Developers have improved vulnerability awareness but require more customizable training options
What is our primary use case?
I have used SonarQube as a community product for static application security testing as well as quality gate checking for the organization. Now I have retired the community edition of SonarQube and I am currently working with Checkmarx for a proper solution.
In my current license configuration, I have Codebashing, secret scanning, and SAST.
Codebashing is solely purposed for training our developers regarding the vulnerabilities we have, and it has seamless integration within Checkmarx. I am running a security champions program which leverages Codebashing platform itself.
How has it helped my organization?
Codebashing serves as a baseline for developers, though not many advanced techniques are available. In the tournament phases, it mostly resembles a Kahoot tournament, so having more CTF capabilities within the platform would be beneficial.
The statistics are really good for the developers after we deployed Codebashing. When people do not know anything regarding a vulnerability, they can gain a basic idea of what that vulnerability is and how they can mitigate things. There are some lacking vulnerabilities in Codebashing platform itself, making it both advantageous and disadvantageous.
What is most valuable?
The best features of Codebashing are the skill trees and the way I can impose trainings for the developers, which is highly effective.
What needs improvement?
It would be beneficial for Codebashing platform if we were able to quickly customize the questionnaires. Currently, we have to work with predefined questionnaires or utilize another language to create quizzes. I would prefer having a GUI for that aspect so I can provide tailor-made questionnaires for the developers, allowing me to utilize Codebashing platform entirely instead of depending on other solutions.
For how long have I used the solution?
I have two years of experience with Checkmarx.
How are customer service and support?
With Codebashing solution, we had a couple of complications, such as account configuration issues. Because we are currently in the initial stages, the support is really good, but we have to wait and see.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
Initially, we had Contrast Security, and comparing with that, the coverage against the cost shows that Checkmarx is doing a good job.
How was the initial setup?
Codebashing and Checkmarx SAST are really easy to set up; it is a matter of figuring out the SSO configuration from our end. The rest of the things are currently using the SaaS solution provided by Checkmarx, so the initial setup phase is straightforward.
Scanning the entire organization takes time, which was one of the challenges we faced during the initial phase. To overcome such issues, we had to write scripts as workarounds.
What was our ROI?
With Codebashing we can see a clear difference; the vulnerability fixing ratio became 160% per month, and the density counts started reducing after implementation.
Which other solutions did I evaluate?
Based on the coverage we receive when comparing it with the IAS tool and the options we receive, such as ID integrations and direct impact on pull push requests, the pricing is much lower than IAS.
What other advice do I have?
I am not familiar with Codebashing updates frequency. We bought it through an agent. On a scale of 1-10, I rate this solution a 7.
Fabulous
What do you like best about the product?
Very easy to understand and easy to manage the graphic interface
What do you dislike about the product?
Nothing as of now. I will say need to use this once
What problems is the product solving and how is that benefiting you?
If we talk about other product this product is easy to handle and manage
A all in one Secure training platform for Developers and IT professionals
What do you like best about the product?
The Training modules it has are very interactive helping users to detect and remediate issues . Covers all OWASP top 10 along with various other security test cases.
What do you dislike about the product?
Cost consideration . Bit of customization challenges to the content .
What problems is the product solving and how is that benefiting you?
Shift Left where in developers need to be aware of secure coding practices . THis is where Checkmarx COdebashing is a boon . Comprehensive training plan , Material and content aim at assisting teams to understand basic concepts and help to mitigate security flaws well ahead of production.
Has good stability and availability of comprehensive documentation
What is our primary use case?
We have been using the product for code-scanning purposes.
What is most valuable?
The platform is simple, easy to use, and easy to learn. It has comprehensive guidelines and a lot of documents and videos for an easy installation process. Apart from some default rules, it allows users to configure their own rules. Also, it is easy to configure as it has an extensive library for reference.
What needs improvement?
The product's pricing could be more flexible. At present, we have to buy an entire instance. Instead, they could introduce a pricing model based on specific requirements.
For how long have I used the solution?
We have been using Codebashing for three to four years.
What do I think about the stability of the solution?
The platform has good stability.
What do I think about the scalability of the solution?
Codebashing's cloud version might be more scalable than the on-premise version.
How was the initial setup?
The initial setup process is easy. It takes little time to complete for new users as well. However, it might take time if the infrastructure still needs to be implemented.
What other advice do I have?
Sometimes, Codebashing provides reports with false positives. Thus, I advise others not to rely on the reports and to do a thorough analysis. They may require to change a few configurations. Configuring your own rules is better than going for a default configuration.
I rate it an eight out of ten.
Best tool to learn and upskill yourself
What do you like best about the product?
The easiest ways and examples to learn coding and implementation
What do you dislike about the product?
The cost factor is one can be improved a bit
What problems is the product solving and how is that benefiting you?
Upskilling in careere by learning secure coding helped me in promotion as well
Nice platform to level up coding skills
What do you like best about the product?
The overall experience of the coding journey which feels so intuitive and game play alike and task based is really fun to learn.
Overall UI/UX and lots of training problems on almost all the major coding languages makes this platform must to try for coding lovers.
What do you dislike about the product?
UI lag keeps user experience good, which otherwise would have been great. Also the pricing looks a bit too premium for such a platform, I think many individuals would give a thought before getting their hands dirty owing to this.
What problems is the product solving and how is that benefiting you?
Helps improving the code quality and more towards learning more secure coding standards which would otherwise be loopholes in the product.
Mitigating security risks in our software
What do you like best about the product?
Codebashing consistently meets my expectations. It stands out from the tools.
What do you dislike about the product?
The platform is more user-friendly with navigation and clearer instructions. It does provide value there is room, for improvement.
What problems is the product solving and how is that benefiting you?
Checkmarx Codebashing insecure coding practices. It offers a practical training platform. This increases our developers skills.
Equipping our developers with hands on training
What do you like best about the product?
Theres nothing to dislike about this product. It is a simple and attractive interface.
What do you dislike about the product?
Tthe support for remediation is more comprehensive as it sometimes falls short in solving security issues.
What problems is the product solving and how is that benefiting you?
Checkmarx Codebashing eliminate the issue of security vulnerabilities, in code, which identify and resolve these issues. It has increased our code quality and mitigated security risks.
Reduce the risk of vulnerabilities in our applications
What do you like best about the product?
It promotes a culture of coding without causing any disruptions in our development workflows. It meets all of my expectations.
What do you dislike about the product?
It falls short when it comes to addressing the specific vulnerabilities that arise in niche or emerging technologies.
What problems is the product solving and how is that benefiting you?
The Checkmarx Codebashing solves the issue of insecure code. By providing training simulations that increase the security skills of our developers. Improving security practices and ensuring the safety of our codebase.
An easy-to-use tool to identify false positives or flag any medium to high-risk outcomes
What is our primary use case?
The solution mainly aims to identify false positives or flag any medium to high-risk outcomes, meaning it is mainly for source codes.
What is most valuable?
The most valuable features of the solution stem from the fact that its gamification UI is quite user-friendly to use, and it is also quite intuitive since it provides users with proper explanations while allowing one to opt for the obash option. Mapping is also quite accurate, which helps identify why the tool has flagged certain code or lines of code, making it helpful for users because sometimes you might be unable to detect the flaws on your own.
What needs improvement?
The tool can be a little more intuitive for the end users. It isn't a very friendly tool for beginners. In our company, we have to take training courses to learn how to use the platform. Introducing automation and making the tool a little more intuitive for businesses might be helpful.
In our company, we need to take care of the tool's regular updates since, often, the solution may be down. My company has a business administration unit team that is responsible for the updation of tools we use, and their processes can take a day or two to be completed, because of which we may lose out on some time when we may have required the tool to do a complete scan. It would be helpful if the update process can be made faster.
If I make use of the integration capabilities of Codebashing, then the plug-ins won't work as smoothly as it does in the application itself. Maybe the solution's plug-ins can be improved.
For how long have I used the solution?
I have been using Codebashing for three years.
What do I think about the stability of the solution?
If I use Codebashing as a standalone tool, then I don't face any stability issues, but issues arise when I try to use its integration capabilities. If you want to integrate Codebashing with Jenkins or run automated scans, I face some issues with its integration part.
What do I think about the scalability of the solution?
I think that the solution has a few plug-ins on different cloud platforms, making it a scalable product.
Between 50 to 100 people in my organization use the solution.
How are customer service and support?
The solution's technical support is good. My company has been able to resolve issues related to the tool with the help of Codebashing's technical support team. I rate the technical support a seven or eight out of ten.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I have experience with AppScan and RiskSense. I was using AppScan to support DAST and RiskSense for getting results from SAST and DAST to generate reports. I was using different solutions for different reasons, but I think they provide different benefits to users. My company chose CheckMarx over AppScan since the former offers better source code scanning capabilities.
How was the initial setup?
The installation phase of the tool is simple.
The tool's installation phase took around 45 minutes.
The tool's installation phase was carried out by a team of 17 people in my company who use Checkmarx.
The solution is deployed on the cloud.
What's my experience with pricing, setup cost, and licensing?
As a developer, though I am unaware of the cost of the solution, the product is expensive since I faced some trouble upgrading to Python for Codebashing.
What other advice do I have?
The solution is easy to maintain.
I think Codebashing is a great tool to start with if you are just learning about application security. Codebashing has some good tutorials and a nice learning platform to learn about coding. Codebashing also has a more nice gamification UI, which is a good tool. Generally, I think it's quite a good tool for developers to get started and pick up skills.
I rate the overall solution an eight and a half to nine out of ten.
