Checkmarx One Reviews

When I had an issue that was causing trouble in my code, I would upload it to Checkmarx to perform static code analysis. I would then study the reports.

Using this product improved the stability of my code that went into production.

The most valuable feature is the scanning.

The reports are very good because they include details on the code level, and make suggestions about how to fix the problems.

You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful.

It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.

I used Checkmarx for about six months at my previous place of employment. I stopped using it about six months ago.

We had perhaps 100 users at my previous job.

I was not in contact with technical support.

I would rate this solution a seven out of ten.

We use Checkmarx to review the source code for the external applications that we expose to the cloud or other servers on the internet.

We received two main benefits from Checkmarx:

1. Better Security
2. Saving Time

I recommend Checkmarx to be sure that your development has robust security. For your team management, Checkmarx has a very nice feature to check out manual staff in the process.

The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time.

Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company. 

You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible. 

In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products. 

With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too.

The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.

Checkmarx is a good product, certainly stable.

The scalability is good. We haven't had any problems with it.

Our experience with technical support is good. They have a lot of expert staff on their customer service lines. We have had no problems with their technical support services.

We used Veracode for some time and it's also a good solution. Veracode fits better for small companies. It's more automatic.

Checkmarx is more complete and they have more features to support our development team and security team requirements.

In general, Checkmarx is a better solution, but it's more complicated, especially in terms of the price for a small company.

Our deployment of Checkmarx took a couple of days, at max, a week. 

The setup was a long time back, but I know that we did not use a reseller or consultant for the deployment.

We evaluated some products from a company in Spain. Checkmarx provided better functionality and options for us.

We have a small team. It is about four people in total. We do not require that many staff for the deployment and maintenance of Checkmarx.

We are testing the solution in a small local company. Our idea is to expand the use of it to our clients in the West.

In this space, you can have different points of view and if only you are looking for a solution to do a check in your auditory report, then you can choose anyone. 

If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution.

I would rate Checkmarx a nine out of ten because of the price, but technically for me, it is a 10. 

I would rate Checkmarx with a nine because it would be perfect at a more functional level, and could be better at providing these features for parity. 

If you research what Checkmarx is offering in their package distribution, you get exactly what they promise up front, so they are not lying.

It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results.

Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.

I have been using this solution for a couple of years.

It is pretty stable.

It has the capability to scale very easily. It is not a problem.

Their support is good. It has a good webpage with a lot of details.

It is very easy to set up. It takes a couple of days. It is not an issue.

It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing. 

I would absolutely recommend this solution. I would rate Checkmarx a nine out of 10.

Checkmarx is used only for static application security testing (SAST), and it can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security.

I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features. So most of my customers would love to have consolidated vendors who cover all application security to lower operational overhead.

I'm a solution architect, not an end-user. I'm selling Checkmarx. This is the first year I've done business with Checkmarx. In the past five years, I worked a lot with Fortify and Micro Focus. I currently have two customers running Checkmarx, and one more is evaluating the product.

Setting up Checkmarx should be relatively straightforward. It takes a little more time for the DevOps team to enable everything, but overall deployment should take less than a week, including preparation and implementation. 

Most of my customers opted for a perpetual license. They prefer to pay the highest amount upfront for the perpetual license and then pay for additional support annually.

I rate Checkmarx eight out of 10. Until I get more extensive feedback from clients, I would rate it an eight.

Code scan. We performed periodic static code scans on copies of our Git repository to identify possible vulnerabilities.

Code consistency. It prompted our developers to fix code or document code they otherwise would not have done.

The consistency of code. Showed our team where they are inconsistent or where they have made simple omissions.

Dynamic testing. If it had that feature I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.

It moved our organization towards being agile vs. waterfall.

Scan reviews can occur during the development lifecycle.

The areas in which this product needs to improve are:

• C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported.
• There were issues in regards to the JSP parsing.
• Defect report generation takes multiple hours for large projects.
• The Jenkins plugin does not work for projects that are larger than 4 million lines of code.
• The Eclipse plugin does not work.
• The hardware requirements for the tool add to the substantial cost of the solution and thus, increase the total cost of ownership.

• There seems to be a decline in the support team's responsiveness as our contract nears its end.

• We felt like we were the extended quality organization for Checkmarx as they frequently released poor quality patches that broke the existing functionality. A lot of the organizational hours, almost 1 FTE per year since Checkmarx was implemented, were spent to allow regression testing of the product. The Checkmarx SME team at my company had to do this testing to ensure that we do not expose product flaws to our user community.

We did encounter stability issues. The different versions of this product provide inconsistent results when the same piece of code is scanned.

We did not encounter any scalability issues.

The support team is knowledgeable. However, we still have tickets open from 2014. There is a lot of follow up required to get closure on issues.

Previously, we were using a different solution. We were leveraging multiple tools since we have code in multiple languages. Checkmarx advertised that they provide support for C, C+++, Java, etc. It turned out that they aren’t able to scan C and C++ for us. Our reason to switch to Checkmarx didn’t work out for us.

The initial setup was straightforward.

The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies.

I suggest using a trial term to run a gamut of scenarios that need to be leveraged before settling in with the Checkmarx solution.

We evaluated the Veracode option.

The product is not mature and ready for the enterprise usage yet. It is okay to use it when the support expectations are low and the code is in languages that require support only in Java and .NET.

We are using multiple solutions for application security, and Checkmarx is one of them. We are a client-centric organization, and we are also providing support to clients for application security. Sometimes, we have our own production, and then we scan the customer information and provide application security. For a few clients, it is deployed on the cloud, and for a few customers, it is on-premises.

The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages.

They can support the remaining languages that are currently not supported. They can also
create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.

It is stable, and it works.

It is scalable. Our clients are small, medium, and big enterprises. It is for all the categories.

Their support is good. I had discussions with them multiple times. We are getting proper support.

It is straightforward. It is not a big challenge. It doesn't take long.

I would rate Checkmarx a seven out of ten.

I have used it for source code scanning of security vulnerabilities. It seems to be a good tool. It gives the proper code flow of vulnerabilities and the number of occurrences.

We have scanned various applications with it. It works fine, although we need to check manually for false positive issues. 

After scanning, it shows in-depth code of where actual vulnerabilities are, which helps us to analyze them.

It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use.