Atlassian tried most of the mature products or services in the marketplace.
The selection of Checkmarx
Atlassian conducted an extensive due diligence process over a period of several months with a number of SAST vendors. Atlassian selected Checkmarx's solution because it offered a good balance of functionality and cost, and the company demonstrated a readiness to respond to our various specific requests.
The Implementation
When Atlassian implemented Checkmarx over a year ago, the product was not as mature as it is today, so they were prepared for the inevitable tweaks and bugs needed to get the product working smoothly. A few hiccups inevitably occurred, and these were promptly handled by the Checkmarx support team. Overall, it did not take long for the product to be fully installed and productive. Atlassian currently uses Checkmarx for assessing third-party plugins before bundling them with the core Atlassian products and SaaS services. The main concern is that plugins run with the same level of privilege as the rest of the JVM, so a security vulnerability in one of these third-party software components is equal in severity to any vulnerability in the host product.

Following the successful implementation of Checkmarx, Atlassian gradually expanded the use case to assessing shared components used across the entire product range. Eventually, the aim is to scan the millions of lines of code Atlassian has across its entire code base on a regular basis. Atlassian is considering integrating Checkmarx into the SDLC so that every programmer at Atlassian will be able to scan their code using Checkmarx's IDE plugins for Visual Studio / Eclipse, and so promote a secure coding methodology across the entire company.
The Bottom Line
Atlassian security team’s overall impression with Checkmarx is that it is a flexible and easy-to-use product.
The team was extremely happy with the level of support they received. It was both professional and timely despite the time zone differences. As is always the case with similar tools, Atlassian was prepared for a few quirks in installing and tuning it - in the event, the installation was easy. Additional documentation would have been useful.
“Using Checkmarx is easier than other tools. Important - you do not need to integrate it into your build process, just throw source code at it, assuming you have tuned the signatures to your taste.”