Application Security Testing (AST) Features

Read what people say are the most valuable features of the solutions they use.
Kyle Engibous says in a Veracode review
Systems Architect at a tech vendor with 201-500 employees
The most important one is the static scanning analysis, and the reason is that it can tell us about vulnerabilities in that code, right before we go ahead and push something to production or provide something to a client. We pair that with dynamic scanning, which actually hits our Web applications, to try to detect any well-known Web application vulnerabilities as well. It's really just a way for us to stay ahead of it and provide some assurances and security with the software that we deliver. Also, Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion. So the API is a huge thing that we use from Veracode, in addition to those two types of scans. In terms of integrating Veracode into our existing software development life cycle, we heavily use JIRA today for bug tracking issues, time management, and the like, for our development team. When those scans kick off, Veracode integrates back into our JIRA and actually opens tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened and closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products. That's really what we use in measuring there, the integration back to JIRA on issues found.
Application Security Specialist at a tech services company with 5,001-10,000 employees
The most important feature of the product is that it keeps up with today's technology quickly, with updated rules and algorithms (of the product). It also allows for more efficient and custom integration by allowing customized enhancements through the API support offered through the SSC portal.
Don Robbins says in a Checkmarx review
Software Configuration Manager at a tech vendor with 501-1,000 employees
I'm more of the admin as opposed to a user of Checkmarx. Overall, the ability to find vulnerabilities in the code is better than the tool that we were using before.
Ravi says in a Klocwork review
Software Solutions Engineer at a tech services company with 11-50 employees
First is the on-the-fly analysis, as it reduces the time for developing code. Another great thing is the reports section, which is very easy to understand.
Directord98b says in a Veracode review
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
* The static scanning of the software is very important to us.
* The ability to set policy profiles that are specific to us.
* The software composition analysis, to give us reports on known vulnerabilities from our third-party components.
Assistan84a9 says in a Veracode review
Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
* Code analysis tool to help identify code issues before they are entered into production.
* Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production.
* Developer Sandboxes help move scanning earlier within the SDLC.
* The platform itself has a lot of AppSec best practices information, especially in the mitigation recommendation process. They have also offered cybersecurity e-learning for our team.
OpsRiskL10dc says in a WebInspect review
Ops Risk Lead at a tech services company with 10,001+ employees
The Guided Scan option allows us to easily scan and share reports.
SeniorIneab1 says in a Veracode review
Senior Information Security Program Manager at a financial services firm with 10,001+ employees
* The ability on static scans to do sandbox scans which do not generate metrics.
* Gives us every vulnerability that has been identified, so there is no human intervention. Therefore, we can actually look and prioritize our own vulnerabilities as opposed to having someone else try to get in between.
Sivanesh Waran says in a Klocwork review
Sr. Software Solution Engineer at Meteonic Innovation Pvt Ltd at a tech services company with 11-50 employees
The pre-checkin code review, industry standard checks, continuous integration (CI) and customized checkers are the most valuable features.
Vijayanathan Naganathan says in an OWASP Zap review
Director - Head of Delivery Services at a tech vendor with 11-50 employees
The OWASP tool is free of cost, which gives it a great advantage, especially for smaller companies, to make use of the tool and at the same time give a comprehensive report with great confidence to the client to help them in their go-live decision. In terms of technical supremacy, I would put PortSwigger's Burp Suite ahead in terms of the ease with which I can retry the request with different combinations or conduct different attacks.
Head of Compliance & Quality / CISO at a tech services company with 51-200 employees
The static code analyzers are the most valuable features of this solution.
Princip677 says in a Veracode review
Managing Principal Consultant at a tech vendor with 11-50 employees
The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.
Andrei Sandulescu says in a PortSwigger Burp review
IT Auditor & Compliance Officer at a tech vendor with 51-200 employees
The most valuable feature of this solution is the scanning functionality. Some of the extensions, available using Burp Extender, are also very good and we have found issues by using them. Burp Intruder is another very good feature in this solution.
Girish Kikkeri says in a Rapid7 AppSpider review
Cyber Security Consultant at Relevance Lab
Rapid7 AppSpider is good at managing different applications. It uses applets and generates reports to cover the PCA/GDPR compliance requirements.
Sarath Kumar Choday says in a Codenomicon Defensics review
Senior Technical Lead at HCL Technologies
The product is related to US usage with TLS contact fees, how more data center connections will help lower networking costs.
WanArchSD455 says in an Ixia BreakingPoint review
SDWAN Architect at an aerospace/defense firm with 10,001+ employees
The most valuable feature is Layer 7 traffic generation such as Facebook, Netflix, WhatsApp...
Ivan Biagi says in a PortSwigger Burp review
Security Specialist with 201-500 employees
The best feature that I've found is the built-in manual tools.
Sebastian Toma says in a Veracode review
Engineering Security Manager at Nextiva
With Veracode, it's not about features for us. It is about the pricing model that they offer. To be honest, with their vulnerability database, the total amount of false positives that we're getting is very low. That's the main reason we use Veracode over anybody else. New Veracode features could include a very big database of actual vulnerabilities to be better than other products.
CyberSecAn08987 says in a Checkmarx review
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees
There are many good features like site integration, but the most valuable feature for us is the XL scan of source code.
Milind Dharmadhikari says in a Checkmarx review
Practice Head - IT Risk & Security Management Services at Suma Soft Private Limited
There are many features, but first is the fact that it is easy to use, and not complicated. One of the cool features is that it identifies the development technology that we are using on its own; whether it is Java or .NET or otherwise, it identifies it by itself. The most important aspect is that it shows us exactly on which particular line the vulnerability is. The user interface is very intuitive and it offers help on the fly.
Rishi Kant says in a PortSwigger Burp review
Senior Security Engineer at an insurance company with 10,001+ employees
There are several features that I like about this solution. The most valuable feature is that it has support for add-ons where we can add extra little scripts to the tool to perform more automated testing. I like using the Repeater feature to perform proxy testing, and the Repeaters have dashboards now. The add-ons are compatible with the dashboards, as well.
Cinfooffice09987 says in a Micro Focus Fortify on Demand review
CISO at a retailer with 1,001-5,000 employees
The product, in general, is meant to scan the website and identify any vulnerabilities: a known vulnerability across that script and SQL injection or other vulnerabilities from the OWASP Top 10, etc. That is what we're using this for. The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources on why this is an issue and what's the correct way to deal with it.
Shaikh Jamal Uddin says in an IBM Security AppScan review
Information Security Lead Consultant at Secure Coat
The most valuable feature is that it achieves a very low false-positive detection rate.
EduardoBeltran says in a Checkmarx review
Director and Co-Founder at Ushiro-tec
The most valuable features of Checkmarx are the Best Fix Location and the Payments option, because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time.
Senior Security Engineer at an insurance company
The ability to be on the website and test for different vulnerabilities. We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then, they can correlate and see exactly what they need to fix, and why. I can have a scan set up within five to ten minutes by double-checking that the login script works, so it doesn't take long at all. We have found a few cross-site scripting vulnerabilities.