Examples of the 98,000+ reviews on PeerSpot:

reviewer2753535 - PeerSpot reviewer
DevSecOps Engineer at a tech services company with 1,001-5,000 employees
Real User
Integrates security into the development process and improves team collaboration
Pros and Cons
  • "We used Veracode to improve our security posture and speed up the time to market by streamlining the development process, which enhanced collaboration between developers, operations, and security teams."
  • "When we implement a policy, it can be very difficult to locate."

What is our primary use case?

My main task involved integrating a security tool into a cloud platform. Once the integration was complete, we ran the pipeline. After completion, the overall metadata was fed into the security tool. The tool then scanned the data from the cloud platform and transferred it to the Veracode platform. Once Veracode processed the information, it scanned the overall metadata to identify vulnerabilities based on OWASP or application security top ten rules. The tool categorized the vulnerabilities as critical, high, or medium based on these rules. This was the workflow we implemented in the industry.

How has it helped my organization?

Veracode helps organizations develop software by reducing the risk of security vulnerabilities through developer enablement and applications focused on governance. You can utilize different levels of processes to achieve better performance or a more scalable service. Since I started working with it in 2022, I’ve found it to be cost-effective as well. Overall, Veracode is a user-friendly security tool.

It includes features such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). During the development phase, we can identify vulnerabilities in the application. This process occurs in the staging environment during development. When we're ready to go to production, we conduct a final check. Essentially, this tool helps identify vulnerabilities during the code development stage, including both high-level vulnerabilities and those related to open-source software composition. We utilize specific methodologies for this purpose. Additionally, it offers a feature that allows us to set up policies based on client requirements. This means we can customize the tool to meet the specific needs of our clients, ensuring that they receive the appropriate level of security in their applications.

Veracode is user-friendly as well. Compared to other tools, their scans take 15 minutes or under. If you have a large scale of libraries or data, it might take longer, but based on my personal experience, the scan usually runs within fifteen minutes.

For my case study using the Veracode tool, I worked on an internal project following industry standards. We used Veracode to improve our security posture and speed up the time to market by streamlining the development process. This enhanced collaboration between developers, operations, and security teams. The automated scanning process helped identify and fix vulnerabilities earlier in the development process. We maintained compliance with regulatory requirements, avoided fines, and built customer trust by integrating security into the development process.

When we conduct this scan, we receive data on a list of vulnerabilities. This information improved our communication and increased transparency, which leads to better reports about the efforts being put in. This results in a more effective and efficient collaboration process, making it user-friendly for all involved. When considering costs, if we resort to manual processes, it can be time-consuming. Therefore, we utilize automated scans to identify and fix security issues. This allows us to address vulnerabilities early in the development process, as we discussed previously. This applies both to our in-house code and third-party libraries, using Software Composition Analysis (SCA) agent-based scans. In the future, we will also implement SCA agent-based scans as a separate feature within Veracode, which can help organizations avoid the expensive and time-consuming consequences of security issues. Furthermore, we have seen an increase in compliance, helping to maintain adherence to regulatory requirements and industry standards, thereby avoiding fines and reputational damage associated with noncompliance.

Additionally, by integrating security into the development process, we enhance customer trust in our organization and its products. 

What is most valuable?

Veracode is a modular cloud-based solution for application security with features such as SAST, DAST, SCA, IAST, and pen testing. It helps organizations reduce the risk of a security breach through analysis, developer enablement, and AppSec governance. The tool integrates into cloud platforms to scan metadata, identify vulnerabilities based on OWASP Top 10 rules, and set up policies according to client requirements. It's also time-efficient, scalable, cost-friendly, and enhances customer trust.

What needs improvement?

I have been using Veracode for four years and have found some areas that need improvement. When we implement a policy, it can be very difficult to locate. Running SAST and DAST simultaneously can be challenging. The initial deployment was not easy, and the internal training was quite difficult. However, after using it for about a month, it became more user-friendly.

For how long have I used the solution?

I have been using Veracode since 2022.

What do I think about the scalability of the solution?

Veracode is time-efficient compared to other tools, taking nearly 15 minutes for standard scans. When dealing with large-scale libraries or data, it may require more time. Veracode's price is lower and the solution is more scalable.

How are customer service and support?

The technical support team provides immediate responses. We can resolve multiple issues during the calls. They provide good technical support, and I would rate their support as seven out of ten.

In response to our inquiry, they provide an update within 24 hours. They share detailed information via email, including screenshots or further clarification about the issue. If we are experiencing a significant backlog in processing technical issues, we arrange a call with our senior technical team. They will provide guidance and help resolve the issue during the call.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

For quality and SAST-based purposes, we can use SonarQube and ShiftLeft. ShiftLeft only provides SAST and SCA based scans. For DAST, we work with Acunetix or Burp Suite. We compared ShiftLeft, Veracode, and GitHub Advanced Security. While Veracode has five features, ShiftLeft provides SAST and SCA, and GitHub only handles secret scanning. Veracode was ultimately the best choice.

How was the initial setup?

The initial deployment wasn't easy. During the internal training, I found it quite challenging. However, after about fifteen to twenty days of use, or nearly a month, it became user-friendly.

What about the implementation team?

As for the deployment team, we had specific client requirements. They had multiple applications, which meant we needed more than one person. Initially, we started with two people, and then one intern joined us later on. In total, we had three members working on approximately 120 applications.

What's my experience with pricing, setup cost, and licensing?

When considering pricing, Veracode stands out due to its lower cost per service and more scalable options. It offers nearly five security testing features within its own service, making it a competitive choice compared to other tools. Overall, Veracode's pricing is lower and more scalable than many alternatives in the market.

What other advice do I have?

I would rate Veracode as eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer899619 - PeerSpot reviewer
Consultant at a comms service provider with 10,001+ employees
MSP
Top 5 Leaderboard
Integration setup is simple and stability impresses with consistently high performance

What is our primary use case?

PyCharm is mainly used by our team for Python development. We engage in tasks such as converting Perl to Python or developing Python software from scratch. Although a couple of people use PyCharm, most of us prefer using Visual Studio for our development work.

PyCharm is not integrated with other systems. Developers create Python scripts using PyCharm and then use tools such as Grafana to integrate those scripts into dashboards, working independently with them.

What is most valuable?

Some of our developers appreciate the unique features of PyCharm because they already had a license and were familiar with using IntelliJ platforms. PyCharm, being from JetBrains, fits into their ecosystem. Despite its advantages, we have not expanded its use among developers due to its high cost, approximately 200 pounds per workstation, which we find prohibitive.

Exchange usage has dropped in favor of cloud-based solutions such as Microsoft 365, indicating a shift in how tools are adopted by organizations. PyCharm offers a desktop, on-premises deployment model, which might suit specific organizational needs.

What needs improvement?

The pricing model for PyCharm is a significant area for improvement. It is currently too high, with a per-seat cost of approximately 200 pounds. A community edition, similar to IntelliJ Community Edition, could serve as a stepping stone for users. A community edition would allow potential users to familiarize themselves with the product before opting for more powerful features in a subscribed model.

Users have expressed that the cost is a barrier to broad adoption, especially when compared to alternatives such as Visual Studio, which is free. Implementing a community edition could make PyCharm more accessible and lead to wider adoption.

What was my experience with deployment of the solution?

The initial setup of PyCharm was pretty straightforward. I did not see any difficulty when people were implementing it.

What do I think about the stability of the solution?

From my experience, PyCharm stability on a scale from 1 to 10 deserves at least a nine. I have not seen any issues with it or any issues reported by it. From what I can tell, it was as stable as IntelliJ. IntelliJ never had any problems, so I would assume it maintains the same level of stability, though I have not used it extensively enough to identify all potential problems.

What do I think about the scalability of the solution?

Regarding scalability for PyCharm, it is not easy to expand licenses. With a per-seat license of 200 pounds, expansion becomes challenging. The enterprise license cost remains unknown but would presumably be quite expensive.

Which solution did I use previously and why did I switch?

I have not used PyCharm extensively because of its cost. One or two people have PyCharm licenses, so I interact with it occasionally. Generally, when dealing with Python, we use Visual Source for most of our developers because it is more economical.

The room for improvement for PyCharm is its pricing model, which is too high. A community edition would be beneficial, similar to what is available for IntelliJ. The community edition would serve as a stepping stone, allowing users to try the basic features before subscribing to more powerful ones. Most of our team uses the IntelliJ community edition for Java development, and a similar option for PyCharm would be valuable.

How was the initial setup?

The initial setup of PyCharm was pretty straightforward. I did not see any difficulty when people were implementing it.

What other advice do I have?

Our platform operates independently of Azure, but it can be ported to Azure. We work with Terraform to deploy in Azure, and once deployed, it functions with standard integrations. However, I am not personally involved in the Azure or cloud aspects.

Currently, PyCharm is not integrated. Developers create Python scripts and implement them in dashboards using tools such as Grafana, then work with them independently. I have not personally explored the debugging capabilities of PyCharm.

For my review about PyCharm, anonymous is better because I am not professionally known to be a PyCharm user.

Overall, I would rate PyCharm an eight out of ten based on my experience. It is a very mature product, very stable, and I appreciate its interface. However, this assessment comes with limited intensive usage.

My review rating for PyCharm is 8 out of 10.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.