Codebashing Reviews

I use Codebashing for our developers to train them in secure coding practices with the latest patterns and against the languages that we use here: Java, Python, .NET, and whatever Codebashing supports. We train them for the security aspects of OWASP Top 10, API, web, and we are also training them with AI aspects that are leading in the trends. We use it to train our developers for security training and make them security champions for reviewing the scan results which are given by Cx1 for IaC and SAST base. For Cx1, it is basically for the code reviews that we have been using to scan our static code. So far, it has been quite good. There are a few false positive occurrences and right now we are dealing with it, but overall, it has been a nice experience using these tools.

The quiz and the gamification that Codebashing has are the most valuable features or capabilities we have found so far. We have been using it for tournaments, conducting tournaments across the developers to test their knowledge and give them a token of appreciation once any developer has secured a runner up position, first position, and all. It is basically a learning and tournament thing that we provide here with the help of Codebashing.

We have been seeing a lot of impact while using Codebashing. Since the vulnerabilities which we identify usually in the code are now less in the trends, the training of Codebashing and learning via Codebashing helps our developers.

Codebashing reduces the chances of developers writing vulnerable code rather than writing secure code. It creates an impact on how our developers write code and understand how the vulnerabilities work. Rather than making them understand how the vulnerabilities can be exploited via a practical scenario, Codebashing gives a graphical representation of how and when the flow works, showing how the vulnerabilities work. It gives an impact on that.

What we have been seeing is that Codebashing's up-to-date modules have addressed emerging security threats for our organization with the AI trends that we have been using. It allows our developers to make use of secure code AI and not just be relying upon the AI that could produce vulnerable code rather than focusing on the secure code that we can produce with AI and get rid of AI vulnerabilities. That is how it helps.

Codebashing is doing pretty well so far. There should be advancement in the complexity of questions and the training module because not everybody starts from zero or a beginner level. If you can make it to the expert and advanced expert levels, anybody who wants to transition from development to security could have that option.

First, there should be more flexibility for our developers to get some trainings on. Second, there is the part of the license that we get from Checkmarx.

I have been using it for the last four years.

It has been pretty reliable. I would rate it 8.5 out of 10. Very few times we have faced downtime; otherwise, it should be fine.

We have been using it as SaaS. It is not on any cloud platform; rather, we are using it as a SaaS solution.

It is more based on the licenses that we have. What we acquire as part of the agreement is what we have been using.

We used to do classroom trainings manually for security developers, but not with Codebashing.

An implementation team was involved.

Checkmarx One, Codebashing, and IaC are the products we use.

Checkmarx One and Codebashing do not have an impact on the security flow that we use, because we usually have a strong overall flow in the organization. Instead of following a normal approach, we use SSDLC, which is security in every aspect, in every cycle of the pipeline, from threat modeling to POC to deploying the code to making it production. Rather, Codebashing is more impactful on the training and for the developers and getting them to understand what the vulnerabilities are and how they can be exploited rather than how they can securely write the code, making any changes in the flow. The flow is the same, so I do not think it is making any impact in the flow part.

For me being a security professional, the trainings that we did and the questions we did were comparatively a low hanging fruit and seemed very easy for us. So I am not sure about the developers and how they consume the questions in the training, but for any security professional, it is not that knowledge.

My overall review rating for this product is 7.5 out of 10.

I have used SonarQube as a community product for static application security testing as well as quality gate checking for the organization. Now I have retired the community edition of SonarQube and I am currently working with Checkmarx for a proper solution.

In my current license configuration, I have Codebashing, secret scanning, and SAST.

Codebashing is solely purposed for training our developers regarding the vulnerabilities we have, and it has seamless integration within Checkmarx. I am running a security champions program which leverages Codebashing platform itself.

Codebashing serves as a baseline for developers, though not many advanced techniques are available. In the tournament phases, it mostly resembles a Kahoot tournament, so having more CTF capabilities within the platform would be beneficial.

The statistics are really good for the developers after we deployed Codebashing. When people do not know anything regarding a vulnerability, they can gain a basic idea of what that vulnerability is and how they can mitigate things. There are some lacking vulnerabilities in Codebashing platform itself, making it both advantageous and disadvantageous.

The best features of Codebashing are the skill trees and the way I can impose trainings for the developers, which is highly effective.

It would be beneficial for Codebashing platform if we were able to quickly customize the questionnaires. Currently, we have to work with predefined questionnaires or utilize another language to create quizzes. I would prefer having a GUI for that aspect so I can provide tailor-made questionnaires for the developers, allowing me to utilize Codebashing platform entirely instead of depending on other solutions.

I have two years of experience with Checkmarx.

With Codebashing solution, we had a couple of complications, such as account configuration issues. Because we are currently in the initial stages, the support is really good, but we have to wait and see.

Positive

Initially, we had Contrast Security, and comparing with that, the coverage against the cost shows that Checkmarx is doing a good job.

Codebashing and Checkmarx SAST are really easy to set up; it is a matter of figuring out the SSO configuration from our end. The rest of the things are currently using the SaaS solution provided by Checkmarx, so the initial setup phase is straightforward.

Scanning the entire organization takes time, which was one of the challenges we faced during the initial phase. To overcome such issues, we had to write scripts as workarounds.

With Codebashing we can see a clear difference; the vulnerability fixing ratio became 160% per month, and the density counts started reducing after implementation.

Based on the coverage we receive when comparing it with the IAS tool and the options we receive, such as ID integrations and direct impact on pull push requests, the pricing is much lower than IAS.

I am not familiar with Codebashing updates frequency. We bought it through an agent. On a scale of 1-10, I rate this solution a 7.

I have been working with Codebashing, which is one of the modules in Checkmarx. Checkmarx has different modules like Codebashing, SAST, DAST, and SCA, providing a complete AppSec platform that includes Codebashing.

Codebashing has been integrated with our IDEs like Jenkins, Visual Studio, and Eclipse. Whenever a developer identifies any kind of security-related vulnerabilities, they receive a lot of information from Codebashing, such as what exactly the vulnerability is, how it can be fixed, any games around that, and any videos related to those vulnerabilities. The developer watches these videos and learns how to fix those specific issues. Additionally, we organize tournaments to test developer capabilities in terms of how quickly they can identify and fix issues, and how effectively they handle those issues without creating new ones.

For Checkmarx, we are the customer, and we use this particular platform to service our customers.

The kind of remediation that Codebashing trains developers on is outstanding, as it relates developers to real-life use cases.

I would like to highlight the tournament feature of Codebashing as great, allowing us to organize competitions among skilled developers, which helps identify the best and most productive individuals in our organization.

Codebashing's adaptive learning paths help us by addressing different use cases among our customers, as some follow OWASP Top 10 guidelines while others adhere to CWE, PCI DSS, or HIPAA. This means Codebashing helps us comply with these requirements so developers do not make mistakes when remediating issues found in the source code.

I have a very clear example regarding the measurable impact Codebashing has had on our team's ability to identify security flaws early in development. One customer in the aviation sector had around 7.8 vulnerabilities in one thousand lines of code before implementing Checkmarx or Codebashing. After using Codebashing, we improved our mean time to remediation (MTTR) and reduced the defect count to 3.6 in one thousand lines of code.

I am not using Codebashing's up-to-date modules to address emerging security threats, as I handle the security part and this module is not relevant for me, although my development team might be using it.

I think the video content of Codebashing can be improved and should be updated regularly, as we currently see minimal updates in terms of real-time vulnerabilities.

I think the user interface (UI) features could be improved, as it is not very attractive when compared to competitors like Secure Code Warrior, which we recently evaluated.

I have been working with Codebashing since we took Codebashing and Checkmarx in 2022, so it has been almost four years now.

Codebashing has been stable and reliable so far, as I have not seen any crashes or issues in platform usage, so it has been performing great for my team.

I would rate the stability and reliability of Codebashing a ten, as ten represents the highest level of stability.

I can evaluate how scalable Codebashing is. I find Codebashing very scalable as we are currently using around 250 developers, having started with 50, so it has been increasing rapidly for the past four years.

We often communicate with the technical support of Codebashing, as we have dedicated technical support for that.

My impression of their support is positive, as they are available on calls and emails, and they provide fast responses, abiding by the signed SLA for technical responses. I find them to be highly professional.

I would rate their support a nine out of ten.

We have not had any significant issues, as all L1 and L2 issues have been remediated immediately over calls, although some complicated issues take time to resolve due to R&D and engineering involvement. Overall, support from Checkmarx is good.

The return on investment with Codebashing has been evaluated by my business team, so I do not have any information about that.

The pricing and licensing of Codebashing is based on contributing developers. I consider Codebashing an affordable solution, as we have been using the Checkmarx platform and it came to us at a very nominal cost.

The reason I switched to Codebashing is that we were already a user of Checkmarx, and since Codebashing is a module of it, we got great pricing from the Checkmarx team, which is why we onboarded Codebashing as a fully-fledged tool.

Codebashing serves as our primary tool for learning and awareness purposes, as one of my team's responsibilities is to spread awareness on secure coding practices. Codebashing helps facilitate that mission.

A specific example of how we've used Codebashing to spread secure coding awareness in our team involves SQL injection, which is one of the top 10 OWASP vulnerabilities. Codebashing provides a very thorough walk-through example that explains SQL injection and demonstrates how to use parameterized queries, structured queries, and perform input validation. This exemplifies how we use Codebashing to educate product teams on writing secure code.

While we do not integrate Codebashing with our workflow, we use it to educate product teams about the different kinds of vulnerabilities, such as the OWASP Top 10 and the SANS Top 25. We encourage product teams and developers to use the tool and rank teams based on who scores better on these assessments.

The best features Codebashing offers include its interactivity, as it walks you through how the SQL injection exploit can happen while providing real-time feedback on what exact changes you need to make in your code to prevent it. This makes it a technology-agnostic approach, but also allows you to select which technology you write code in, providing specific examples relevant to your technology. For example, it shows how to perform input validation in Python to prevent a vulnerability such as SQL injection.

Codebashing positively impacts our organization by improving awareness. We encourage product teams to have security ambassadors and use Codebashing to educate themselves on secure coding practices. While there is not a precise metric or KPI I can share on improving security posture, the overall awareness of these vulnerabilities is something that Codebashing helps strengthen.

I cannot recall any specific pain points or missing features regarding improvements.

I do not have anything small that I would like to see improved or changed in Codebashing, as I think it excels at what it does today. However, with evolving times and the increasing use of AI, I think it would be beneficial for Codebashing to cover new LLM-related vulnerabilities and weaknesses that are being identified in AI-generated code and software. I am uncertain if it covers this today, but if not, then it should evolve in that aspect.

My experience with Codebashing is part of our contract with Checkmarx, and I have been using Codebashing for the last three years.

I cannot recall any issues with downtime or reliability regarding Codebashing. It has been stable.

I have no complaints regarding Codebashing's scalability, as it handles growth and larger teams well.

I have not interacted with customer support, as we did not reach out specifically to Codebashing. We had a contract with Checkmarx, and I have no complaints on that side.

We did not have a former solution prior to using Codebashing.

Getting started with Codebashing is fairly simple, as we have integrated it with our scanning tools, making it convenient to use Codebashing.

I have not seen any quantitative return on investment metrics, but I can share that Codebashing has been supremely helpful in educating engineers and cybersecurity professionals within my team on how to practice secure coding.

We did not evaluate any other options before choosing Codebashing.

We measure increased awareness through participation rates, which have been improving as people use the tool more consistently, leading to friendly competition within the enterprise to see who can rank higher and how many puzzles of Codebashing they have completed.

My advice to others looking into using Codebashing is to proceed with it, as it is a brilliant tool. I would rate this review a 9.

I use Codebashing for security-related testing and aggressive testing, and also to stress-check code to expose weaknesses.

Ours is an HRA benefits application, and I use Codebashing for security testing or exposing weaknesses by attacking the input and intentionally passing malicious input. Through Codebashing, I can identify the required vulnerability. This means security testing, and a few of my colleagues have also been using Codebashing.

In my opinion, the best features Codebashing offers are early vulnerability discovery, improved defensive coding habits, and catching what automated tests miss.

When I talk about early vulnerability discovery through Codebashing, I mean conducting intentional adversarial review very early during development or code review only, rather than waiting for QA, a pen test, or production incidents.

Additional features worth highlighting are shared security ownership, knowledge transfer across the team, common attacking patterns, how real-world exploits work, and better PR and design discussions since I started using Codebashing.

Codebashing is powerful, but it is not perfect. Based on my experience, the product can be made more systematic rather than ad hoc. The approach should balance intuition with automation by combining Codebashing with static analysis, dependency scanning, and secret detection, focusing only on high-risk parts such as authentication, payments, and data access to avoid slow delivery.

Improvements are needed, and the balance and focus should be emphasized more on the improvement side.

I have been using Codebashing for three years.

I would say Codebashing is stable.

Codebashing's scalability is good.

I have not been able to reach out to customer support because I did not face many issues, so I am satisfied regarding customer support.

Negative

Everything was taken care of by the organization, so I did not have to do anything privately regarding pricing, setup cost, and licensing.

For knowledge transfer or shared security ownership in my team, we ask questions such as 'What happens if this field is missing or tampered?' and 'Should this ID come from a token instead of a request?' Such PR reviews and knowledge transfers have been conducted with real-world examples, including real payloads that break assumptions and actual vulnerable code.

My advice regarding Codebashing would be to be practical, culture-focused, and incremental, starting with the high-risk areas such as authentication and authorization, data access APIs, and payments. The approach should focus on breaking the code, not the people.

I would rate this product a seven out of ten.

The solution mainly aims to identify false positives or flag any medium to high-risk outcomes, meaning it is mainly for source codes.

The most valuable features of the solution stem from the fact that its gamification UI is quite user-friendly to use, and it is also quite intuitive since it provides users with proper explanations while allowing one to opt for the obash option. Mapping is also quite accurate, which helps identify why the tool has flagged certain code or lines of code, making it helpful for users because sometimes you might be unable to detect the flaws on your own.

The tool can be a little more intuitive for the end users. It isn't a very friendly tool for beginners. In our company, we have to take training courses to learn how to use the platform. Introducing automation and making the tool a little more intuitive for businesses might be helpful.

In our company, we need to take care of the tool's regular updates since, often, the solution may be down. My company has a business administration unit team that is responsible for the updation of tools we use, and their processes can take a day or two to be completed, because of which we may lose out on some time when we may have required the tool to do a complete scan. It would be helpful if the update process can be made faster.

If I make use of the integration capabilities of Codebashing, then the plug-ins won't work as smoothly as it does in the application itself. Maybe the solution's plug-ins can be improved.

I have been using Codebashing for three years.

If I use Codebashing as a standalone tool, then I don't face any stability issues, but issues arise when I try to use its integration capabilities. If you want to integrate Codebashing with Jenkins or run automated scans, I face some issues with its integration part.

I think that the solution has a few plug-ins on different cloud platforms, making it a scalable product.

Between 50 to 100 people in my organization use the solution.

The solution's technical support is good. My company has been able to resolve issues related to the tool with the help of Codebashing's technical support team. I rate the technical support a seven or eight out of ten.

Positive

I have experience with AppScan and RiskSense. I was using AppScan to support DAST and RiskSense for getting results from SAST and DAST to generate reports. I was using different solutions for different reasons, but I think they provide different benefits to users. My company chose CheckMarx over AppScan since the former offers better source code scanning capabilities.

The installation phase of the tool is simple.

The tool's installation phase took around 45 minutes.

The tool's installation phase was carried out by a team of 17 people in my company who use Checkmarx.

The solution is deployed on the cloud.

As a developer, though I am unaware of the cost of the solution, the product is expensive since I faced some trouble upgrading to Python for Codebashing.

The solution is easy to maintain.

I think Codebashing is a great tool to start with if you are just learning about application security. Codebashing has some good tutorials and a nice learning platform to learn about coding. Codebashing also has a more nice gamification UI, which is a good tool. Generally, I think it's quite a good tool for developers to get started and pick up skills.

I rate the overall solution an eight and a half to nine out of ten.

We have been using the product for code-scanning purposes.

The platform is simple, easy to use, and easy to learn. It has comprehensive guidelines and a lot of documents and videos for an easy installation process. Apart from some default rules, it allows users to configure their own rules. Also, it is easy to configure as it has an extensive library for reference.

The product's pricing could be more flexible. At present, we have to buy an entire instance. Instead, they could introduce a pricing model based on specific requirements.

We have been using Codebashing for three to four years.

The platform has good stability.

Codebashing's cloud version might be more scalable than the on-premise version.

The initial setup process is easy. It takes little time to complete for new users as well. However, it might take time if the infrastructure still needs to be implemented.

Sometimes, Codebashing provides reports with false positives. Thus, I advise others not to rely on the reports and to do a thorough analysis. They may require to change a few configurations. Configuring your own rules is better than going for a default configuration.

I rate it an eight out of ten.

We use Codebashing for secure code development.

The most important aspect of Codebashing, in my opinion, is the gamification advantage. When compared to competitors' offerings, the most significant thing to emphasize is gamification. The rest is similar to the competitors.

It is user-friendly.

From my perspective, Codebashing might use some enhancement. Clients should be able to handle their tests directly according to their needs. That aspect of Codebashing is currently inflexible. Customers would wish to sign, compile, or manage their tests in accordance with their requirements. It is just not possible.

As previously stated, one of my main criticisms is that customers should be able to manage and develop their tests independently.

I know Codebashing very well.

I have been working with Codebashing from the first day until now. It has been for more than five years.

We are selling it as well, which is why we know it very well.

Codebashing is quite stable.

Codebashing is a scalable solution.

We assist both small and medium-sized customers. We also have some banks. Small businesses with 10 to 20 users.

To be honest, the product never requires any form of technical support.

If customers require technical support, we provide it in our country, but there is no requirement because it is only a learning suite. There is no need for technical support for these types of products.

We are representing Checkmarx, and I am extremely familiar with Checkmarx, and Codebashing. I am well knowledgeable about all of these topics. I am familiar with them.

We are only working with Codebashing. Only with Codebashing. We are not that type of company. We are loyal to Checkmarx. On the other hand, there are not many similar products on the market.

It is a cloud service, you, don't need any setup.

Very simple to deploy. 

You can do it quickly, effortlessly, and effectively. 

It is simple to deploy and use.

Pricing is relatively reasonable. I would prefer it if their pricing would be a bit cheaper. This is not my personal comment, this is the comment of the market.

I am conducting research. 

I'm in academics. I am conducting some studies. I am trying to understand some details of the product.

To be honest, this is a very well-designed product, with the most essential competitive advantage being, as previously stated, gamification. 

It is very user-friendly, simple to use, and simple to understand. The course duration is excellent. Certainly not more than eight or ten minutes, which is critical. From the perspective of a developer or programmer, those types of individuals are unable to allocate their time for too long. 

These are the benefits of the product, and I enjoy it.

We are the partner. We are more than a reseller. We are the representative of Checkmarx in our region.

I would rate Codebashing a nine out of ten.

I am a reseller.

Codebashing is a training tool. It's a training tool that helps users or developers detect their coding errors and correct them. Then Codebashing shows them how to improve and secure their development skills.

Codebashing is only one feature. It's a trim model.

According to the feedback, it's an easy-to-use application tool.

We don't use it directly, but from the feedback of our customers who do use it, they are pleased with it.

Because I am not the direct user, but rather a reseller, I may not know, because the only way we will know is if we receive a complaint from one of our users. We have received any major complaints that tell us what needs to be changed, on the tool, or where they need to improve it.

Change is an unavoidable constant. There will always be opportunities for change and improvement in order to provide more value to their end users. However, I am unable to specify where the change or improvement will be required.

It is difficult to say, but maybe there are areas of the solution that could improve. 30% improvement.

It does not require storage. Because it is an online tool, there is no need for backup. It is a training platform. When it identifies your area of weakness, it shows you and instructs you on what to do. You, simply log in. It's similar to a cloud base.

I expect the dashboard to be improved based on user feedback and, of course, as technology advances.

I would like to see Certificates issued to users. I believe that certificates should be issued to users so that they can be used as proof of having completed that training. The certificate is currently not being used for any competence validation outside of the chance environment.

They should issue certificates to the users, which can be used as evidence of security development code.

The company is called Checkmarx. One of their products is codebashing.

I have been selling Checkmarx products for eight or nine years.

I am working with the most updated version.

Generally, Codebashing is a stable solution. We haven't had any complaints.

Codebashing should be scalable.

It should be scalable. Scalable in terms of improvement, and scalable in terms of the environment. Because technologies are expected to be scalable, they should be scaled to users, user experiences, or user environments.

So far, I believe Checkmarx has provided very good technical responses in all areas of their solution. Their technical response is excellent. They will contact you once you have booked your ticket.

I would rate their technical support a four out of five.

Positive

The initial setup is straightforward. That's all there is to it once you install the tool.

It does not require any maintenance. People are not required to do anything. It is straightforward.

The return on investment will be one year.

I believe the product is valuable because it assists you in improving secure applications, which can then prevent fraud and threats against the application as well as incorrect application activities.

Licenses are renewed annually.

I can recommend Checkmarx, in my opinion, they are good. Their product is good. It has minimal false positives. They are user-friendly, and they are not complex at all. The response from the technical support is also excellent.

I would happily recommend Checkmarx products at any time, at least for the time being, unless circumstances change.

I would rate Codebashing an eight out of ten. 

I'm giving it an eight because it's extremely useful. It enables users to deploy improved, secure development skills. 

The remaining tool, in my opinion, is that the user cannot use the certificate to demonstrate ability, and they do not use the certificate to demonstrate competence in that area at this time.

Our team leaders and managers use this solution. They use this platform to educate and provide security training to their developer teams.

The most valuable feature is that you get the security from the design of the training. It ensures our developers write code securely and effectively. They will not write code that is vulnerable to hackers.

This solution could be improved by offering an increased number of quizzes after each module. The GUI for this solution could also be updated to be more modern. 

We have been using this solution for one year. 

This is a stable solution due to the fact that it is an e-learning platform. 

This is a scalable solution. 

The technical support for this solution is good. 

If using Codebashing for a big team of more than 10 developers, it is important to plan to ensure the training is effective. 

I would rate this solution a nine out of ten.