Checkmarx is a stable product, especially based on the number of updates that we receive. Every time we get a new update or a hotfix, I'm very much in the loop on getting that information. Compared to some other products, it doesn't have the churn that others do, i.e. in the number of updates and patches that we have to apply to it.
We're licensed for 100 users. Primarily we use Checkmarx for developers, managers, architects, and maybe some of the design folk, but not QA. This would solely be in the realm of development and architecture.
There is no plan for us to increase our usage of Checkmarx. We're trying to get as many scans as possible. One of the issues that we have is the concept of an incremental scan. The more of the incremental that you do, the slower the service becomes.
When you go in and you look at the last result: it's your baseline or your full scan, followed by applying each incremental. The more of the incrementals that you have, the slower Checkmarx gets.
They've come up with a recommendation for users to do one full scan a week and maybe six incremental scans. This needs to be worked on to get the performance better on this particular tool.