1. The fact that the solution does security scanning is valuable. It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed.
2. It's comprehensive from a feature standpoint. My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous.
3. One of the most valuable features is it is flexible. The features and technologies are very good. The flexibility and the roadmap have also been very good. They're at the forefront of delivering the additional capabilities that are required with cloud delivery, etc. Their ability to deliver what customers require and when they require it is very important.
4. The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?
   We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities.
5. It is easy for developers to use. The documentation is clear, and the APIs are good and easily readable. It's a good solution overall.
   From the software composition analysis perspective, it first makes sure that we understand what is happening from a third-party perspective for the particular product that we use. This is very difficult when you are building software and incorporating dependencies from other libraries, because those dependencies have dependencies and that chain of dependencies can go pretty deep. There could be a vulnerability in something that is seven layers deep, and it would be very difficult to understand that it is even affecting us. Therefore, Snyk provides fantastic visibility to know, "Yes, we have a problem. Here is where it ultimately comes from." It may not be with what we're incorporating, but something much deeper than that.
6. I have found the best features to be the performance and there are a lot of additional plugins available.
   The solution has a great user interface.
7. Its ability to perform different types of scans, keep everything in one place, and track the triage process in Fortify SSC stands out.
   The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation.
8. The license management of WhiteSource was at a good level. Compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine.

Find out what your peers are saying about SonarSource, Veracode, Checkmarx and others in Application Security. Updated: April 2021.
475,291 professionals have used our research since 2012.

Advice From The Community

Read answers to top Application Security questions. 475,291 professionals have gotten help from our community of experts.
Many companies wonder whether SAST or DAST is better for application security testing. What are the relative benefits of each methodology? Is it possible to make use of both?
Dan Doggendorf

SAST and DAST are not mutually exclusive and should be used in conjunction with each other. One should be used by the developers to ensure security is being addressed as they are writing the code. The other is used for evaluating existing applications already in production to ensure they are not susceptible to any new vulnerabilities that have been discovered.

The real question is which should have a higher priority when it comes to introducing the concepts into your application security model. Unfortunately, there is no single answer to which comes first. It all depends on your organization's culture, business model, and your relationships with the various impacted groups.

Thomas Ryan

The easiest way to remember the role of each:

SCA & SAST = Am I Vulnerable
DAST & IAST = Am I Exploitable (In some cases together, they complement SAST)
RASP & WAF = Can I Protect Myself (Fixing the code is the primary option)

Oscar Van Der Meer

For application security you ideally need SAST, SCA and DAST. You need all three as they essentially measure different things:

SAST identifies bad coding practices that potentially could be exploited.

SCA identifies known vulnerabilities in the libraries and components you are using, and this is the main attack vector on applications.

DAST identifies some of the weaknesses that SAST and SCA identified, but also identifies weaknesses in the configuration. You might have the perfect application code with zero vulnerabilities, but if it is misconfigured, for instance using a default password, it still can be breached.

If you have to choose, look at SCA and then DAST first, as that gives you the best bang for your buck from a risk reduction perspective.
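The transitive-dependency problem described in the Snyk review near the top of the page and the SCA role Oscar Van Der Meer describes in the answer above, as an added example that is not part of the original page and not code from Snyk, Sonatype or any other vendor named here. It walks a constructed dependency graph breadth-first, checks each package version against a constructed advisory feed (the package names, versions and advisory identifiers are all made up for illustration), and reports every hit with its path back to the root, so a vulnerability several layers down is attributed to the direct dependency that pulls it in. The non-zero exit status lets the same script serve as a pipeline gate, the kind of CI integration the article further down recommends.

```python
"""Toy software composition analysis (SCA) over a transitive dependency tree.

Added example: not code from the page or from any vendor named on it.
The dependency graph and the advisory feed are constructed for illustration;
the package names, versions and advisory identifiers are not real.
"""
from collections import deque
from dataclasses import dataclass

# Constructed dependency graph: package -> (installed version, direct dependencies).
# "webapp" is our own application; everything else is third-party.
GRAPH = {
    "webapp":        ("1.0.0", ["http-client", "templating"]),
    "http-client":   ("2.3.1", ["url-parse"]),
    "templating":    ("4.0.2", ["sandbox-eval"]),
    "url-parse":     ("1.4.7", ["punycode-lite"]),
    "punycode-lite": ("0.9.0", []),
    "sandbox-eval":  ("0.2.0", []),
}

# Constructed advisory feed: package -> [(introduced, fixed, advisory id)].
# Ranges are half-open, [introduced, fixed), the convention most feeds use.
ADVISORIES = {
    "punycode-lite": [("0.0.0", "1.0.0", "EXAMPLE-0001")],
    "sandbox-eval":  [("0.2.0", "0.3.0", "EXAMPLE-0002")],
    "http-client":   [("3.0.0", "3.0.4", "EXAMPLE-0003")],  # we run 2.3.1: not affected
}


@dataclass(frozen=True)
class Finding:
    advisory: str
    package: str
    version: str
    path: tuple  # root -> ... -> affected package, i.e. who pulled it in


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; real tools need full semver/PEP 440 handling."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def scan(graph: dict, advisories: dict, root: str) -> list:
    """Breadth-first walk from the root so every package is reported with its
    shortest path back to our own code.  A visited set keeps cycles finite."""
    findings = []
    seen = {root}
    queue = deque([(root, (root,))])
    while queue:
        name, path = queue.popleft()
        if name not in graph:
            # A dependency we cannot resolve is a finding too: we cannot vouch for it.
            findings.append(Finding("UNRESOLVED", name, "?", path))
            continue
        version, deps = graph[name]
        for introduced, fixed, advisory_id in advisories.get(name, []):
            if is_affected(version, introduced, fixed):
                findings.append(Finding(advisory_id, name, version, path))
        for dep in deps:
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, path + (dep,)))
    # Shallow findings first: they are the ones we can usually fix ourselves.
    return sorted(findings, key=lambda f: (len(f.path), f.package))


def ci_gate(findings: list) -> int:
    """Exit status for a pipeline step: non-zero fails the build."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan(GRAPH, ADVISORIES, "webapp")
    for f in results:
        print(f"{f.advisory}: {f.package}@{f.version} via {' > '.join(f.path)}")
    raise SystemExit(ci_gate(results))
```

Run stand-alone, the script reports the sandboxed templating helper two levels down and the URL-encoding library three levels down, each with the chain that introduced it, and exits non-zero. The http-client advisory is ignored because the installed version sits outside the affected range; that range check, not mere presence in the feed, is what separates a useful SCA result from noise. Unresolvable packages are reported rather than skipped, since a dependency you cannot enumerate is one you cannot assess.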

Curtis Yanko
Real User

It's a false choice of a question, but DAST exists because folks don't trust their SAST tool. DAST is good about true positives but bad about false negatives. SAST just has a reputation for false positives, but a new generation of SAST tools do a much better job.

Russell Webster
Real User

Both. They are not in competition with each other.
SAST is used for analyzing your written code for practices and patterns that are risky or vulnerable.
DAST is used at runtime for analyzing the app for vulnerabilities as shown in other ways on the runtime memory stack, etc.
Both provide different value.

Look into RASP vs DAST vs IAST as well.

There are many cybersecurity tools available, but some aren't doing the job that they should be doing.  What are some of the threats that may be associated with using 'fake' cybersecurity tools? What can people do to ensure that they're using a tool that actually does what it says it does?
SimonClark

Dan Doggendorf gave sound advice.

Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money, but how do you know where to spend it? There are over 5,000 security vendors to choose from.

There is no silver bullet and throwing money at it won’t necessarily fix what you are at risk from, but at the same time free products are free for a reason.

If your organisation doesn’t have a large team of security experts to research the market and build labs then you need to get outside advice. Good cyber-advisors will understand your business and network architecture and will therefore ask the right questions to help you to navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future.

Large IT resellers will sell you what they have in their catalogues based on what you ask for, and give a healthy discount too, but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions.

By the way, there are free security products and services that I recommend.

Danny Miller

Tools are not necessarily bogus. Sometimes they are just 'legacy' tools that have been around for too long and no longer fit the problem they were designed to solve, simply because IT infrastructure, organizational needs, and cybersecurity threat complexity have evolved. 

reviewer1266459 (Network Security Engineer at a performing arts with 201-500 employees)
Real User

Refrain from free products.

Delete products and traces of the product after evaluation.

Always know what you want from the cybersecurity solution. You can then identify illegal operations of the product if they differ from its stipulated functions.

Work with recognised partners and solution providers.

Download open source from reputable sites.

Doctor Mafuwafuwane (Altron Systems Integration)
Real User

Open source or free products need proper management. Based on my experience I have found that many people who use open source don't bother to patch it, and attackers then utilize such loopholes.

One great example: one client was using a free vulnerability management plus IP scanner, and they got hit with ransomware. During the investigation I realised the attacker utilized the same tool to affect other devices on the network. The attack took its time, at least 2 months unnoticed.

Basil Dange
Real User

One should first have a detailed understanding of what he/she is looking to protect within the environment, as tools are specially designed as point solutions. A single tool will not be able to secure the complete environment, and you should not procure any solution without performing a POC within your environment.

There is a possibility that a tool which works for your peer organisation does not work in a similar way for yours, as each organisation has different components and workloads/use cases.

Javier Medina
Real User

You should build a lab, try the tools and analyze the traffic and behavior with a traffic analyzer like Wireshark and any sandbox or EDR that shows you what the tools do, but all this should be outside your production environment. Use tools that have been released by the company provider and not third-party downloads or unknown or untrusted sources.

Alan
Real User

Bogus cybersecurity tools might bring about data exfiltration or trojan horses.

Menachem D Pritzker
On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts were protected using two-factor authentication, which the hackers were somehow able to bypass. Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, Kanye West, Benjamin Netanyahu, and several high-profile tech companies, including Apple and Uber. The hackers posted variations of a message asking followers to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned. How could Twitter have been better prepared for this? How do you rate their response?
Ken Shaurette
Real User

I like the potential for catching unusual activity like that with our recently implemented endpoint detection tool, Cynet360. It seems so far to have about the highest level of transparency into the endpoint with a 24x7x365 backing of monitoring.

Prasanna VA
Real User

It's understood that an internal tool was probably shared by an internal employee, per the RCA. The tool was used to reset the associated mail address of the account, thereby allowing a password reset of choice. For MFA on identity-related features, it is more secure to keep it tied to an associated mobile secure PIN or soft crypto code in future to avoid compromise; at this moment, that is the lesson learned.

reviewer989748 (Security Analyst at a financial services firm with 201-500 employees)
Real User

The use of two factor authentication by Twitter

Paresh Makwana

This is an identity theft issue, which means someone hacks your password or account and does activity which he/she is not supposed to do. The basic reason for the hack of your identity or password is social engineering. The second reason is the system has weak privileged access management. If you have less control on admin IDs or privileged IDs then the entire firm has to suffer along with the customers of that firm. For me the takeaway of this event is to protect privileged IDs with a good PAM/PIM tool with two-factor and UBA included.

Russell Webster
Real User

Span of control, Solid RBAC, Privileged Access Management (PAM) 
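The controls the last two answers name (span of control, solid RBAC, privileged access management with a second factor) applied to a privileged account-support action, as an added example that is not part of the original thread and is not a description of Twitter's internal tool or of any product on this page. The roles, action names, time limits and account identifiers are constructed assumptions. Each role grants only the actions it needs, any privileged action requires a recent MFA challenge (step-up), and a change to a high-value account additionally requires a time-limited approval from a different person holding an approving role, so one compromised or socially engineered support account cannot act alone.

```python
"""Least-privilege authorisation for a privileged account-support action.

Added example: not Twitter's internal tooling and not any product named on
this page.  Roles, action names, time limits and account identifiers are
constructed assumptions.
"""
from dataclasses import dataclass

# Constructed role model.  No single role can both perform and approve a
# privileged change (span of control), and support staff cannot change accounts.
ROLE_PERMISSIONS = {
    "support":       {"view_account"},
    "support_admin": {"view_account", "reset_email"},
    "security":      {"view_account", "approve_privileged"},
}

STEP_UP_MAX_AGE_S = 300   # privileged actions need an MFA challenge within 5 minutes
APPROVAL_TTL_S = 900      # a second-person approval is only good for 15 minutes
READ_ONLY_ACTIONS = {"view_account"}


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    last_mfa_at: float  # epoch seconds of the last successful MFA challenge


@dataclass(frozen=True)
class Approval:
    approver: str
    action: str
    target: str
    expires_at: float


def permissions(session: Session) -> set:
    """Union of the actions granted by the session's roles; unknown roles grant nothing."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))


def approve(approver: Session, action: str, target: str, now: float):
    """Second person in the loop.  Only a role holding approve_privileged may
    sign off, the approver must be freshly authenticated, and the approval is
    scoped to one action on one target and expires."""
    if "approve_privileged" not in permissions(approver):
        return None
    if now - approver.last_mfa_at > STEP_UP_MAX_AGE_S:
        return None
    return Approval(approver.user, action, target, now + APPROVAL_TTL_S)


def authorize(session: Session, action: str, target: str,
              high_value: set, approvals: list, now: float) -> tuple:
    """Returns (allowed, reason).  Every control must pass; the default is deny."""
    if action not in permissions(session):
        return False, "rbac: role lacks permission"
    if action in READ_ONLY_ACTIONS:
        return True, "ok"
    if now - session.last_mfa_at > STEP_UP_MAX_AGE_S:
        return False, "step-up: fresh MFA required for a privileged action"
    if target in high_value:
        # Dual control: someone other than the actor, with an approving role,
        # for exactly this action and target, and within the approval's lifetime.
        valid = any(
            a.approver != session.user and a.action == action
            and a.target == target and a.expires_at > now
            for a in approvals
        )
        if not valid:
            return False, "dual-control: second approver required for high-value target"
    return True, "ok"


if __name__ == "__main__":
    NOW = 1_600_000_000.0           # constructed clock value
    HIGH_VALUE = {"verified-exec"}  # constructed high-value account identifier
    bob = Session("bob", frozenset({"support_admin"}), NOW - 60)
    carol = Session("carol", frozenset({"security"}), NOW - 30)
    print(authorize(bob, "reset_email", "verified-exec", HIGH_VALUE, [], NOW))
    signoff = approve(carol, "reset_email", "verified-exec", NOW)
    print(authorize(bob, "reset_email", "verified-exec", HIGH_VALUE, [signoff], NOW))
```

The ordering of the checks matters: the cheap RBAC test runs first and denies most misuse outright, the step-up test means a stolen session cookie is not enough on its own, and the dual-control test is reserved for the small set of accounts where a single mistaken or coerced operator is an unacceptable risk. Approvals are tied to one action on one target with a short lifetime, so an approval obtained for a routine case cannot be replayed against a different account later.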


Application Security Articles

Netanya Carmi
Content Manager
IT Central Station
Mar 30 2021

Application security involves all the ways in which application vulnerabilities are prevented, detected, and resolved. Security should never be an afterthought. It should be an integral part of the process, from development, through integration and testing. Your applications are open to all sorts of security vulnerabilities and challenges, and protecting them is essential. But first you’ll need to have a solid grasp of these application security fundamentals.

1. Assign Application Security to Someone Specific.

If you want to ensure the security of your applications, you have to assign this job to someone. The only way to make sure this essential issue is taken care of and doesn’t fall through the cracks is to know you have a specific person in charge of it. Depending on the size of your organization and your budget, this might be a part-time or full-time role or it might require a team or even multiple teams.

2. Plan Accordingly.

You’re going to have to start small, but at the same time, you need to plan for the long-term. Prioritize your applications so you know where to start. Then set yourself some measurable goals so that you’ll see a return on investment sooner rather than later. Scale up as needed.

3. Shift Left.

Application security issues tend to surface late in the software development life cycle (SDLC), in testing or in production, but the ideal is to detect them earlier (farther to the left on the SDLC timeline), when resolving them is far less costly: a flaw caught during design is a change to a diagram, while the same flaw found in production is a patch, a release, and possibly an incident. The sooner you can identify (and, ideally, prevent) vulnerabilities, the easier it will be to deal with them. This means coming up with a plan for how to handle security, data encryption, reliability, compliance requirements, etc., before coding even starts.

4. Leverage Your Existing Strengths.

When it comes to creating an application security program, there is no one single correct way to do it. Different organizations focus on different areas. To be most efficient, begin by ramping up security in the areas in which your company is strongest, and then expand from there. For example, if development revolves around the CI toolset, integrate some security tooling there. If your team manages their time via JIRA tickets, make sure you are checking those JIRA tickets for security issues. Don’t assume that a plan that was made with one company in mind will be a good fit for your company. Instead, tailor-make one that makes sense for you.

5. Put a Positive Spin on it.

Application security can easily be seen as a source of problems and conflicts. You don’t want this essential aspect of your business to be perceived as something that constantly blocks or prevents growth, because that makes people route around application security instead of dealing with it head-on. Instead of constantly highlighting problems, propose solutions and encourage effectiveness and efficiency.

6. Create a Knowledge Base.

Once you’ve encountered an application security vulnerability or issue, don’t just resolve it and move on. Keep a record of challenges you come across (and their solutions) so that your team can reference it and won’t make the same mistakes twice.

7. Dev Training

At the end of the day, developers need to be taught to be more security-conscious. Your developers are your first line of defense in catching application security vulnerabilities and they need to be trained in best practices. Your team should constantly be learning the newest ways to catch and resolve application security issues.

What is Application Security?

The members of IT Central Station were clear on what was most important when evaluating Application Security: while some also mentioned that the software should be silent and have the ability to lock down configuration settings, everyone agreed that quality Application Security should provide intelligent data and come with a solid reputation, a strong usage pattern, efficient data handling, and a clean design. Members also mentioned documentation and maintenance as benefits.
