A catchy review of Checkmarx not full of wordplay
Rating: 4 out of 10
IncentivizedUse Cases and Deployment Scope
As part of R&D projects for military contracts, we used Checkmarx to help our engineering team improve information assurance and reduce potential security risks in our software. We specifically used it to scan applications written in PHP. Through the many months of use, we found it often had a very large amount of false-positives but the things it did catch was helpful. We refactored several components, libraries and classes and upgraded some of dependencies to reduce the number of results Checkmarx returned. It never found a truly significant security risk, but we were a team of security experts so I'm rather glad about that. Downsides I did see was that it was completely impossible to get set up locally or through a continuous integration system. This was partially because the way Checkmarx was designed, and partially because the security requirements we held in configuring our development and staging environments made it so. We had to interact with Checkmarx by exporting a zip of our codebase and uploading it, and it was a rather large codebase, so it took awhile to scan. Overall, it was a helpful took, but cumbersome to use.
Pros
- Supports a large number of languages
- Finds a large variety of potential risks
Cons
- Lots of false positives
- Hard to integrate with CI
Likelihood to Recommend
Checkmarx works really well when you actively work with it, rerunning it after change. It gets confused easily when lots of files get changes, and results in a lot of additional false positives.