricing can be improved. It is a little bit high priced. It would be better if it was a little less expensive. It is a good tool, and we're still figuring out how to fully leverage it. There are some questions regarding whether it can scan the MuleSoft code. We don't know if this is a gap in the tool or something else. This is one thing that we're just working through right now, and I am not ready to conclude that there is a weakness there. MuleSoft is kind of its own beast, and we're trying to see how we get it to work with Checkmarx.
It can have better licensing models.