Checkmarx Room for Improvement

Don Robbins
Software Configuration Manager at a tech vendor with 501-1,000 employees
One of the biggest heartaches that we have is that all of our Windows servers are on an automated upgrade. Whenever Windows upgrades, we lose the order of the ciphers and it brings down the Checkmarx webpage. Our company policy is that we upgrade our servers at a minimum of once a month, if not more. It's a hassle to keep up on that. The ciphers are such a pain to manage. To set up a cipher connection, there's a tool out there called IIS Crypto. We just run that tool to set the best practices. It forces us to reboot the server. We haven't figured out how to automate the whole thing yet. There have been some Windows updates that haven't triggered this issue where the ciphers get messed up. The only thing we're running is TLS2. At that higher level, everything is just a pain.

All of our servers are built out through code. In other words, we use Ansible and Jenkins to automatically create machines. Everything is virtual these days. It's either virtual in-house or virtual in the cloud. The issue with Checkmarx is the next pain point, i.e., their installation procedure is GUI-based. They've got a command line for upgrades. I haven't seen the command line for the initial install.

My last statement on Checkmarx is that Windows would not be my choice for any kind of server implementation. I'm not a Windows fan at all. Every other tool in our company is Linux-based and our target systems are Linux as well. I don't have the experience and the knowledge of working on a Windows system compared to my Linux knowledge. Checkmarx being Windows-only is a hindrance as well. Another problem is: why can't I choose PostgreSQL? I would like to have an additional feature added to the product to support either PostgreSQL or MySQL. Those are the two free databases that are enterprise-ready.
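The cipher-order drift the reviewer describes can be caught and corrected from the same Ansible/Jenkins pipeline that applies the Windows updates. The PowerShell below is an added example, not code from the review, from Checkmarx or from IIS Crypto: it reads the effective Schannel cipher-suite order, compares the head of the list against a baseline, rewrites the group-policy cipher-suite key that IIS Crypto also uses if the order has drifted, and otherwise confirms the portal still answers over TLS. The baseline suites, the portal URL and the exit code 3 used to signal "reboot needed" are assumptions; substitute the order your IIS Crypto template writes and your real Checkmarx hostname.

```powershell
# Added example, not from the review or from Checkmarx: check the Schannel
# cipher-suite order on a Windows web server after a Windows update and
# restore a baseline if it has drifted. Run as Administrator from the
# Ansible/Jenkins step that patches the server.
# $Baseline and $SiteUrl are assumptions; replace them with the order your
# IIS Crypto template writes and with the real Checkmarx portal URL.

$Baseline = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)
$SiteUrl = 'https://checkmarx.example.internal/CxWebClient/'   # assumed hostname

# Policy key holding the cipher-suite priority list Schannel honours (the
# same key IIS Crypto writes). The REG_SZ value 'Functions' is a
# comma-separated list, highest priority first.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-EffectiveCipherOrder {
    # Get-TlsCipherSuite (TLS module, Windows Server 2016+) returns suites in
    # the order Schannel will offer and accept them.
    return @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
}

function Test-CipherOrderDrift {
    param([string[]]$Expected)
    $current = Get-EffectiveCipherOrder
    # The baseline must appear at the head of the list, in the same order.
    $head = @($current | Select-Object -First $Expected.Count)
    return (($head -join ',') -ne ($Expected -join ','))
}

function Set-CipherOrderBaseline {
    param([string[]]$Expected)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'Functions' -PropertyType String `
        -Value ($Expected -join ',') -Force | Out-Null
}

function Test-PortalTls {
    param([string]$Url)
    # A failed handshake (for example no cipher suite in common) surfaces as
    # an exception from Invoke-WebRequest.
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return $true
    } catch {
        Write-Warning "TLS/HTTP check against $Url failed: $($_.Exception.Message)"
        return $false
    }
}

if (Test-CipherOrderDrift -Expected $Baseline) {
    Write-Host 'Cipher-suite order has drifted from baseline; restoring it.'
    Set-CipherOrderBaseline -Expected $Baseline
    # Schannel reads the policy key at boot, so signal the pipeline to reboot
    # (exit 3 is an arbitrary code for the Ansible/Jenkins step to key on).
    exit 3
}

if (Test-PortalTls -Url $SiteUrl) {
    Write-Host 'Cipher order matches baseline and the portal answers over TLS.'
    exit 0
}
exit 1
```

Wiring this in as a post-update task lets the pipeline reboot only when the order actually changed, which is the case the reviewer reports as intermittent, rather than after every monthly patch run.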
Milind Dharmadhikari
Practice Head - IT Risk & Security Management Services at Suma Soft Private Limited
The reports are good, but they still need to be improved considering what the UI offers. For example, the UI will suggest the "best-fix location", whereas this information is not captured in the reports.
Director and Co-Founder at Ushiro-tec
Checkmarx could probably do something to improve their license model. If you have a small company, or if you have a small team with just one or two applications, the entry-level price is too high for such a company. You can find all the solutions offered by Checkmarx through other solutions providers. That is why this type of company needs to be more flexible.

In this space, you have a security code and also you have a quality code. It is totally different in terms of investment. In terms of functionality, there are a lot of differences between the various competing products. With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too. The problem with Checkmarx lies with the pricing and licensing, not the product itself. The product is very good.
Find out what your peers are saying about Checkmarx, SonarQube, Micro Focus and others in Application Security. Updated: February 2020.
397,408 professionals have used our research since 2012.
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
It would be really helpful if the level of confidence was included, with respect to identified issues. Some competitors have this feature, and it helps a lot to concentrate on the real findings.
Ankur Sood
Technical Architect at a tech services company with 1,001-5,000 employees
It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use.
James Barwick
Principal Software Engineer at a comms service provider with 10,001+ employees
Dynamic testing. If it had that feature, I would have liked to see more consideration of framework validations that we don't have to duplicate. These flags are false positives.