5 out of 5.0, Reviewed Nov 22, 2016
Great Partnership and focussed effort to help us automate SAST capabilities at organizational scale
Start with big picture and end result in mind.
Breadth and coverage across latest technologies and ability to automate and integrate with CD tools
False Positives Percentage is high which requires fine tuning
4 out of 5.0, Reviewed Nov 17, 2016
Experienced some deployment and licensing hiccups, upgrade surprises and some interesting desktop software behavior, but overall I feel it's working better than the previous solution we had implemented.
Examine entire functional offering from Checkmarx to evaluate both SAST and OSA components together
Ability to scan a variety of languages, quickly audit issues, and provide integration with external build systems and ticketing solutions.
We've experienced some bad user experiences with their desktop solution and some of the custom query engine scenarios and haven't had a satisfactory resolution or explanation for these difficulties yet.
Had a more mature Open Source Software solution in place
Possibly identify use cases better before proof of concept and implementation
4 out of 5.0, Reviewed Nov 17, 2016
Very good experience with the breadth of issues and explanations about remediation steps.
Please train all your developers early on. With attrition being a major issue with distributed development teams, it is a challenge to set up a continuous online training platform/program that helps all developers understand secure software development.
Ease of execution, explanation of issues and mitigation/remediation steps.
Checkmarx were very helpful with the installation and support.
Train developers to address the problems earlier, ensure that code that gets checked in adheres to OWASP Top-10 and other standards for secure software development.
5 out of 5.0, Reviewed Oct 13, 2016
We ran a PoC and found that Checkmarx was better than Fortify and IBM App Scan, with a better audit experience as well. Installation was easy and it uses resources more efficiently (DB/disk).
Do your homework, run PoC and see if it matches your needs.
Very efficient use of resources in case of very large code base, user interface.
If a scan fails, it cannot resume.
5 out of 5.0, Reviewed Oct 12, 2016
Product fulfills requirements, good support, and relationship to the company.
An unlimited number of projects, lots of different programming languages supported, speed.
GUI usability could be improved
Response time is sometimes not very good. Not easy to find a reason if something is not working.
5 out of 5.0, Reviewed Sep 14, 2016
We are very satisfied with the features offered by the tool and the reactivity of Checkmarx.
To sensitize the developers to the security of the applications
To enrich certain functions (restitution and extraction of the results)
To optimize the incremental analyses
The same things
Product conforms to our present needs
A very good reactivity and support on behalf of Checkmarx.
5 out of 5.0, Reviewed Sep 6, 2016
We compared the CxSAST (Checkmarx Static Analysis Suite) against solutions from Fortify and Coverity. We found that CxSAST was better than Fortify and on par with Coverity in terms of out-of-the-box performance; however, the impressive programmability of CxSAST, much broader programming language support, and their rapid-release process made them the clear winner. Once we purchased, we were happy with the responsiveness of support, speed of fixing issues, and their local support representatives. The product continues to rapidly evolve and impress. The UI has been greatly improved. The plugins allowing integration with third-party services are a significant value add. Areas that need improvement: the software only works in a Windows environment and requires an MS SQL database that must be separately purchased, two things that no other product in this space requires and which add cost to deploying the solution over the use of free operating systems and open source databases that are bundled. The installation process when performing non-standard installs is high touch, as it requires manually editing multiple configuration XML files on different hosts. There is also some paranoia: the licensing restrictions are excessive for no apparent reason. E.g. things like the number of company managers are not actually paid for but are restricted on a per-license basis, so they must be accurately scoped in advance and are difficult to change without contacting support and obtaining a new license, even though sales are not made on the basis of how many company managers there are. To download the zip file to obtain updates requires entering a password that must first be requested from support, making this process also high touch.
Invest in Checkmarx query language training. This is a significant value-add that will greatly increase the overall usefulness of the solution.
The Checkmarx query language, support, excellent performance.
High-touch upgrades. Each time we upgrade I have to log into each of our 16 servers and edit XML files.
Have out-of-the box support for SSL between components that does not require manually editing multiple XML files. Stop artificially restricting things like company managers in the license. Have support for a scale-based install with Docker images or VMs that does not require per-server steps.
We would engage more heavily with professional services to help us deploy the solution rather than deploying ourselves and then engaging with professional services to help fix issues.
The product has more features than the competition combined. Truly amazing breadth of language support, user management, and plugins.
Support is timely and the support staff are knowledgeable.
The requirement of Windows and a third-party MS SQL is a real burden and cost, which adds several months to the total deployment timeline. Manually editing config files in order to obtain basic SSL encryption between all system components is completely out of touch with today's threat environment.
4 out of 5.0, Reviewed Aug 30, 2016
Product technology is solid and fits our needs.
Support for scripting languages.
Please release Checkmarx plug-in for Rubymine. Our RoR developers prefer to run the security check within IDE and be more effective and efficient.
Lack of local support in Singapore
5 out of 5.0, Reviewed Aug 29, 2016
Checkmarx CxSAST is exceptionally easy to use, low cost and used by expert security professionals for Static Code Analysis. The installation was easy and the support staff was excellent. The availability of a Proof of Concept (POC) helped us gain our confidence in the CxSAST product. We are extremely satisfied with the performance of large scans as well as the scan report capabilities.
Highly recommend using the POC option to evaluate Checkmarx CxSAST tool.
The support staff was great and did not hesitate to extend the POC license when we needed additional time.
None. Best SAST tool in the market.
Perhaps more frequent updates.
We are extremely satisfied with the pre- and post-sales process.
After looking at multiple vendors,
5 out of 5.0, Reviewed Aug 18, 2016
We left the decision on which product would meet our security policies in the engineering/development hands. The results have been way beyond expectations. The product is made by developers for developers, and as a security leader, my role is to increase adoption and manage risks. This product has achieved that.
Think about what the goal of the technology is: to meet your needs or the business's.
What I like most is the level of adoption, usage and impact the product has made within our engineering department.
Set better end-of-year goals to align with the strong adoption.