
CheckMarx has been used as an application to scan applications to rectify vulnerabilities in the code and to check for security lapses. I have been using CheckMarx to check the same in my .NET application and have found CheckMarx to be of great use. I would like to mention a few good things about the same.
1.) It has support for many languages. In my case it can find the lapses in C#, JavaScript, jQuery, TypeScript.
2.) The description is quite clear about the issues, which makes it easier to understand the problem statement behind the security lapse.
3.) The online community present for CheckMarx is quite good, which makes it easier to find the resolution.
Review collected by and hosted on G2.com.
Even though CheckMarx is quite helpful for checking the security threats in the application code, there are a few things which can be improved by the CheckMarx team to make it more useful and efficient.
1.) There are many false positives, which increase the number of issues, which in turn are required to be marked as non-exploitable.
2.) The per-user cost of a CheckMarx subscription is high, which makes it difficult for a small organisation to own it completely.
I like the way that the Checkmarx report provides a detailed account of all potential vulnerabilities and then provides examples of how the issue can be fixed. This is very helpful when it comes to trying to resolve all issues.
As with anything automated, some issues that are found are just non-issues. We use several different security gating products like Checkmarx and I would say that it is less often incorrect than the others.
Results are pretty good with CheckMarx. This tool is helpful for building secure source code. The CheckMarx scan report gives a detailed view of each issue, and a flowchart is given for the variables which might cause a security threat. Code scanning is fast.
Sometimes reports generated by the CheckMarx scan contain a lot of false positive issues even though the code is designed in a way that ensures security. This decreases the readability of the reports.
Our choice of Checkmarx as a static code audit tool was made after long reflection. The richness in terms of languages and the customization of the presets were determining factors. We were accompanied at first by a very competent editor team. Today, the use of the tool is unavoidable. We use it both as an integrated tool in our IDEs and also when building in our continuous integration platform. It is also in the hands of the security team to audit code delivered by an external service provider.
We also appreciate the possibility of modifying rules, and also creating new ones, to eliminate false positives.
The tool is also rich in terms of indicators and charts. It provides a dashboard that makes it easy to track application risk level scores over time and provides management with comprehensive reports. The details of the vulnerabilities detected and the description of the corrections allow the development teams to correct the vulnerabilities and also to learn about secure coding.
At each audit, the number of false positives is high, but this is a defect specific to SAST tools. Knowledge of the business specifics of the application is necessary to personalize the presets to eliminate false positives.
This tool is a step in the security audit process; it must be complemented by DAST and IAST audits.
This is an excellent tool to write secure code and follow best practices. I like that it gives a detailed overview of the issue in your static code and also provides ways to solve it. It attributes a risk profile to each issue, and this way you can solve the ones with high priority first.
The document generated can sometimes be too verbose and you can lose track of what issues to solve. Sometimes even if you have solved all the issues, re-running the report does not ensure a count of zero.
The tool uses your credentials to generate a report, and that report is very comprehensive yet very easy to understand; it makes it very easy to solve potential security issues.
The report generated by CheckMarx always contains a lot of false positives or duplicated positives, making it bigger than it should be, although to be fair it would not be easy to develop a tool that analyses code so thoroughly without displaying a fair amount of duplicates.
We use this tool to scan our code for vulnerabilities. It is a great tool because it can be run against our code base and it lists out the vulnerabilities. This has reduced our time for manual code reviews quite a bit. Also, it helps us set a code quality standard. We have implemented this as part of our software development cycle. The new developers that come on board can look at previous scans and learn our coding standards and follow that as part of our coding policy.
There can be many false positives. Since the tool is automated it doesn't understand some of the code logic and why it was written in a certain way.
We used the tool to find security flaws in our software; it helped us to find cross-site scripting bugs in an easy way.
When we integrate with Jenkins, the report sent by CheckMarx is not easily readable.
Easy installation and rollout; it performs thorough scans across most, if not all, languages.
The work layout requires a full screen, and like four windows. It's not something you can do passively because it takes the whole screen.
Reviews APEX code, and most security/code scanners do not.
Results take a few minutes to return; not a huge issue, but if you are in a time crunch you never know when they will arrive :)
Checkmarx has a lot of pros: easy to deploy, integrates well in the SDLC, broad coverage of language support.
A very high number of false positives takes a long time to triage.
I was working on a project for Salesforce and needed to test my code, and running CheckMarx against the code helped me get my development done faster and done right.
The specific documentation for APEX is a little hard to parse, but it helps point out where you need to look.