Checkmarx, an Israeli headquartered company with US offices, provides a suite of application security software delivered via the Checkmarx Software Security Platform. Individual modules and capabilities include Checkmarx Static Application Security Testing, Checkmarx Software Composition Analysis, Checkmarx Interactive Application Security Testing (CxIAST)
If you are going with SAST process or want to improve overall security posture then go for it like integrating it with post deployment steps. If you are more concerned about proactive controls better choose other options such as pee-commit hooks and CI security. Also choose other tools for DAST and API scans.
Upsource is the best review tool we've found but it still has some flaws. Notably, it makes reviewing small and quick changes less convenient than they need to be, and diff viewing (especially collaboratively) can be tedious.
It does handle larger, iterative reviews well. Especially when using a feature branch, Upsource will track that branch and automatically add all commits to the review. You can then review the branch as a whole, or look at a subset of diffs.
Creating and closing reviews isn't as quick as it could be. You must create a review, assign reviewers, approve and close. I wish there would be a quick review-approve-close for a commit where the change is simple and doesn't require multiple review iterations.
Web based interface can be clunky, especially when looking at big diffs side-by-side
JetBrains IDE integration is somehow less convenient than going using it in browser.
Their API based customizations which I leveraged to create an ASPM package, which is developer friendly and can extend above the dashboard features, other ones are UI which is great and feels clutter free. Menu and navigation is also good so as support. Only drawback is sometimes scan takes longer which I feel so can be reduced
Checkmarx is easier to integrate with development tools and gives quick feedback during coding, which is helpful for developers. Veracode is more focused on scanning and reporting for compliance, but it’s more complex to set up. We chose Checkmarx because it fits better into our development process, offering faster scans and more useful suggestions for fixing problems
Compared to the other tools we evaluated, Upsource was the only tool that allowed distinct reviews without needing explicit pull requests while still being able to go in-depth when required. The diff viewer is serviceable and better than the alternatives, as well, especially the side-by-side viewer.
