Checkmarx

Score 7.3 out of 10

Overview

What is Checkmarx?

Checkmarx, an Israeli-headquartered company with US offices, provides a suite of application security software delivered via the Checkmarx Software Security Platform. Individual modules and capabilities include Checkmarx Static Application Security Testing, Checkmarx Software Composition Analysis, Checkmarx Interactive Application Security Testing (CxIAST)…


Pricing

Unavailable (N/A)


Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting / Integration Services

Alternatives Pricing

What is SonarQube?

SonarQube (formerly Sonar) is an open source application security solution.

What is Sonatype Nexus Platform?

The Sonatype Nexus Platform is a software composition analysis tool that scans to build a repository of components, and then checks security and licensing to ensure compliance. Sonatype acquired MuseDev in March 2021 to expand the capabilities of the Nexus platform. Current modules available on the…



Checkmarx Technical Details

Operating Systems: Unspecified
Mobile Application: No

Reviews and Ratings (20)

Reviews

(1-3 of 3)
February 06, 2023

SAST tool review

Score 7 out of 10
Vetted Review
Verified User
Checkmarx is used in our organization to scan code base or applications and perform security analysis. The SAST tool of the Checkmarx is used for scanning the code and finding the security defects. It addresses the security concerns and eliminates manual security review. The scope includes 75% of the organization's code base.
Pros:
  • Recommendations to fix the security findings
  • Reports
  • Finds wide range of security risks
Cons:
  • Time taken for scan
  • False positives
  • Integrations with other systems
Checkmarx is really suited for finding a wide range of security risks. It does, however, identify false positives, which can be confusing at times. It can do better in terms of scan duration. There are better alternative competitors in the market who can do equally well or even better. It all depends on the scope of the problem you want to address.
  • SAST scanning tool
  • Reporting
  • Recommendations to fix security defects
  • Reduced manual effort to analyse and fix the code
  • Can easily summarize findings through reports
Score 6 out of 10
Vetted Review
Verified User
It is used by the information security team in our company. We run various static code analysis tools on our source code and Checkmarx is one of them. What it helps us with is to generate reports that we can share with our Developers as it is comprehensive and easy to understand.
Pros:
  • Reporting
  • Language support
  • Fix recommendations
Cons:
  • Scan duration
  • False positives
  • Integration with other tools like Jenkins comes with some inconveniences.
It is well suited in cases where you wanna share reports with people that do not have a lot of knowledge in security concepts. It would help as the report has elaborate content explaining the issues and fix recommendations. If you want a SAST tool that gives fewer false positives, there are better options compared to Checkmarx. In cases where you want to do SAST scans regularly and quickly, Checkmarx may hold you back with its high count of false positives and lengthy reports.
  • Static application security testing.
  • Variety of bugs it identifies.
  • Best fix location recommendations.
  • Great diversity of vulnerabilities covered.
  • Quicker scans
  • They are feature rich compared to other tools I used in the past.
  • Dashboards are not customizable enough.
  • High number of false positives take up time and sometimes make our report look bad.
We actually use Checkmarx along with the other tools. However, the reason we chose Checkmarx is its wide support for languages and useful fix recommendations. The flowcharts help better understand the data flow and give a clear picture of what needs to be fixed and how. Also, developers can make a note of what should be avoided in the future. Overall, it's a great tool and would be a good investment to make.
Veracode, Rapid7 InsightAppSec, Qualys Web Application Scanning (WAS)
Score 4 out of 10
Vetted Review
Verified User
As part of R&D projects for military contracts, we used Checkmarx to help our engineering team improve information assurance and reduce potential security risks in our software. We specifically used it to scan applications written in PHP. Through the many months of use, we found it often had a very large amount of false positives, but the things it did catch were helpful. We refactored several components, libraries and classes and upgraded some of our dependencies to reduce the number of results Checkmarx returned. It never found a truly significant security risk, but we were a team of security experts, so I'm rather glad about that. Downsides I did see were that it was completely impossible to get set up locally or through a continuous integration system. This was partially because of the way Checkmarx was designed, and partially because the security requirements we held in configuring our development and staging environments made it so. We had to interact with Checkmarx by exporting a zip of our codebase and uploading it, and it was a rather large codebase, so it took a while to scan. Overall, it was a helpful tool, but cumbersome to use.
Pros:
  • Supports a large number of languages
  • Finds a large variety of potential risks
Cons:
  • Lots of false positives
  • Hard to integrate with CI
Checkmarx works really well when you actively work with it, rerunning it after changes. It gets confused easily when lots of files get changed, and results in a lot of additional false positives.
  • Improved ability to provide high level of IA confidence
  • Improved confidence in application-level security