What is our primary use case?
I'm a user also, but I'm also responsible for information security.
I am the principal of security in the office. I'm the one that actually advises people about enhancing or incorporating information security aspects. Right now, we are using a community version. We have yet to subscribe for the enterprise license because we need more disciplined developers first.
Within our organization, there are roughly 14 people using this solution.
We use it to find the scoop, or the use, for peer review for the developers. It will require more time, to get used to it and to get trained. My team is very small and I am part of the development team — I'm in the security team but I'm also part of the development team. I am helping to build this along with the team.
What is most valuable?
The product itself has a friendly UI. It's easy to use and we understand how to manage the admin control panel, it's really quick. It's really easy to perform admin jobs using the control panel.
The tools are really easy to use. With the coding, we can build a bunch of rules that apply for each programming language, for example, CSS, Java, and more. Even with the community version, we can still set up rules. We accommodate them and they give us the best quality. It's been a great experience so far.
What needs improvement?
We could use some team support, but since we are using the community version, it's not available.
Also, because we are using the community version, we have some problems from time to time regarding the SSO logins.
Sometimes you need more time to configure things, to edit some profiles.
SonarQube has come to the end of the project phase. The development team doesn't really utilize this because it's in the product development phase. They need more paths and delivery — they don't really care about security. But now, since we are also certified technical security, we can go ahead and provide that for them.
In short, communication needs to be better.
Automation could be better. Sometimes by default, you need to configure some rules regarding detection. You need to have some parameters set regarding false-positive risk.
For how long have I used the solution?
We have had SonarQube for over a year, but we have only been using it for the past two months.
How are customer service and technical support?
With the use of community version, we already have utilized and carried out our needs to fulfil application security at the earlier stage with small medium SDLC Team.
How was the initial setup?
The initial setup was very straightforward. Overall, deployment took roughly one week.
What other advice do I have?
There are so many qualitative tools other than SonarQube, but I think it's the only platform that is open-source; however, it doesn't cover you end-to-end — from the static, dynamic, and interactive source.
Once we're done with SonarQube, we will switch to a proprietary tool, like Qualys — something that provides more end-to-end — but before we can do that, we need more people who know how to properly run the software.
Overall, I would recommend SonarQube for your initial software quality.
On a scale from one to ten, I would give this solution a rating of eight.
Which deployment model are you using for this solution?
Which version of this solution are you currently using?