Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.
Application Security Analysis Reviews
Showing reviews of the top ranking products in Application Security, containing the term Analysis
We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.
The source composition analysis component is great because it gives our developers some comfort in using new libraries.
The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up. We've had very few issues that we have actually had to contact Veracode about.
It does give some guidance, up to a point, for fixing vulnerabilities. It does a pretty good job of that. We went from a bunch of errors to a handful that I needed help with, and that was mostly because they provided some good information for us to look at. If I had been using this product a long time ago, I would have been able to anticipate a lot of things that Veracode discovered. The product I'm working on is about 12 years old and this was the first time we ran scans on it using Veracode. It identified quite a few issues. If you're starting a new project, it would be a good place to start. Once you get used to what people like penetration testers are looking for, this is a good tool to prevent having a pen test come back bad.
The Static Analysis Pipeline Scan is very good. It found everything that we needed to fix.
reviewer1436241 says in a Veracode review
DevSecOps Consultant at a comms service provider with 10,001+ employees
There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic.
We are using the Veracode APIs to build the Splunk dashboards, which is something very nice, as we are able to showcase the application security hygiene to our stakeholders and leadership.
We have been using Veracode Greenlight for the IDE scanning.
Veracode has good documentation, integrations, and tools, so it has been a very good solution.
Veracode is pretty good about providing recommendations, remedies, and guidelines on issues that are occurring.
It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.
We have been using the solution’s Static Analysis Pipeline Scan, which is excellent. When we started, it took more time because we were doing asynchronous scans. However, in the last six months, Veracode has come with the Pipeline Scan, which supports synchronous scans. It has been helping us out a lot. Now, we don't worry when the pentesting report comes in. By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC.
The speed of the Pipeline Scan is very nice. It takes less than 10 minutes. This is very good, because our policy scans used to take hours.
Veracode is good in terms of giving feedback.
reviewer1448070 says in a Veracode review
Security Architect at a financial services firm with 1,001-5,000 employees
We use it to scan our web applications before we publish them to see if there are any security vulnerabilities. We use it for static analysis and dynamic analysis.
The use case is that we have quite a few projects on GitHub. As we are a consulting company, some of these projects are open source and others are enterprise and private. We do security investigating for these projects. We scan the repository for both the static analysis—to find things that might be dangerous—and we use the Software Composition Analysis as well. We get notifications when we are using some open source library that has a known vulnerability and we have to upgrade it. We can plan accordingly.
We are using the software as a service.
reviewer1450191 says in a Veracode review
IT Cybersecurity Analyst at a educational organization with 11-50 employees
One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable.
We like their Dynamic Analysis as well. They changed the engine of the Dynamic Analysis and it does a better job. It scans better.
We use the solution’s Static Analysis Pipeline Scan. It's really good for assessing security flaws in the pipeline. Sometimes my developers have a hard time understanding the results, but those are only certain, known developers in my organization. I typically direct them to support, especially if I cannot answer the question, because I have full confidence in that process.
The speed of the static scan is good. Our bread and butter application, which is our largest application, is bulky, and it's taking four hours. That's our baseline to compare the Static Analysis Pipeline and its efficiency. If that's only taking four hours, I have no doubt about our other applications and the solution's static analysis efficiency.
The solution’s policy reporting for ensuring compliance with industry standards and regulations is really good as well. We're a state agency and we always look to be NIST compliant. We're always looking at the OWASP and CWE-IDs, and Veracode does a really good job there. I've used it often in trying to get my point across to the developers, telling them how bad a vulnerability might be or how vulnerable the application is, based on a vulnerability we may be finding.
reviewer1450479 says in a Veracode review
Principal for the Application Security Program and Access Control at a engineering company with 10,001+ employees
reviewer1451970 says in a Veracode review
R&D Director at a computer software company with 201-500 employees
We focus on these two use cases:
- Our first use case is for Static Analysis (SAST). The purpose of it is to scan our code for any vulnerabilities and security breaches. Then, we get some other reports from the tool, pointing us to the problematic line of code, showing us what is the vulnerability, and giving us suggestions on how to fix or mitigate them.
- The second use case is for the Software Composition Analysis (SCA) tool, which is scanning our open sources and third-party libraries that we consumed. They scan and check on the internal database (or whatever depository tool it is using), then they return back a report saying our open sources, the versions, and what are the exposures of using those versions. For any vulnerability, it suggests the minimum upgrades to do in order to move to another more secure version.
reviewer1451973 says in a Veracode review
Head Of Information Security at a media company with 51-200 employees
We use Veracode for static analysis of source code as well as some dynamic analysis.
We use Veracode primarily for three purposes:
- Static Analysis, which is integrated into our CI/CD pipeline, using APIs.
- Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
- Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.
We work a lot with open sources. Using the Static Analysis, the Dynamic Analysis, and the scan module, we can control everything we do via Veracode. Moreover, because all our applications are security applications, keeping a high security standard is really important.
The visibility into application status across all testing types in a single dashboard is helpful because, even if you are running different types of scans, you have everything in one place. You have a unique dashboard to control all the applications, and that is good.
Overall, we've never had any problem with vulnerable code going into production. It's quite a solid tool. We have a really good feeling with this solution.
Veracode has both static application security testing as well as dynamic application security testing, also called Dynamic Analysis. Our primary use case was on the static analysis side, not on the dynamic, because we have an automated tool in the dynamic analysis scope. So our primary use was static analysis security testing.
reviewer1465254 says in a Veracode review
Software Engineer at a tech services company with 1,001-5,000 employees
We use the Static Analysis, Dynamic Analysis, and SCA, the software composition analysis.
reviewer1596348 says in a Veracode review
IT security architect at a consumer goods company with 10,001+ employees
We are using this solution for static analysis.
Qualys Web Application Scanning: Analysis
reviewer1228896 says in a Qualys Web Application Scanning review
Security Analyst at a tech services company with 10,001+ employees
The most valuable features are scanning analysis and reporting.
This solution also provides real-time monitoring.
The interface is user-friendly and easy to understand.
I would recommend Qualys if the budget is not a problem. There may be other open-source solutions that could be used to perform a similar analysis.
On a scale from one to ten (where one is the worst and ten is the best), I would rate this solution as an eight-out-of-ten.
Acunetix by Invicti: Analysis
reviewer1218672 says in an Acunetix by Invicti review
IT Manager at a financial services firm with 1,001-5,000 employees
For static analysis, we previously used different tools.
We carried out an evaluation comparing different tools, and Acunetix was the one that most of us liked.
PortSwigger Burp Suite Professional: Analysis
I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis. You are able to do many different types of scans, such as SQL injection. There are a lot of deep packages analyzing functions that make this solution have more usability.
Micro Focus Fortify on Demand: Analysis
Prakash-Rao says in a Micro Focus Fortify on Demand review
Vice President - Solution Architecture at a financial services firm with 10,001+ employees
Fortify on Demand is easy to use and the reporting is good.
As for the static code analysis functionality, it is doing the job that it is supposed to do.
reviewer1263261 says in a Micro Focus Fortify on Demand review
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees
We also use WebInspect, SonarQube, and other security tools in addition to this solution. The use of particular tools depends on the project and the project manager that I speak with.
Prior to working with Fortify on Demand, we worked using the code analysis capability in Microsoft Visual Studio. That is where you have things like the recommended best practices for .NET. It flags what lools like bugs.
reviewer1210665 says in a Micro Focus Fortify on Demand review
Production Manager for Nearshore SWaT at a computer software company with 10,001+ employees
The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools.
reviewer1345719 says in a Micro Focus Fortify on Demand review
Project Analyst at a financial services firm with 1,001-5,000 employees
We use it for statistical analysis for Java applications that are used in the collection process of a bank. It is also used for an internal web page. The tellers use this web page in the branches to make money transactions, such as withdrawals, deposits, etc.
We use it for normal, daily source code reviews and code analysis.
The most valuable features are the server, scanning, and it has helped identify issues with the security analysis.
reviewer1529571 says in a Micro Focus Fortify on Demand review
Acquisitions Leader at a healthcare company with 10,001+ employees
It does scanning for all virtual machines and other things, but it doesn't do the scanning for containers. It currently lacks the ability to do the scanning on containers. We're asking their product management team to expand this capability to containers.
It doesn't do software composition analysis. We've asked their product management team to look into that as well.
We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access.
We are using it for static security scanning and static security testing. We also use it for code dependency analysis. We use two of the solution's tools for each variable.
The primary use case is for a white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level.
We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have.
The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.
When I had an issue that was causing trouble in my code, I would upload it to Checkmarx to perform static code analysis. I would then study the reports.
Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world.
Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.
We use Checkmarx for static analysis as part of our software development lifecycle. It is very important because it helps us identify the security flaws in the code at a very early stage. Ultimately, this helps in reducing costs.
reviewer1263726 says in a Checkmarx review
Sr. Application Security Manager at a tech services company with 201-500 employees
I am in charge of application security and Checkmarx is one of the products that I use in this capacity. We use this product for code scanning and static code analysis.
We primarily use the solution for static analysis.
reviewer1479747 says in a Checkmarx review
Senior Manager at a manufacturing company with 10,001+ employees
The initial setup was easy. Our project was quite big, and it took a bit longer. It took almost six hours. We could not do it as CI/CD pipeline because the pipeline expects a response in a short span of time, which was a challenge for us. We are now doing the Checkmarx review manually. We first run the code analysis, and, after the code analysis is over, we go for the pipeline. This is an overhead for us.
It would be helpful if they can improve the speed of the analysis rate. We also need to find out from our side if there is a way to increase the wait time of the CI/CD pipeline and modify the timeout limit. It would then take 30 minutes to one hour rather than five or six hours. We should be able to adjust the timeout time, change the CI/CD settings, and go ahead with the integrated process. Currently, we cannot have an integrated system, and we also have to move from one script to the next script manually.
I have also used Veracode and when comparing the two, I find that Veracode is better at finding security-related issues during the static code analysis. At the same time, during my PoC with Veracode, they did not claim to be able to provide everything that SonarQube does.
By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities.
The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported.
Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.
Yash Brahmani says in a SonarQube review
Devops Engineer at a financial services firm with 10,001+ employees
We used Fortify, it is also another tool for static code analysis. The security team used to use that, but not in our team because ours was a newly assembled team for the work.
reviewer1390020 says in a SonarQube review
Engineer at a pharma/biotech company with 201-500 employees
The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences.
Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.
reviewer1357878 says in a SonarQube review
DevSecOps Lead at a tech services company with 11-50 employees
Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as the correct classes are private.
reviewer1411233 says in a SonarQube review
Security consultant at a tech services company with 1,001-5,000 employees
We are a security organization, and we deploy security solutions and applications related to network for our clients. We mostly focus on open source products because clients don't like to have proprietary products because of the available budget for their different projects. We try to find the possible solution, and then we deploy the solution for them. Deployments are done on the AWS cloud as well as on-premises.
I came to know that there is a SonarQube solution that is used for clean and secure coding purposes and bug fixes in a large DevOps team. That's why I have deployed SonarQube. Currently, I'm testing SonarQube to demonstrate to my higher department what this tool can do. We are testing this solution for one of our clients, who may use it for two or three use cases during static code analysis and the software development life cycle.
I am a user of SonarQube and I am responsible for the information security.
I'm the principle of security in the office. I advise others of enhancing and incorporating security aspects into the IP.
We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing, now we will need behavior discipline of security, and then we can upgrade the license. We have passed the ISO certificate and encourage the use of tools for peer reviews for the developers.
It is better to have a technical review before deployment to production. Developers must review before going into production.
It's a great tool but you have to have a good project plan before being introduced to the tools. For us, it is unfortunate that SonarQube was introduced at the end of the project phase, and the team is still having to learn it.
Before introducing any application tools, know the visibility of the project.
I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality. We had reached out to sales support and asked for the enterprise license as a trial but unfortunately, we had to halt the program.
It's also a part of corporate policy to know everything before it is published into the CI pipeline.
There are other alternatives that provide end-to-end analysis from the static, dynamic, interactive, and SaaS.
I would recommend SonarQube to be on your initial plan for perfect quality.
I would rate SonarQube an eight out of ten.
When it comes to security, this solution is pretty great.
The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes.
The solution is quite stable.
You can scale the solution if you need to.
reviewer1422195 says in a SonarQube review
Director IT Security, CISO at a transportation company with 10,001+ employees
I have used SonarQube for static code analysis. I am using it to assess my internal applications.
I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.
On a scale of one to ten, I would give SonarQube an eight. To give it a 10 and not an eight, I would like to see architecture development and the QA area improved.
Kien-Nguyen says in a SonarQube review
Web Developer at a tech services company with 51-200 employees
We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there.
Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.
I would recommend this solution to others. It easily outperforms other static code tools — It's perfect as a static code analysis tool.
Overall, on a scale from one to ten, I would give SonarQube a rating of eight.
reviewer1503354 says in a SonarQube review
Senior Software Engineering Manager at a computer software company with 10,001+ employees
It is a very good tool for analysis and security vulnerability checking.
We use it for the static analysis of the source code to find issues or vulnerabilities.
reviewer1537167 says in a SonarQube review
Digital Solutions Architect at a tech services company with 1,001-5,000 employees
We are a $4 billion valuation large company and we use the solution for status security, scanning, and code quality. I am currently in the process of building a pipeline for one of my customers and for that we are utilizing this solution for the static analysis.
reviewer1565832 says in a SonarQube review
DevOps Lead at a marketing services firm with 1,001-5,000 employees
We generally use the solution in order to do static code analysis.
reviewer1593939 says in a SonarQube review
Systems Analyst at a manufacturing company with 5,001-10,000 employees
We use the solution to do quality code analysis for keeping track of security hotspots. We also use it to avoid the delivery of problems as the result of new code from our partners who may be developing software for systems, making improvements and carrying out bug corrections. These are the features of SonarQube of which I am aware.
reviewer1580592 says in a SonarQube review
Technical Architect at a insurance company with 1,001-5,000 employees
In Community Edition, I don't think that we have enough scalability options because it runs only on one instance, plus it runs only one scan at a time. It doesn't even provide a settings capability where multiple scans are running simultaneously. That's why we want to move to the Enterprise Edition because it gives you a possibility of parallel analysis of reports, and that could speed up things.
reviewer1192836 says in a SonarQube review
Director of consultory at a non-tech company with 1,001-5,000 employees
The most valuable features are the analysis and detection of issues within the application code.
Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow.
I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.
SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality and this tool helped.
The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily.
I rate SonarQube a seven out of ten.
I'm a product architect and belong to a classic management system team. We're a Klocwork customer. We have around 50-60 developers in the team and I'm involved in the utilization of the tool and I am familiar with its capability. We've just started using the latest version which is the first one that's compatible with .NET framework 4.7.2. The previous version was not fully compatible with Visual Studio 2017.
In our case, the use is for static code analysis for each baseline in order to see what kind of violation we have.
Parallel to that, we use the results and apply some refactoring in order to solve this violation. For us, the violation is considered the highest priority according to our risk assessment model.
The initial setup was very straightforward. It's a cloud solution so after you sign the contract you have the solution. You just need to create the users, do the tutorials, it's simple. There's no deployment because it's a cloud service, you might just need to download a local analyzer. We have an external consultant who performed the dynamic analysis of our code.
From the tool itself, the developer can run an analysis with the same quality. With this tool, every developer has the opportunity to do an unlimited analysis.
The solution can scale well.
The solution offers very good technical support.
It's quite a stable product.
We did not use another solution before Coverty, although in my previous company, I used Veracode.
We also use SonarQube for code analysis.
Compared to SonarQube, Coverity finds more vulnerabilities. SonarQube is stronger on core quality, such as duplicate lines of code, but the security issues are found by Coverity.
SonarQube is available as a plugin for development environments such as Eclipse, which allows us to find vulnerabilities proactively.
SonarQube was easier to deploy and I did not require assistance from the vendor for installation or configuration.
reviewer1419987 says in a Coverity review
Senior Technical Specialist at a tech services company with 201-500 employees
We have a development team and we are using this product for static code analysis.
reviewer1428837 says in a Coverity review
Security Consultant at a tech services company with 11-50 employees
I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that.
I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom roles?
We also want to know things like what the professional are services like, and do people typically need many hours of professional services to get the system spun up. Other factors include whether it deployed on-premises or in the cloud, and also, which of those environments it can operate with.
One of the things is there's not really a shining star out of all of these tools. SaaS tools have been getting more mature in the past decade, particularly in how fast they run, but also in the results they get. Of course, framework and language additions that increase the capability with results are considered.
reviewer1649727 says in a Coverity review
Sr. QA Engineer at a computer software company with 1-10 employees
We use Coverity for static analysis of our code.
Varun V says in a Coverity review
Senior Solutions Architect at a computer software company with 11-50 employees
To automate detection, we use Coverity's static analysis, which has a low false-positive ratio. That's because Coverity's analysis engine includes 20-plus patented technologies. A lot of other static analysis tools use pattern-based analysis, but Coverity's is flow based. That's why we ended up using it. Coverity is helping us identify some of the critical defects at the early stages of the development life cycle. So overall, it is giving us a greater ROI and making our application more mature and robust.
Fortify Application Defender: Analysis
Durgesh Pathak says in a Fortify Application Defender review
DevOps Engineer at a energy/utilities company with 10,001+ employees
We use this solution for inspecting our security, such as checking to see if our developers are securing their code properly. For example, we have to ensure that they are not inadvertently exposing any IP addresses or passwords. We have to be cautious because most of our applications are related to banking and the financial domain.
Fortify Application Defender accomplishes this by performing source code analysis, and it scans using agents. The source code check involves static code analysis to see if things like passwords are exposed.
For us, the most valuable tool was open-source licensing analysis. Although we don't use it on a weekly basis, when we needed to produce a reliable analysis of our open-source licensing exposure, we found it very very effective. Considering the alternatives, which were to analyse manually, WhiteSource saved us a ton of work that we really needed to complete in a short time. It would have involved finding all the different packages, be them in package.json files or analyse the docker images, and then find their effective license, which in itself is not a simple task.
The most valuable features for us are:
- Fix suggestions. Our dev team uses the fix suggestions feature to quickly find the best path for remediation. Before that you would have to research online for fixes, and most of the time it’s not that straightforward.
- Trace analysis. Trace analysis enables our team to get the fix, including a clear path to the vulnerable method. This saves quite some time.
- Open-source inventory reports. These reports are easy to manage and provide a clear view of our open-source assets. There’s also an option to create policies around that.
reviewer1444512 says in a WhiteSource review
Sr. Director, Cloud Operations at a computer software company with 1,001-5,000 employees
It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools.
Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process.
HCL AppScan: Analysis
Sonatype Nexus Firewall: Analysis
reviewer1534461 says in a Sonatype Nexus Firewall review
Senior Cyber Security Architect and Engineer at a computer software company with 10,001+ employees
We have visibility into what developers are downloading now. We had an incident recently where a few of the packages from PyPI were vulnerable, and we knew. Another example is that we were working on an open source project, enterprise-wide, and we wanted to do a PoC. When the company doing the PoC started downloading the packages, even they didn't know that those packages were vulnerable. Sonatype detected that.
Nexus Firewall has also significantly improved the time it takes us to release secure apps to market. Before, we needed to manually do a security evaluation for the static and dynamic code. While Sonatype does not do static analysis, it's been fine for dynamic. We don't have the headache of worrying about what our developers are downloading. Sonatype is taking care of all that. We have a very closed environment; nothing is allowed. Everything is "deny, deny." It used to be that for a user to request a package from PyPI, for example, they would need to submit a firewall request and to go through a CRV meeting. People would need to review it and approve it or reject it. Once that was done, we would need to whitelist that URL into the proxy. To download simple packages it would take users two weeks. Now, they can do it instantly.
It has helped developer productivity because they can do things right away now. For the majority of the code they're downloading, the URLs are already whitelisted through Sonatype. Our development has been pretty fast, as a result. Overall, the executives have been happy, because now we have something that is evaluating the open source code.
Sonatype Nexus Lifecycle: Analysis
We haven't looked at its scalability at this point. We do have plans to use it more in the future, enforcing the results of the analysis to fail builds and force the developers to fix the issues in there before moving on.
reviewer1342230 says in a Sonatype Nexus Lifecycle review
Application Development Manager at a financial services firm with 501-1,000 employees
We rely on the default policies because we are new to the system. We haven't adjusted any policies and are sticking with whatever policies were shipped to us. We are mostly focused on policies 9 and 10 for the highest threat levels. These are the ones which we are focusing right now. We don't want to make any modifications or adjustments in terms of 9 or 10. Mostly, it will be the security officer's decision if we need to update the policies. I'm the manager of the development team and my developers usually will not make any changes in terms of policies.
It provides a very detailed analysis of our library. Then, when some of the scans identify a licensing issue, we look at them and know if we have the license. It sort of scans everything. Without this tool, I don't think that there's even a capability to go through all these libraries, because some of the libraries were introduced by contractors and a developer who no longer works here anymore. When Nexus comes in with its scans, it reports on licensing or other vulnerabilities. This is easier to do instead of asking around.
reviewer1258746 says in a Snyk review
Engineering Manager at a comms service provider with 51-200 employees
The product could be improved by including other types of security scanning (e.g. SAST or DAST), which is important. It would also help to include the static analysis specifically to the open-source scanning so we could get an idea of whether a particular library is vulnerable and recognise if we're actually using the vulnerable part of it or not, they do have runtime analysis, but it is a hassle to set up.
It would be the same issue in terms of the inclusion of additional features. I think static analysis is really important. A second additional feature would be to add tags to projects, identifying an important project or assigning a project to a particular team. Custom tags would be helpful.
reviewer1354494 says in a Snyk review
Manager, Information Security Architecture at a consultancy with 5,001-10,000 employees
It is a source composition analysis tool that we use to perform vulnerability scanning for those vulnerabilities within open source libraries.
This is a SaaS solution.
If they were able to have some kind of SAS static code analysis that integrates with their vulnerability dependency alerting. I think that would work really well. Because a lot of times, only if you have this configuration or if you are using these functions, your code will be vulnerable. The alerts do require some investigation and Snyk could improve the accuracy of their alerting if they were to integrate with the SAS static code analysis.
I would like to give further ability to grouping code repositories, in such a way that you could group them by the teams that own them, then produce alerting to those teams. The way that we are seeing it right now, the alerting only goes to a couple of places. I wish we could configure the code to go to different places.
There are other tools that can perform some of the functions Snyk does. We did some analysis of competitors, including Black Duck Synopsys and Veracode, but Snyk was clearly the most hungry and keen to assist, as a business. There were a lot of incumbent competitors who didn't really want our business. It felt like Snyk clearly did want to do the right thing and are continuing to improve and mature their product really fast, which is brilliant.
Snyk, was at a good price, has very comprehensive coverage, and as a company they were much easier to engage with. It felt like some of the other competitors were very "big boys." With Snyk we had the software working before we'd even talked to a sales guy, whereas with other solutions, we weren't even allowed to see the software running in a video call or a screen-sharing session until we'd had the sales call. It was completely ridiculous.
We use it to do software composition analysis. It analyzes the third-party libraries that we bring into our own code. It keeps up if there is a vulnerability in something that we've incorporated, then tells us if that has happened. We can then track that and take appropriate action, like updating that library or putting a patch in place to mitigate it.
They have also added some additional products that we use: One of which is container security. That product is one that analyzes our microservices containers and provides them with a security assessment, so we are essentially following best practices.
I have been using this solution for one and a half years, and I definitely like it. It is awesome in whatever it does right now.
It is a really nice tool if you really want to do the dependency check and security scanning of your code, which falls under static code analysis. You can implement it and go for it for static code analysis, but when it comes to dynamic, interactive, and run-time scanning, you should look for other tools available in the market. These are the only things that are missing in this solution. If it had these features, we would have gone with it because we have already been using it for one and a half years. Now, the time has come where we are looking for new features, but they are not there.
Considering the huge database they have, all the binaries it scans, and other features, I would rate Snyk an eight out of 10.
CAST Highlight: Analysis
Its price should be better. It is a pretty costly tool.
They have two products: CAST Highlight and CAST AIP. Both are licensed separately. As per CAST, Highlight is for RAPID prototyping and AIP is for in depth detailed analysis. But then there are areas which Highlights covers (Cloud Adoption) which AIP does not. Our experience in using AIP is that it also does not look at entire tech stack and does not provide the list of all technologies present in your application and then flag what is supported and what is not so that customer has clear view. Highlight probably does that. They need to simplify it for customers. I would expect CAST Highlight to have lighter version of the Health dashboard and the Engineering dashboards . These dashboards are currently a part of CAST AIP, and if these are made available in CAST Highlight, customers won't have to use two different products all the time.
Contrast Security Assess: Analysis
Before choosing Contrast Assess, we looked at Veracode and Checkmarx.
Contrast does things continuously so it's more of an IAST. Checkmarx didn't. Using it, you would have to upload a .war file and then it would do analysis. You would then go back to the portal and see the vulnerabilities there.
It was the same with Veracode. When you take a SAST piece or a DAST piece, you have to have some specific timing in some workflows and then you upload all of the stuff to their portal and wait for results. The results would only come after three days or after five days, depending on how long it takes to scan that specific workflow.
The way the scanning is done is fundamentally different in Contrast compared to how the solutions do it. You just install Contrast on the app server and voilà. Within five minutes you might see some vulnerabilities when you use that application workflow.
reviewer1380801 says in a Contrast Security Assess review
Product Security Engineer at a tech services company with 10,001+ employees
The tool has good, strong findings. We have other static analysis tools, but Contrast has found high-priority issues which other tools have not found. The capability of the tool to scan and throw errors that other tools don't catch is important.
No other tool does the runtime scanning like Contrast does. Other static analysis tools do static scanning, but Contrast is runtime analysis, when the routes are exercised. That's when the scan happens. This is a tool that has a very unique capability compared to other tools. That's what I like most about Contrast, that it's runtime.
There is also a feature in the tool where you can actually specify that this or that is not a problem and mark it as false positive, and it doesn't show up again on your dashboard. It's pretty easy. You can filter out your false positives and be good to go. We have seen a reduction in the number of false positives because, once you mark something as a false positive, that particular one doesn't show up.
reviewer1383270 says in a Contrast Security Assess review
Manager at a consultancy with 10,001+ employees
The most valuable feature is the continuous monitoring aspect: the fact that we don't have to wait for scans to complete for the tool to identify vulnerabilities. They're automatically identified through developers' business-as-usual processes.
The automation of the actual vulnerability identification is great. I would give it a very high rating, given that it requires little of the security team or developers to understand and start reviewing the results that are identified.
The false positive rate is another good feature. It has a very low false positive rate. That means my team, the security team, has to spend less time looking at results and findings, compared to historical, static and dynamic scans where the false positive rate is much higher. From a percentage perspective, somewhere around 90 percent of the time we used to spend has been given back to our team, because the false positive rate with Contrast is less than 5 percent.
In terms of the accuracy of vulnerability identification, so far we've had tens of thousands of issues identified in applications that have historically been scanned by dynamic and static scanning. So far, the large majority of those findings have been true positive. I may have seen just a handful, five or 10, false positives so far, in the scope of tens of thousands. That's a very low rate.
We also use the solution's OSS feature through which we can look at third-party open source software libraries. It is a great tool. We've never had a solution for software composition analysis. It has affected our software development greatly. Since we've never really had a solution for doing software composition, nor have we required fixes for vulnerable third-party libraries, this has changed the way that developers are looking at usage of third-party libraries, upfront. It's changing our model of development and our culture of development to ensure that there is more thought being put into the usage of third-party libraries.
The solution is definitely helping developers incorporate security elements while they are writing code. Since we're able to install Assess in Development and QA and all the pre-production environments, developers can start making use of the tool as soon as they have a deployed version of their products. As they code new features and test those out in their development environment, Contrast is already going to be automatically identifying things at that point. We are identifying issues much earlier in the software development life cycle, which makes it much less costly for developers to fix those findings.
We're saving time and money by fixing software bugs earlier in the software development life cycle. We're saving time on the developers' side, as well as on the security auditors' side.
reviewer1494855 says in a Contrast Security Assess review
Senior Customer Success Manager at a tech company with 201-500 employees
Assess is valuable for several reasons, but time-saving factors are high on the list. Compared to a typical development environment with a SAST tool, Assess saves developer time and reduces the time-to-market. With Assess there is no waiting for a slow static scan to complete. Vulnerability findings are reported during testing and the reported findings are highly accurate, with very few false positives. Other SAST tools often emit a great number of false positives that must be investigated and resolved before the code can be released, consuming the time of developers and the security team chasing invalid vulnerability reports. Assess also provides clear and actionable guidance on how to fix each vulnerability, saving more time.
Assess integrates with a many common tools to generate notifications and tickets, such as JIRA tickets. The result is that application security vulnerabilities can be handled by developers as just another type of bug found during testing. Application security becomes part of the development process rather than a step that is done “after” development. The temptation to skip the security testing step to meet a release deadline is eliminated.
The combination of real-time analysis and accurate vulnerability reports can really accelerate time-to-market. One large customer was even able to eliminate the human signoff before release to production. This customer had a solid DevOps process with automated application testing, but still had the security testing and review process delaying releases. With Assess in their pipeline they were able to automate the release decision. Apps that passed functional tests and reported only vulnerabilities below a certain criticality threshold would be automatically released directly to production.
reviewer1605099 says in a Contrast Security Assess review
Director of Threat and Vulnerability Management at a consultancy with 10,001+ employees
The primary use case is application security testing, where we try to identify vulnerabilities within applications developed by our company.
Contrast a cloud-hosted solution. That's where most of the data and analysis takes place. It's also how most users interact with that data. Data is collected by agents that are deployed to servers within our environment. The agent component is internal to our organization, gathering data that is sent back to the cloud.
GitGuardian Internal Monitoring: Analysis
Danny says in a GitGuardian Internal Monitoring review
Chief Software Architect at a tech company with 501-1,000 employees
I would advise others to give it a try. It is easy enough to integrate with your process, and you'll see the value right away, with a couple of quick test scenarios. Once you see it in action, it sells itself.
If a colleague at another company said to me that secrets detection is not a priority, I would ask what is more of a priority, and then I would point to a quick Google search with a myriad of issues and data breaches that have happened from leaked secrets. That is pretty easy to find. If leaks are happening, and there is a reasonable plan, or even a free plan for a small number of users, to deal with them, I don't know how much more bang for your buck you can get. I would tell him to consider the small amount that GitGuardian costs and the value and ease of integration that it provides.
Secrets detection is extremely important to a security program for application development, especially on a team of people with various experience levels. Having something automated always improves things. Having that detection on top of any of your manual processes adds an extra layer of safety. Given the ease of integration, it is extremely important and extremely valuable to have that extra layer of protection to warn you if you do forget something.
So far, GitGuardian hasn't detected any true secrets in our code. They were only internal credentials, but it has certainly brought a much-needed discussion about those test credentials. Fortunately, we've been successful at not committing production secrets since we started using this solution.
The biggest lesson that I've learned from using this solution might not be so much from secret detections, per se. It is about the ease of integration and what going the extra mile actually does. It creates a positive experience, and it also helps in creating a lot of faith in the solution, overall. With the onboarding experience being handled very well, it gave me a lot of confidence that this was the right solution. That's a lesson for our own software. It is super important to have that ease of getting started. That can go a lot farther than you might think for the effort it requires in the overall project. I'm sure a lot more resources are spent on the analysis and the tool itself, but don't skimp on the onboarding.
I would rate GitGuardian a nine out of 10. The two areas for improvement are probably the only things that are keeping me from giving it a 10. The major one of those is probably going to be addressed pretty soon. Once we can do some of those custom identifiers or custom rules, it would be a 10.