How has it helped my organization?
Checkmarx saves us a lot of time. We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code.
What is most valuable?
The most valuable feature is that Checkmarx scans code for security vulnerabilities without needing to compile first.
What needs improvement?
Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”.
What do I think about the stability of the solution?
We encountered stability issues when scanning large code blocks. It consumes a lot of memory, and at times, Checkmarx services freeze and don’t work properly.
What do I think about the scalability of the solution?
I don’t know of any scalability issues.
How are customer service and technical support?
Just four words for the technical support team: “Checkmarx team is awesome”.
Which solution did I use previously and why did I switch?
Before Checkmarx, we used HPE Security Fortify and IBM AppScan. We also tried several open-source scanning tools.
How was the initial setup?
Overall, the initial setup is easy. Checkmarx provides an installer binary and we just need go through the wizard for an express installation. If we need an advanced configuration, we contact the Checkmarx support team.
What's my experience with pricing, setup cost, and licensing?
I believe pricing is better compared to other commercial tools.
Which other solutions did I evaluate?
Yes, we compared Checkmarx features and benefits with IBM AppScan and HPE Security Fortify.
What other advice do I have?
Personally, I recommend Checkmarx for static analysis.