How LOGEX uses Codacy for ISO/IEC 27001:2013 compliance

Tim van Loosbroek

Head of Infrastructure and Security

"When we develop software, and we do that on a daily basis (...) Codacy makes sure that we do security testing on that code, automatically. So the developer doesn't have to care about it."


LOGEX is a leading healthcare analytics company with the mission of turning data into better healthcare. Currently available in the UK, Netherlands, Finland, Sweden, and Norway, LOGEX aims to become the number one healthcare data analytics provider in Europe.

The main languages and file formats in the LOGEX codebase include .NET (C#), JSON, JS, Shell, Markdown, Dockerfile, CSS, and SQL. They use Bitbucket as their version control system.


Health data is highly sensitive because it reveals an individual's overall health and medical history. LOGEX must therefore meet specific standards to protect that data.

Besides the European GDPR and the Dutch NEN 7510 certificate, LOGEX must comply with ISO/IEC 27001:2013 and prove its compliance to external auditors. Codacy helps LOGEX achieve its highly demanding code security goals to obtain the ISO/IEC 27001:2013 certification.

Without Codacy

Without Codacy, developers can fix the issues that their IDE of choice flags, but that information is easy to overlook, and there is no central validation of security management. Quoting Tim, "People can also run it [ESLint] in their development environment, in the IDE, but then you have to trust the developer that they do something with it because you cannot control it centrally. So it [Codacy] also allows us to actually use it, and enforce it as a quality gate."

With Codacy

On the one hand, Codacy helps developers meet high security standards and prevent critical issues and vulnerabilities. On the other hand, Codacy reassures management that security testing is carried out across the whole product and gives them an overall view of code quality.

Developers are also pleased with Codacy because it removes pressure from their side and makes their lives easier when coding. Codacy guarantees the security testing of code written by developers, automatically.

When it's time for the yearly ISO 27001 audit, Codacy is there to help. As Tim commented, "By using the [Codacy] tool we can fulfill that requirement and prove to the auditor, and it's a big help for our developers." In fact, LOGEX developers present Codacy dashboards to the auditor as evidence that LOGEX complies with the technical controls in A.14.2.8 (system security testing). The auditor then records in the report that he has seen the results of the code analysis first-hand.


The next step for LOGEX will be to use Codacy to define coding standards and standardize code across all developers. As mentioned by Tim, "we will have some debate on code styles (…) it is something we would like to have."

LOGEX also plans to use Codacy to strengthen their quality gates. As Tim explained, "in the end, what we want to do is if it doesn't meet the quality gates, we will block the pull request." This additional step will further reinforce their commitment to their already high security standards.

We look forward to seeing what LOGEX accomplishes in its mission of turning data into better healthcare. Always with code security and quality in mind!