Checkmarx Pros and Cons

The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete.

The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time.

The most valuable feature for me is the Jenkins Plugin.

Both automatic and manual code review (CxQL) are valuable.

Vulnerability details is valuable.

It is a stable product.

Most valuable features include: ease of use, dashboard. interface and the ability to report.

It shows in-depth code of where actual vulnerabilities are.

It gives the proper code flow of vulnerabilities and the number of occurrences.

The reports are good, but they still need to be improved considering what the UI offers.

With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too.

I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time).

Updating and debugging of queries is not very convenient.

Integration into the SDLC (i.e. support for last version of SonarQube) could be added.

Implementing a blackout time for any user or teams: Needs improvement.

It is an expensive solution.

It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use.