Checkmarx One

I am a partner of the vendor, and I can say that one of the clients with whom I am working has bought the licenses for Checkmarx One , and we are actually doing the security scans of their whole application base, code base, and everything.

Whatever solutions were provided by, or suggested by, Checkmarx One , we are going through them and implementing them. Some were valid and some were not applicable for us based on the scenario. That is the work experience I have working on Checkmarx One.

My experience with the initial setup of Checkmarx One is straightforward; it is not complex compared to other tools that I have tried.

Checkmarx One was deployed in a hybrid manner because they were scanning their production-based systems and then fixing the code base. It was hybrid, maybe on-premises with them, not completely on cloud.

My clients for Checkmarx One are usually enterprise-sized businesses. I have seen a return on investment from Checkmarx One.

In my opinion, if we are able to extract or show the report, and because everything is going towards agent tech and GenAI, it would be beneficial if it could get integrated with our code base and do the fix automatically.

It could suggest how the code base is written and automatically populate the source code with three different solution options to choose from. This would be really helpful.

I would rate the stability of this solution a nine on a scale of 1 to 10 where one is low stability and 10 is high.

I would rate the scalability of this solution an eight on a scale of 1 to 10, where one is low scalability and 10 is high scalability.

I would rate technical support a nine from 1 to 10, where one is low quality of their technical support and 10 is high quality.

I have seen a return on investment from Checkmarx One.

The price of Checkmarx One should be fine as of now.

I would rate this solution a nine overall, from 1 to 10, where one is the worst solution and 10 is the best solution.

Hybrid Cloud

Other

What do you like best about the product?

Is so user friendly and it is very easy to become familiar with all the numerous features. Although I wasn't around for the implementation, I've found that it is relatively straightforward to integrate further functionality. The Scanning tools (IaC, SAST, SCA, API etc.) are all excellent and provide us with all the staus and visibility that we require. If we ever have issues that can't be resolved the Customer Support team at Checkmarx always are there to help us out.

What do you dislike about the product?

The dahsboards layour and display could be improved.

What problems is the product solving and how is that benefiting you?

Checkmarx is being used mainly for the scanning and checking of code before it makes the journey to the Cloud (AWS). We are using it to look at all the languages and frameworks that we have in our Tech/Data Stack that are incorporated into our IT Landscape. One of the main benefits is that it allows our developers to identify, detect and remediate vulnerabilities at source. It also allows them to edit queries easily and quickly.

I am representing Checkmarx as a reseller. I work with both the cloud and on-premises versions. I have been working with Checkmarx for more than twelve years.

Checkmarx is a must-use product due to the increasing number of cyber-attacks nowadays. The product's quality and performance justify its pricing, making it a worthwhile investment.

Checkmarx offers many valuable features, including Static Application Security Testing (SAST ), Software Composition Analysis (SCA) , Infrastructure as Code  (IAC), Supply Chain Security, and API Security .

The Dynamic Application Security Testing (DAST)  feature should be better. The technical support service could also improve in terms of their response time.

I have been working with Checkmarx since the early days of Checkmarx, which is more than 12 years.

I would rate the stability of Checkmarx at nine out of ten.

Checkmarx is scalable, and I would rate its scalability at nine out of ten.

The customer service and support should be quicker from my point of view. I would rate them eight out of ten.

Positive

I have been working with Checkmarx for over 12 years without switching to a competitor due to Checkmarx being the best product in the market.

The initial setup is straightforward, especially with the cloud version where no deployment is needed. The on-premises version requires some time and depends on the customer's environment.

In typical circumstances, one senior engineer is enough for implementation, but in special cases, maybe two engineers are needed.

Checkmarx is cost-effective. It is a must-use product in today's cyber security environment.

The pricing is relatively expensive due to the product's quality and performance, but it is worth it.

I chose Checkmarx over competitors due to ethical considerations and its superior functionality.

Checkmarx is plug-and-play and the best product in the market at the moment, as evidenced by reports such as Gartner's.

I'd rate the solution nine out of ten.

We have integrated Checkmarx into all the company's development pipelines. We use it to scan more than 4,000 repositories and around 25,000 pipelines. 

The integration is particularly useful as it works directly with several common SCM solutions in the market, such as GitHub  and Bitbucket , and with CI/CD tools like Jenkins  and GoCD . This allows us to register repositories quickly and scan code efficiently in our development process.

Checkmarx helps developers improve the maturity of their coding practices and brings a security mindset to development teams, product managers, and business areas. 

It aids in identifying and mitigating vulnerabilities early in the development cycle, enhancing the overall security posture of the organization.

The most valuable features of Checkmarx are its integration with multiple SCM solutions and CICD tools, its ability to scale according to user licenses, and the quick scanning process. Specifically, the Static Application Security Test (SAST ) and Software Composition Analysis (SCA)  are highly established and useful in identifying numerous vulnerabilities.

Checkmarx needs improvement in its Dynamic Application Security Testing (DAST)  and API security features. The DAST solution uses the OWASP Zap  engine, which is less powerful compared to other market solutions like Fortify's WebInspect . 

Additionally, the API security solution does not provide comprehensive results, and the secret scanning feature also needs enhancement. Furthermore, the container security and infrastructure as code scanning features are not mature enough and require significant improvements.

I have been working with Checkmarx for about two years.

Checkmarx scales very well according to the user licenses. The solution supports concurrent scans based on the number of committers, which is a significant improvement over the previous CXSAST solution that only supported a limited number of simultaneous scans. 

The scans are quick, but the time taken can vary based on the amount of code and the frequency of scans.

The technical support from the vendor is generally good, rated at about 8.5 out of ten. Checkmarx utilizes partners as integrators who offer enterprise support, including a dedicated technical account manager. The support from Checkmarx's team has improved, offering a four-hour SLA and 24/7 availability.

The initial setup is simple and quick due to its SaaS nature. It involves setting up the tenant, registering applications, and integrating with the company's SSO . The integration with CI/CD tools takes a bit more time and effort.

The implementation is typically done with the help of a partner who acts as an integrator and offers enterprise support. This includes the allocation of a dedicated professional as a technical account manager or customer success manager.

Checkmarx provides a good return on investment by preventing breaches and vulnerabilities that could be much more costly. It adds significant value by improving the security practices and mindset across the development lifecycle.

Checkmarx is not a cheap solution. For around 250 users or committers, the cost is approximately $500,000. However, the investment is justified considering the potential costs of security breaches and the benefits of improved security practices.

To achieve better results, consider performing both native integration in the SCM tool and integration using the CI/CD solution. This helps gain visibility into the deployment stages and ensures comprehensive code scanning. I'd rate the solution eight out of ten.

Public Cloud

Other

I use the tool for testing purposes. 

The tool's valuable features include integrating GPT and Copilot. Additionally, the UI web representation is very user-friendly, making navigation easy. GPT has made several improvements to my security code.

I can't create a business case with multiple-factor authentication.

I have been working with the product for two years. 

While support handles tickets and resolves specific issues, such as business cases, it can be frustrating waiting for responses. They often take a lot of time to address cases or provide resolutions.

Neutral

Checkmarx One's deployment is easy. When we deployed it for a new client, it took around a month to complete. This involved setting up all parameters and sub-administrators. Additionally, finalizing the project involved several tasks, such as scanning with all security gates.

We can get a return in six months. 

The tool's pricing is fine. 

I rate the overall product an eight out of ten.