We just raised a $30M Series A: Read our story

Checkmarx OverviewUNIXBusinessApplication

Checkmarx is #2 ranked solution in AST tools and #6 ranked solution in application security tools. IT Central Station users give Checkmarx an average rating of 8 out of 10. Checkmarx is most commonly compared to SonarQube:Checkmarx vs SonarQube. Checkmarx is popular among the large enterprise segment, accounting for 56% of users researching this solution on IT Central Station. The top industry researching this solution are professionals from a computer software company, accounting for 29% of all views.
What is Checkmarx?

Checkmarx CxSAST is a highly accurate and flexible Static Code Analysis product that allows organizations to automatically scan un-compiled / un-built code and identify hundreds of security vulnerabilities in all major coding languages. CxSAST is available as a standalone product and can be effectively integrated into the Software Development Lifecycle (SDLC) to streamline detection and remediation. CxSAST can be deployed on-premise in a private data center or hosted via a public cloud.

Whitepaper: I, II

Checkmarx Buyer's Guide

Download the Checkmarx Buyer's Guide including reviews and more. Updated: November 2021

Checkmarx Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech

Case Study: Liveperson Implements Innovative Secure SDLC

Checkmarx Video

Pricing Advice

What users are saying about Checkmarx pricing:
  • "This solution is expensive. The customized package allows you to buy additional users at any time."
  • "It's relatively expensive."
  • "The interface used to create custom rules comes at an additional cost."
  • "Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."

Checkmarx Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
MM
CEO at a tech services company with 11-50 employees
Real User
Top 5Leaderboard
Easy interface that is user friendly, quick scanning, and good technical support

Pros and Cons

  • "The most valuable features are the easy to understand interface, and it 's very user-friendly."
  • "We have received some feedback from our customers who are receiving a large number of false positives."

What is our primary use case?

The primary use case is for a white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level. 

We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have.

The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.

What is most valuable?

The most valuable features are the easy to understand interface, and it 's very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan.

We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project.

The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.

What needs improvement?

Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improve the combination of the two solutions. 

Both are good, but ISAT (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results.

We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation.

There are several levels and they are mapped to the different languages and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training. 

Also, they will want to add their own content to this solution.

I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.

For how long have I used the solution?

I have been using this solution since 2015.

What do I think about the stability of the solution?

This solution is stable and we have not had bugs or glitches. If it is set up according to the instructions, there will be no negative feedback from the customers.

The platform has regular updates.

What do I think about the scalability of the solution?

This solution is scalable, but it depends on the package you have purchased as some do not allow you to expand. 

How are customer service and technical support?

They have a great support team, and they can help you tune a solution. For our country, it is very important that they have Russian speaking support engineers and to have a quick response.

Also, they have a very good knowledge base. The resources are public on the Checkmarx website and they have good instructions and regulations on how you should tune the solution. It shows you where you can download the plug-ins, how to do it, and explains how they should be integrated.

Which solution did I use previously and why did I switch?

We have some experience with HPP AppScan, and with SonarQube. We started with a trial and felt that Checkmarx was the best.

How was the initial setup?

The initial setup is pretty simple, it's no problem to start using Checkmarx. It's a very good approach if you compare it with competitors.

It only takes a few hours to tune your Checkmarx solution. You may need more time for deeper integration when it comes to DLC integration, for example, when using plug-in build management, such as Jenkins. 

If you are scanning and you have the source code then you are good to start scanning in a few hours. Three to four hours is required for tasks done in source code.

We have one or two engineers who can work with the solution.

For some of our customers have more than 100 developers and a DevOps team.

What's my experience with pricing, setup cost, and licensing?

This solution is expensive.

The customized package allows you to buy additional users at any time.

You could advise the vendor that you are in need of some more resources, and they can send you a trial license which lets you pay later. In the meantime, you can start working with the trial license.

They have subscriptions for licenses, but this is confidential information and I cannot share the price as per our non-disclosure agreement.

If you purchase a typical package then it is clear licensing with no hidden payments. You can add integration services for Checkmarx if you needed to, but it's optional.

The hardware is on the customer site. It could be virtual, or a physical server, or even cloud-based. You can choose what you want to use and there are still no hidden fees. Licensing and policy are clear.

What other advice do I have?

We are resellers but we are also users of this product when we need to check source code because our main business activity is security assessments, not reselling.

We have many customers who have purchased this solution from our company. One of them is Softcell, a Ukrainian company.

With our approach, we need to find a way to reduce false positives. We don't have great resources to do this work long-term, and we need quick results. There are some projects that have a lot of false positives but we can reduce them by tuning during the scanning. 

Some of our customers like the Codebashing model. It's an additional model for learning for security practice for developers. They ask for additional tests to this model and want to receive the functionality to check the knowledge.

When you receive your product, you should start with testing and understand how it works according to your environment. This includes the language and what framework to choose because it is not a simple solution. You should understand that you should tune it.

The most effective approach is to implement SAST into the SDLC, (software development life cycle).

You should regularly check your source code, and check your security before every release. For infrastructure, security testing is not enough. There are several applications and static source code security is a must.

You should choose Checkmarx SAST for security checks and try to optimize it's build management or source code repository.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
DK
Vice President at Arisglobal Software Pvt Ltd
Real User
Top 20
Very good technical support, good vulnerability protection upgrades, and rich in features

Pros and Cons

  • "The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
  • "In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."

What is our primary use case?

We are using it for static security scanning and static security testing. We also use it for code dependency analysis. We use two of the solution's tools for each variable.

What is most valuable?

The support the solution offers is very good. When we were evaluating tools, they were extremely helpful. They're always available and they always respond back to any queries.

The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database. I am able to be assured that when I am scanning my product those vulnerabilities are identified at very initial stages. It gives my development team more time to react.

What needs improvement?

The particular way the tool works for the scanning at the IDE level, is very expensive. It makes it very expensive to deploy this tool on to multiple different developers' machines. Right now, the way it scans, the request is raised to the IDE of the developer but then the actual scanning gets done in the centralized scan server. This increases the load on the scanning server and that will make it difficult to use Checkmarx at the developer end. That forces me to look for another solution for implementing at the developer IDE level. I would strongly recommend Checkmarx relook into their approach. 

From a technical point of view, it's better to integrate with other systems within my ecosystem. For example, when I'm connecting Checkmarx with my DevSecOps pipeline and then wiring Checkmarx with other security systems as well as the pipeline (and my defect management system), it provides the connectivity to some of the tools, but there are tools which are excluded. It would be nice if they were added to the solution itself, otherwise, it requires us to do custom development.

In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now. I would recommend much more flexibility in terms of dashboarding to help us customize more effectively.

Their licensing model is rigid and difficult to navigate.

For how long have I used the solution?

I haven't been dealing with the solution for that long. We've only used it for one quarter - about three months.

What do I think about the scalability of the solution?

Their licensing fees are rigid and this causes two main issues. One is a restriction in terms of scaling the product at an enterprise level. The number of licenses required for a sizable business is just too large. The solution forces a user to apply for the licenses not directly to the software and the software products are defined in a curious way. For that reason, I wouldn't say it's great at scaling.

How are customer service and technical support?

So far, technical support at the initial level has been decent. We paid for their protection services, and, the protection tool is definitely very expensive. However, with the price tag comes more support and service. 

We'll have to see in the coming quarters once the protection services end if the support will continue to be at such a high level of attention.  

Which solution did I use previously and why did I switch?

We were using IBM AppScan. Checkmarx is much better than that particular tool. It has more functionality and offers much more support to its users than IBM.

How was the initial setup?

It took about two to three days to deploy a basic portion of the solution. However, it takes more time in terms of configuring and fine-tuning the product so that it's useable. I would say it took us about two to three weeks of configuring before we could start our initial scans.

What about the implementation team?

We bought that separate service from Checkmarx to help us out in terms of deploying and configuring the products.

What's my experience with pricing, setup cost, and licensing?

This solution is definitely one of the more expensive tools. However, if I'm able to get value out of using it, I don't mind paying. 

They have protection services costs that are separate from the main license.

There are multiple components that are part of the product suite and there are different license costs for each of those components. Sometimes it can be a little difficult to understand. There are a lot of components an individual will need to buy to cover an organization's needs. It really should be more transparent and flexible. Their licensing model as of today is quite rigid. 

What other advice do I have?

We're just a customer. We don't have a special relationship with the company.

I would definitely recommend Checkmarx, I find them much more feature-rich than other tools I've used in the past. 

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about Checkmarx. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
552,695 professionals have used our research since 2012.
Cuneyt KALPAKOGLU Phd.
Founder & Chairman at Endpoint-labs Cyber Security R&D
Real User
Top 5Leaderboard
The flexibility in regards to finding false-positives and false-negatives is amazing

Pros and Cons

  • "From my point of view, it is the best product on the market."
  • "Micro-services need to be included in the next release."

What is our primary use case?

I am the founder and the chairman of an internationally certified cybersecurity research lab. I have a Ph.D. in cryptology and network security.

We are a strategic partner of Checkmarx. Our job is to help them develop solutions. Currently, we are developing some algorithms and strategic solutions for them. Checkmarx informs us about what is happening, in advance, before they launch a product. We are also one of their testers.

What is most valuable?

Aside from my occupation, I am an academic. Because of our status, we test products as well as their competition, for example, we45, AppScan, SonarQube, etc. I have to point out, from an academic and business point of view, there is a very serious competitive advantage to using Checkmarx. Even if there are multiple vulnerabilities in the source coding, Checkmarx is able to identify which lines need to be corrected and then proceeds to automatically remediate the situation. This is an outstanding advantage that none of the competition offers. 

The flexibility in regards to finding false-positives and false-negatives is amazing. Checkmarx can easily manage false-positives and negatives. You don't need to generate an additional platform if you would like to scan a mobile application from iOS or Android. With a single license, you are able to scan and test every platform. This is not possible with other competitive products. For instance, say you are using we45 — if you would like to scan an iOS application, you would have to generate an iOS platform first. With Checkmarx you don't need to do anything — take the source code, scan it and you're good to go. Last but not least, the incremental scanning capabilities are a mission-critical feature for developers. 

Also, the API and integrations are both very flexible.


What needs improvement?

Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world.

Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.

For how long have I used the solution?

I have been using Checkmarx for six years.

What do I think about the stability of the solution?

Checkmarx is stable. We investigate the stability of the competition as well. From my point of view, it is the best product on the market. It's relatively expensive, but it's the best product. Keep in mind, this is not my private comment. I respect the comments, results, and the statistics of Gartner and these are their findings.

What do I think about the scalability of the solution?

Checkmarx has been selected as the front-runner by Gartner for the third year in a row — you bet it's scalable.

How are customer service and technical support?

We give technical support in our territory; Checkmarx's technical support is also quite good. If you open a ticket with a question, they'll reply the same day.

How was the initial setup?

The initial setup is not complex at all, it's straightforward and robust. If you decide to use Checkmarx, you'll be ready to go in one day.

What other advice do I have?

If you wish to purchase Checkmarx, you should scan the same source code with a different product, compare them to their competition, and make a decision. This way, you can see the difference and understand the benefits of Checkmarx. Test and scan some lines of code in any programming language you wish, then do the same with a competitor. Checkmarx will produce far fewer false-positives compared to any other solution on the market. Other solutions will produce roughly 900 false-positives whereas Checkmarx will cut that number in half. I am not trying to sell this product to you, this is simply the reality of it.

From the technological side, I would give this solution a rating of ten. From a commercial aspect, because it's relatively expensive, I would give it a rating of eight. Overall, because I must choose one number between one and ten, I will give Checkmarx a rating of ten.

Day by day, they are improving this product. For example, one of the most important features missing was open sources, which they have now added. They were also missing code training facilities, but they have added those as well. They have a complimentary product now.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
AS
Technical Lead at a tech services company with 1,001-5,000 employees
Real User
User friendly with a good interface and excellent at detecting vulnerabilities

Pros and Cons

  • "The user interface is excellent. It's very user friendly."
  • "The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."

What is our primary use case?

We use this solution to check our systems for any vulnerabilities in our applications. Currently, I'm working on a banking tool, which is aligned with the menu. Our system was created 30 years ago and still is running in the market and doing well. However, currently, there are so many changes happening. Any solution coming into the technology needs to have a security check to ensure everything is safe. 

What is most valuable?

The reporting on the solution is very good. The reports we get are very self-explanatory. They aren't complex or confusing. They will tell us if we are facing vulnerabilities and where. From the reporting, it's quite easy to find the problems and fix them.

The solution overall is very good at detecting and pinpointing vulnerabilities in the code.

The user interface is excellent. It's very user friendly.

The solution offers good training documentation so we know how to handle problems as they arise.

What needs improvement?

Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made.

The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.

For how long have I used the solution?

I've only been using the solution for three months. It hasn't been too long yet. I'm new to the position. My organization, however, has been using the solution for quite a while.

What do I think about the scalability of the solution?

We have different team members on the solution in the UK and India. It's only available to those directly involved in the security aspects of our company.

How are customer service and technical support?

We have our own in-house team that manages a lot of issues that may come up on the solution. 

The thing is, security is a major concern for us. We cannot exactly contact their team about a lot of things as we do have process guidelines and we need to follow these processes if we run into issues. If we have problems, we have an expert that can sit right next to us and figure out a solution. This helps us better manage the tool and the security surrounding it, rather than, for example, calling up the company and having a random help desk technician try and assist us.

How was the initial setup?

For our purposes, the initial set up was not complex. It was fairly easy to plug the solution into our build processes and pipelines. We haven't had any issues with configurations or anything like that. It's been very straightforward.

The deployment is very fast and only takes about 15 minutes or so.

We manage the solution ourselves. However, if I personally want to access it, I do need to contact specific team members. Only specific individuals have access. It's not accessible to everyone in the organization. 

What about the implementation team?

A specific team in our organization handled the initial setup and holds the license for the product.

Which other solutions did I evaluate?

I've looked at SonarQube. The basic difference between the two solutions is that Checkmarx is a bit more intelligent and can detect vulnerabilities better and faster than SonarQube. SonarQube is more focused on code and style formatting or code complexity. It depends on the priorities of the organization, as each has its own unique benefits.

What other advice do I have?

I don't recall the exact version of the solution we are using.

I would recommend the solution. I'd rate it eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MG
Senior Manager at a manufacturing company with 10,001+ employees
Real User
A stable solution for identifying security vulnerabilities but needs functionalities for identifying the run-time null values and doing static and dynamic code validation

Pros and Cons

  • "The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
  • "We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."

What is our primary use case?

We use Checkmarx for security vulnerability identification. We are using its latest version. We have a license to upgrade to the latest version. Whenever there is a new version, we update it to the latest version.

What is most valuable?

The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking.

What needs improvement?

We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code.

The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything.

For how long have I used the solution?

I have been using this solution for two years. 

What do I think about the stability of the solution?

Its stability is okay.

How are customer service and technical support?

We don't directly deal with the Checkmarx technical team. There is a support group available for that, and they work with the Checkmarx team. When we have any issues, we directly call our internal team, and they call the Checkmarx team. They get back to us pretty quickly. The response is very quick. There is no problem.

How was the initial setup?

The initial setup was easy. Our project was quite big, and it took a bit longer. It took almost six hours. We could not do it as CI/CD pipeline because the pipeline expects a response in a short span of time, which was a challenge for us. We are now doing the Checkmarx review manually. We first run the code analysis, and, after the code analysis is over, we go for the pipeline. This is an overhead for us. 

It would be helpful if they can improve the speed of the analysis rate. We also need to find out from our side if there is a way to increase the wait time of the CI/CD pipeline and modify the timeout limit. It would then take 30 minutes to one hour rather than five or six hours. We should be able to adjust the timeout time, change the CI/CD settings, and go ahead with the integrated process. Currently, we cannot have an integrated system, and we also have to move from one script to the next script manually.

What other advice do I have?

Even though we run it manually, it captures most of the things. We decided to go with Checkmarx two years ago, and we are continuing with it. 

I would rate Checkmarx a seven out of ten. There are a few things that can be improved in this solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
TD
General Manager at a consultancy with 51-200 employees
Real User
Top 5
Intuitive interface, easy to set up, and saves us money by finding problems at an early stage

Pros and Cons

  • "The UI is very intuitive and simple to use."
  • "Creating and editing custom rules in Checkmarx is difficult because the license for the editor comes at an additional cost, and there is a steep learning curve."

What is our primary use case?

We use Checkmarx for static analysis as part of our software development lifecycle. It is very important because it helps us identify the security flaws in the code at a very early stage. Ultimately, this helps in reducing costs.

What is most valuable?

The UI is very intuitive and simple to use. You don't need to know anything about the product before you being working with it.

The interface used to audit issues is also simple to use.

Compared to similar products, the code scanning time is fast.

What needs improvement?

Most the the static analysers come with pre-loaded rulesets. However, many times developers have to write their own custom rules. Writing custom rules in Checkmark is difficult because you need a different editor which is licensed separately. Besides not much training material is available on how to write the rules. 

For how long have I used the solution?

We have been using Checkmarx for almost four years.

What do I think about the stability of the solution?

It is pretty stable and we have not had any issues. We have a monitoring team that monitors the health of our infrastructure and we are alerted to any problems.

What do I think about the scalability of the solution?

We were able to scale easily and did not have any issues in doing so. At this team, we have between 70 and 80 applications that we are scanning with it.

How are customer service and technical support?

We have contacted technical support a couple of times and the issues were addressed in a timely manner.

Which solution did I use previously and why did I switch?

We have used other products and found that you have to spend considerable time fine-tuning the scanning engine. With Checkmarx, it is a lot less and I would say that this is one of the significant differences with this solution.

The maintenance in terms of running the scans and fine-tuning the scans is very low.

On the other hand, we have used other tools where writing custom rules is not so difficult to do.

How was the initial setup?

Checkmarx is pretty straightforward and very easy to set up.

What about the implementation team?

Our in-house team deployed and manages this product. I have one person who handles all of it, and the deployment can be completed within a day or two. As long as the infrastructure is ready, it can be done within a day.

What was our ROI?

Checkmarx helps us to find problems with source code at an early stage in the development, which saves us in terms of troubleshooting costs.

What's my experience with pricing, setup cost, and licensing?

The interface used to create custom rules comes at an additional cost.

What other advice do I have?

Checkmarx is probably one of the best static code analyzers available in the market at this point. It is very easy to deploy, use, and maintain. The amount of maintenance required is pretty low. It is absolutely a good tool that I can recommend.

Checkmarx has added a lot of functionality since we began using it. This includes OSA, the open-source scan, a training module, and run-time protection.

For static code analysis, we are only using Checkmarx and we plan to continue. 

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
VD
Sr. Application Security Manager at a tech services company with 201-500 employees
Real User
Top 5Leaderboard
Good interface and reporting capability, and it integrates well with other products

Pros and Cons

  • "The user interface is modern and nice to use."
  • "If it is a very large code base then we have a problem where we cannot scan it."

What is our primary use case?

I am in charge of application security and Checkmarx is one of the products that I use in this capacity. We use this product for code scanning and static code analysis.

What is most valuable?

The user interface is modern and nice to use.

This product has very good reports.

Checkmarx integrates with a lot of different tools such as BitBucket and Jira.

There is good coverage for different languages.

What needs improvement?

I think that the configuration is a bit difficult and we required support from Checkmarx to complete it (there are a lot of manual, not documented configurations should be done, like direct changes in a Database for example).  This is the case, at least, if you are using the on-premises version. From my point of view, the configuration should be improved.

If it is a very large code base then we have a problem where we cannot scan it (if more then ~ 30 mb zip file provided - scan is crashes or takes a lot of time) . It seems to me that they have a problem with the number of code line scans.

In the future, I would like to see Checkmarx support a combination of dynamic and static code scanning (IAST)

For how long have I used the solution?

I have been working with Checkmarx for about five months.

What do I think about the stability of the solution?

It works fine but if you have a file that is too big to scan then it takes a lot of time to run and sometimes crashes.

There is a problem with the memory, and scanning a large codebase should be done by dividing it into different files. For microservices with a small number of lines of code, it works well well. On the other hand, scanning a legacy solution such as a big monolith with millions of lines of code in it has been a problem. We need to make certain modifications to the files before we can upload them to the scan.

What do I think about the scalability of the solution?

We have 80 users who are using Checkmarx.

How are customer service and technical support?

They have very good technical support and we haven't had a problem with them. If you have a problem that you cannot handle on your own or you need to configure this product then you should have technical support.

How was the initial setup?

The basic installation is easy for us but in our case, we had some additional configuration that had to be done to access our documents on the server. We were not able to complete it without help from Checkmarx because there are a lot of configuration options, and we had to make manual changes to the database as well. 

What other advice do I have?

In summary, this is a good application that you can use to scan every code language. You can configure the scan because they provide the Checkmarx query language. These queries are very good and very flexible. It requires a knowledge of this language but you can reach and deal with it using most languages.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MC
Director at a tech services company with 11-50 employees
Reseller
Top 20
Good features, good support, fair price, and good ability to deliver what customers require

Pros and Cons

  • "The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important."
  • "There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver."

What is our primary use case?

We're selling their licenses and their technologies. We have on-premises and cloud deployments. Its deployment depends on the customer requirements. 

It is used for a range of requirements for DevSecOps. It has been deployed to ensure that the development cycle delivers clean and secure code that is vulnerability-free. It is there as a part of the whole compliance and security process.

What is most valuable?

The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require is very important. 

What needs improvement?

There is nothing particular that I don't like in this solution. It can have more integrations, but the integrations that we would like are in the roadmap anyway, and they just need to deliver the roadmap. What I like about the roadmap is that it is going where it needs to go. If I were to look at the roadmap, there is nothing that is jumping out there that says to me, "Yeah. I'd like something else on the roadmap." What they're looking to deliver is what I would expect and forecast them to deliver.

For how long have I used the solution?

I have been using this solution for two years.

What do I think about the scalability of the solution?

Our customers are completely comfortable with the scalability of the technologies. They can deploy them initially in a relatively straightforward manner and then grow them into their organization quite successfully. We primarily have large customers.

How are customer service and technical support?

Our team works with them. Their sales engineering team as well as their pre-sales capabilities are very good. They're clear. They work, and they're available, which is good. It is somewhat unusual in this business.

How was the initial setup?

It depends on different technologies, but it is reasonably quite straightforward.

What's my experience with pricing, setup cost, and licensing?

Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive.

What other advice do I have?

They're a very good company to work with, and that's a very important aspect of any technology these days. You could find very nice technologies, but if the company is not good to work with, it could be of no use. You'll not be able to get it deployed, and you'll not get assistance. You will get bad value for good technology. Checkmarx is a nice, pleasant, and relatively easy company to work with. You will get a good return, and you will get a good partnership and relationship working with them.

I would rate Checkmarx an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Buyer's Guide
Download our free Checkmarx Report and get advice and tips from experienced pros sharing their opinions.