External reviews are not included in the AWS star rating for the product.
I use Codebashing for security-related testing and aggressive testing, and also to stress-check code to expose weaknesses.
Ours is an HRA benefits application, and I use Codebashing for security testing or exposing weaknesses by attacking the input and intentionally passing malicious input. Through Codebashing, I can identify the required vulnerability. This means security testing, and a few of my colleagues have also been using Codebashing.
In my opinion, the best features Codebashing offers are early vulnerability discovery, improved defensive coding habits, and catching what automated tests miss.
When I talk about early vulnerability discovery through Codebashing, I mean conducting intentional adversarial review very early during development or code review only, rather than waiting for QA, a pen test, or production incidents.
Additional features worth highlighting are shared security ownership, knowledge transfer across the team, common attacking patterns, how real-world exploits work, and better PR and design discussions since I started using Codebashing.
Codebashing is powerful, but it is not perfect. Based on my experience, the product can be made more systematic rather than ad hoc. The approach should balance intuition with automation by combining Codebashing with static analysis, dependency scanning, and secret detection, focusing only on high-risk parts such as authentication, payments, and data access to avoid slow delivery.
Improvements are needed, and the balance and focus should be emphasized more on the improvement side.
I have been using Codebashing for three years.
I would say Codebashing is stable.
Codebashing's scalability is good.
I have not been able to reach out to customer support because I did not face many issues, so I am satisfied regarding customer support.
Negative
Everything was taken care of by the organization, so I did not have to do anything privately regarding pricing, setup cost, and licensing.
For knowledge transfer or shared security ownership in my team, we ask questions such as 'What happens if this field is missing or tampered?' and 'Should this ID come from a token instead of a request?' Such PR reviews and knowledge transfers have been conducted with real-world examples, including real payloads that break assumptions and actual vulnerable code.
My advice regarding Codebashing would be to be practical, culture-focused, and incremental, starting with the high-risk areas such as authentication and authorization, data access APIs, and payments. The approach should focus on breaking the code, not the people.
I would rate this product a seven out of ten.
I have used SonarQube as a community product for static application security testing as well as quality gate checking for the organization. Now I have retired the community edition of SonarQube and I am currently working with Checkmarx for a proper solution.
In my current license configuration, I have Codebashing, secret scanning, and SAST.
Codebashing is solely purposed for training our developers regarding the vulnerabilities we have, and it has seamless integration within Checkmarx. I am running a security champions program which leverages Codebashing platform itself.
Codebashing serves as a baseline for developers, though not many advanced techniques are available. In the tournament phases, it mostly resembles a Kahoot tournament, so having more CTF capabilities within the platform would be beneficial.
The statistics are really good for the developers after we deployed Codebashing. When people do not know anything regarding a vulnerability, they can gain a basic idea of what that vulnerability is and how they can mitigate things. There are some lacking vulnerabilities in Codebashing platform itself, making it both advantageous and disadvantageous.
The best features of Codebashing are the skill trees and the way I can impose trainings for the developers, which is highly effective.
It would be beneficial for Codebashing platform if we were able to quickly customize the questionnaires. Currently, we have to work with predefined questionnaires or utilize another language to create quizzes. I would prefer having a GUI for that aspect so I can provide tailor-made questionnaires for the developers, allowing me to utilize Codebashing platform entirely instead of depending on other solutions.
I have two years of experience with Checkmarx.
With Codebashing solution, we had a couple of complications, such as account configuration issues. Because we are currently in the initial stages, the support is really good, but we have to wait and see.
Positive
Initially, we had Contrast Security, and comparing with that, the coverage against the cost shows that Checkmarx is doing a good job.
Codebashing and Checkmarx SAST are really easy to set up; it is a matter of figuring out the SSO configuration from our end. The rest of the things are currently using the SaaS solution provided by Checkmarx, so the initial setup phase is straightforward.
Scanning the entire organization takes time, which was one of the challenges we faced during the initial phase. To overcome such issues, we had to write scripts as workarounds.
With Codebashing we can see a clear difference; the vulnerability fixing ratio became 160% per month, and the density counts started reducing after implementation.
Based on the coverage we receive when comparing it with the IAS tool and the options we receive, such as ID integrations and direct impact on pull push requests, the pricing is much lower than IAS.
I am not familiar with Codebashing updates frequency. We bought it through an agent. On a scale of 1-10, I rate this solution a 7.
We have been using the product for code-scanning purposes.
The platform is simple, easy to use, and easy to learn. It has comprehensive guidelines and a lot of documents and videos for an easy installation process. Apart from some default rules, it allows users to configure their own rules. Also, it is easy to configure as it has an extensive library for reference.
The product's pricing could be more flexible. At present, we have to buy an entire instance. Instead, they could introduce a pricing model based on specific requirements.
We have been using Codebashing for three to four years.
The platform has good stability.
Codebashing's cloud version might be more scalable than the on-premise version.
The initial setup process is easy. It takes little time to complete for new users as well. However, it might take time if the infrastructure still needs to be implemented.
Sometimes, Codebashing provides reports with false positives. Thus, I advise others not to rely on the reports and to do a thorough analysis. They may require to change a few configurations. Configuring your own rules is better than going for a default configuration.
I rate it an eight out of ten.
