Application Security Analysis Reviews

Showing reviews of the top ranking products in Application Security, containing the term Analysis
Veracode: Analysis
Sebastian Toma says in a Veracode review
Engineering Security Manager at Nextiva

Our primary use case of this solution is for static and dynamic analysis along with SourceClear for the third-party dependency (not IDM).

We were looking into actually moving towards IDM, but that's the extent of my knowledge. They are licensed as two separate products. They're part of the same platform, but they are licensed separately.

We have Veracode, Veracode Developer Training, Veracode Software Composition Analysis, and SourceClear. SourceClear and SDA are pretty much the same. They just support different languages. Veracode as a whole, the top option, is the one that includes everything.

Divakar Rai says in a Veracode review
Senior Solutions Architect at NessPRO Italy

When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process of doing so.

My advice for anybody interested in implementing this solution is to be really careful when choosing your tools. Be very proactive and up-front on the requirements of your systems, because no tool is perfect. You need to find the best fit for each particular use case. I would do a thorough analysis.

As a solution architect, I do small POCs and run initiatives on products to find out various aspects. For example, the technical feasibility of the product is an important aspect. Other important ones are usability, testing, and implementation. Normally, I select at least three products and do a comparative analysis based on the POC. After this, I recommend a particular solution.

I would recommend Veracode. There are plusses and minuses to this solution, but given the chance to use it again I would definitely do so. Every product has its own flaws, but for my use case, it did fit very well.

I would rate this solution an eight and a half out of ten.

SeshagiriSriram says in a Veracode review
Vice President of Technology at Cogniphi Technologies Pvt Ltd

I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode.

I would rate it an eight out of ten. Not a ten because of the reporting issues I mentioned that I would like to see improved.

reviewer1360623 says in a Veracode review
VP Engineering at a tech services company with 201-500 employees

Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.

reviewer1360617 says in a Veracode review
Sr. Security Architect at a financial services firm with 10,001+ employees

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

reviewer1359297 says in a Veracode review
Software Engineer at a financial services firm with 501-1,000 employees

The source composition analysis component is great because it gives our developers some comfort in using new libraries.

Christian Camerlengo says in a Veracode review
Senior Programmer/Analyst at a financial services firm with 10,001+ employees

The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up. We've had very few issues that we have actually had to contact Veracode about.

It does give some guidance, up to a point, for fixing vulnerabilities. It does a pretty good job of that. We went from a bunch of errors to a handful that I needed help with, and that was mostly because they provided some good information for us to look at. If I had been using this product a long time ago, I would have been able to anticipate a lot of things that Veracode discovered. The product I'm working on is about 12 years old and this was the first time we ran scans on it using Veracode. It identified quite a few issues. If you're starting a new project, it would be a good place to start. Once you get used to what people like penetration testers are looking for, this is a good tool to prevent having a pen test come back bad.

The Static Analysis Pipeline Scan is very good. It found everything that we needed to fix.

reviewer1436241 says in a Veracode review
DevSecOps Consultant at a comms service provider with 10,001+ employees

There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We have been using it out of the Jira plugin, and that is fantastic.

We are using the Veracode APIs to build the Splunk dashboards, which is something very nice, as we are able to showcase the application security hygiene to our stakeholders and leadership. 

We have been using Veracode Greenlight for the IDE scanning. 

Veracode has good documentation, integrations, and tools, so it has been a very good solution. 

Veracode is pretty good about providing recommendations, remedies, and guidelines on issues that are occurring.

It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.

We have been using the solution’s Static Analysis Pipeline Scan, which is excellent. When we started, it took more time because we were doing asynchronous scans. However, in the last six months, Veracode has come with the Pipeline Scan, which supports synchronous scans. It has been helping us out a lot. Now, we don't worry when the pentesting report comes in. By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC. 

The speed of the Pipeline Scan is very nice. It takes less than 10 minutes. This is very good, because our policy scans used to take hours.

Veracode is good in terms of giving feedback.

Qualys Web Application Scanning: Analysis
reviewer1228896 says in a Qualys Web Application Scanning review
Security Analyst at a tech services company with 10,001+ employees

The most valuable features are scanning analysis and reporting.

This solution also provides real-time monitoring.

The interface is user-friendly and easy to understand.

Data Specialist at CHUN SHIN LIMITED

I would recommend Qualys if the budget is not a problem. There may be other open-source solutions that could be used to perform a similar analysis.

On a scale from one to ten (where one is the worst and ten is the best), I would rate this solution as an eight out of ten.

Acunetix Vulnerability Scanner: Analysis
reviewer1155117 says in an Acunetix Vulnerability Scanner review
User

I am a freelance consultant and I use this product to scan customers' websites.

Most of the time, I use it to perform black-box analysis. The automated approach to these repetitive discovery attempts would take days to do manually and therefore it helps reduce the time needed to do an assessment.

reviewer1218672 says in an Acunetix Vulnerability Scanner review
IT Manager at a financial services firm with 1,001-5,000 employees

For static analysis, we previously used different tools. 

We carried out an evaluation comparing different tools, and Acunetix was the one that most of us liked. 

Micro Focus Fortify on Demand: Analysis
reviewer1050960 says in a Micro Focus Fortify on Demand review
CISO at a retailer with 1,001-5,000 employees

I don't remember if we evaluated anybody else. I think Fortify was recommended through a consultant. Some years ago, there were not so many vendors at a time playing in this arena. There's not so many today for static analysis, but I don't think that we really evaluated any others.

Head of Compliance & Quality / CISO at a tech services company with 51-200 employees

Our primary use case for this solution is static code analysis.

Vice President - Solution Architecture at a financial services firm with 10,001+ employees

Fortify on Demand is easy to use and the reporting is good.

As for the static code analysis functionality, it is doing the job that it is supposed to do. 

reviewer1263261 says in a Micro Focus Fortify on Demand review
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees

We also use WebInspect, SonarQube, and other security tools in addition to this solution. The use of particular tools depends on the project and the project manager that I speak with.

Prior to working with Fortify on Demand, we worked using the code analysis capability in Microsoft Visual Studio. That is where you have things like the recommended best practices for .NET. It flags what looks like bugs.

reviewer1210665 says in a Micro Focus Fortify on Demand review
Production Manager for Nearshore SWaT at a computer software company with 10,001+ employees

The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools.

Netsparker Web Application Security Scanner: Analysis
Founding Partner at da ros e associati srl

The program uses technology that is different from application scanners. It's not an incremental solution. It could be a new product, but I'm not that knowledgeable to know which products are part of a suite. Netsparker doesn't provide the source code of the static application security testing. I would love to see a completion of the offering with statistical analysis.

Every customer has its own nuance, so I don't think it's really an issue when it comes to the user interface. Every customer has something that they would like different because they're used to something different. In my opinion, there is not very much to mention besides changing as little as possible. Something that Microsoft often does is to change things with every release, and users don't like that.

I would also like to see the price being at least 20% cheaper because the market is currently very crowded and there are many vendors and clients. A lower price will get more sales.

Checkmarx: Analysis
Milind Dharmadhikari says in a Checkmarx review
Practice Head - IT Risk & Security Management Services at Suma Soft Private Limited

My team uses this product extensively for application vulnerability assessment. This solution is for static application security testing and is used within our software development process.

As the software developers are creating solutions, they are able to identify vulnerabilities while the application is being written, rather than after the entire development is over.  

We were interested in having the raw source code scanned, so that was the primary requirement and that is where Checkmarx comes in. We do not need any precompiled libraries, or compiled source code, to be checked by the source code analysis solution.

We have a security team that uses this product to scan source code, rather than have the developers handle it. We do not have any developer licenses (i.e. the SDLC Edition). Instead, the security team identifies the vulnerabilities and shares the report with the development team.

Deepak Kamra says in a Checkmarx review
Vice President at Arisglobal Software Pvt Ltd

We are using it for static security scanning and static security testing. We also use it for code dependency analysis. We use two of the solution's tools for each variable.

reviewer971370 says in a Checkmarx review
CEO at a tech services company with 11-50 employees

The primary use case is for white-box penetration testing security. When we work with source code, it's a tool to help us conduct a deep analysis on a source code level.

We push the zip file with source code to our own stent with the solution and receive a report. Also, we work with the interface to find the vulnerabilities we may have.

The most popular projects for us are the mobile application security assessment. We propose this option to our customers to check source code for iOS and Android mobile applications.

Samuel Baguma says in a Checkmarx review
Senior Security Engineer at a pharma/biotech company with 501-1,000 employees

When I had an issue that was causing trouble in my code, I would upload it to Checkmarx to perform static code analysis. I would then study the reports.

reviewer1295802 says in a Checkmarx review
Founder & Chairman at a tech services company with 11-50 employees

Checkmarx is going to announce the cloud version very soon. Every product has something innovative at the moment. Presently, we are extremely satisfied and that's why Checkmarx has been the leader for the last few years, consecutively. This is the third year they have been recognized in the static code analysis world.

Micro-services need to be included in the next release; however, as a developer, I can assure you that micro-service methodology is going to be improved in the next version. Presently, they support micro-services, but the supporting methodology of the micro-services is not good enough at the moment.

Tusnin Das says in a Checkmarx review
General Manager at a consultancy with 1,001-5,000 employees

We use Checkmarx for static analysis as part of our software development lifecycle. It is very important because it helps us identify the security flaws in the code at a very early stage. Ultimately, this helps in reducing costs.

reviewer1263726 says in a Checkmarx review
Sr. Application Security Manager at a tech services company with 201-500 employees

I am in charge of application security and Checkmarx is one of the products that I use in this capacity. We use this product for code scanning and static code analysis.

SonarQube: Analysis
Phil Denomme says in a SonarQube review
Manager at a wireless company with 11-50 employees

I haven't really done a comparative analysis yet.

We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side, nothing major.

Kubernetes is a container-based run-time that works with Docker in terms of container-based applications, so we're a microservice-based solution. Microservices are contained inside these containers which are managed by a run-time called Kubernetes. Kubernetes comes out of a Google enterprise. It's used by organizations like Netflix and apps to do continuous development deployment and use integration and development. It means that your container has this application lodging, around which all of the user authentication, run-time controls, and communications integration are handled by Kubernetes.

For instance, an application doesn't really see its DNS at all. It's completely abstract in a way. It is layers away from a virtual hardware. What it does is abstract that patient component into a nice package of business logic that is managed in a dynamic container, which takes care of all the run-time and communication issues that normally become a lot of the configuration overhead of an application.

Once you get your Kubernetes environment behind and organized, that forms a very efficient way to introduce these microservices in a dynamic way and to easily integrate and upgrade components rather than applications. You're much more granular in terms of your release capabilities and much more efficient in terms of how it's released and managed.

I would rate this around seven out of ten, because it has what we need, and it's easy to use.

AppSecAn0945 says in a SonarQube review
Application Security Analyst at an agriculture company with 501-1,000 employees

We are looking for how we can integrate several products. We are using static code analysis, we are looking into runtime code analysis, and of course, we have a web application firewall. The problem with all of these tools is that you need a lot of maintenance, and you have a lot of false positives. So, we have tried to find the best solution.

BvsReddy says in a SonarQube review
Company Director at Alwyn Technologies

My primary use for this solution is to perform static code analysis.

Jeff Ingalls says in a SonarQube review
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees

This solution is part of our pipeline. We use GitLab for source control and Jenkins for build management. Jenkins kicks off our SonarQube scans; we use Checkmarx for static code analysis, UrbanCode Deploy, and UrbanCode Release.

Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs.

ScalaCon4d53 says in a SonarQube review
Scala Contractor at a tech services company with 10,001+ employees

My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it.

In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it.

I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.

Kiran Gujju says in a SonarQube review
Cyber Security Architect (USDA) at a government with 10,001+ employees

Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time.

Anshuman Kishore says in a SonarQube review
Director Product Development at Mycom Osi

I have also used Veracode and when comparing the two, I find that Veracode is better at finding security-related issues during the static code analysis. At the same time, during my PoC with Veracode, they did not claim to be able to provide everything that SonarQube does. 

Donovan Greeff says in a SonarQube review
Head of Software Delivery at a tech services company with 51-200 employees

By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities. 

The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported. 

Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.

Yash Brahmani says in a SonarQube review
Devops Engineer at a financial services firm with 10,001+ employees

We used Fortify; it is also another tool for static code analysis. The security team used to use that, but not in our team because ours was a newly assembled team for the work.

reviewer1390020 says in a SonarQube review
Engineer at a pharma/biotech company with 201-500 employees

The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. 

Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.

reviewer1357878 says in a SonarQube review
DevSecOps Lead at a tech services company with 11-50 employees

Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as the correct classes are private.

Tariq Saraj says in a SonarQube review
Sr. Information Security Engineer at a tech services company with 1,001-5,000 employees

We are a security organization, and we deploy security solutions and applications related to network for our clients. We mostly focus on open source products because clients don't like to have proprietary products because of the available budget for their different projects. We try to find the possible solution, and then we deploy the solution for them. Deployments are done on the AWS cloud as well as on-premises.

I came to know that there is a SonarQube solution that is used for clean and secure coding purposes and bug fixes in a large DevOps team. That's why I have deployed SonarQube. Currently, I'm testing SonarQube to demonstrate to my higher department what this tool can do. We are testing this solution for one of our clients, who may use it for two or three use cases during static code analysis and the software development life cycle. 

Hilman Tehrani says in a SonarQube review
IT Security Architect at an insurance company with 51-200 employees

I am a user of SonarQube and I am responsible for the information security.

I'm the principal of security in the office. I advise others on enhancing and incorporating security aspects into the IP.

We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing; now we will need behavior discipline of security, and then we can upgrade the license. We have passed the ISO certificate and encourage the use of tools for peer reviews for the developers.

It is better to have a technical review before deployment to production. Developers must review before going into production.

It's a great tool but you have to have a good project plan before being introduced to the tools. For us, it is unfortunate that SonarQube was introduced at the end of the project phase, and the team is still having to learn it.

Before introducing any application tools, know the visibility of the project.

I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality. We had reached out to sales support and asked for the enterprise license as a trial but unfortunately, we had to halt the program.

It's also a part of corporate policy to know everything before it is published into the CI pipeline.

There are other alternatives that provide end-to-end analysis from the static, dynamic, interactive, and SaaS.

I would recommend SonarQube to be on your initial plan for perfect quality.

I would rate SonarQube an eight out of ten.

Klocwork: Analysis
Sivanesh Waran says in a Klocwork review
Sr. Software Solution Engineer at Meteonic Innovation Pvt Ltd

Unlike other static code analysis tools, Klocwork integrates seamlessly into desktop IDEs, build systems, continuous integration tools, and any team's natural workflow. Mirroring how code is developed at any stage, Klocwork prevents defects and finds vulnerabilities on-the-fly, as code is being written.

Klocwork also helps prioritize work with SmartRank, the revolutionary new recommendation engine that prioritizes issues and helps select which ones to work on first.

Take prioritized, corrective action immediately to deliver more secure and reliable code.

Ravi says in a Klocwork review
Software Solutions Engineer at Meteonic Innovations

Nothing as of now. I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc. In the near future I will discuss additional features that need to be added.

Ravi says in a Klocwork review
Software Solutions Engineer at Meteonic Innovations

Our main test case is to check for some of our internal standards which we usually do manually. But when we got Klocwork, it completely changed the scenario. We are writing a simple logic for checking our internal standards without much overhead.

One more is on-the-fly analysis, which is the most important feature which Klocwork provides, I believe.

Susant Bhuyan says in a Klocwork review
.Net Developer at Sure Shield Infotech

One more is on-the-fly analysis which is the most important feature, and CI which Klocwork provides I believe.

Specialist677 says in a Klocwork review
Specialist at a non-tech company with 5,001-10,000 employees

We currently use Klocwork mainly for static code analysis.

Real Klocwork User says in a Klocwork review
TMS Product Architect with 10,001+ employees

I'm a product architect and belong to a classic management system team. We're a Klocwork customer. We have around 50-60 developers in the team and I'm involved in the utilization of the tool and I am familiar with its capability. We've just started using the latest version which is the first one that's compatible with .NET framework 4.7.2. The previous version was not fully compatible with Visual Studio 2017.

In our case, the use is for static code analysis for each baseline in order to see what kind of violation we have.

Parallel to that, we use the results and apply some refactoring in order to solve this violation. For us, the violation is considered the highest priority according to our risk assessment model.

reviewer1184322 says in a Klocwork review
Software Chief Engineer at a transportation company with 10,001+ employees

Our primary use case of Klocwork is for static project analysis and for getting ratios.

Kiuwan: Analysis
Felix Esteban says in a Kiuwan review
Head of Development and Consulting at Logalty

The initial setup was very straightforward. It's a cloud solution, so after you sign the contract you have the solution. You just need to create the users, do the tutorials; it's simple. There's no deployment because it's a cloud service; you might just need to download a local analyzer. We have an external consultant who performed the dynamic analysis of our code.

Coverity: Analysis
Yantao Zhao says in a Coverity review
Software Integration Engineer at Thales Australia

The features I find most valuable is that our entire company can publish the analysis results into our central space. That allows us to see the latest quality of all components on the sonar web page.

SecurityEngineer0015 says in a Coverity review
Security Engineer at a comms service provider with 10,001+ employees

The security analysis features are the most valuable features of this solution. 

Nachu Subramanian says in a Coverity review
Head of DevOps Engineering Center of Excellence at OCBC Bank

We did not use another solution before Coverity, although in my previous company, I used Veracode.

We also use SonarQube for code analysis.

Compared to SonarQube, Coverity finds more vulnerabilities. SonarQube is stronger on core quality, such as duplicate lines of code, but the security issues are found by Coverity.

SonarQube is available as a plugin for development environments such as Eclipse, which allows us to find vulnerabilities proactively.

SonarQube was easier to deploy and I did not require assistance from the vendor for installation or configuration.

reviewer1419987 says in a Coverity review
Senior Technical Specialist at a tech services company with 201-500 employees

We have a development team and we are using this product for static code analysis.

reviewer1428837 says in a Coverity review
Security Consultant at a tech services company with 11-50 employees

I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that.

I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom roles?

We also want to know things like what the professional services are like, and whether people typically need many hours of professional services to get the system spun up. Other factors include whether it is deployed on-premises or in the cloud, and also which of those environments it can operate with.

One of the things is there's not really a shining star out of all of these tools. SaaS tools have been getting more mature in the past decade, particularly in how fast they run, but also in the results they get. Of course, framework and language additions that increase the capability with results are considered.

Fortify Application Defender: Analysis
Grandin Major says in a Fortify Application Defender review
Solution Architect at a logistics company with 10,001+ employees

We use the solution for static code analysis. We do static code analysis on our application project code and we use the solution to check the product quality.

Durgesh Pathak says in a Fortify Application Defender review
DevOps Engineer at an energy/utilities company with 10,001+ employees

We use this solution for inspecting our security, such as checking to see if our developers are securing their code properly. For example, we have to ensure that they are not inadvertently exposing any IP addresses or passwords. We have to be cautious because most of our applications are related to banking and the financial domain.

Fortify Application Defender accomplishes this by performing source code analysis, and it scans using agents. The source code check involves static code analysis to see if things like passwords are exposed.

WhiteSource: Analysis
reviewer1255491 says in a WhiteSource review
VP R&D at a tech services company with 11-50 employees

For us, the most valuable tool was open-source licensing analysis. Although we don't use it on a weekly basis, when we needed to produce a reliable analysis of our open-source licensing exposure, we found it very, very effective. Considering the alternatives, which were to analyse manually, WhiteSource saved us a ton of work that we really needed to complete in a short time. It would have involved finding all the different packages, be they in package.json files or in Docker images, and then finding their effective license, which in itself is not a simple task.

Alon Michaeli says in a WhiteSource review
Founder & CEO at Data+

The most valuable features for us are:

  1. Fix suggestions. Our dev team uses the fix suggestions feature to quickly find the best path for remediation. Before that you would have to research online for fixes, and most of the time it’s not that straightforward.
  2. Trace analysis. Trace analysis enables our team to get the fix, including a clear path to the vulnerable method. This saves quite some time.
  3. Open-source inventory reports. These reports are easy to manage and provide a clear view of our open-source assets. There’s also an option to create policies around that.
Sonatype Nexus Lifecycle: Analysis
ConfigManag73548 says in a Sonatype Nexus Lifecycle review
Configuration Manager at a health, wellness and fitness company with 5,001-10,000 employees

There's SonarQube which does static code analysis, but not at the level that Nexus IQ offers it. There is Artifactory, which does do Docker scanning now.

One thing that Nexus IQ has been able to do is to be almost proactive in its integration. You can be in your IDE, you can be in the build pipeline, you can be in the Nexus Repository, and you can get a view of the vulnerabilities. Also, you can get recommendations, so you don't necessarily have to waste time in searching the web for a patching solution or an update to fix the vulnerability. It actually gives you recommendations about what you can do to mitigate the problem. That's a distinguishing feature from the other toolsets.

Sebastian Lawrence says in a Sonatype Nexus Lifecycle review
Solutions Delivery Lead at a financial services firm with 201-500 employees

Our primary use case is for the SAS testing. This is the dynamic composition analysis that we need to do. In our apps, we do a lot of bespoke development and use a lot of third-party components. Therefore, it is critical to know what number is embedded within the third-party components that we may not directly be responsible for. The main use case is for scanning and ensuring that the deployments that we are adding to our servers are as secure as we can make it.

We use it for scanning alone. That is our way of mitigating risk.

We just upgraded to the latest version.

Scott Hibbard says in a Sonatype Nexus Lifecycle review
DevOps Engineer at Guardhat

We haven't looked at its scalability at this point. We do have plans to use it more in the future, enforcing the results of the analysis to fail builds and force the developers to fix the issues in there before moving on.

reviewer1342230 says in a Sonatype Nexus Lifecycle review
Application Development Manager at a financial services firm with 501-1,000 employees

We rely on the default policies because we are new to the system. We haven't adjusted any policies and are sticking with whatever policies were shipped to us. We are mostly focused on policies 9 and 10 for the highest threat levels. These are the ones on which we are focusing right now. We don't want to make any modifications or adjustments in terms of 9 or 10. Mostly, it will be the security officer's decision if we need to update the policies. I'm the manager of the development team and my developers usually will not make any changes in terms of policies.

It provides a very detailed analysis of our library. Then, when some of the scans identify a licensing issue, we look at them and know if we have the license. It sort of scans everything. Without this tool, I don't think that there's even a capability to go through all these libraries, because some of the libraries were introduced by contractors and a developer who no longer works here. When Nexus comes in with its scans, it reports on licensing or other vulnerabilities. This is easier to do instead of asking around.

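Two of the Sonatype reviews above touch the same mechanism: Scott Hibbard's plan to fail builds on the analysis results, and the review just above, which gates on the highest threat levels (9 and 10) and on licensing findings. The following is an added example of such a build gate, written for this page; it is not Sonatype's code, not the Nexus IQ report format, and not either reviewer's pipeline. The report structure, field names, component names and the license allowlist are constructed assumptions; the 0-10 threat-level scale and the 9/10 cut-off are taken from the review.

```python
import json
from dataclasses import dataclass, field

# Constructed sample report. The field names are assumptions for this example,
# not the schema of any real SCA tool's output.
SAMPLE_REPORT = json.dumps({
    "components": [
        {"name": "libfoo", "version": "1.2.3", "threat_level": 10, "license": "Apache-2.0"},
        {"name": "libbar", "version": "0.9.0", "threat_level": 7, "license": "MIT"},
        {"name": "libbaz", "version": "2.0.0", "threat_level": 9, "license": "GPL-3.0-only"},
        {"name": "libqux", "version": "3.1.0", "threat_level": 3, "license": "BSD-3-Clause"},
    ]
})


@dataclass
class GatePolicy:
    fail_threshold: int = 9      # threat levels 9 and 10 fail the build (per the review)
    warn_threshold: int = 7      # lower levels are surfaced but do not block
    # Constructed allowlist; a real policy would come from the security officer
    allowed_licenses: frozenset = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})


@dataclass
class GateResult:
    failures: list = field(default_factory=list)   # (component, [reasons]) that block the build
    warnings: list = field(default_factory=list)   # (component, [reasons]) reported only

    @property
    def passed(self):
        return not self.failures


def evaluate_report(report_json, policy=None):
    """Apply the gate policy to a scan report and return per-component verdicts."""
    policy = policy or GatePolicy()
    result = GateResult()
    for comp in json.loads(report_json)["components"]:
        ident = f"{comp['name']}@{comp['version']}"
        level = comp["threat_level"]
        reasons = []
        if level >= policy.fail_threshold:
            reasons.append(f"threat level {level} >= {policy.fail_threshold}")
        if comp["license"] not in policy.allowed_licenses:
            reasons.append(f"license {comp['license']} not in allowlist")
        if reasons:
            result.failures.append((ident, reasons))
        elif level >= policy.warn_threshold:
            result.warnings.append((ident, [f"threat level {level}"]))
    return result


def build_exit_code(report_json, policy=None):
    """Exit status for a CI step: 0 when the gate passes, 1 when any component fails policy."""
    return 0 if evaluate_report(report_json, policy).passed else 1


if __name__ == "__main__":
    verdict = evaluate_report(SAMPLE_REPORT)
    for ident, reasons in verdict.failures:
        print(f"FAIL {ident}: {'; '.join(reasons)}")
    for ident, reasons in verdict.warnings:
        print(f"WARN {ident}: {'; '.join(reasons)}")
    raise SystemExit(build_exit_code(SAMPLE_REPORT))
```

Keeping the thresholds and allowlist in a single policy object mirrors the division of responsibility the reviewer describes: developers run the gate, but only the security officer changes the policy. The license check is evaluated independently of the threat level, so a low-severity component with a disallowed license still blocks, which is the licensing case the review calls out.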
Snyk: Analysis
reviewer1258746 says in a Snyk review
Engineering Manager at a comms service provider with 51-200 employees

The product could be improved by including other types of security scanning (e.g. SAST or DAST), which is important. It would also help to include the static analysis specifically in the open-source scanning so we could get an idea of whether a particular library is vulnerable and recognise if we're actually using the vulnerable part of it or not. They do have runtime analysis, but it is a hassle to set up.

It would be the same issue in terms of the inclusion of additional features. I think static analysis is really important. A second additional feature would be to add tags to projects, identifying an important project or assigning a project to a particular team. Custom tags would be helpful.

reviewer1354494 says in a Snyk review
Manager, Information Security Architecture at a consultancy with 5,001-10,000 employees

It is a source composition analysis tool that we use to perform vulnerability scanning for those vulnerabilities within open source libraries.

This is a SaaS solution.

Matt Spencer says in a Snyk review
Senior Security Engineer at Instructure

If they were able to have some kind of SAS static code analysis that integrates with their vulnerability dependency alerting, I think that would work really well. Because a lot of times, only if you have this configuration or if you are using these functions, your code will be vulnerable. The alerts do require some investigation and Snyk could improve the accuracy of their alerting if they were to integrate with the SAS static code analysis.

I would like the further ability to group code repositories, in such a way that you could group them by the teams that own them, then produce alerting to those teams. The way that we are seeing it right now, the alerting only goes to a couple of places. I wish we could configure the code to go to different places.

reviewer1417671 says in a Snyk review
VP of Engineering at a tech vendor with 11-50 employees

There are other tools that can perform some of the functions Snyk does. We did some analysis of competitors, including Black Duck Synopsys and Veracode, but Snyk was clearly the most hungry and keen to assist, as a business. There were a lot of incumbent competitors who didn't really want our business. It felt like Snyk clearly did want to do the right thing and are continuing to improve and mature their product really fast, which is brilliant.

Snyk was at a good price, has very comprehensive coverage, and as a company they were much easier to engage with. It felt like some of the other competitors were very "big boys." With Snyk we had the software working before we'd even talked to a sales guy, whereas with other solutions, we weren't even allowed to see the software running in a video call or a screen-sharing session until we'd had the sales call. It was completely ridiculous.

CodeSonar: Analysis
CodeSonar677 says in a CodeSonar review
Senior Solutions Architect at a tech vendor with 1-10 employees

I would suggest trying out automated tools along with CodeSonar on your project, and you will find out that CodeSonar reports many more defects compared to other static analysis tools, so this is a very important tool.

I would rate CodeSonar as nine out of ten.

Contrast Security Assess: Analysis
C. Ray Mallory says in a Contrast Security Assess review
Lead Application Security Engineer at FEPOC

When I came aboard we had SonarQube. Our teams weren't using it religiously. They would only spot check. There was really no one pushing to use it. Only a few developers knew how to use it. It was one of those things they bought and that sat on the shelf unless someone pulled it off the shelf to use for their code base. There was no management push to scan code for X number or types of vulnerabilities before putting that code into production.

We did an analysis of what FEPOC needs right now. We looked at several tools and we settled on Contrast Assess because

  1. it was scalable for our needs
  2. it was an easy setup
  3. there wasn't a high bar or learning curve.

The major reason was that we didn't really have a lot of time to spend on the learning curve. The Contrast tool and the Contrast team were there in guiding us every step of the way.

We still use SonarQube in our Jenkins pipeline. But the developers are no longer using it. Now they're using Contrast, 100 percent.

Ramesh Raja says in a Contrast Security Assess review
Senior Security Architect at a tech services company with 5,001-10,000 employees

Before choosing Contrast Assess, we looked at Veracode and Checkmarx.

Contrast does things continuously so it's more of an IAST. Checkmarx didn't. Using it, you would have to upload a .war file and then it would do analysis. You would then go back to the portal and see the vulnerabilities there.

It was the same with Veracode. When you take a SAST piece or a DAST piece, you have to have some specific timing in some workflows and then you upload all of the stuff to their portal and wait for results. The results would only come after three days or after five days, depending on how long it takes to scan that specific workflow.

The way the scanning is done is fundamentally different in Contrast compared to how the solutions do it. You just install Contrast on the app server and voilà. Within five minutes you might see some vulnerabilities when you use that application workflow.

reviewer1380801 says in a Contrast Security Assess review
Product Security Engineer at a tech services company with 10,001+ employees

The tool has good, strong findings. We have other static analysis tools, but Contrast has found high-priority issues which other tools have not found. The capability of the tool to scan and throw errors that other tools don't catch is important.

No other tool does the runtime scanning like Contrast does. Other static analysis tools do static scanning, but Contrast is runtime analysis, when the routes are exercised. That's when the scan happens. This is a tool that has a very unique capability compared to other tools. That's what I like most about Contrast, that it's runtime.

There is also a feature in the tool where you can actually specify that this or that is not a problem and mark it as false positive, and it doesn't show up again on your dashboard. It's pretty easy. You can filter out your false positives and be good to go. We have seen a reduction in the number of false positives because, once you mark something as a false positive, that particular one doesn't show up.

reviewer1383270 says in a Contrast Security Assess review
Manager at a consultancy with 10,001+ employees

The most valuable feature is the continuous monitoring aspect: the fact that we don't have to wait for scans to complete for the tool to identify vulnerabilities. They're automatically identified through developers' business-as-usual processes.

The automation of the actual vulnerability identification is great. I would give it a very high rating, given that it requires little of the security team or developers to understand and start reviewing the results that are identified.

The false positive rate is another good feature. It has a very low false positive rate. That means my team, the security team, has to spend less time looking at results and findings, compared to historical static and dynamic scans where the false positive rate is much higher. From a percentage perspective, somewhere around 90 percent of the time we used to spend has been given back to our team, because the false positive rate with Contrast is less than 5 percent.

In terms of the accuracy of vulnerability identification, so far we've had tens of thousands of issues identified in applications that have historically been scanned by dynamic and static scanning. So far, the large majority of those findings have been true positive. I may have seen just a handful, five or 10, false positives so far, in the scope of tens of thousands. That's a very low rate.

We also use the solution's OSS feature through which we can look at third-party open source software libraries. It is a great tool. We've never had a solution for software composition analysis. It has affected our software development greatly. Since we've never really had a solution for doing software composition, nor have we required fixes for vulnerable third-party libraries, this has changed the way that developers are looking at usage of third-party libraries, upfront. It's changing our model of development and our culture of development to ensure that there is more thought being put into the usage of third-party libraries.

The solution is definitely helping developers incorporate security elements while they are writing code. Since we're able to install Assess in Development and QA and all the pre-production environments, developers can start making use of the tool as soon as they have a deployed version of their products. As they code new features and test those out in their development environment, Contrast is already going to be automatically identifying things at that point. We are identifying issues much earlier in the software development life cycle, which makes it much less costly for developers to fix those findings.

We're saving time and money by fixing software bugs earlier in the software development life cycle. We're saving time on the developers' side, as well as on the security auditors' side.
