IT Central Station’s crowdsourced user review platform helps technology decision makers around the world to better connect with peers and other independent experts who provide advice without vendor bias.
Our users have ranked their solutions according to their valuable features, and have also discussed where they see room for improvement. You can read user reviews for the top 6 application security solutions from Q1 2017 here, to help you decide which solution is best for you.
Users compare and give feedback on the application security solutions that they’ve used — based on product reviews, ratings, and comparisons.
#1 HPE Fortify on Demand
HPE Fortify on Demand is ranked by our users as the number one application security solution of Q1 2017, but what do users really think of it?
A user from a consultancy company with 1,000-5,000 employees writes:
“The static code analyzer provides views from a security perspective and it is easy to use compared to others...We use it to evaluate security from the code and provide results from a security perspective as opposed to a developer’s perspective.”
For this Development and Database Manager at a financial services firm with 501-1,000 employees, threat flagging capabilities could use improvement:
“While it does find a lot of legitimate threats, it tends to have a lot of false positives, and there are more false positives than I would like to see. It flags threats that sometimes are not, and when we have to investigate that it takes time. If they could improve the intelligence then I think it could really help the system function more efficiently.”
#2 Checkmarx
The IT Central Station community ranks Checkmarx as the number two application security solution for Q1 2017.
“The ability to identify a vulnerability, the optimal place for remediation and the correct syntax is very valuable”, writes Robert V. Jones, Founder at a tech company with 51-200 employees.
Jones explains that “This feature helps ensure that the software fix is comprehensive and effective. The CxSuite is easy to use and because it provides the correct coding syntax to address a vulnerability, it helps improve the secure coding skill set among developers.
The product can scan precompiled (source) code, as well as compiled (binary) code, delivering effectiveness and efficiency throughout the SDLC.”
Yafes Duygulutuna shares that “You can’t implement blackout time for any user or teams. I need to limit this for some users or teams within a specific time frame. For example, I might want to limit from 02:00 am to 06:00 am. They can't start scanning during that time frame, even if they have scanner privileges.”
#3 Veracode
Veracode is ranked by our users as the number three application security solution of Q1 2017.
Gustavo Gonzalez, Product Marketing Engineering at a manufacturing company with 1,000-5,000 employees, lists several valuable features for Veracode:
Customer and professional support
Live sessions and training
The coverage of the last vulnerabilities reported
The coverage of the programming languages
For areas to improve, Gonzalez suggests “To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources.
Compiled code means that the code written is stored in binaries for machine reading only. Veracode reads only those binaries (compiled code). The other way to have the code is “Source Code written only”, a process where you don’t compile and anyone is able to read line by line the code.”
#4 SonarQube
The IT Central Station community ranks SonarQube as the number four application security solution for Q1 2017.
“We are working in the banking sector, and our application code is quite large in terms of performance. Ranorex has helped us a lot to follow Java code conventions for writing performance oriented code”, shares Arvind Katoch, DevOps Engineer at Trantor Software Private Limited.
“It also has very good compatibility with continuous integration servers like Hudson and Jenkins”, adds Katoch.
Fraser Goffin, Technical Authority Digital at an insurance company with 1,000-5,000 employees, shares what he believes can improve within SonarQube:
More granular security.
Simpler integration with JIRA.
It would be nice for a dashboard server to be able to address more than one database (this limitation tends to encourage either lots of small (team/project) servers or one uber server if you want to report across projects).
#5 QualysGuard Web Application Scanning
QualysGuard Web Application Scanning is ranked by our users as the number five application security solution of Q1 2017.
A Senior Security Systems Engineer at a software R&D company with 501-1,000 employees explains how “WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for. We didn't need any knowledge of these vulnerabilities or how they worked to scan for them and to gain the visibility.”
In terms of how QualysGuard Web Application Scanning can improve, this user shares that “The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.”
#6 PortSwigger Burp
The IT Central Station community ranks PortSwigger Burp as the number six application security solution for Q1 2017.
Razvan Gabriel Coman, a Penetration Testing Advisor at a tech services company with 1,000-5,000 employees, lists several of PortSwigger Burp’s valuable features:
Intruder - allows inserting predefined or custom payloads at chosen locations inside requests and analyzing results using custom filters;
Repeater - allows reissuing requests to manually verify reported issues, changing parameters or issuing a specific sequence of requests to test for logic flaws;
Extender - allows installing additional modules from the BApp store, created by the community in Java, Python or Ruby;
Suggesting potential improvements to PortSwigger Burp, Golnaz Elahi, Information Systems Security Officer at a financial services firm with 1,000-5,000 employees, describes:
“The professional edition of Burp Suite provides some automated pen-testing scripts to detect application vulnerabilities, like SQL injection, XSS, etc.
However, this component is not extremely useful. The results need to be double-checked manually, and false positives are very common, i.e., the tool detects a vulnerability from the HTTP response when a vulnerability does not actually exist.”