Improvements to My Organization
For manual code testing, Checkmarx has been very helpful in discarding false positives, filtering out and removing many files that do not present any threat, and indicating the files or functions that should be focused on.
Checkmarx acts as the first checkpoint during our consulting for apps that are looking for a security assessment or penetration testing. It is also a game changer, giving the customer the results of each finding from the Checkmarx report.
- The export feature and presentation of the results.
- The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions).
- A wide variety of modern programming languages are supported, including mobile languages.
Room for Improvement
The inability to review compiled code. If it could, it would be able to compete with other scanning tools, such as Veracode.
Compiled code means that the code as written is stored in binaries, for machine reading only. Tools like Veracode read only those binaries (compiled code).
The other way to have the code is “source code only”, which is the only code format that Checkmarx accepts: a process where you don’t compile, and everyone is able to read the code line by line.
When the workload contains many source code bases being scanned at once, and none of them shows any progress, they sometimes seem to get stuck. There is also a considerable number of false positives (vulnerabilities that do not present a danger to the application or the user).
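The review above praises tracking the origin and destination of weak variables and complains about false positives. The following toy source-to-sink tracer is an added illustration of what that feature does under the hood; it is not Checkmarx code and is not taken from the review. It walks straight-line Python functions with the standard `ast` module, marks values returned by assumed untrusted sources as tainted, follows them through assignments, concatenation and f-strings, and reports when they reach an assumed dangerous sink. A sanitizer list shows why a tool that does not model sanitizers would raise exactly the kind of false positive the reviewer mentions. All source, sink and sanitizer names, and the sample code being scanned, are constructed for the demo.

```python
"""Toy source-to-sink taint tracer (added example, not Checkmarx's implementation)."""
import ast

# Assumed demo vocabulary: real SAST tools ship large, language-specific lists.
SOURCES = {"input", "request_param"}          # return attacker-controlled text
SINKS = {"os.system", "cursor.execute"}       # dangerous if given tainted text
SANITIZERS = {"shlex.quote", "escape_sql"}    # break the taint chain


def _call_name(call):
    """Dotted name of a call target, e.g. 'os.system', or None if not simple."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def _taint_of(expr, tainted):
    """Return the line where taint feeding `expr` originated, else None."""
    if isinstance(expr, ast.Call):
        name = _call_name(expr)
        if name in SOURCES:
            return expr.lineno
        if name in SANITIZERS:
            return None                     # sanitized value counts as clean
        for arg in expr.args:               # other calls pass taint through
            origin = _taint_of(arg, tainted)
            if origin is not None:
                return origin
        return None
    if isinstance(expr, ast.Name):
        return tainted.get(expr.id)
    if isinstance(expr, ast.JoinedStr):     # f-string interpolation
        for part in expr.values:
            if isinstance(part, ast.FormattedValue):
                origin = _taint_of(part.value, tainted)
                if origin is not None:
                    return origin
        return None
    if isinstance(expr, ast.BinOp):         # string concatenation
        return _taint_of(expr.left, tainted) or _taint_of(expr.right, tainted)
    return None


def find_flows(source_code):
    """Return [(sink_name, origin_line, sink_line)] for each tainted flow."""
    flows = []
    tree = ast.parse(source_code)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = {}   # variable name -> line where its taint originated
        for stmt in func.body:
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                origin = _taint_of(stmt.value, tainted)
                name = stmt.targets[0].id
                if origin is None:
                    tainted.pop(name, None)  # reassigned to a clean value
                else:
                    tainted[name] = origin
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if _call_name(call) in SINKS:
                    for arg in call.args:
                        origin = _taint_of(arg, tainted)
                        if origin is not None:
                            flows.append((_call_name(call), origin, call.lineno))
                            break
    return flows


# Constructed sample program to scan; line numbers in comments are its own.
SAMPLE = '''
def run():
    user = input()                     # line 3: untrusted source
    cmd = "ls " + user                 # line 4: taint propagates
    os.system(cmd)                     # line 5: sink -> true positive

def safe():
    user = input()                     # line 8
    safe_user = shlex.quote(user)      # line 9: sanitizer clears taint
    os.system("ls " + safe_user)       # line 10: no finding (avoids a false positive)

def query():
    name = request_param("name")       # line 13
    cursor.execute(f"SELECT * FROM t WHERE n = '{name}'")  # line 14: SQL sink
'''


def demo():
    """Scan the sample and return its flows as (sink, origin line, sink line)."""
    return find_flows(SAMPLE)


if __name__ == "__main__":
    for sink, origin, dest in demo():
        print(f"{sink}: tainted value from line {origin} reaches line {dest}")
```

Running it reports two flows, `os.system` (line 3 to 5) and `cursor.execute` (line 13 to 14), and stays silent on `safe()` because the sanitizer cut the chain. Removing `shlex.quote` from `SANITIZERS` makes the third finding appear, which is the reviewer's false-positive case in miniature: the flow is real but the danger is not.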
We have not encountered any scalability issues.
Customer Service and Technical Support
From both customer support and technical support, the response is very swift (less than a day), and the technical people are very skilled in the common issues concerning the management of the scanning tool, even with issues of server saturation and scanners stuck at a percentage.
I used to work mostly on checking the source code manually, and estimated the time of completion counting the lines of code to review. With Checkmarx that time was hugely reduced.
I also worked with Veracode, which I use for compiled code, but most of the customer’s applications have uncompiled code, so that is why I use Checkmarx more frequently.
The initial setup was complex. There is a learning curve, and you also need technical knowledge to review the results of Checkmarx’s work.
Pricing, License Cost and Setup
Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products to build a safe and stable application when it comes to inviting customers to use your online services.
Other Solutions Considered
We evaluated IBM AppScan and Veracode. Neither covers the needs of my clients, the way I work, or the programming languages that Checkmarx covers.
I recommend having a live session with the marketing team, to get a demo and to clear up all your doubts before purchasing. Checkmarx is a powerful tool, but you need to be sure what you are using and what it is for. You could use just 20% of what the tool can do, and therefore waste your money. So either fully learn how to use it and evaluate whether it’s the right scanning tool to have, or go for a better and cheaper option.
Disclosure: My company has a business relationship with this vendor other than being a customer: we support together a huge list of clients, we have credentials and provide support to each business and division. So, we have the capacity to escalate any trouble or problem in case it is necessary. We have our own community and are able to provide and remove access to users.
Feb 26 2017