How has it helped my organization?
After a proper on-boarding, we can set up proper reports of code vulnerabilities and/or misconfigurations for developers.
Security can be part of the SDLC and reduce the cost of vulnerability remediation. Also, we got faster remediation times for high and critical vulnerabilities.
What is most valuable?
Valuable features include:
- Both automatic and manual code review (CxQL).
- The languages covered by the solution.
What needs improvement?
Integration into the SDLC (i.e. support for the latest version of SonarQube) could be added.
What do I think about the stability of the solution?
We had to lock the number of CPUs used so as not to crash Checkmarx Audit.
What do I think about the scalability of the solution?
We haven’t had scalability issues yet.
How are customer service and technical support?
Professional services are really good. Support is too formal: they quickly answer that something is not supported instead of developing a hotfix.
Which solution did I use previously and why did I switch?
We didn’t really have a previous solution, but Checkmarx was the best match for .NET support and for scanning without resolving dependencies.
How was the initial setup?
Setup was straightforward, but you quickly need complex fine-tuning.
What's my experience with pricing, setup cost, and licensing?
Include professional services (PS) or deployment assistance so as not to miss true-positive vulnerabilities. It is a really powerful tool, but it must be configured to match your application.
What other advice do I have?
Ask to meet another customer with the same needs or the same kind of organization, to learn from their experience.