We just raised a $30M Series A: Read our story
VY
Vice President Of Technology at a computer software company with 5,001-10,000 employees
Real User
Top 5
Good reporting, performance, and coverage for different languages

Pros and Cons

  • "The most valuable feature is the application tracking reporting."
  • "The cost per user is high and should be reduced."

What is our primary use case?

We primarily use Checkmarx for application security and tracking.

What is most valuable?

The most valuable feature is the application tracking reporting.

From the user's perspective, the interface is pretty good. It will point out the exact line of code when an issue is found.

It is good in terms of coverage for different languages.

It is updated automatically so there is less maintenance.

What needs improvement?

The cost per user is high and should be reduced. Five years ago, it was a user-based model, which was significantly better. It would be great if we could distribute the cost equally between projects.

For how long have I used the solution?

I have been working with Checkmarx for about two years.

What do I think about the stability of the solution?

This is a stable product.

What do I think about the scalability of the solution?

It is scalable in terms of being able to run multiple instances for different products. We have approximately 10 users, which is the size of our application security team.

I would like to increase our usage of this product, but it will ultimately depend on the company's strategy.

How are customer service and technical support?

Given the stability of Checmarx, it doesn't require a lot of communication with technical support. That said, we have been in touch with them for non-technical issues and they have a good team with a lot of Russian speakers.

Which solution did I use previously and why did I switch?

Prior to using Checkmarx, I used AppScan but the concept is completely different. With Checkmarx, you are working with source code, whereas as with AppScan, you are working with binaries. You can say that AppScan is more like a dynamic security scan and Checkmarx is more static.

These products are quite different in terms of how you do the testing. Checkmarx is better from both a performance perspective and reporting a lower number of false positives.

How was the initial setup?

We did not have any trouble with the initial setup. Our deployment was done within a couple of hours. The easiest thing to do is create a virtual machine and deploy it.

What about the implementation team?

Our in-house IT staff was responsible for the implementation.

What's my experience with pricing, setup cost, and licensing?

The number of users and coverage for languages will have an impact on the cost of the license. We would like to deploy it for the whole company but it's a question of spending thousands of dollars. Investing $200,000 or $300,000 would be an upper management decision.

The educational component is additional and costs approximately $100 per month for each user. This is too high so we did not agree to the service.

What other advice do I have?

Overall, we are very satisfied with Checkmarx and it is a product that I recommend.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ŁR
Solution Manager at a computer software company with 201-500 employees
Reseller
Top 20
Good value with a very good CodeBashing platform and AppSec Awareness

Pros and Cons

  • "The value you can get out of the speedy production may be worth the price tag."
  • "The pricing can get a bit expensive, depending on the company's size."

What is our primary use case?

We're more evaluating the solution rather than using it right now. We're resellers and it's something we'd like to offer to our clients.

What is most valuable?

I am aware of Checkmarx's portfolio, however, we've been playing exclusively with the SAST and with the AppSec Awareness platform, they're Codebashing platform. It's been a very positive experience overall.

The value you can get out of the speedy production may be worth the price tag.

What needs improvement?

The reporting could be better on the product. The need to be much more customizable including being customizable for various roles.

The pricing can get a bit expensive, depending on the company's size.

For how long have I used the solution?

We've been working with this solution for some time. I have personally been working with the product for the last three or four months.

Which solution did I use previously and why did I switch?

We haven't really extensively worked with any other products.

What's my experience with pricing, setup cost, and licensing?

The cost might seem steep, however, it really depends on, first the size and requirements of your company. There are companies for which the speed of developing new features and developing them securely, is more valuable than for other organizations. 

This goes not only for Checkmarx. It goes for any automated desktop security platform in general. I definitely see the cases when the Checkmarx license is a reasonable expense. It just may not be for everyone.

Which other solutions did I evaluate?

We've been looking at SonarQube. We're looking into other options as we don't want exclusively to just offer Checkmarx to potential clients.

We looking for solutions more on the enterprise spectrum. Therefore, I would probably consider products such as Vericode. I would also consider the newer players, such as, for example, GitLab

What other advice do I have?

We're resellers, however, we don't have an exclusive relationship with this company. We're looking at other products we can use and offer to our clients as well.

In our company, we do not have the Checkmarx solution running on production. We do have it, however, we only have a learning license, which is non-commercial.

On a scale from one to ten, I would rate this product at an eight. Overall, it's been a positive experience so far.

Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Flag as inappropriate
Learn what your peers think about Checkmarx. Get advice and tips from experienced pros sharing their opinions. Updated: October 2021.
542,823 professionals have used our research since 2012.
Antoine Rime
Cyber Security Consultant at a computer software company with 5,001-10,000 employees
Consultant
Top 20
Stable with an easy setup and good visibility

Pros and Cons

  • "The setup is fairly easy. We didn't struggle with the process at all."
  • "They could work to improve the user interface. Right now, it really is lacking."

What is our primary use case?

We primarily use the solution for static analysis.

What is most valuable?

The visibility the solution gives you is great. It really gives you the ability to see what the root issues in the code actually are. 

The setup is fairly easy. We didn't struggle with the process at all.

What needs improvement?

The solution isn't exactly user-friendly. They could make the user experience a bit better in future builds. 

They could work to improve the user interface. Right now, it really is lacking.

For how long have I used the solution?

We've been using this solution for six months. It's been less than a year and not very long just yet.

What do I think about the stability of the solution?

The solution is very stable. There aren't bugs or glitches. The solution doesn't freeze and it's not likely to crash. We find it very reliable.

What do I think about the scalability of the solution?

It's my understanding that the solution is scalable. A company that needs to expand can do so.

We have about 100 people that use it in the company.

How are customer service and technical support?

The technical support is fine. We've always had good experiences. We're satisfied with the level of service we are provided.

Which solution did I use previously and why did I switch?

We didn't previously use a different solution. We've only ever used this product.

How was the initial setup?

The initial setup is easy and straightforward. It's not complex.

We don't have to handle any maintenance. It's my understanding that Checkmarx handles it.

What's my experience with pricing, setup cost, and licensing?

The pricing is rather reasonable. It's not the most expensive on the market.

What other advice do I have?

We're a customer. We use the solution in our organization.

I'm not sure of which version of the solution we're using.

Overall, I'd rate the solution eight out of ten. We've had a pretty positive experience overall.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
EK
Director of consultory at a non-tech company with 1,001-5,000 employees
Reseller
Top 5Leaderboard
Includes features to easily secure code, multiple language support and excellent customer support

Pros and Cons

  • "The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all."
  • "I would like to see the DAST solution in the future."

What is our primary use case?

We onboard clients with the solution. We install the product and do the first scan with them. We help developers with security and the best practices with their applications with this solution.

What is most valuable?

The most valued feature comes within the platform called Codebashing, it allows scanning code for security flaws. Our clients are able to learn from these scans and develop more secure code. The solution is easy to configure and user friendly as well. They also have support for a large variety of languages compared to other solutions and the product updates continuously.

What needs improvement?

I would like to see the DAST solution in the future. 

For how long have I used the solution?

We have been using the solution for one year.

What do I think about the stability of the solution?

We had no issues and it has always worked at a top level of performance.

What do I think about the scalability of the solution?

The solution is easy to intergate. It is plug and play and intergrates well with the pipeline and DevSecOps. Our main client is a big company and the solution works well.

How are customer service and technical support?

The support is excellent.

How was the initial setup?

The setup is very easy. There is a lot of information in the documents which makes the install not difficult at all.

What was our ROI?

The product saves you money by minimizing the time needed to figure out how to mitigate the problems by using such features such as The Best Fixed Location and the flow charts.

Which other solutions did I evaluate?

We evaluated Veracode before choosing Checkmarx.

What other advice do I have?

Depending on the client, we could deploy the solution on the cloud or on-premise. I would recommend Checkmarx because you can learn from the scanning done. They have some of the best features which make the product wonderful. 

I rate Checkmarx a ten out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
RG
Information Security Architect at a tech services company with 1,001-5,000 employees
Real User
Gives less number of false positives and supports most of the languages, but need to support remaining languages and create a model to identify zero-day attacks

What is our primary use case?

We are using multiple solutions for application security, and Checkmarx is one of them. We are a client-centric organization, and we are also providing support to clients for application security. Sometimes, we have our own production, and then we scan the customer information and provide application security. For a few clients, it is deployed on the cloud, and for a few customers, it is on-premises.

What is most valuable?

The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages.

What needs improvement?

They can support the remaining languages that are currently not supported. They can also…

What is our primary use case?

We are using multiple solutions for application security, and Checkmarx is one of them. We are a client-centric organization, and we are also providing support to clients for application security. Sometimes, we have our own production, and then we scan the customer information and provide application security. For a few clients, it is deployed on the cloud, and for a few customers, it is on-premises.

What is most valuable?

The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages.

What needs improvement?

They can support the remaining languages that are currently not supported. They can also
create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.

What do I think about the stability of the solution?

It is stable, and it works.

What do I think about the scalability of the solution?

It is scalable. Our clients are small, medium, and big enterprises. It is for all the categories.

How are customer service and technical support?

Their support is good. I had discussions with them multiple times. We are getting proper support.

How was the initial setup?

It is straightforward. It is not a big challenge. It doesn't take long.

What's my experience with pricing, setup cost, and licensing?

I would rate Checkmarx a seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
AN
Senior Cybersecurity Solution Architect at a computer software company with 51-200 employees
Real User
Integrates well with other security solutions

Pros and Cons

  • "It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security."
  • "I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features."

What is our primary use case?

Checkmarx is used only for static application security testing (SAST), and it can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security.

What needs improvement?

I expect application security vendors to cover all aspects of application security, including SAST, DAST, and even mobile application security testing. And it would be much better if they provided an on-premises and cloud option for all these main application security features. So most of my customers would love to have consolidated vendors who cover all application security to lower operational overhead.

For how long have I used the solution?

I'm a solution architect, not an end-user. I'm selling Checkmarx. This is the first year I've done business with Checkmarx. In the past five years, I worked a lot with Fortify and Micro Focus. I currently have two customers running Checkmarx, and one more is evaluating the product.

How was the initial setup?

Setting up Checkmarx should be relatively straightforward. It takes a little more time for the DevOps team to enable everything, but overall deployment should take less than a week, including preparation and implementation. 

What's my experience with pricing, setup cost, and licensing?

Most of my customers opted for a perpetual license. They prefer to pay the highest amount upfront for the perpetual license and then pay for additional support annually.

What other advice do I have?

I rate Checkmarx eight out of 10. Until I get more extensive feedback from clients, I would rate it an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Samuel Baguma
Senior Security Engineer at a pharma/biotech company with 501-1,000 employees
Real User
Top 20
Detailed reporting assists in repairing problems, but there are a lot of false positives

Pros and Cons

  • "The reports are very good because they include details on the code level, and make suggestions about how to fix the problems."
  • "You can't use it in the continuous delivery pipeline because the scanning takes too much time."

What is our primary use case?

When I had an issue that was causing trouble in my code, I would upload it to Checkmarx to perform static code analysis. I would then study the reports.

How has it helped my organization?

Using this product improved the stability of my code that went into production.

What is most valuable?

The most valuable feature is the scanning.

The reports are very good because they include details on the code level, and make suggestions about how to fix the problems.

What needs improvement?

You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful.

It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.

For how long have I used the solution?

I used Checkmarx for about six months at my previous place of employment. I stopped using it about six months ago.

What do I think about the scalability of the solution?

We had perhaps 100 users at my previous job.

How are customer service and technical support?

I was not in contact with technical support.

What other advice do I have?

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
EB
Director and Co-Founder at a tech services company with 11-50 employees
Real User
Fits our requirements, scales easily, and is easy to use

Pros and Cons

  • "It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results."
  • "Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model."

What is most valuable?

It is very useful because it fits our requirements. It is also easy to use. It is not complex, and we are satisfied with the results.

What needs improvement?

Its pricing model can be improved. Sometimes, it is a little complex to understand its pricing model.

For how long have I used the solution?

I have been using this solution for a couple of years.

What do I think about the stability of the solution?

It is pretty stable.

What do I think about the scalability of the solution?

It has the capability to scale very easily. It is not a problem.

How are customer service and technical support?

Their support is good. It has a good webpage with a lot of details.

How was the initial setup?

It is very easy to set up. It takes a couple of days. It is not an issue.

What's my experience with pricing, setup cost, and licensing?

It is not expensive, but sometimes, their pricing model or licensing model is not very clear. There are similar variables, such as projects or developers, and sometimes, it is a little bit confusing. 

What other advice do I have?

I would absolutely recommend this solution. I would rate Checkmarx a nine out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Buyer's Guide
Download our free Checkmarx Report and get advice and tips from experienced pros sharing their opinions.