What is our primary use case?
The primary use case is white-box penetration testing. When we work with source code, it's a tool that helps us conduct deep analysis at the source-code level.
We upload the zip file with the source code to our own test stand running the solution and receive a report. We also work with the interface to find the vulnerabilities we may have.
The most popular projects for us are mobile application security assessments. We offer this option to our customers to check the source code of iOS and Android mobile applications.
What is most valuable?
The most valuable features are the easy-to-understand interface and how user-friendly it is. Starting a scan of a new project takes only a little tuning and a few clicks. A few simple adjustments for custom rules and we can start our scan.
We can do the work quickly, and we don't need to compile the source code because Checkmarx does the work without compiling the project.
The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.
What needs improvement?
Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improved the combination of the two solutions.
Both are good, but IAST (Interactive Application Security Testing) is still in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results.
We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. Using compilation is better for reducing false positives.
There are several levels, mapped to the different languages, and some customers want to check when the developers pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training.
They also want to add their own content to this solution.
I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.
For how long have I used the solution?
I have been using this solution since 2015.
What do I think about the stability of the solution?
This solution is stable and we have not had bugs or glitches. If it is set up according to the instructions, there will be no negative feedback from the customers.
The platform has regular updates.
What do I think about the scalability of the solution?
This solution is scalable, but it depends on the package you have purchased as some do not allow you to expand.
How are customer service and technical support?
They have a great support team, and they can help you tune the solution. For our country, it is very important that they have Russian-speaking support engineers and that they respond quickly.
They also have a very good knowledge base. The resources are public on the Checkmarx website, and they have good instructions and guidelines on how to tune the solution. It shows you where you can download the plug-ins, how to do it, and explains how they should be integrated.
Which solution did I use previously and why did I switch?
We have some experience with HP AppScan and with SonarQube. We started with a trial and felt that Checkmarx was the best.
How was the initial setup?
The initial setup is pretty simple; it's no problem to start using Checkmarx. It's a very good approach if you compare it with competitors.
It only takes a few hours to tune your Checkmarx solution. You may need more time for deeper integration when it comes to SDLC integration, for example, when using build-management plug-ins, such as for Jenkins.
If you are scanning and you have the source code, then you are good to start scanning in a few hours. Three to four hours are required for tasks done on source code.
We have one or two engineers who can work with the solution.
Some of our customers have more than 100 developers and a DevOps team.
What's my experience with pricing, setup cost, and licensing?
This solution is expensive.
The customized package allows you to buy additional users at any time.
You can tell the vendor that you need more resources, and they can send you a trial license that lets you pay later. In the meantime, you can start working with the trial license.
They have subscriptions for licenses, but this is confidential information and I cannot share the price as per our non-disclosure agreement.
If you purchase a typical package, then it is clear licensing with no hidden payments. You can add integration services for Checkmarx if you need to, but it's optional.
The hardware is on the customer site. It could be virtual, or a physical server, or even cloud-based. You can choose what you want to use and there are still no hidden fees. Licensing and policy are clear.
What other advice do I have?
We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling.
We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company.
With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning.
Some of our customers like the Codebashing module. It's an additional module for teaching secure development practices to developers. They ask for additional tests in this module and want functionality to check the knowledge.
When you receive the product, you should start with testing and understand how it works in your environment. This includes the language and which framework to choose, because it is not a simple solution. You should understand that you need to tune it.
The most effective approach is to implement SAST in the SDLC (software development life cycle).
You should regularly check your source code and check your security before every release. For infrastructure, security testing is not enough. There are several applications, and static source code security is a must.
You should choose Checkmarx SAST for security checks and try to optimize its build management or source code repository.
I would rate this solution a nine out of ten.