What is our primary use case?
My team uses this product extensively for application vulnerability assessment. This solution is for static application security testing and is used within our software development process.
As the software developers are creating solutions, they are able to identify vulnerabilities while the application is being written, rather than after the entire development is over.
We were interested in having the raw source code scanned, so that was the primary requirement and that is where Checkmarx comes in. We do not need any precompiled libraries, or compiled source code, to be checked by the source code analysis solution.
We have a security team that uses this product to scan source code, rather than have the developers handle it. We do not have any developer licenses (i.e. the SDLC Edition). Instead, the security team identifies the vulnerabilities and shares the report with the development team.
How has it helped my organization?
The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete.
As an example, an application may contain three hundred thousand lines of code that was written over two or three months. Rather than having to examine the entire product for vulnerabilities, we are able to assess weaknesses and identify vulnerabilities in, say, five hundred or one thousand lines of code. This is really advantageous for us.
What is most valuable?
There are many features, but first is the fact that it is easy to use, and not complicated.
One of the cool features is that it identifies the development technology we are using on its own, whether it is Java, .NET or otherwise; it identifies it by itself.
The most important aspect is that it shows us exactly on which particular line the vulnerability is.
The user interface is very intuitive and it offers help on the fly.
What needs improvement?
The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.
For how long have I used the solution?
A couple of years.
What do I think about the stability of the solution?
We have not observed any issues, such as the application crashing, with respect to the stability of this solution.
What do I think about the scalability of the solution?
The solution is quite scalable. We are not using the SDLC edition, but with that version, the developers can use different plugins and initiate the scan from their own development environment.
There are three or four members in our security team who use this tool. At the current time, we are happy with this solution and do not plan to increase its usage to the point where we need a different license.
How are customer service and technical support?
We have found the technical support to be good. Whenever anyone has an issue, we write directly to Checkmarx.com and they issue a support ID. Most of the time we receive a quick response.
We are currently based in India, and they have increased their team size in India with a couple of people providing support. It covers the Indian subcontinent as well. With this increase, our tickets are answered very quickly as compared to what we used to get.
If you previously used a different solution, which one did you use and why did you switch?
I do not have recent, hands-on experience with this tool, but I have used it in the past and my team now uses it extensively. We did not use a tool prior to this one, and we plan to continue using this because we are getting good results.
We use this solution for static application security testing. For dynamic testing, we use the Netsparker solution.
How was the initial setup?
The initial setup is pretty simple and straightforward, and it does not take more than fifteen minutes, maximum. The entire deployment was completed in not more than half an hour.
Not many people are required for deployment or maintenance. We have not done much since the original installation. When a new version comes in, any member of the security team can update the solution. In that way, a single person can maintain it. Within my team, it is a Senior Security Analyst who maintains this solution for us.
What about the implementation team?
It is a very simple tool and we do not have a complex environment. It is installed on a standalone machine.
We do not have an integrated solution. This is a standalone solution that is used with the Security Gate. The installation was completed in-house, by our team only.
What was our ROI?
We have seen ROI, but quantifying it in terms of numbers is difficult. The biggest advantage we have seen is that we're able to develop and deliver secure solutions in a faster time. We used to test our applications efficiently, and we still do, but there used to be a period of rework required. Now, that does not happen. We are able to identify the issues and address them while the development is in progress.
What's my experience with pricing, setup cost, and licensing?
We have a subscription license that is on a yearly basis, and it's a pretty competitive solution. I don't know of any additional costs, beyond the standard licensing fees, for our version of the software.
In the case of the SDLC edition, which is a higher version, there may be some professional support that is required. Otherwise, any license that they provide is just an annual subscription fee.
Which other solutions did I evaluate?
We evaluated the Fortify Static Code Analyzer and IBM Security AppScan, but our evaluation was not fully completed. We were happy with what we were seeing with Checkmarx, so we did not go ahead with the others.
What other advice do I have?
My advice to any software development team using a different set of tools is to look at Checkmarx. It's a very good product. It's a great product, in fact. Any organization spending money on a subscription license should not look at it as a cost; rather, it should be seen as an investment. The Checkmarx solution can act as a resource that helps the development team to secure their application delivery, be it an internal application for their own use or applications being written for their customers.
This solution tells us where, in our code, the "best-fix location" is. To put this into perspective, consider a particular piece of code where there are ten vulnerabilities detected. Perhaps it is an SQL injection vulnerability. This tool gives you specific locations and informs you that if you fix the code in certain areas (e.g. in three specific locations) then the subsequent vulnerabilities will automatically be addressed. Therefore, you save on development effort because you do not need to fix all ten vulnerabilities specifically and independently.
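The following is an added example, not code from the review or from Checkmarx, of why a single "best-fix location" can close several SQL injection findings at once. Three constructed call sites all build their query through one shared helper; a static analyzer would report a finding at each call site, but the helper is the one place where the fix (a bound parameter plus an allow-list for the column name, which cannot be bound) removes all of them. The table, the rows and the helper names are constructed for the example and use only the standard-library sqlite3 module.

```python
"""Added example: one shared helper is the best-fix location for three findings."""
import sqlite3


def make_db():
    """Constructed in-memory sample database used by both versions below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


# --- Vulnerable version: the helper splices the untrusted value into the SQL text.
# A scanner reports the three callers below as three separate injection findings,
# because the tainted value flows from each caller into the same sink here.
def run_query_vulnerable(conn, column, value):
    sql = f"SELECT name FROM users WHERE {column} = '{value}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_vulnerable(conn, name):      # finding 1
    return run_query_vulnerable(conn, "name", name)


def find_by_role_vulnerable(conn, role):      # finding 2
    return run_query_vulnerable(conn, "role", role)


def find_by_id_vulnerable(conn, user_id):     # finding 3
    return run_query_vulnerable(conn, "id", user_id)


# --- Fixed version: the same helper, repaired once.
# The value is passed as a bound parameter, so it is never parsed as SQL.
# The column is an identifier and cannot be bound, so it is checked against
# a fixed allow-list instead. Fixing this one helper closes all three findings.
ALLOWED_COLUMNS = frozenset({"id", "name", "role"})


def run_query_fixed(conn, column, value):
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {column!r}")
    sql = f"SELECT name FROM users WHERE {column} = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (value,))]


def find_by_name_fixed(conn, name):
    return run_query_fixed(conn, "name", name)


def find_by_role_fixed(conn, role):
    return run_query_fixed(conn, "role", role)


def find_by_id_fixed(conn, user_id):
    return run_query_fixed(conn, "id", user_id)


def quote_reaches_sql_parser(conn, name="O'Brien"):
    """Show that the vulnerable helper hands user input to the SQL parser.

    An ordinary name containing an apostrophe breaks the vulnerable statement
    (sqlite3 raises OperationalError), while the fixed helper treats it as data.
    Returns (vulnerable_raised, fixed_result).
    """
    try:
        find_by_name_vulnerable(conn, name)
        vulnerable_raised = False
    except sqlite3.OperationalError:
        vulnerable_raised = True
    return vulnerable_raised, find_by_name_fixed(conn, name)


def count_fix_locations():
    """Ten findings routed through one helper still need only one code change."""
    vulnerable_callers = [find_by_name_vulnerable, find_by_role_vulnerable,
                          find_by_id_vulnerable]
    return {"findings": len(vulnerable_callers), "fix_locations": 1}


if __name__ == "__main__":
    db = make_db()
    print(find_by_role_fixed(db, "user"))          # ['bob', 'carol']
    print(quote_reaches_sql_parser(db))           # (True, [])
    print(count_fix_locations())                  # {'findings': 3, 'fix_locations': 1}
```

The practical check when a report lists many findings that share a sink is to confirm they really flow through one function (as here) before assuming one patch covers them; a finding whose tainted value reaches a different sink still needs its own fix.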
I would rate this product a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.