How has it helped my organization?
For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon.
Checkmarx acts as the first checkpoint during our consulting for apps that are looking for a security assessment or Penetration Testing. It is also a game changer, giving the customer's results from each finding in the Checkmarx results.
What is most valuable?
- The export feature and presentation of the results.
- The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions).
- A wide variety of modern programming languages are supported, including mobile languages).
What needs improvement?
The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode.
Compiled code means that the code written is stored in binaries, for machine reading only. Tools like Veracode read only those binaries (compiled code).
Another way to have the code is “Source Code written only”, which is the only code format that Checkmarx accepts, a process where you don’t compile and everyone is able to read line by line the code.
What do I think about the stability of the solution?
When the workload contains so many source codes being scanned, and none of them present any progress, sometimes they seem to get stuck. There are also a considerable number of false positives (vulnerabilities that do not present a danger against the application or the user).
What do I think about the scalability of the solution?
We have not encountered any scalability issues.
How are customer service and technical support?
From both customer support and technical support, the response is very swift (less than a day) and the technical people are very skilled on the common issues concerning the management of the scanning tool, even with issues of server saturation and scanners stuck at a percentage.
Which solution did I use previously and why did I switch?
I used to work mostly on checking the source code manually, and estimated the time of completion counting the lines of code to review. With Checkmarx that time was hugely reduced.
I also worked with Veracode, which I use for compiled code, but most of the customer’s applications have uncompiled code, so that is why I use Checkmarx more frequently.
How was the initial setup?
The initial setup was complex. There is a curve of learning, and you also need technical knowledge on reviewing the results of Checkmarx’s work.
What's my experience with pricing, setup cost, and licensing?
Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products to build a safe and stable application when it comes to inviting customers to use your online services.
Which other solutions did I evaluate?
We evaluated IBM AppScan and Veracode. Neither covers the needs of my clients, the way I work, and the programming languages that Checkmarx covers.
What other advice do I have?
I recommend to have a live session with the marketing team, to have a demo and to track all your doubts before purchasing. Checkmarx is a powerful tool but you need to be sure what you are using, and what it is for. You could use just 20% of what the tool can do, and therefore waste your money. So either fully learn how to use it and evaluate if it’s the right scanning tool to have, or go for a better and cheaper option.