Checkmarx Review
Acts as the first check point during our consulting for apps that are looking for a security assessment or Penetration Testing.


Improvements to My Organization

For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon.

Checkmarx acts as the first checkpoint during our consulting for apps that are looking for a security assessment or Penetration Testing. It is also a game changer, giving the customer's results from each finding in the Checkmarx results.

Valuable Features

  • The export feature and presentation of the results.
  • The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions).
  • A wide variety of modern programming languages are supported, including mobile languages).

Room for Improvement

The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode.

Compiled code means that the code written is stored in binaries, for machine reading only. Tools like Veracode read only those binaries (compiled code).

Another way to have the code is “Source Code written only”, which is the only code format that Checkmarx accepts, a process where you don’t compile and everyone is able to read line by line the code.

Stability Issues

When the workload contains so many source codes being scanned, and none of them present any progress, sometimes they seem to get stuck. There are also a considerable number of false positives (vulnerabilities that do not present a danger against the application or the user).

Scalability Issues

We have not encountered any scalability issues.

Customer Service and Technical Support

From both customer support and technical support, the response is very swift (less than a day) and the technical people are very skilled on the common issues concerning the management of the scanning tool, even with issues of server saturation and scanners stuck at a percentage.

Previous Solutions

I used to work mostly on checking the source code manually, and estimated the time of completion counting the lines of code to review. With Checkmarx that time was hugely reduced.

I also worked with Veracode, which I use for compiled code, but most of the customer’s applications have uncompiled code, so that is why I use Checkmarx more frequently.

Initial Setup

The initial setup was complex. There is a curve of learning, and you also need technical knowledge on reviewing the results of Checkmarx’s work.

Pricing, License Cost and Setup

Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products to build a safe and stable application when it comes to inviting customers to use your online services.

Other Solutions Considered

We evaluated IBM AppScan and Veracode. Neither covers the needs of my clients, the way I work, and the programming languages that Checkmarx covers.

Other Advice

I recommend to have a live session with the marketing team, to have a demo and to track all your doubts before purchasing. Checkmarx is a powerful tool but you need to be sure what you are using, and what it is for. You could use just 20% of what the tool can do, and therefore waste your money. So either fully learn how to use it and evaluate if it’s the right scanning tool to have, or go for a better and cheaper option.

Disclosure: My company has a business relationship with this vendor other than being a customer: We support together a huge list of clients, we have credentials and provide support to each business and division. So, we have the capacity to escalate any trouble or problem in case it is necessary. We have our own community and are able to provide and remove access to users.
2 visitors found this review helpful

Free Demo

Learn more about Checkmarx.

Add a Comment

Guest
Why do you like it?

Sign Up with Email