What is Checkmarx?
Checkmarx CxSAST is a highly accurate and flexible Static Code Analysis product that allows organizations to automatically scan un-compiled / un-built code and identify hundreds of security vulnerabilities in all major coding languages. CxSAST is available as a standalone product and can be effectively integrated into the Software Development Lifecycle (SDLC) to streamline detection and remediation. CxSAST can be deployed on-premise in a private data center or hosted via a public cloud.
Checkmarx Buyer's Guide
Download the Checkmarx Buyer's Guide including reviews and more. Updated: January 2021
YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech
Case Study: Liveperson Implements Innovative Secure SDLC
What users are saying about Checkmarx pricing:
- "We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."
- "This solution is expensive. The customized package allows you to buy additional users at any time."
- "It's relatively expensive."
- Highest Rating
- Lowest Rating
- Review Length
Showingreviews based on the current filters.
Software Configuration Manager at a tech vendor with 501-1,000 employees
Jun 19, 2019
Works well with Windows servers but no Linux support and takes too long to scan files
What is our primary use case?The primary use that we have for Checkmarx is the evaluation of source code vulnerabilities. We use Git to connect to Checkmarx. We don't use GitHub. We use our own self-hosted Git. We're just using generic Git. One of the biggest thorns in our side is managing that aspect of it. It wouldn't matter if it was GitHub or Bitbucket or any of the other tools that you can use to connect Git to Checkmarx. The issue is the same. The tool is good at telling us what repository we're connected to, but it is horrible in telling us what branch we're connected to.
Pros and Cons
- "Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before."
- "Checkmarx being Windows only is a hindrance. Another problem is: why can't I choose PostgreSQL?"
What other advice do I have?From an administrative standpoint, I would rate Checkmarx with a five out of ten. From what my users are telling me, I'd give it an eight for the tool's ability to report on vulnerabilities in the user experience. I would rate Checkmarx with an eight on the user side and a five on the admin side. Customers need to work with Checkmarx to scale the system for their needs, i.e. work with their recommendations. The best practices that they have there. They have this formula to calculate how many CPUs and how much memory you need. The memory requirements are huge. We've got 64 GB machines to scan…
Practice Head - IT Risk & Security Management Services at Suma Soft Private Limited
May 18, 2019
Enables us to find vulnerabilities in our software before the development cycle is complete
What is our primary use case?My team uses this product extensively for application vulnerability assessment. This solution is for static application security testing and is used within our software development process. As the software developers are creating solutions, they are able to identify vulnerabilities while the application is being written, rather than after the entire development is over. We were interested in having the raw source code scanned, so that was the primary requirement and that is where Checkmarx comes in. We do not need any precompiled libraries, or compiled source code, to be checked by the source… more »
Pros and Cons
- "The main benefit to using this solution is that we find vulnerabilities in our software before the development cycle is complete."
- "The reports are good, but they still need to be improved considering what the UI offers."
What other advice do I have?My advice to any software development team using a different set of tools is to look at Checkmarx. It's a very good product. It's a great product, in fact. Any organization spending money on a subscription license should not look at it as a cost, rather, it should be seen as an investment. The Checkmarx solution can act as a resource that can help the development team to secure their application delivery. Be it an internal application for their own use, or applications being written for their customers. This solution tells us where, in our code, the "best-fix location" is. To put this into…
Learn what your peers think about Checkmarx. Get advice and tips from experienced pros sharing their opinions. Updated: January 2021.
455,962 professionals have used our research since 2012.
CEO at a tech services company with 11-50 employees
Easy interface that is user friendly, quick scanning, and good technical support
What is our primary use case?The primary use case is for a white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level. We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have. The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.
Pros and Cons
- "The most valuable features are the easy to understand interface, and it 's very user-friendly."
- "We have received some feedback from our customers who are receiving a large number of false positives."
What other advice do I have?We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling. We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company. With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning. Some of our customers like the Codebashing model…
Vice President at Arisglobal Software Pvt Ltd
Jun 23, 2020
Very good technical support, good vulnerability protection upgrades, and rich in features
What is our primary use case?We are using it for static security scanning and static security testing. We also use it for code dependency analysis. We use two of the solution's tools for each variable.
Pros and Cons
- "The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
- "In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
What other advice do I have?We're just a customer. We don't have a special relationship with the company. I would definitely recommend Checkmarx, I find them much more feature-rich than other tools I've used in the past. I'd rate the solution eight out of ten.
Cuneyt KALPAKOGLU Phd.
Founder & Chairman at a tech services company with 11-50 employees
The flexibility in regards to finding false-positives and false-negatives is amazing
What is our primary use case?I am the founder and the chairman of an internationally certified cybersecurity research lab. I have a Ph.D. in cryptology and network security. We are a strategic partner of Checkmarx. Our job is to help them develop solutions. Currently, we are developing some algorithms and strategic solutions for them. Checkmarx informs us about what is happening, in advance, before they launch a product. We are also one of their testers.
Pros and Cons
- "From my point of view, it is the best product on the market."
- "Micro-services need to be included in the next release."
What other advice do I have?If you wish to purchase Checkmarx, you should scan the same source code with a different product, compare them to their competition, and make a decision. This way, you can see the difference and understand the benefits of Checkmarx. Test and scan some lines of code in any programming language you wish, then do the same with a competitor. Checkmarx will produce far fewer false-positives compared to any other solution on the market. Other solutions will produce roughly 900 false-positives whereas Checkmarx will cut that number in half. I am not trying to sell this product to you, this is simply…
Director and Co-Founder at Ushiro-tec
Apr 17, 2019
The Best Fix Location & Payments Features Can Save Time Mitigating Network Configurations
What is our primary use case?We use Checkmarx to review the source code for the external applications that we expose to the cloud or other servers on the internet.
Pros and Cons
- "The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time."
- "With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too."
What other advice do I have?We have a small team. It is about four people in total. We do not require that many staff for the deployment and maintenance of Checkmarx. We are testing the solution in a small local company. Our idea is to expand the use of it to our clients in the West. In this space, you can have different points of view and if only you are looking for a solution to do a check in your auditory report, then you can choose anyone. If you really are worried about your business, i.e. about your development sites or development environments, Checkmarx is a great solution. I would rate Checkmarx a nine out of…
Technical Lead at a tech services company with 1,001-5,000 employees
Jul 7, 2020
User friendly with a good interface and excellent at detecting vulnerabilities
What is our primary use case?We use this solution to check our systems for any vulnerabilities in our applications. Currently, I'm working on a banking tool, which is aligned with the menu. Our system was created 30 years ago and still is running in the market and doing well. However, currently, there are so many changes happening. Any solution coming into the technology needs to have a security check to ensure everything is safe.
Pros and Cons
- "The user interface is excellent. It's very user friendly."
- "The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."
What other advice do I have?I don't recall the exact version of the solution we are using. I would recommend the solution. I'd rate it eight out of ten.
Senior Manager at a manufacturing company with 10,001+ employees
Jan 6, 2021
A stable solution for identifying security vulnerabilities but needs functionalities for identifying the run-time null values and doing static and dynamic code validation
What is our primary use case?We use Checkmarx for security vulnerability identification. We are using its latest version. We have a license to upgrade to the latest version. Whenever there is a new version, we update it to the latest version.
Pros and Cons
- "The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
- "We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
What other advice do I have?Even though we run it manually, it captures most of the things. We decided to go with Checkmarx two years ago, and we are continuing with it. I would rate Checkmarx a seven out of ten. There are a few things that can be improved in this solution.
See 10 more Checkmarx Reviews
Download our free Checkmarx Report and get advice and tips from experienced pros sharing their opinions.
- Penetration Testing
- Code Analysis
- SQL Injection
- Primary Use Case
- Valuable Features
- Room for Improvement
- What is the biggest difference between Veracode and Checkmarx?
- Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
- What is the biggest difference between Checkmarx and SonarQube?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- Which application security solutions include both vulnerability scans and quality checks?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- How was the 2020 Twitter Hack carried out? How could it have been prevented?
- Is SonarQube the best tool for static analysis?
- What are the OWASP top 10 in 2020?
- SAST vs. DAST: Which is better for application security testing?