How has it helped my organization?
It is very easy to insert the tool in the SDLC because there are a wide variety of ways to access the source-code, initiate scans, and review the results. The projects need not care about getting a tool, accessing the tool, and it is cheaper using it.
What is most valuable?
The most valuable feature for me is the Jenkins Plugin. We usually take a copy of the normal build job for Checkmarx so that:
- we have all of the source code we need for the build, normal and generated source code;
- we need only one technical user for scanning the projects (SVN access and Git access need to change the passwords every 90 days).
What needs improvement?
I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time).
Updating and debugging of queries is not very convenient.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
In our last update to version 8.5.0, we had a problem with DB migration but, overall, I must say it has been stable.
What do I think about the scalability of the solution?
Regarding scalability, we have only one scan engine and our licence allows only two scans at the same time.
How are customer service and technical support?
I would rate the technical support seven out of 10. When you first create a ticket you sometimes get questions that you wouldn't expect from first-level support.
Which solution did I use previously and why did I switch?
None. I started with this product.
How was the initial setup?
The initial setup was decribed very well and it was straightforward. We had only two small problems: implementing the SSL certificate, and getting access for LDAP users.
What's my experience with pricing, setup cost, and licensing?
We got a special offer for a 30% reduction for three years, after our first year.
I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year).
Which other solutions did I evaluate?
I didn’t evaluate this or other solutions, but my team leader had experience with HPE Fortify and he said it is much more expensive, and the service even worse.
What other advice do I have?
Before implementing the product I would evaluate if it is really necessary to scan so many different languages and frameworks. If not, I think there must be a cheaper solution for scanning Java-only applications (which are 90% of our applications).