Checkmarx Overview

Checkmarx is the #2 ranked solution in our list of AST tools. It is most often compared to SonarQube.

What is Checkmarx?

Checkmarx CxSAST is a highly accurate and flexible static code analysis product that lets organizations automatically scan uncompiled, unbuilt code and identify hundreds of security vulnerabilities in all major programming languages. CxSAST is available as a standalone product and can be integrated into the Software Development Lifecycle (SDLC) to streamline detection and remediation. CxSAST can be deployed on-premises in a private data center or hosted in a public cloud.


Checkmarx Buyer's Guide

Download the Checkmarx Buyer's Guide including reviews and more. Updated: July 2021

Checkmarx Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech

Case Study: Liveperson Implements Innovative Secure SDLC


Pricing Advice

What users are saying about Checkmarx pricing:
  • "This solution is expensive. The customized package allows you to buy additional users at any time."
  • "It's relatively expensive."
  • "The interface used to create custom rules comes at an additional cost."
  • "Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."

MM
CEO at a tech services company with 11-50 employees
Reseller
Top 10 Leaderboard
Easy interface that is user friendly, quick scanning, and good technical support

What is our primary use case?

The primary use case is for a white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level. We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have. The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.

Pros and Cons

  • "The most valuable features are the easy to understand interface, and it's very user-friendly."
  • "We have received some feedback from our customers who are receiving a large number of false positives."

What other advice do I have?

We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling. We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company. With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning. Some of our customers like the Codebashing model…

DK
Vice President at Arisglobal Software Pvt Ltd
Real User
Very good technical support, good vulnerability protection upgrades, and rich in features

What is our primary use case?

We are using it for static security scanning and static security testing. We also use it for code dependency analysis. We use two of the solution's tools for each variable.

Pros and Cons

  • "The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
  • "In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."

What other advice do I have?

We're just a customer. We don't have a special relationship with the company. I would definitely recommend Checkmarx, I find them much more feature-rich than other tools I've used in the past. I'd rate the solution eight out of ten.

Cuneyt KALPAKOGLU, PhD
Founder & Chairman at Endpoint-labs Cyber Security R&D
Real User
Top 5 Leaderboard
The flexibility in regards to finding false-positives and false-negatives is amazing

What is our primary use case?

I am the founder and the chairman of an internationally certified cybersecurity research lab. I have a Ph.D. in cryptology and network security. We are a strategic partner of Checkmarx. Our job is to help them develop solutions. Currently, we are developing some algorithms and strategic solutions for them. Checkmarx informs us about what is happening, in advance, before they launch a product. We are also one of their testers.

Pros and Cons

  • "From my point of view, it is the best product on the market."
  • "Micro-services need to be included in the next release."

What other advice do I have?

If you wish to purchase Checkmarx, you should scan the same source code with a different product, compare them to their competition, and make a decision. This way, you can see the difference and understand the benefits of Checkmarx. Test and scan some lines of code in any programming language you wish, then do the same with a competitor. Checkmarx will produce far fewer false-positives compared to any other solution on the market. Other solutions will produce roughly 900 false-positives whereas Checkmarx will cut that number in half. I am not trying to sell this product to you, this is simply…

AS
Technical Lead at a tech services company with 1,001-5,000 employees
Real User
User friendly with a good interface and excellent at detecting vulnerabilities

What is our primary use case?

We use this solution to check our systems for any vulnerabilities in our applications. Currently, I'm working on a banking tool, which is aligned with the menu. Our system was created 30 years ago and still is running in the market and doing well. However, currently, there are so many changes happening. Any solution coming into the technology needs to have a security check to ensure everything is safe.

Pros and Cons

  • "The user interface is excellent. It's very user friendly."
  • "The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."

What other advice do I have?

I don't recall the exact version of the solution we are using. I would recommend the solution. I'd rate it eight out of ten.

MG
Senior Manager at a manufacturing company with 10,001+ employees
Real User
Top 20
A stable solution for identifying security vulnerabilities but needs functionalities for identifying the run-time null values and doing static and dynamic code validation

What is our primary use case?

We use Checkmarx for security vulnerability identification. We are using its latest version. We have a license to upgrade to the latest version. Whenever there is a new version, we update it to the latest version.

Pros and Cons

  • "The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
  • "We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."

What other advice do I have?

Even though we run it manually, it captures most of the things. We decided to go with Checkmarx two years ago, and we are continuing with it. I would rate Checkmarx a seven out of ten. There are a few things that can be improved in this solution.

TD
General Manager at a consultancy with 51-200 employees
Real User
Top 5
Intuitive interface, easy to set up, and saves us money by finding problems at an early stage

What is our primary use case?

We use Checkmarx for static analysis as part of our software development lifecycle. It is very important because it helps us identify the security flaws in the code at a very early stage. Ultimately, this helps in reducing costs.

Pros and Cons

  • "The UI is very intuitive and simple to use."
  • "Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."

What other advice do I have?

Checkmarx is probably one of the best static code analyzers available in the market at this point. It is very easy to deploy, use, and maintain. The amount of maintenance required is pretty low. It is absolutely a good tool that I can recommend. Checkmarx has added a lot of functionality since we began using it. This includes OSA, the open-source scan, a training module, and run-time protection. For static code analysis, we are only using Checkmarx and we plan to continue. I would rate this solution a nine out of ten.

VD
Sr. Application Security Manager at a tech services company with 201-500 employees
Real User
Top 5 Leaderboard
Good interface and reporting capability, and it integrates well with other products

What is our primary use case?

I am in charge of application security and Checkmarx is one of the products that I use in this capacity. We use this product for code scanning and static code analysis.

Pros and Cons

  • "The user interface is modern and nice to use."
  • "If it is a very large code base then we have a problem where we cannot scan it."

What other advice do I have?

In summary, this is a good application that you can use to scan every code language. You can configure the scan because they provide the Checkmarx query language. These queries are very good and very flexible. It requires a knowledge of this language but you can reach and deal with it using most languages. I would rate this solution an eight out of ten.

MC
Director at a tech services company with 11-50 employees
Reseller
Top 20
Good features, good support, fair price, and good ability to deliver what customers require

What is our primary use case?

We're selling their licenses and their technologies. We have on-premises and cloud deployments. Its deployment depends on the customer requirements. It is used for a range of requirements for DevSecOps. It has been deployed to ensure that the development cycle delivers clean and secure code that is vulnerability-free. It is there as a part of the whole compliance and security process.

Pros and Cons

  • "The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
  • "There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."

What other advice do I have?

They're a very good company to work with, and that's a very important aspect of any technology these days. You could find very nice technologies, but if the company is not good to work with, it could be of no use. You'll not be able to get it deployed, and you'll not get assistance. You will get bad value for good technology. Checkmarx is a nice, pleasant, and relatively easy company to work with. You will get a good return, and you will get a good partnership and relationship working with them. I would rate Checkmarx an eight out of ten.