Application Security Integration Reviews

Showing reviews of the top ranking products in Application Security, containing the term Integration
Veracode: Integration
Sebastian Toma says in a Veracode review
Engineering Security Manager at Nextiva

Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two separate tools from the same company. One for the static analysis and dynamic analysis, then the second one for the third-party dependency. 

That is an area that they need to improve the service. Veracode needs to bring the second tool in already to the dashboard so that we don't have to use two separate logins. We don't want two different sets of jobs that we have to upload into two different places, etc. Veracode also needs better integration of their tools to each other.

Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis. The SDA feature is on the website. Veracode should integrate SourceClear with the company product line finally after two years. I would love to see that. 

Veracode did not previously support Python 3. They just released the support for Python 3. Keeping updates coming quicker would be the main thing that I would love to see, i.e. to have all these solutions better integrated.

View full review »
Divakar Rai says in a Veracode review
Senior Solutions Architect at NessPRO Italy

The initial setup was straightforward. What I recall is that it was not really difficult and we had optimal support. They also provided us with documentation to help set up integration with tools such as Jenkins.

View full review »
Riley Black says in a Veracode review
Senior Security Analyst at a health, wellness and fitness company with 1,001-5,000 employees

Veracode has improved our Application Security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level. 

Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence.

In many ways, Veracode has increased productivity, helped build and improve security and development departmental relationships as well as enabling developers to consider and care about application security. 

View full review »
reviewer1360617 says in a Veracode review
Sr. Security Architect at a financial services firm with 10,001+ employees

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

View full review »
reviewer1436241 says in a Veracode review
DevSecOps Consultant at a comms service provider with 10,001+ employees

There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic. 

We are using the Veracode APIs to build the Splunk dashboards, which is something very nice, as we are able to showcase the application security hygiene to our stakeholders and leadership. 

We have been using Veracode Greenlight for the IDE scanning. 

Veracode has good documentation, integrations, and tools, so it has been a very good solution. 

Veracode is pretty good about providing recommendations, remedies, and guidelines on issues that are occurring.

It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.

We have been using the solution’s Static Analysis Pipeline Scan, which is excellent. When we started, it took more time because we were doing asynchronous scans. However, in the last six months, Veracode has come with the Pipeline Scan, which supports synchronous scans. It has been helping us out a lot. Now, we don't worry when the pentesting report comes in. By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC. 

The speed of the Pipeline Scan is very nice. It takes less than 10 minutes. This is very good, because our policy scans used to take hours.

Veracode is good in terms of giving feedback.

View full review »
Qualys Web Application Scanning: Integration
Consultant at a tech services company with 1,001-5,000 employees

I am an integrator. I work for an integration company. I do the deployments. 

View full review »
Acunetix Vulnerability Scanner: Integration
Senior Security Engineer at a media company with 1,001-5,000 employees

At the current pricing structure, I would tell people to do their research. If you have X amount of dollars to spend in the budget, and you're looking for a good solution, definitely consider Acunetix, but also consider other tools for similar features and functionalities where you may get a little bit more bang for your dollar, frankly, versus a tool that's still maturing as it's starting to take market share. Acunetix is a very intermediate tool. It's not an advanced DAST solution. It's still in its infancy. There's a lot of the solution to still build out, a lot of features to still work on, but it is definitely a tool that's worth looking into. Keep in mind, for that same price structure, you can get more established, more brand-name solutions.

The speed of the solution is about average. I use a lot of DAST solutions and I can't say that I'm blown away by the amount of time it takes to complete a security assessment, but I do like that it's not slow. It's not the fastest tool I've ever seen, but it's not the slowest tool I've ever seen, so it meets my expectations. It is a fast application but I'm not blown out of the water by it.

It definitely meets the benchmark. Like I said, it doesn't fall below expectations. When you're running Acunetix against a site, looking for security vulnerabilities, you're not blown away by the speed, but you're not sitting there for a day-and-a-half waiting for results or waiting for a scan to complete. It really depends on the size of the application and the granularity of that application. Acunetix performs just as expected. It's not a bad thing. 

We have very large applications, so it could be less about the solution and more about the depth of our applications. A lot of our applications have special prerequisites that Acunetix just can't expect or predict. A lot of it is giving Acunetix the proper permissions and things of that nature to go in-depth with DAST scans. On average, depending on the application, it can take anywhere from six to eight hours.

We host Acunetix on our own environment. I don't think they have a SaaS solution yet. We host it in an in Azure environment where we put it on our own server - a dedicated server - specialized to doing DAST security scans - and we are happy. We're not unhappy with Acunetix, but we're not greatly excited that this is the best tool ever. But we are very impressed by some of the things that it has been doing. It's that middle ground. It's a good tool. I would definitely recommend it.

The remediation rate is based on the maturity of our development team. Acunetix doesn't provide a format that makes remediation easier. It does what every tool does and gives us the vulnerability, explains the vulnerability, and gives us some remediation guidelines or tips, but that's what everyone does. So it really depends on the workload of our development team, and what backlog they have or what their sprints look like going into the next cycle. It has very little to do with the tool and more to do with the capability and workload of the development teams.

Using it on a secondary basis, we have found some medium vulnerabilities but no critical vulnerabilities which required immediate remediation. What I do notice about Acunetix is that there's a lot of "white noise," a lot of "background noise," things that just don't apply. When filtering those out and removing the false-positives that don't apply to the actual application, we may find one cross-site scripting. That may be a medium vulnerability but not a high vulnerability because of business impact. There are different risk ratios that we apply to different findings, but we haven't found anything critical with Acunetix. It could just be that we don't have any critical vulnerabilities in that environment - although I don't think that's the case. In terms of DOM-based cross-site scripting vulnerabilities, it all depends on the application.

We don't have it deployed on any Linux server. It's on our Windows environment. We have it in Azure, in a cloud, so it's a Microsoft framework that we have Acunetix installed on top of.

All of our users of Acunetix are in development and security roles. The number of users is well into the hundreds. I administrate the tool, I set the roles and also manage users and user interface and interaction. We have a dedicated server team that does maintenance and deployment. If we need to deploy another instance of Acunetix, that is usually done by our server team. They handle all server infrastructure activities. I am the senior security engineer, so I handle all security-related activities.

We don't have plans to increase our usage of Acunetix. We may stop usage. Acunetix is raising the cost of licensing. It's 3.5 times what we were initially quoted. As a secondary solution, we're trying to figure out, is it worth the extra cost just to have it do some supplemental scans for us. We're still evaluating that.

Overall, Acunetix is definitely a seven out of ten. I like the product. It's doing a lot of what its competitors are doing. It's running great DAST scans and it has a rich database of vulnerabilities that it can report and it also provides a web component of its solution where you don't necessarily have to sign on to a physical server or a virtual device to interact. You can, but you can also contact Acunetix through a web interface, which is great. But the interface, in general, is still very simplistic, which may be a good or bad thing. The reporting could be a little bit better. When ending a scan I would like to see more graphical representations, maybe trends from scan to scan, of how the overall maturity is going of the application project that it's scanning or assessing. The reporting is okay. It does give you the option to do PDFs or CSVs. More reporting formats, like an Excel format, maybe an XML format, would be great.

Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA. All findings that Acunetix happens to run across could be sent straight to JIRA. That would increase our remediation rate because it's very seldom that developers read PDFs of security vulnerabilities. One of the things that Qualys does is allow us to integrate into our JIRA environment, into our Jenkins environment, etc. We haven't seen the same capabilities with Acunetix. 

Because of these things, I have to give it a seven. It's ultimately a great tool, a great scanner, and you can really rely on some of its findings once it's tuned.

View full review »
PortSwigger Burp: Integration
Vijayanathan Naganathan says in a PortSwigger Burp review
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd

The tool comes in three type. First, there is the  Open Community Edition, which is meant for people who use it to learn the tool or use it to secure their system. This edition does not have scanning features enabled to source scan the against application URLs or websites. From the standpoint of learning about security tests or assessing the security of application without scanning, the community edition really helps.

Then you also have a Professional edition which is more meant for doing comprehensive vulnerability assessment and penetration application which is very important. Especially for independent teams like ours who make use of tools based on tech, etc. The good part about the professional edition is that it comes with a term license which is cost-effective. You pay for an annual charge and use it for a year's time and then you can extend it on an as-needed basis.

Apart from these, we also have an Enterprise Edition which has features like scan schedulers unlimited scalability to test across multiple websites in parallel, supporting multiple user access with role based access control and easy integration with CI tools.

The very best way this tool can be used through is to understand the application, identify the various roles that are there in the application. Then capture the user flows, with Port Swigger's BurpSuite, and understand what the requests are making use of the different features in BurpSuite. 

Post this the teams look at and analyze all the requests being sent. Observe the requests, use various roles with the tool using a repeater and intruder, analyze what's breaking through in the application. As you can quickly analyze with the intruder out here how the application's really behaving, how the payload is being sent across the tool. Then you get a quick sense of what's available which could be checked through for false positives and then arrive at the final output along with it.

This is how I would like to handle the implementation of the solution.

I would rate this solution 10 out of 10.

View full review »
reviewer1170114 says in a PortSwigger Burp review
Director at a consultancy with 10,001+ employees

The Burp Collaborator needs improvement. There also needs to be improved integration

View full review »
reviewer1112304 says in a PortSwigger Burp review
IT Manager at a manufacturing company with 10,001+ employees

We've faced lots of challenges, including slowing down of the tool, and a lot of error messages, sometimes because of the interface. If we're running a huge number of scans regularly, I think that also slows down the tool so I'm not sure if it is good for lots of scans. I hope they will work on the amount of scans they can handle. There have been improvements in the interface and the reporting structure, but they need to do more. They have a long way to go. For now, if we use the interface directly, we need to use an integration with our web application. We're after value for money. 

View full review »
Ashutosh Barot says in a PortSwigger Burp review
Security Researcher at a financial services firm with 5,001-10,000 employees

It's an amazing tool. We can work with it automatically, or we can work with it manually.

There is no other tool like it. I like the intuitiveness and the plugins that are available.

The plugins are similar to integration. I can create my own login and use it.

View full review »
Micro Focus Fortify on Demand: Integration
reviewer1263261 says in a Micro Focus Fortify on Demand review
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees

The initial setup was quite simple.

I performed the deployment a couple of times on different platforms and it did not take much effort to set up. I also did the integration with other platforms like Microsoft Information Server and it was quite easy. You just need to know the platform that you are integrating into.

When it came time to deploy, I just had to run through the documentation on the vendor's web site. I spent one day reading it and one the second day, I did my integration. It took about eight hours that day, and I had challenges but they came from the platform that I was integrating into, like Microsoft Information Server. There were things to be done, such as converting XML files. The next day I was able to fix the problems, so in total it took me between nine and twelve hours to integrate it.

The second time that I deployed this solution it took me not more than two or three hours to repeat all of these same steps.

View full review »
Co-Founder at TechScalable

You can choose this product for sure with a lot of confidence. It entirely depends on how you are exploring the stuff and trying to integrate it. Designing has to be good. It has all the features, but exploring the features and using it as per your need is important. It is not that features are not there. You just need to explore them and know how to use them. 

I would rate Micro Focus Fortify on Demand an eight out of ten. It is a good product. However, it needs improvements from the security aspect and from the aspect of integrations with other popular tools in the market.

View full review »
Checkmarx: Integration
CyberSecAn08987 says in a Checkmarx review
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees

There are many good features like site integration, but the most valuable feature for us is the XL scan of source code. 

View full review »
reviewer971370 says in a Checkmarx review
CEO at a tech services company with 11-50 employees

The initial setup is pretty simple, it's no problem to start using Checkmarx. It's a very good approach if you compare it with competitors.

It only takes a few hours to tune your Checkmarx solution. You may need more time for deeper integration when it comes to DLC integration, for example, when using plug-in build management, such as Jenkins. 

If you are scanning and you have the source code then you are good to start scanning in a few hours. Three to four hours is required for tasks done in source code.

We have one or two engineers who can work with the solution.

For some of our customers have more than 100 developers and a DevOps team.

View full review »
Samuel Baguma says in a Checkmarx review
Senior Security Engineer at a pharma/biotech company with 501-1,000 employees

You can't use it in the continuous delivery pipeline because the scanning takes too much time. Better integration with the CD pipeline would be helpful.

It reports a lot of false positives so you have to discriminate and take ones that are rated at either a one or a two. The lower-rated problems need to be discarded.

View full review »
reviewer1295802 says in a Checkmarx review
Founder & Chairman at a tech services company with 11-50 employees

Aside from my occupation, I am an academic. Because of our status, we test products as well as their competition, for example, we45, AppScan, SonarQube, etc. I have to point out, from an academic and business point of view, there is a very serious competitive advantage to using Checkmarx. Even if there are multiple vulnerabilities in the source coding, Checkmarx is able to identify which lines need to be corrected and then proceeds to automatically remediate the situation. This is an outstanding advantage that none of the competition offers. 

The flexibility in regards to finding false-positives and false-negatives is amazing. Checkmarx can easily manage false-positives and negatives. You don't need to generate an additional platform if you would like to scan a mobile application from iOS or Android. With a single license, you are able to scan and test every platform. This is not possible with other competitive products. For instance, say you are using we45 — if you would like to scan an iOS application, you would have to generate an iOS platform first. With Checkmarx you don't need to do anything — take the source code, scan it and you're good to go. Last but not least, the incremental scanning capabilities are a mission-critical feature for developers. 

Also, the API and integrations are both very flexible.

View full review »
SonarQube: Integration
Daniel Hall says in a SonarQube review
Technical Architect at Dwr Cymru Welsh Water

A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product with additional cost, also gives the benefit of a single pane of glass view, although we still need white source bolt for 3rd part library scanning. The integration into docker builds could be better as pulling the latest version of the scanner, setting the path and then invoking the scan is an extra overhead to manage between versions of the scanner. An apt-get and scan start with the key passed as a variable would be a nicer implementation. Have not looked into SSL for the management page yet but hoping that goes smoothly.

View full review »
Phil Denomme says in a SonarQube review
Manager at a wireless company with 11-50 employees

I haven't really done a comparative analysis yet.

We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side, nothing major.

Kubernetes is a container-based run-time that works with Docker in terms of container-based applications, so we're a microservice based solution. Microservices are contained inside these containers which are managed by a run-time called Kubernetes. Kubernetes comes out of a Google enterprise. It's used by organizations like Netflix and apps to do continuous development deployment and use integration and development. It means that your container has this application lodging, around which all of the user authentication, run-time controls, and communications integration are handled by Kubernetes.

For instance, an application doesn't really see its DNS at all. It's completely abstract in a way. It is layers away from a virtual hardware. What it does is abstract that patient component into a nice package of business logic that is managed in a dynamic container, which takes care of all the run-time and communication issues that normally become a lot of the configuration overhead of an application.

Once you get your Kubernetes environment behind and organized, that forms a very efficient way to introduce these microservices in a dynamic way and to easily integrate and upgrade components rather than applications. You're much more granular in terms of your release capabilities and much more efficient in terms of how it's released and managed.

I would rate this around seven out of ten, because it has what we need, and it's easy to use.

View full review »
Steven Gomez says in a SonarQube review
Lead Engineer at bioMerieux, Inc.

The initial setup was complex because we were using the Community Edition. We did have some issues with the compatibility of the different components. For example, there is the server itself, but then you can plug in different packages, like the C++ package. We've also experimented a little bit with Python metrics, but unfortunately we don't have a project that's really under that control yet, to really get a feel for how that works.

Configuration issues were pretty complicated, but once we got things up and running, it's been extremely stable, it was kind of maintenance-free, now, although we have a time issue. Of the scans that it does, it could be somewhat time-consuming, so originally some of the developers would say, "Well we want to be able to do that on our desktop." I told them, "I don't think you know what you're asking for, here." But as an alternative, we have it set up with our continuous integration server, which we use in TeamCity by the way. In the middle of the night, it automatically runs a scan for them, while they're in bed at home asleep so their results will be ready the next morning. This way, whatever they have most recently checked in, they can see the results right there. And then it runs in the background so it doesn't matter how long it takes per se, it gets it done by the next time they come in. That's part of what continuous integration does, it does things for you that years ago people would do themselves, and never get around to it.

View full review »
Donovan Greeff says in a SonarQube review
Head of Software Delivery at a tech services company with 51-200 employees

Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. 

We plug this process into our process right from the start enabling the IDE integrations so that engineers can scan their code before submission. Following on from that we run the scans on every change that has been submitted for review. 

This way we ensure that no core/fundamental issues are added to our codebases. 

View full review »
TibinLukose says in a SonarQube review
Software Engineer at Adfolks

The reporting can be improved. In particular, the portability report can be better.

I would like to see better integration with the various DevOps tools.

View full review »
Yash Brahmani says in a SonarQube review
Devops Engineer at a financial services firm with 10,001+ employees

The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues.

It also gives you a very good highlight of what's changed, and what has to be changed in the future.

Apart from that, there are many other good features as it's a code analytics platform. It also has a dashboard reporting feature, which is very good. I also like the ease of its integration with Jenkins.

Another valuable feature is the time snapshot that it provides for the code. It provides the code quality, the lagging, and the training features like what already has gone wrong and what is likely to go wrong. It's a very good feature for a project to have a dashboard where the users can find everything about their project at a single glance.

View full review »
reviewer1390020 says in a SonarQube review
Engineer at a pharma/biotech company with 201-500 employees

The library could have more languages that are supported. It would be helpful.

There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that were are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.

MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.

It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.

Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.

View full review »
reviewer1407126 says in a SonarQube review
Team Lead at a computer software company with 10,001+ employees

The main factor that makes the product valuable for us is that it is free because budget is always an issue. We do not have to pay for it, but there are many cons to using a free product at times. It is a very good tool even if it is free. The dashboard and the media that it provides are all quite helpful.  

We are always using SonarQube. But currently, we were trying to evaluate some more tools because Sonar in the free version has around 10 to 15 languages. If we go to the commercial version, they support 27 languages and there are a lot of limitations in the resources for traditional support which is not available for the free license users of Sonar.  

Integration is there with most of the tools, but we do not have full integration with the free version. That is why we were planning to go ahead and plan to work with some other commercial tools. But as a whole, Sonar will do what we need it to.  

View full review »
Tariq Saraj says in a SonarQube review
Sr. Information Security Engineer at a tech services company with 1,001-5,000 employees

If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard.

From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes. 

View full review »
Klocwork: Integration
Sivanesh Waran says in a Klocwork review
Sr. Software Solution Engineer at Meteonic Innovation Pvt Ltd at Meteonic Innovation Pvt Ltd

The pre-checkin code review, industry standard checks, continuous integration (CI) and customized checkers are the most valuable features.

View full review »
Real Klocwork User says in a Klocwork review
TMS Product Architect with 10,001+ employees

For an improved product, we'd like to see integration with Agile DevOps and Agile methodologies. Some capability of the tool that allows us to trigger the status analysis report based on actions like regular builds. We would like to have better integration with Microsoft Agile DevOps tools. This would save us a lot of time. In addition, we also sometimes experience issues with false-positive detections - phantom issues.

For the previous version, we realized it wasn't possible to have a quick dashboard for the number of violations. A feature like business intelligence or code coverage could be included. 

View full review »
Kiuwan: Integration
Felix Esteban says in a Kiuwan review
Head of Development and Consulting at Logalty

Better integration with code repositories is something that we will need.

I would like to see better integration with the Visual Studio and Eclipse IDEs.

It would be helpful to have better testing for vulnerabilities in mobile development.

View full review »
Ernst Marais says in a Kiuwan review
Software Architect at Digital Solution Foundry (Pty) Ltd

The rate of false positives, where it reports issues that are not really issues, can be improved.

Scanning of vulnerabilities on open-source projects is not particularly useful as it is.

I would like to see better integration with Azure DevOps in the next release of this solution.

View full review »
Felix Esteban says in a Kiuwan review
Head of Development and Consulting at Logalty

The most valuable feature of the solution is the continuous integration process. This enables us to make the best in terms of security of our solution and not introduce new mistakes. Problems are solved step by step. 

View full review »
Coverity: Integration
Yantao Zhao says in a Coverity review
Software Integration Engineer at Thales Australia

We use Coverity during the software integration phase. We have a lot of components so we use Coverity to build the components, analyze and publish the data into sonar server and that's our work.

View full review »
Nachu Subramanian says in a Coverity review
Head of DevOps Engineering Center of Excellence at OCBC Bank

I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin then developers could use it to find security issues while they are coding because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.

View full review »
reviewer1419987 says in a Coverity review
Senior Technical Specialist at a tech services company with 201-500 employees

The most valuable feature is the integration with Jenkins. Jenkins can be used to automatically run it to perform the code analysis.

Integration with GitLab is helpful.

View full review »
WhiteSource: Integration
Daniel Hall says in a WhiteSource review
Technical Architect at Dwr Cymru Welsh Water

The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps.

View full review »
reviewer1250697 says in a WhiteSource review
User at a tech vendor with 1,001-5,000 employees

We moved from Black Duck to WhiteSource as it was a more modern and scalable solution, with better integration support to various build and source environments. The ease of running scans and getting results quickly enables our developers to address issues quicker. 

View full review »
reviewer1255491 says in a WhiteSource review
VP R&D at a tech services company with 11-50 employees

The agent usage was not as smooth as the online experience. It lacks in terms of documentation and the errors and warnings it produces are not always very clear. We were able to get it up and running in a short while by getting help from support, which was very approachable and reliable.

If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation.

I would also like to get better integration with Google Docs.

View full review »
Alon Michaeli says in a WhiteSource review
Founder & CEO at Data+

We use WhiteSource mainly to:

  1. Detect and automate vulnerability remediation. We started to research solutions since our dev teams are unable to meet sprint deadlines and keep track of product security. Most of our code scans are automated and integrated within our pipeline, which integrates with our CI server. With some, we run them manually using an agent. We recently started using the repository integration with Github, too, pre-build.
  2. License reporting and attribution reports. We use attribution reports and due diligence reports to asses risks associated with open-source licenses.
View full review »
reviewer1264290 says in a WhiteSource review
Project Manager at a health, wellness and fitness company with 11-50 employees

We started using WhiteSource mainly to scan dependencies and detect open-source licenses, copyright information, and vulnerabilities.

We’ve managed to establish an integration with our CICD pipelines and use pretty much all of the automation that is offered, including automated policies.

View full review »
reviewer1261788 says in a WhiteSource review
VP R&D at a computer software company with 51-200 employees

We use WhiteSource mainly to automate open source vulnerability detection and remediation, as well as for license compliance.

I’m less on the side of the license but mainly use the service to get control over vulnerabilities, detect the ones that affect us and remediate accordingly.

We integrate WhiteSource to our pipeline via CI server integration and now started using the GitHub integration too. We also run an agent in specific use cases.

View full review »
Sonatype Nexus Lifecycle: Integration
Charles Chani says in a Sonatype Nexus Lifecycle review
DevSecOps at a financial services firm with 10,001+ employees

They could do with making more plugins for the more common integration engines out there. Right now, it supports automation engine by Jenkins but it doesn't fully support something like TeamCity. That's where they could make the most improvements.

In terms of features, the reports natively come in as PDF or JSON. They should start thinking of another way to filter their reports. The reporting tool used by most enterprises, like Splunk and Elasticsearch, do not work as well with JSON. They should improve the reporting so that the format can be expanded.

View full review »
Axel Niering says in a Sonatype Nexus Lifecycle review
Achitekt at SV Informatik GmbH

The initial process is straightforward. It took half an hour. We had everything working and then the integration into Jenkins took another half an hour. This was very straightforward. Of course, you must look at the rules and the metrics that are important to you. You must do something regarding the applications you are using and your organizations that are involved. But this is true for every tool.

View full review »
Security Team Lead at Tyro Payments Limited

We created a Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing. We did that because we got so many questions about it all the time.

There are other areas for improvement. 

The most recent one - something I haven't shared with Sonatype yet but I intend to - is with the creating of defect tickets. The solution has something that is really useful, its integration with JIRA, and it creates tickets if there's an issue. What I thought would be really good was, from the moment we break builds, there is no way to track, from a management perspective, how we are doing. We are looking at creating tickets. The problem with the tickets, which is the where there is room for Sonatype to grow, is that there is no flexibility in terms of customizing the entries in the tickets. There are certain things they put in for you, they tell you what application it is, but what I'd really like to be able to do is say, "Fill in this field with the name of the application. Fill in this field with the name of the owner. Or set a due date to be X days from when it was raised. They don't allow that. They allow hard-coded values across everything in Nexus IQ. It doesn't work well because the tickets created depend on the use case. We would like to create these tickets and give them directly to the teams that have to look after them. We want to be able to assign them to the right person, based on the application that is used. " We are looking at finding ways to integrate with it because they don't have that.

Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central. And we have been mainly a Java shop in development. But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be. They don't have the same level of coverage as the main language, which is Java.

View full review »
Russell Webster says in a Sonatype Nexus Lifecycle review
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees

Its core features are the most valuable:

  • protection
  • scanning
  • detection
  • notification of vulnerabilities.

It's important for us as an enterprise to continually and dynamically protect our software development from threats and vulnerabilities, and to do that as early in the cycle as possible.

Also, the onboarding process is pretty smooth and easy. We didn't feel like it was a huge problem at all. We were able to get in there and have it start scanning pretty rapidly.

The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster.

The solution also integrated well with our existing DevOps tool. That was of critical importance to us. We built it directly into our continuous integration cycles and that's allowed us to catch things at build time, as well as stop vulnerabilities from moving downstream.

View full review »
ConfigManag73548 says in a Sonatype Nexus Lifecycle review
Configuration Manager at a health, wellness and fitness company with 5,001-10,000 employees

There are a number of features that we find valuable. The basic functionality of Sonatype is its scanning feature. Out of that, you get the reporting capability as part of your build and it gives you the statistics as part of the build report.

There's also a feature whereby, in your IDE, you can get immediate feedback as you're developing. That's also quite a handy feature.

In addition, in our Nexus repository - we have Nexus OSS and Nexus Lifecycle linked together - all our third-party dependencies are scanned.

The policy management is quite federated, in a sense, whereby we can assign a policy specific to an application.

The grandfathering mode allows us to add legacy applications which we know we're not going to change or refactor for some time. New developments can be scanned separately and we can obviously resolve those vulnerabilities where there are new applications developed. The grandfathering is a good way to separate what can be factored now, versus long-term technical debt. In most cases, these legacy applications are simply retired, so to refactor them wouldn't make sense. Most of them go through a rewrite cycle or are replaced by something we have purchased.

There's a very interactive view where there's a recommendation, as part of the reporting. You can click on a certain vulnerability and it will give you a recommendation. For example, if you're using something that's not licensed or has a certain license type, it will recommend to you, "You should go onto this license," or, "Go to this version, which covers this vulnerability." There are actual recommendations that are synchronized with the database in the States.

The solution integrates well with our existing DevOps tools. We're using Atlassian and using Bamboo as part of that Atlassian set. Bamboo is our continuous integration tool. There's an out-of-the-box Nexus IQ plugin for Bamboo. It's really simple to configure and it gives you results as you're building. Also, the API is very rich, meaning that we don't necessarily have to get a report from the front end. We can build custom reports through the API.

View full review »
Product Strategy Group Director at Civica

We use Azure DevOps as our application lifecycle management tool. It doesn't integrate with that as well as it does with other tools at the moment, but I think there's work being done to address that. In terms of IDEs, it integrates well. We would like to integrate it into our Azure cloud deployment but the integration with Azure Active Directory isn't quite as slick as we would like it to be. We have to do some workarounds for that at the moment.

Also, the ability of the solution to recognize more of the .NET components would be helpful for us.

View full review »
Scott Hibbard says in a Sonatype Nexus Lifecycle review
DevOps Engineer at Guardhat

So far, the information that we're getting out of both the Nexus Lifecycle and SonarQube tools is really great.

And the integration of Lifecycle is really good with Jenkins and GitHub; those work very well. We've been able to get it to work seamlessly with them so that it runs on every build that we have. That part is easy to use and we're happy with that.

We're able to use Jenkins Pipeline and the integrations that are built into Gradle to incorporate that into our build process where we can have control over exactly when Nexus IQ and SonarQube analyses are run — what kinds of builds — and have them run automatically.

View full review »
Wes Kanazawa says in a Sonatype Nexus Lifecycle review
Sr. DevOps Engineer at Primerica

The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository.

The default policies are good, they're a good start. They're a great place to start when you are looking to build your own policies. We mostly use the default policies, perhaps with changes here and there. It's deceptively easy to understand. It definitely provides the flexibility we need. There's a lot more stuff that you can get into. It definitely requires training to properly use the policies.

We like the integrations into developer tooling. We use the Lifecycle piece for some of our developers and it integrates easily into Eclipse and into Visual Studio code. It's a good product for that.

View full review »
Ricardo Van Den Broek says in a Sonatype Nexus Lifecycle review
Software Architect at a tech vendor with 11-50 employees

We filed a ticket for some unknown components and got quick feedback. They gave us pointers on how to figure out what it is. One of the things that we were impressed with was that they wanted to do a review of how we were using it after a few months. I guess this is a problem with us technical people. We often don't like reading manuals and like to figure out how stuff works. I initially was skeptical, but I figured that if they were offering it we should do it.

They had us show them how we had set it up, then they had a number of pointers for how we could improve it. E.g., we weren't fully using the JIRA integration and notifications and they pointed that out. There were a few other things they pointed out as well, such as a list of things for us to double check, like whether all our Javascript libraries and open source Javascripts were indexed correctly. Double checking that is what actually triggered the unknown component notification because we weren't 100 percent sure what it was. They then talked us through how to handle those. I'm happy they reached out to do the review. A lot of times, after you buy a piece of software, you just cost the vendor money every hour that they spend on you. In this case, the review was offered and initiated by them. We really appreciated that and we have had good experiences with them as a company.

It has been fun to work with Sonatype. We have been happy with them as a company.

View full review »
Julien Carsique says in a Sonatype Nexus Lifecycle review
DevOps Engineer at a tech vendor with 51-200 employees

The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it.

We have worked a lot on the configuration of its capabilities. This is something very new in Nexus and not fully supported. But that's one of the aspects we are the most interested in.

And we like the ability to analyze the libraries. There are a lot of filters to output the available libraries for our development people and our continuous integration.

The solution integrates well with our existing DevOps tools. It's mainly a Maven plugin, and the REST API provides the compliance where we have everything in a giant tool.

View full review »
Michael Esmeraldo says in a Sonatype Nexus Lifecycle review
Sr. Enterprise Architect at MIB Group

I won't say there aren't a ton of features, but primarily we use it as an artifact repository. Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well.

The default policies and the policy engine provide the flexibility we need. The default policy was good enough for us. We didn't really mess with it. We left it alone because the default policy engine pretty much works for our use cases.

The integrations into developer tooling work just fine. We primarily use Gradle to build our applications. We just point the URL to what we call our "public repository group" in Nexus. It's a front for everything, so it can see all of the other underlying repositories. Our developers, in their Gradle builds, just point them to this public repository and they can pull down any dependency that they need. It doesn't really integrate with our IDE. It's just simply that we use Gradle and it makes it very straightforward.

Nexus blocks undesirable open-source components from entering our development lifecycle because of the IQ policy actions. We define what sort of level of risk we're willing to take. For example for "security-critical," we could just fail them across the board; we don't want anything that has a security-critical. That's something we define as a CVE security number of nine or 10. If it has a known vulnerability of nine or 10 we could even stop it from coming down from Maven Central; it's quarantined because it has a problem that we don't want to even introduce into our network. We've also created our own policy that we call an "architecture blacklist," which means we don't want certain components to be used from an architectural standpoint. For example, we don't want anybody to build anything with Struts 1. We put it on the architecture blacklist. If a component comes in and it has that tag, it fails immediately.

View full review »
Marcello Bellini says in a Sonatype Nexus Lifecycle review
IT Security Manager at a insurance company with 1,001-5,000 employees

The vulnerability description shows:

  1. Where the problem is
  2. An explanation of the vulnerability
  3. The recommendation
  4. How to fix the problem, especially if there is no possibility to close it by updating the library. 

Also, what is really cool is the version graph where we see the best version of which vulnerabilities to use.

The integration is easy and straightforward, which is great. The integration in our development pipeline was quite easy. With the developer IDE integration, they don't have to lock into the web application to see how to remediate vulnerabilities or integrate artifacts, if they already see there is a problem. 

The solution's data quality is great and near perfect for our use cases in the field of Java applications and Telescript applications. This helps us solve our problems faster.

If it has a critical vulnerability, this solution blocks undesirable open source components from entering our development lifecycle. They cannot be introduced. There are two possibilities when this can happen: 

  1. With configuration policy, something deployed into our staging or release environment can be blocked.
  2. The developer has the visibility right away to block something when he introduces new components. He might already see there is a problem and can address it then.
View full review »
Ryan Carrie says in a Sonatype Nexus Lifecycle review
Security Analyst at a computer software company with 51-200 employees

I like the JIRA integration, as well as the email notifications. They allow me to see things more in real-time without having to monitor the application directly. So as new items come in, it will generate a JIRA task and it will send me an email, so I know to go in and have a look at what is being alerted.

The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes. This can really help you to try to get ahead of things, before you end up in a situation where you're refactoring code to remove a library. The policy engine absolutely provides the flexibility we need. We are rolling with the default policy, for the most part. We use the default policy and added on and adjusted it a little bit. But, out-of-the-box, the default policy is pretty good.

The data quality is good. The vulnerabilities are very detailed and include links to get in and review the actual postings from the reporters. There have been relatively few that I would consider false positives, which is cool. I haven't played with the licensing aspect that much, so I don't have any comment on the licensing data. One of the cool things about the data that's available within the application is that you can choose your vulnerable library and you can pull up the component information and see which versions of that library are available, that don't have any listed vulnerabilities. I've found myself using that a lot this week as we are preparing for a new library upgrade push.

The data quality definitely helps us to solve problems faster. I can pull up a library and see, "Okay, these versions are non-vulnerable," and raise my upgrade task. The most valuable part of the data quality is that it really helps me fit this into our risk management or our vulnerability management policy. It helps me determine: 

  • Are we affected by this and how bad is it? 
  • How quickly do we need to fix this? Or are we not affected?
  • Is there any way to leverage it? 

Using that data quality to perform targeted, manual testing in order to verify that something isn't a direct issue and that we can designate for upgrade for the next release means that we don't have to do any interim releases.

As for automating open-source governance and minimizing risk, it does so in the sense of auditing vulnerabilities, thus far. It's still something of a reactive approach within the tool itself, but it comes in early enough in the lifecycle that it does provide those aspects.

View full review »
reviewer1342230 says in a Sonatype Nexus Lifecycle review
Application Development Manager at a financial services firm with 501-1,000 employees

One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard. This comes down to usability. 

There is another usability thing in the reports section. When the PDF gets generated, it is different from the web version. There are some components from some areas which only reside inside the PDF version. When I generate the PDF for my boss to review, she comes back with a question that I didn't even see. I see on the reporting page whatever the PDF will be generating. The PDF is actually generating more information than the web version. That caught me off guard because she forwarded this to the security officer, who is asking, "Why is this? Or, why is that?" But, she has no idea. I didn't have anything handy because I saw the PDF version, which should be same as what I see on the web. This is a bit misrepresented. I would like these versions to speak together and be consistent. Printing a PDF report should generally reflect whatever you have on the page.

View full review »
Austin Bradley says in a Sonatype Nexus Lifecycle review
Enterprise Infrastrcture Architect at Qrypt

When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process, in general. The build stages are a good template for us to help establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages that align with the Nexus Lifecycle build stages.

Going to the Nexus product encouraged me to look for a package manager solution for our C and C++ development. My customer success engineer, Derek, recommended that we go to one that Sonatype was considering integrating with the product, which was called Conan Package Manager. I started doing research with Conan and realized how beneficial it would be for our C and C++ development cycle. Transitioning to that has really changed our whole C and C++ development. It was because we needed to have Nexus scanning for our C applications and I needed Conan to do that.

It's because of Conan that we've reduced our build timelines from weeks because we have so many architectures that we build for. After we figured out how to use it, we can build everything with only a couple of commands. Now, it's a really integrated process for our C and C++ applications, from development to the build pipelines to the IQ scanning, and the Nexus Repository manager repositories that we're using for building and packaging. It's been a fun process.

In terms of the data quality, everything has been really good for our Python and our Yum repositories. I know that they are still building their capability for the Conan repositories, the C dependencies. Right now, what Derek has told me, is that Conan application are analyzed with what they call Low Quality Assessment, or LQA. Essentially, any package that has identified vulnerabilities will show up, otherwise, there's not much information on the package. So scanning for Conan is not as good as Python right now, but I know they're working on higher quality data for Conan packages.

Comparing LQA in Conan to something like the higher quality data available in Python repositories does show a difference. For example, Nexus IQ identified a vulnerability in a Python package that we don't use, but it's a transitive dependency in four packages that we do use. We discovered the root vulnerability causing the problem in our four packages with the higher quality data, but we may not have been to do that as easily with a vulnerability identified in multiple C packages without the higher quality data. I'm not sure.

Nexus will block undesirable open source components from entering our development life cycle. We've agreed on the governance of our policies for blocking builds automatically and we've set a date, for example, to start failing builds automatically on July 15.

It integrates very well with our existing DevOps tools. The Azure DevOps Nexus IQ plugin was really easy. All we did was go to our DevOps portal, go to the add-ins, and then search the list for Nexus. We just clicked on it and it installed in DevOps. There are a couple of help pages on Sonatype's webpage, and I send those to the developers, they add the IQ plugin to the build pipeline and it just works. It's really nice also because the IQ plugin for DevOps gets updated before I can even go check on it. They've released two updates since we installed it. Every time I hear from Derek that they've updated the IQ plugin, I go to the IQ plugin page on our DevOps server, and it's already been updated. It's totally seamless for us.

It has brought open-source intelligence and policy enforcement across our software development life cycle for almost all of our applications. We're still integrating it with all of our applications, but it definitely has brought the kind of intelligence that we needed.

View full review »
reviewer1381962 says in a Sonatype Nexus Lifecycle review
Application Security at a comms service provider with 1,001-5,000 employees

The biggest thing we've learned from using it is that, from a development point of view, we just never realized what types of badness are in those third-party libraries that we pull in and use. It has been an eye-opener as to just how bad they can be.

As far as Lifecycle's integration into developer tooling like IDEs, Git Repos, etc., I don't set that up. But I have not heard of any problems from our guys, from the team that set that stuff up.

I like the tool overall and would rate it at about nine out of 10. There are a few UI-type things that I don't like, that I would like to work a different way. But overall, the tool is good.

View full review » Web Application Scanning: Integration
IT Manager at a manufacturing company with 10,001+ employees

The technical support is responsive and they worked on our problem quickly. That said, it depends on how quickly support is needed. The SLA is one or two days, although that depends on the agreement.

When we contacted support during the integration with ZeroNorth, our agents went down and it took a week to come up again. I think that the response and resolution time from technical support could be improved, which would lead to less downtime.

Overall, I would say that they are responsive.

View full review »
Snyk: Integration
reviewer1258746 says in a Snyk review
Engineering Manager at a comms service provider with 51-200 employees

What is valuable about Snyk is its simplicity, and that's the main selling point. It's understandably also very cheap because you don't need as much account management resources to manage the relationship with the customer and that's a benefit. I also like that it's self-service, with extremely easy integration. You don't need to speak to anybody to get you off and running and they have loads of integrations with source control and cloud CI systems. They are a relatively new product so they might not have a bigger library than competitors, but it's a good product overall.

They do however have the option to install Snyk on-prem, but it is much more expensive.

View full review »
Reviewer636936 says in a Snyk review
Information Security Engineer at a financial services firm with 1,001-5,000 employees

It is pretty easy and straightforward to use because integration won't take more than 15 minutes to be honest. After that, developers don't have to do anything. Snyk automatically monitors their projects. All they need to do is wait and see if any vulnerabilities have been reported, and if yes, how to fix those vulnerability. 

So far, Snyk has given us really good results because it is fully automated. We don't have to scan projects every time to find vulnerabilities, as it already stores the dependencies that we are using. It monitors 24/7 to find out if there are any issues that have been reported out on the Internet.

Whenever Snyk reports to us about a vulnerability, it always reports to us the whole issue in detail:

  • What is the issue.
  • What is the fix.
  • What version we should use.

E.g., if upgrading to a new version may break an application, developers can easily understand the references and details that we receive from Snyk regarding what could break if we upgrade the version.

The solution allows our developers to spend less time securing applications, increasing their productivity. As soon as there is a fix available, developers don't have to look into what was affected. They can easily upgrade their dependencies using Snyk's recommendation. After that, all they need is to test their application to determine if the new upgrade is breaking their application. Therefore, they are completely relaxed on the security side. 

Snyk is playing a big role in our security tooling. There were a couple of breaches in the past, which used vulnerability dependencies. If they had been using Snyk and had visibility into what vulnerabilities they had in their dependencies, they could have easily patched it and saved themselves from their breaches.

So far, we have really good feedback from our developers. They enjoy using it. When they receive a notification that they have a vulnerability in their project, they find that they like using Snyk as they have a very easy way to fix an issue. They don't have to spend time on the issue and can also fix it. This is the first time I have seen in my career that developers like a security tool.

I'm the only person who is currently maintaining everything for Snyk. We don't need more resources to maintain Snyk or work full-time on it. The solution has Slack integration, which is a good feature. We have a public channel where we are reporting all our vulnerabilities. This provides visibility for our developers. They can see vulnerabilities in their projects and fix them on their own without the help of security.

View full review »
reviewer1354494 says in a Snyk review
Manager, Information Security Architecture at a consultancy with 5,001-10,000 employees

We previously used Black Duck. We switched to Snyk because of its better false positive ratings along with its ease of use, integration, and deployment.

View full review »
reviewer1354503 says in a Snyk review
Security Analyst at a tech vendor with 201-500 employees

I find many of the features valuable: 

  • The capacity for your DevOps workers to easily see the vulnerabilities which are impacting the code that they are writing. This is a big plus. 
  • It has a lot of integration that you can use even from an IDE perspective and up to the deployment. It's nice to get a snapshot of what's wrong with the build, more than it is just broken and you don't know why. 
  • It has a few nice features for us to manage the tool, e.g., it can be integrated. There are some nice integrations with containers. It was just announced that they have a partnership with Docker, and this is also nice. 

The baseline features like this are nice. 

It is easy to use as a developer. There are integrations that will directly scan your code from your IDE. You can also use a CLI. I can just write one command, then it will just scan your old project and tell you where you have problems. We also managed to integrate it into our build pipeline so it can easily be integrated using the CLI or API directly, if you have some more custom use cases. The modularity of it is really easy to use.

Their API is well-documented. It's not too bad to integrate and for creating some custom use cases. It is getting extended going forward, so it's getting easier to use. If we have issues, we can contact them and they'll see if they can change some stuff around. It is doing well.

Most of the solution's vulnerability database is really accurate and up-to-date. It has a large database. We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon. However, on the development side, I rarely have had any issues with it. It's pretty granular and you can see each package that you're using along with specific versions. They also provide some nice upgrade paths. If you want to fix some vulnerabilities, they can provide a minor or major patch where you can fix a few of them.

View full review »
reviewer1367229 says in a Snyk review
Senior Manager, Product & Application Security at a tech services company with 1,001-5,000 employees

There are two use cases that we have for our third-party libraries:

  • We use the Snyk CLI to scan our pipeline. Every time our developer is building an application and goes to the building process, we scan all the third-party libraries there. Also, we have a hard gate in our pipeline. E.g., if we see a specific vulnerability with a specific threshold (CDSS score), we can then decide whether we want to allow it or block the deal.
  • We have an integration with GitHub. Every day, Snyk scans our repository. This is a daily scan where we get the results every day from the Snyk scan. 

We are scanning Docker images and using those in our pipeline too. It is the same idea as the third-party libraries, but now we have a sub-gate that we are not blocking yet. We scan all the Docker images after the build process to create the images. In the future, we will also create a hard gate for Docker images.

View full review »
Dirk Koehler says in a Snyk review
Senior Director, Engineering at Zillow Group

It is a fairly developer-focused product. There are pretty good support and help pages which come with the developer tools, like plugins and modules, which integrate seamlessly into continuous integration, continuous deployment pipelines. E.g., as you build your software, you may update your dependencies along with it. Packages that it supports include CI/CD toolchains, build tools, various platforms, and software/programming languages.

It is one of the best product out there to help developers find and fix vulnerabilities quickly. When we talk about the third-party software vulnerability piece and potentially security issues, it takes the load off the user or developer. They even provide automitigation strategies and an auto-fix feature, which seem to have been adopted pretty well. 

Their focus is really towards developer-friendly integrations, like plug and play. They understand the ecosystem. They listen to developers. It has been a good experience so far with them.

View full review »
Nicholas Secrier says in a Snyk review
Information Security Officer at a tech services company with 51-200 employees

We are using it to identify security weaknesses and vulnerabilities by performing dependency checks of the source code and Docker images used in our code. We also use it for open-source licensing compliance review. We need to keep an eye on what licenses are attached to the libraries or components that we have in use to ensure we don't have surprises in there.

We are using the standard plan, but we have the container scanning module as well in a hybrid deployment. The cloud solution is used for integration with the source code repository which, in our case, is GitHub. You can add whatever repository you want to be inspected by Snyk and it will identify and recommend solutions for your the identified issues. We are also using it as part of our CI/CD pipelines, in our case it is integrated with Jenkins. 

View full review »
Cameron Gagnon says in a Snyk review
Security Software Engineer at a tech company with 10,001+ employees

We use it as a pretty wide ranging tool to scan vulnerabilities, from our Docker images to Ruby, JavaScript, iOS, Android, and eventually even Kubernetes. We use those findings with the various integrations to integrate with our teams' workflows to better remediate the discoveries from Snyk.

View full review »
reviewer1412625 says in a Snyk review
Application Security Engineer at a tech services company with 501-1,000 employees

We have a lot of code and a lot of microservices and we're using Snyk to test our third-party libraries, all the external dependencies that our code uses, to see if there are any vulnerabilities in the versions we use.

We use their SaaS dashboard, but we do have some internal integrations that are on-prem.

We scan our code and we go through the results on the dashboard and then we ask the teams to upgrade their libraries to mitigate vulnerabilities.

View full review »
Raman Zelenco says in a Snyk review
Lead Security System Engineer at a health, wellness and fitness company with 51-200 employees

We have integrated it with our infrastructure, collecting images from there, and performing regular scans. We also integrated it with our back-end in version control systems.

Sometime ago, we deployed a new product based on web technologies. It was a new app for us. From the beginning, we integrated Snyk's code scannings that the product is based on. Before the production deployment, we checked the code base of Snyk, and this saved us from the deployment with the image of the solution where there were some spots of high severity. This saved us from high, critical vulnerabilities which could be exploited in the future, saving us from some risks.

It helps find issues quickly because:

  1. All the code changes go through the pipeline.
  2. All new changes will be scanned. 
  3. All the results will be delivered. 

This is about the integration. However, if we're talking about local development, developers can easily run Snyk without any difficulties and get results very quickly. 

It is one of the most accurate databases on the market, based on multiple open source databases. It has some good correlation and verifications about findings from the Internet. We are very happy on this front.

The solution’s container security feature allows developers to own security for the applications and containers they run in in the cloud. They can mitigate the vulnerabilities in the beginning of the solution's development. We can correlate the vulnerabilities in our base images and fix the base image, which can influence multiple services that we provide.

View full review »
Matt Spencer says in a Snyk review
Senior Security Engineer at Instructure

We have integrated it into our software development environment. We have it in a couple different spots. Developers can use it at the point when they are developing. They can test it on their local machine. If the setup that they have is producing alerts or if they need to upgrade or patch, then at the testing phase when a product is being built for automated testing integrates with Snyk at that point and also produces some checks.

The integration of SDE has been easy. We have it on GitHub, then we are using an open source solution that isn't natively supported, but Snyk provides ways for us to integrate it with them regardless of that. GitHub is very easy. You can do that through the UI and with some commands in the terminal. 

The sooner that we can find potential vulnerabilities, the better. Snyk allows us to find these potential vulnerabilities in the development and testing phases. We want to pursue things to the left of our software development cycle, and I think Snyk helps us do that.

A lot of the containerization is managed by some of our shared services teams. The solution’s container security feature allows those teams to own security for the applications and containers they run in in the cloud. Our development operations is a smooth process. We are able to address these findings later in the development process, then have the scans at the time of deployment. We are then able to avoid time crunches because it allows us to find vulnerabilities earlier and have the time to address them.

It provides better security because we make sure that our libraries dependencies and product stay up-to-date and have the most current code available. Yet, we are able to quickly know when something requires urgent attention.

View full review »
reviewer1417671 says in a Snyk review
VP of Engineering at a tech vendor with 11-50 employees

The core offering of reporting across multiple projects and being able to build that into our build-pipelines, so that we know very early on if we've got any issues with dependencies, is really useful.

We're loving some of the Kubernetes integration as well. That's really quite cool. It's still in the early days of our use of it, but it looks really exciting. In the Kubernetes world, it's very good at reporting on the areas around the configuration of your platform, rather than the things that you've pulled in. There's some good advice there that allows you to prioritize whether something is important or just worrying. That's very helpful.

In terms of actionable items, we've found that when you're taking a container that has been built from a standard operating system, it tends to be riddled with vulnerabilities. It's more akin to trying to persuade you to go for something simpler, whether that's a scratch or an Alpine container, which has less in it. It's more a nudge philosophy, rather than a specific, actionable item.

We have integrated Snyk into our software development environment. The way Snyk works is that, as you build the software in your pipelines, you can have a Snyk test run at that point, and it will tell you if there are newly-discovered vulnerabilities or if you've introduced vulnerabilities into your software. And you can have it block builds if you want it to. Our integrations were mostly a language-based decision. We have Snyk integrated with Python, JavaScript Node, and TouchScript code, among others, as well as Kubernetes. It's very powerful and gives us very good coverage on all of those languages. That's very positive indeed.

We've got 320-something projects — those are the different packages that use Snyk. It could generate 1,000 or 2,000 vulnerabilities, or possibly even more than that, most of which we can't do anything about, and most of which aren't in areas that are particularly sensitive to us. One of our focuses in using Snyk — and we've done this recently with some of the new services that they have offered — is to partition things. We have product code and we have support tools and test tools. By focusing on the product code as the most important, that allows us to scope down and look at the rest of the information less frequently, because it's less important, less vulnerable.

From a fixing-of-vulnerabilities perspective, often Snyk will recommend just upgrading a library version, and that's clearly very easy. Some of the patching tools are a little more complicated to use. We're a little bit more sensitive about letting SaaS tools poke around in our code base. We want a little bit more sensitivity there, but it works. It's really good to be able to focus our attention in the right way. That's the key thing.

Where something is fixable, it's really easy. The reduction in the amount of time it takes to fix something is in orders of magnitude. Where there isn't a patch already available, then it doesn't make a huge amount of difference because it's just alerting us to something. So where it wins, it's hugely dramatic. And where it doesn't allow us to take action easily, then to a certain extent, it's just telling you that there are "burglaries" in your area. What do you do then? Do you lock the windows or make sure the doors are locked? It doesn't make a huge difference there.

View full review »
reviewer1419804 says in a Snyk review
Security Engineer at a tech vendor with 201-500 employees

It helps us meet compliance requirements, by identifying and fixing vulnerabilities, and to have a robust vulnerability management program. It basically helps keep our company secure, from the application security standpoint.

Snyk also helps improve our company by educating users on the security aspect of the software development cycle. They may have been unaware of all the potential security risks when using open source packages. During this process, they have become educated on what packages to use, the vulnerabilities behind them, and a more secure process for using them.

In addition, its container security feature allows developers to own security for the applications and the containers they run in the cloud. It gives more power to the developers.

Before using Snyk, we weren't identifying the problems. Now, we're seeing the actual problems. It has affected our security posture by identifying open source packages' vulnerabilities and licensing issues. It definitely helps us secure things and see a different facet of security.

It also allows our developers to spend less time securing applications, increasing their productivity. I would estimate the increase in their productivity at 10 to 15 percent, due to Snyk's integration. The scanning is automated through the use of APIs. It's not a manual process. It automates everything and spits out the results. The developers just run a few commands to remediate the vulnerabilities.

View full review »
CAST Highlight: Integration
Kangkan Goswami says in a CAST Highlight review
Digital Solution Architect at a tech services company with 10,001+ employees

I have also used Veracode and I like it much better. Veracode is easier for developers to work with. I have also worked with SonarQube.

The integration with Azure DevOps means that there are things you can do in CAST Highlight that you cannot do using other solutions.

View full review »
Contrast Security Assess: Integration
reviewer1361742 says in a Contrast Security Assess review
Director of Innovation at a tech services company with 1-10 employees

The effectiveness of the solution’s automation via its instrumentation methodology is good, although it still has a lot of room for growth. The documentation, for example, is not quite up to snuff. There are still a lot of plugins and integrations that are coming out from Contrast to help it along the way. It's really geared more for smaller companies, whereas I'm contracting for a very large organization. Any application's ability to be turnkey is probably the one thing that will set it apart, and Contrast isn't quite to the point where it's turnkey.

Also, Contrast's ability to support upgrades on the actual agents that get deployed is limited. Our environment is pretty much entirely Java. There are no updates associated with that. You have to actually download a new version of the .jar file and push that out to the servers where your app is hosted. That can be quite cumbersome from a change-management perspective.

View full review »
Ramesh Raja says in a Contrast Security Assess review
Senior Security Architect at a tech services company with 5,001-10,000 employees

It depends on how many apps a company or organization has. But whatever the different apps are that you have, you can scale it to those apps. It has wide coverage. Once you install it in an app server, if the app is very convoluted, it has too many workflows, that is no problem. Contrast is per app. It's not like when you install source-code tools, where they charge by lines of code, per KLOC. Here, it's per app. You can pick 50 apps or 100 apps and then scale it. If the app is complex, that's still no problem, because it's all per app.

We have continuously increased our license count with Contrast, because of the ease of deployment and the ease of remediating vulnerabilities. We had a fixed set for one year. When we updated about six months ago, we did purchase extra licenses and we intend to ramp up and keep going. It will be based on the business cases and the business apps that come out of our organization.

Once we get a license for an app, folks who are project managers and scrum masters, who also have access to Contrast, get emails directly. They know they can put defects right from Contrast into JIRA. We also have other different tools that we use for integration like ThreatFix, and risk and compliance and governance tools. We take the results and upload them to those tools for the audit team to look at.

View full review »
Aggelos Karonis says in a Contrast Security Assess review
Technical Information Security Team Lead at Kaizen Gaming

The real-time evaluation and library vulnerability checks are the most valuable features, because we have a code that has been inherited from the past and are trying to optimize it, improve it, and remove what's not needed. In this aspect, we have had many unused libraries. That's one of the key things that we are striving to carve out at this point.

An additional feature that we appreciate is the report associated with PCI. We are Merchant Level 1 due to the number of our transactions, so we use it for test application compliance. We also use the OWASP Top 10 type of reports since it is used by our regulators in some of the markets that we operate in, such as, Portugal and Germany.

The effectiveness of the solution’s automation via its instrumentation methodology is very effective and was a very easy integration. It does not get affected by how many reviews we perform in the way that we have designed the release methodologies. So, it has clear visibility over every release that we do, because it is the production code which is being evaluated. 

The solution has absolutely helped developers incorporate security elements while they are writing code. The great part about the fixes is they provide a lot of sensory tapes and stuff like what you should avoid to do in order to avoid future occurrences around your code. Even though the initial assessment is being done by a senior, more experienced engineers in our organization, we provide the fixes to more junior staff so they have a visceral marker for what they shouldn't do in the future, so they are receiving a good education from the tool as well.

View full review »