Over 259,907 professionals have used IT Central Station research.
Compare the best Application Security vendors based on product reviews, ratings, and comparisons.
All reviews and ratings are from real users, validated by our triple authentication process.
The total ranking of a product, represented by the bar length, is based on a weighted aggregate score. The score is calculated as follows: the product with the highest count in each area gets the highest available score (20 points for Reviews; 16 points each for Views, Comparisons, and Followers). Every other product is assigned points in proportion to its total relative to the #1 product in that area. For example, if a product has 80% as many reviews as the product with the most reviews, its score for reviews is 20 points (the weighting factor) x 80% = 16 points. For Average Rating, the maximum score is 32 points, awarded linearly on our 1-10 rating scale. If a product has fewer than ten reviews, the point contribution for Average Rating is reduced (a one-third reduction for products with 5-9 reviews; a two-thirds reduction for products with fewer than five). Reviews that are more than 24 months old, as well as those written by resellers, are excluded from the ranking algorithm entirely.
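The scoring rules above, carried through on constructed numbers. This is an added illustration, not IT Central Station's own code; the page does not state how the "linear" Average Rating mapping is anchored, so it is assumed here to be 32 * average_rating / 10, review age is assumed to be measured in whole months, and reseller authorship is assumed to be a per-review flag.

```python
"""Worked example of the weighted ranking described above (added illustration,
not IT Central Station's code). Assumptions not stated on the page: the
Average Rating mapping is 32 * average / 10, review age is in whole months,
and reseller authorship is a per-review flag."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

AREA_WEIGHTS = {"reviews": 20, "views": 16, "comparisons": 16, "followers": 16}
RATING_MAX_POINTS = 32
MAX_REVIEW_AGE_MONTHS = 24


@dataclass
class Review:
    rating: float          # on the page's 1-10 scale
    age_months: int
    by_reseller: bool = False


@dataclass
class Product:
    name: str
    views: int
    comparisons: int
    followers: int
    reviews: List[Review] = field(default_factory=list)


def eligible_reviews(product: Product) -> List[Review]:
    """Drop reviews older than 24 months and reviews written by resellers."""
    return [r for r in product.reviews
            if r.age_months <= MAX_REVIEW_AGE_MONTHS and not r.by_reseller]


def rating_points(reviews: List[Review]) -> float:
    """Up to 32 points, reduced when the product has fewer than ten reviews."""
    if not reviews:
        return 0.0
    average = sum(r.rating for r in reviews) / len(reviews)
    points = RATING_MAX_POINTS * average / 10   # ASSUMPTION: linear 0..32 mapping
    if len(reviews) < 5:
        points *= 1 / 3                           # two-thirds reduction
    elif len(reviews) < 10:
        points *= 2 / 3                           # one-third reduction
    return points


def rank(products: List[Product]) -> List[Tuple[str, float]]:
    """Return (name, score) pairs sorted best-first, following the page's rules."""
    counts: Dict[str, Dict[str, int]] = {
        p.name: {"reviews": len(eligible_reviews(p)), "views": p.views,
                 "comparisons": p.comparisons, "followers": p.followers}
        for p in products
    }
    # The #1 product in each area sets the denominator for proportional scoring.
    tops = {area: max(c[area] for c in counts.values()) for area in AREA_WEIGHTS}
    scores: Dict[str, float] = {}
    for p in products:
        score = 0.0
        for area, weight in AREA_WEIGHTS.items():
            if tops[area]:
                score += weight * counts[p.name][area] / tops[area]
        score += rating_points(eligible_reviews(p))
        scores[p.name] = round(score, 2)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def sample_products() -> List[Product]:
    """Constructed data. Beta has ten raw reviews, but one is 30 months old and
    one is by a reseller, so only eight count and its rating points lose a third."""
    alpha = Product("Alpha", views=1000, comparisons=500, followers=200,
                    reviews=[Review(8, age_months=m) for m in range(1, 11)])
    beta = Product("Beta", views=800, comparisons=500, followers=100,
                   reviews=[Review(9, age_months=m) for m in range(1, 9)]
                   + [Review(10, age_months=30),
                      Review(10, age_months=2, by_reseller=True)])
    return [alpha, beta]


if __name__ == "__main__":
    for name, score in rank(sample_products()):
        print(f"{name}: {score}")   # Alpha: 93.6, Beta: 72.0
```

Alpha leads every count, so it takes the full 20 + 16 + 16 + 16 and 25.6 rating points; Beta's two excluded reviews both cost it directly (8/10 of the review points) and indirectly (the under-ten reduction on its otherwise higher average).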
The members of IT Central Station were clear on what was most important when evaluating Application Security: while some also mentioned that the software should be silent and have the ability to lock down configuration settings, everyone agreed that quality Application Security should provide intelligent data and come with a solid reputation, a strong usage pattern, efficient data handling, and a clean design. Members also mentioned documentation and maintenance as benefits.
Application Security Reviews
Read reviews of Application Security that are trending in the IT Central Station community:
Your trust is our top concern, so companies can't alter or remove reviews.
So, it's been more than a year since I wrote this review, so what has changed? Well. The first thing to say is that we. Anyway, that's probably enough of an update. I hope you find this, and the previous review, helpful. Original Review... more»
It would be utterly impossible to contemplate Continuous Delivery without including a major focus on ensuring affordable software quality. SonarQube plays a key role in this endeavour and provides Senior Management oversight across multiple... more»
Certainly it eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis.... more»
Firstly, it prevents me from putting out software that has security vulnerabilities, which is a big thing and can be one of the most important things. Also, we just finished a vendor due diligence with a very large company that wants to do... more»
The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with,... more»
Several dashboards. The licenses dashboard, which gives me an overview of all the licenses used in our software. For example, right at the moment, there are several hundred licenses used. The licenses dashboard and release management... more»
We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or... more»
Every product has room for improvement, including WhiteSource. The stability of the product is web-based. We are obliged to use Internet Explorer, and from time to time I get messages which tell me that I do not have the rights to use... more»
Most features in the product are very useful, but there are some parts that I personally use more than others. 1. Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is... more»
This product has helped us improve the quality of code within the business and ensure all new developers keep to a similar code convention per project. This can basically be tracked back to saving the company money, because improved quality... more»
* Upgrading the version of the server is a bit cumbersome and could be made slightly easier. Allowing admin users to upgrade the software through the front-end would make upgrading easier. * Another improvement is with false positives.... more»
It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no... more»
We used to revise code with free tools; static analysis allows us to pinpoint issues - from a simple hard-coded test password to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL... more»
The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are... more»
We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates on how those flaw remediations are going on. Our customers have... more»
Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to... more»
It has hardened our SAP system by providing details of vulnerabilities in our SAP landscape. Before installing and configuring the Onapsis software, it would have taken an indefinable amount of time to search and monitor the system for... more»
I really love how Onapsis X1 is able to check SAP for threats; the reporting was something I felt could be improved. It could be a little easier to use and to publish for consumption with a larger audience. Currently, it takes some background... more»
Burp is the best web application penetration testing tool that I have ever used. Although all the features of Burp are very useful, I personally love its capability to automatically and accurately detect vulnerabilities. So, I would say it is... more»
The customer is almost all the time results-oriented and they want them real quick. Burp gives my organization a great authentic source of information on the security posture of web infrastructure. PortSwigger launched a feature called Burp... more»
The one feature that I would like to see in Burp is active scanning of REST based web services. A lot of organizations are providing APIs to access their services to support different business models like SaaS. Scanning these APIs is still a... more»
We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products. It reports only a few glaring false-positive errors (directory ownership was a common one), and our post-processing dealt with... more»
The biggest benefit was integrating Qualys scanning into our CI/CD pipeline to vulnerability-scan new custom machine images or AWS before deployment. We’d build the image, instantiate it, run Qualys against it, get the report, post-process... more»
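The post-processing step in that pipeline (build the image, scan it, read the report, decide), written out as an added example; it is neither Qualys's code nor the reviewer's script. The report is a constructed, simplified CSV with columns of my own choosing rather than Qualys's real export schema, and the QIDs are placeholders, not real knowledge-base entries. The one design point worth showing is that a "known false positive" such as the directory-ownership finding is suppressed with an expiry date, so it is re-examined rather than hidden forever.

```python
"""Gate a freshly scanned machine image on the scan report (added illustration,
not Qualys's or the reviewer's code). Report format and QIDs are constructed
placeholders; map the real export columns onto them before use."""
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed sample: severity on Qualys's 1 (lowest) to 5 (highest) scale.
SAMPLE_REPORT = """qid,severity,title,host,result
900001,2,Directory ownership mismatch,10.0.0.5,/var/log is owned by syslog:adm
900002,4,Self-signed TLS certificate,10.0.0.5,CN=build-image
900003,5,Kernel package out of date,10.0.0.5,installed 4.4.0-100 required 4.4.0-112
"""

# Suppressions carry an expiry so a 'known false positive' is re-examined
# instead of silently hiding a real finding for the life of the pipeline.
SUPPRESSIONS = [
    {"qid": "900001", "reason": "false positive: ownership is intended", "expires": "2018-12-31"},
    {"qid": "900002", "reason": "cert is replaced at deploy time", "expires": "2017-06-30"},
]


def parse_report(text: str) -> List[Dict[str, str]]:
    """Read the (constructed) CSV into one dict per finding."""
    return list(csv.DictReader(io.StringIO(text)))


def gate(findings: List[Dict[str, str]], suppressions: List[Dict[str, str]],
         today_iso: str, fail_at: int = 4) -> Dict[str, list]:
    """Split findings into blocking / suppressed / informational.
    A suppression whose expiry date has passed no longer applies; it is
    reported so someone re-validates it rather than letting it rot."""
    today = date.fromisoformat(today_iso)
    active = {s["qid"]: s for s in suppressions
              if date.fromisoformat(s["expires"]) >= today}
    expired = [s for s in suppressions if s["qid"] not in active]
    out: Dict[str, list] = {"blocking": [], "suppressed": [],
                            "informational": [], "expired_suppressions": expired}
    for f in findings:
        if f["qid"] in active:
            out["suppressed"].append(f)
        elif int(f["severity"]) >= fail_at:
            out["blocking"].append(f)
        else:
            out["informational"].append(f)
    return out


def pipeline_verdict(report_text: str, today_iso: str) -> bool:
    """True when the image may be deployed (no blocking findings)."""
    return not gate(parse_report(report_text), SUPPRESSIONS, today_iso)["blocking"]


if __name__ == "__main__":
    verdict = gate(parse_report(SAMPLE_REPORT), SUPPRESSIONS, "2017-09-01")
    for bucket, items in verdict.items():
        print(bucket, [i["qid"] for i in items])
    raise SystemExit(0 if not verdict["blocking"] else 1)
```

Run with a date after 2017-06-30 and the self-signed-certificate suppression has lapsed, so that finding blocks again alongside the kernel finding; run with an earlier date and only the severity-5 kernel finding blocks.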
* The ability to utilize the Client Portal, which provided my clients with a view of the project status, vulnerabilities and needed remediation steps in real-time * I don’t know of any other On-Demand enterprise solution like this one where... more»
The HP FoD effort allowed my client to utilize this service anytime their internal IT team was overwhelmed with workloads. FoD gives them an option to utilize the additional HP Services when they are overwhelmed with other IT Security needs... more»
* I believe that sales packages should be posted for single applications, and packages of multiple applications. For example, we have a one-time package for single applications, and 12-month unlimited use for static and a package for static... more»
* The export feature and presentation of the results. * The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions). * A wide variety of modern programming languages are supported,... more»
For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon. Checkmarx... more»
The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode. Compiled code means that the code written is stored in binaries, for machine reading only. Tools like Veracode... more»
Quality Gate: Automated rules for determining if a project is above or below a quality threshold. This is a concise "red"/"green" style, basic quality-control. This is integrated in the development and deployment process. Issue Explanations:... more»
Better live process: More automated quality control in the lifecycle of development/testing/deployment/production. This includes the prevention of potential bugs due to ineffective code, as well as keeping a more unified style of solutions.... more»
Deep intelligence and smarter code analysis: There are many cases where a bug or critical issue is reported. However, there is very little chance of rewriting the solution in some other way due to several circumstances. The written solution... more»
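The red/green quality gate from the first of these three points, as a CI-side check. This is an added example, not SonarSource's code. The sample payload is constructed in the shape of SonarQube's GET /api/qualitygates/project_status?projectKey=<key> response as I recall it from the Web API; treat the field names as an assumption and confirm them against your server's api documentation. The check re-evaluates every condition locally and cross-checks it against the server's verdict, so a truncated or malformed response cannot turn a red gate green.

```python
"""CI quality-gate check (added illustration, not SonarSource's code).
SAMPLE_RESPONSE is constructed in the assumed shape of
GET /api/qualitygates/project_status; verify field names against your server."""
import base64
import json
import urllib.request
from typing import List, Tuple

SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "86.4"},
            {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "3"},
            {"status": "OK", "metricKey": "new_duplicated_lines_density", "comparator": "GT",
             "errorThreshold": "3", "actualValue": "1.2"},
        ],
    }
})


def condition_fails(condition: dict) -> bool:
    """Re-evaluate one condition locally. Comparator GT means 'error when the
    actual value is greater than the threshold'; LT means 'error when less'."""
    actual = float(condition["actualValue"])
    threshold = float(condition["errorThreshold"])
    if condition["comparator"] == "GT":
        return actual > threshold
    if condition["comparator"] == "LT":
        return actual < threshold
    raise ValueError(f"unknown comparator {condition['comparator']!r}")


def evaluate_gate(raw_json: str) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). Red if the server says anything but OK or if
    any condition fails on re-evaluation; a server ERROR with no failing
    condition is itself reported, since the two should agree."""
    status = json.loads(raw_json)["projectStatus"]
    reasons = []
    for c in status.get("conditions", []):
        if condition_fails(c) or c.get("status") == "ERROR":
            reasons.append(
                f"{c['metricKey']}: {c['actualValue']} {c['comparator']} {c['errorThreshold']}")
    server_red = status.get("status") != "OK"
    if server_red and not reasons:
        reasons.append(f"server reported {status.get('status')!r} without a failing condition")
    return (not server_red and not reasons), reasons


def fetch_status(base_url: str, project_key: str, token: str) -> str:
    """Fetch the live JSON (not exercised offline). SonarQube accepts a user
    token as the HTTP Basic username with an empty password."""
    url = f"{base_url.rstrip('/')}/api/qualitygates/project_status?projectKey={project_key}"
    req = urllib.request.Request(url)
    req.add_header("Authorization",
                   "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    passed, reasons = evaluate_gate(SAMPLE_RESPONSE)
    print("green" if passed else "red", reasons)
    raise SystemExit(0 if passed else 1)   # a red gate fails the pipeline
```

In a pipeline, replace SAMPLE_RESPONSE with fetch_status(...) after the analysis task has finished; note that the project_status endpoint reflects the last completed analysis, so call it only once the analysis report has been processed, or the gate may be judged on the previous run.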
We decided to begin a partnership with Veracode, so we can improve our services and provide the customers that trust us with a platform capable of reporting vulnerabilities and also delegating and tracking the remediation until the... more»
* To be able to upload source code without it being compiled. That’s one feature that drives us to see other sources. Compiled code means that the code written is stored in binaries for machine reading only. Veracode reads only those binaries...
* Code analysis tool to help identify code issues before entered into production. * Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production. * Developer Sandboxes help... more»
When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously,... more»
The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes. Also the Greenlight product that integrates into the IDE is... more»
* Completeness, comprehensiveness * speed * ease of use We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we... more»
The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from... more»
Our client requests our expertise to audit their business-critical applications. Before using Kiuwan, we were using other solutions. We switched to Kiuwan for 8 reasons:
Ease of use and deployment: No hidden expenses, no complex deployment or complex administration. At last, we were able to help our clients to focus on improving quality without getting delayed by infrastructure issues. Upgrades are done automatically, no migration...
Clear licensing model: Kiuwan has different licensing models, all easy to understand. We were able to select the model suitable to our client needs without paying extra money for unwanted features.
Technology coverage: Kiuwan covers most of the known technologies including mobile applications.
The quality model: We have the complete freedom to...
The areas in which this product needs to improve are: * C, C++, VB and T-SQL are not supported by this product, although C and C++ were advertised as being supported. * There were issues in regard to the JSP parsing. * Defect report... more»
* Simple, easy and straightforward to start. * Header information is displayed in an easy-to-read way which can be interpreted separately. * Vulnerability categorization, along with the suggestions, is pretty helpful. * Command line tool... more»
It covers basic-intermediate web attacks and presents the information in a very descriptive way. This enhances knowledge and also helps to identify which areas are lacking attention. Other than that, it helps you start looking for the attack... more»
Login functionality: Netsparker does not integrate single-sign-on functionality, which makes it very difficult to use for such websites. SSO has become an essential part of web security testing over the last few years. I would love to see... more»
When we try to manually exploit the vulnerabilities, it often takes time to realize what's going on and what needs to be done. By using this wonderful tool, we can easily see on the outstanding reports "Important", "Medium", "Low", and... more»
Sometimes, it is slow; when we are running this application and browsing other applications concurrently, it makes other applications work slow. Besides that, it seems fine. When I use Netsparker along with other applications such as testing... more»
The most valuable feature for me is the Jenkins Plugin. We usually take a copy of the normal build job for Checkmarx so that: * we have all of the source code we need for the build, normal and generated source code; * we need only one... more»
It is very easy to insert the tool in the SDLC because there are a wide variety of ways to access the source-code, initiate scans, and review the results. The projects need not care about getting a tool, accessing the tool, and it is cheaper... more»
I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time). Updating and debugging of queries is not very convenient.
This past June, just half-way into 2017, over 790 U.S. data breaches had already been reported, according to the Identity Theft Resource Center (ITRC). This was a half-year record high and a 29% jump from the same time period in 2016.
63% of those breaches were caused by cyber attacks.
What do users say about their application security tools?
What do Users Look for when Choosing their Application Security Tools?
Which application security tools do IT professionals such as QA engineers and software developers choose to protect their applications from external... more»
HPE Fortify on Demand, Checkmarx, Veracode, IBM Security AppScan, QualysGuard Web Application Scanning
What are the best application security testing tools?
IT Central Station’s crowdsourced platform helps technology professionals make informed decisions, by providing user reviews without... more»
Information Security Advisor, CISO & CIO, Docutek Services
About my business:
Docutek is a leading business and technology consulting company specializing in the development and implementation of healthcare technology since 2008. We deliver Consulting, Integration, Support and Training. We also provide clients with security assessment, network... more>>
Accomplished SAP Security Senior Manager with extensive experience in security design solutions in global FDA validated systems. Known for delivering complex projects on time and under budget in diverse industries, including bio pharma, oil and gas, manufacturing and information technology. ... more>>