CheckMarx Reviews

Our choice of Checkmarx as a static code audit tool was done after a long reflection. the richness in terms of languages and the customization of the presets were determinents. We were accompanied at first by a very competent editor team. Today, the use of the tool is unavoidable. We use it both as an integrated tool in our IDEs but also when building in our continuous integration platform. He is also at the hand of the security team to audit code delivered by an external service provider.

We also appreciate the possibility of modifying but also creating new rules to eliminate false positives.

The tool is also rich in terms of indicators and charts. it provides a dashboard that makes it easy to track application risk level scores over time and provides management with comprehensive reports. the details of the vulnerabilities detected and the description of the corrections allows the development teams to correct the vulnerabilities but also to learn about the security of the coding.

At each audit, the number of false positives is high. but this is a defect specific to SAST tools. knowledge of the business specificities of the application is necessary to personalize the presets to eliminate false positives.

This tool is a step in the security audit process, it must be completed by DAST and IAST audits.

we highly recommend this tool. We have already recommended the tool at our group level. The cost-effectiveness ratio is interesting.

we use this tool in a bank-insurance information system. Business requirements are high. Checkmarx has helped us improve the maturity of our IT security in order to gain the confidence of our business.

This is an excellent tool to write secure code and follow best practices. i like that it gives a detailed overview of the issue in your static code and also provides ways to solve it. It attributes a risk profile to each issue and this way you can solve the ones with high priority first.

The document generated can sometimes be too verbose and you can loose track of what issues to solve. Sometimes even if you have solved all the issues, re-running the report does not ensure a count of zero.

This works great with Java, you should definitely include this in your technology portfolio

We use this as a code quality indicator, the tool helps us write efficient and secure code, benefits include fewer bugs due to poor quality code.

The tool uses your credentials to generate a report and that report is very comprehensive, yet very easy to understand, it makes very easy to solve potential security issues.

The report generated by CheckMarx always contains a lot of false positives or duplicated positives, making it bigger than it should, although to be fair it would not be easy to develop a tool that analyses code so thoroughly without displaying a fair amount of duplicates.

Performing security reviews of my project's code. It gives the user a comprehensive look into the potential security risks and the explanation of such risks which is helpfull for people like me who is not a security expert.

We use this tool to scan our code for vulnerabilities. It is a great tool because it can be run against our code base and it lists our the vulnerabilities. This has reduced our time for manual code reviews by quite some time. Also, it helps us set code quality standard. We have implemented this as part of our software development cycle. The new developers that come on board can look at previous scans and learn our coding standards and follow that as part of our coding policy.

There can be many false positives. Since the tool is automated it doesn't understand some of the code logic and why it was written in a certain way.

Be aware of false positives. Other than it's a great tool to scan your code base.

It helps us automate the code review process and catches code vulnerabilities. We have saved time on code reviews by running the code against this tool first.

I like the way that the checkmarx report provides a detailed account of al potential vulnerabilities and then provides examples of how the issue can be fixed. This is very helpful when it comes to trying to resolve all issues.

As with anything automated, some issues that are found are just non-issues. We use several different security gating products like Checkmarx and I would say that it is less often incorrect than the others.

It is a good way to catch potential vulnerabilities in your code. With a large code base and many contributors this can be next to impossible if you rely on manual methods (ie. code review).

We are making our application more secure and staying in the know about new threats and vulnerabilities.

Results are pretty good with CheckMarx. This tool is helpful to build secure source code. CheckMarx scan report gives detailed view of each issue and flowchart is given for the variables which might cause security threat. Code scanning is fast.

Sometimes reports generated by the CheckMarx scan contain lot of false positive issues even though code is designed in a way that ensures security. This decreases the readability of the reports.

Great tool designed for security scan.

Sotware application is tested using CheckMarx.

Benefits:

1. Secure code development and best coding practices

2. Possible vulnerabilities and threats identification to assure software quality

3.

Really easy to use and the level of detail you can access is amazing.

The Cost, it is not cheap, but not good rarely is.

Static Code Scan for PCI

ease of deployment. Number of supported languages and best place to fix function.

Too much detail in the report for small security shops.

Filter the final report by severity and concentrate on the most important issues first.

Fixed code flaws before deployment. Dramatically decreased rework and refactoring.

We used the tool to find security flaws in our software it helped us to find cross side scripting bugs in an easy way

When we integrate with Jenkins the report sent by CheckMarx is not easily redable

Security

Code Analysis

Cross side scripting

SQL injections

Automation has been much more easier with the checkmarx

Even if 1 test fails it shows the everything as failed

Automation is the main purpose of our use.

It gives suggestions of technical issues correctly.

Its a little confusing with existing code bases.

Better in finding code issues.

Better code quality is obtained using Checkmarx.

I was working on a project for Salesforce and needed to test my code and running CheckMarx against the code helped me get my development done faster and done right.

The specific documentation for APEX is a little hard to parse but it helps point out where you need to look.

We needed to test our APEX code and needed to make sure it was as secure as possible.

Easy installation and rollout, it performs thorough scans across most, if not all all, languages.

The work-layout requires a full screen, and like four windows. It''s not something you can do passively because it takes the whole screen.

Strengthening security by making the code airtight. And making cleaning the code provides many pluses, in general.

Highly recommend Check mark in this current trend.

Not having an option to choose personal email.

Analytics

This is a very innovative company. The product is safe.

Customer service is not so great. It takes a while for them to return your call.

Consider it. Nothing to lose. If you do not like it, switch to something else.

It is good for network security.

Fast code scanning capability and to the point recommendation.

Many false positive scenarios are provided in results when scanning is done for Apex code

Easy to use for code scanning of Force.com

Salesforce code security issues. Ability to find major security issues and recommendation to fix them

The software is responsive it is very dynamic and very thorough. If you need a dynamic system look here.

Sometimes when you most need a part to save it is sometimes slow.

Buy it

Integrity, allows us to finish our job right.

Reviews APEX code and most security/code scanners do not

Results take a few minutes to return, not a huge issue but if you are in a time crunch you never know when they will arrive :)

Providing reassurance to our customers

Static analysis & Apex Overview of unpackaged code

Cost is a big concern and frequent analysis could be better if cost is not a concern.

Threat identification in our custom code.

Security requirements review.

Checkmarx has a lot of pros, easy to deploy and integrates well in the SDLC, board overage of language support.

Very high number of false positives takes longer time to triage.

Securing SDLC.

Recommendations provided are easy to understand and actionable insights

too many false positive results while scanning code

Good tool to use for code scanning for beginners

Code best practices

Application Security testing and the testing UI

Still needs the break even analysis for the cases

Application software vulnerablities and workflow needed

providing the scan report in multiple formats

integrating with build tools is not fun

scanning the vulnerabilities in source code