A catchy review of Checkmarx not full of wordplay
August 29, 2016

Anonymous | TrustRadius Reviewer
Score 4 out of 10
Vetted Review
Verified User

Overall Satisfaction with Checkmarx

As part of R&D projects for military contracts, we used Checkmarx to help our engineering team improve information assurance and reduce potential security risks in our software. We specifically used it to scan applications written in PHP. Through the many months of use, we found it often had a very large amount of false positives, but the things it did catch were helpful. We refactored several components, libraries and classes and upgraded some of our dependencies to reduce the number of results Checkmarx returned. It never found a truly significant security risk, but we were a team of security experts, so I'm rather glad about that. Downsides I did see were that it was completely impossible to get set up locally or through a continuous integration system. This was partially because of the way Checkmarx was designed, and partially because the security requirements we held in configuring our development and staging environments made it so. We had to interact with Checkmarx by exporting a zip of our codebase and uploading it, and it was a rather large codebase, so it took a while to scan. Overall, it was a helpful tool, but cumbersome to use.
  • Supports a large number of languages
  • Finds a large variety of potential risks
  • Lots of false positives
  • Hard to integrate with CI
  • Improved ability to provide a high level of IA confidence
  • Improved confidence in application-level security
Checkmarx works really well when you actively work with it, rerunning it after each change. It gets confused easily when lots of files get changed, and that results in a lot of additional false positives.