Application Security Languages Reviews

Showing reviews of the top ranking products in Application Security, containing the term Languages
Veracode: Languages
Sebastian Toma says in a Veracode review
Engineering Security Manager at Nextiva

Our primary use case of this solution is for static and dynamic analysis along with the source gear for the third party dependency (not IDM). 

We were looking into actually moving towards IDM, but that's the extent of my knowledge. They are licensed as two separate products. They're part of the same platform, but they are licensed separately.

We have Veracode, Veracode Developer Training, Veracode Software Composition Analysis, and SourceClear. SourceClear and SDA are pretty much the same. They just support different languages. Veracode as a whole, the top option, is the one that includes everything.

View full review »
Princip677 says in a Veracode review
Managing Principal Consultant at a tech vendor with 11-50 employees

This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.

Specifically, I would like to see support for mobile frameworks like Xaramin and React JS, as well as extended support for iOS applications.

View full review »
reviewer1436241 says in a Veracode review
DevSecOps Consultant at a comms service provider with 10,001+ employees

There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic. 

We are using the Veracode APIs to build the Splunk dashboards, which is something very nice, as we are able to showcase the application security hygiene to our stakeholders and leadership. 

We have been using Veracode Greenlight for the IDE scanning. 

Veracode has good documentation, integrations, and tools, so it has been a very good solution. 

Veracode is pretty good about providing recommendations, remedies, and guidelines on issues that are occurring.

It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.

We have been using the solution’s Static Analysis Pipeline Scan, which is excellent. When we started, it took more time because we were doing asynchronous scans. However, in the last six months, Veracode has come with the Pipeline Scan, which supports synchronous scans. It has been helping us out a lot. Now, we don't worry when the pentesting report comes in. By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC. 

The speed of the Pipeline Scan is very nice. It takes less than 10 minutes. This is very good, because our policy scans used to take hours.

Veracode is good in terms of giving feedback.

View full review »
Acunetix Vulnerability Scanner: Languages
Senior Test Engineer II at a financial services firm with 201-500 employees

The scanning speed could be faster. It digs really deep, so that could be one of the reasons why it takes a while. If I want to scan an application, it's going to take over three to four hours. That's something I think they could improve.

Instead of posting hundreds of requests to find the vulnerability, if it simply had the capability to find that particular vulnerability in the payload itself, that would make a big impact.

The vulnerability identification speed should be improved. It takes more time compared to other tools I have used. 

Simply put, Acunetix passes too many payloads in order to identify one part of the ratio. That's probably why it can take a while to identify a particular issue. Other tools are able to identify vulnerabilities with just a few requests. Acunetix takes more time to make certain if a vulnerability exists. That's one of the areas which they can improve on.

The scan configuration could be improved. The first thing that we need to do is set up a site policy and a scan policy. By site policy, I mean we have to choose what kind of technology our site is developed with so that it will only pass payloads related to that technology.

For example, if I'm using MySQL or Python as my backend database, it will only check payloads related to MySQL or Python; it won't check Java or other programming languages.

We have to define the scanning configuration as well as the site configuration each and every time. This has to be done whenever we are adding a new set of sites or domains.

Other tools provide a list of predefined scan policies, but with Acunetix, we have to create our own every time. We have to spend a lot of time setting up these configurations, rather than just picking them from a vast variety of predefined sets of configurations, which is much easier.

View full review »
Spirent CyberFlood: Languages
Jangsun KIM says in a Spirent CyberFlood review
CEO at Panoptics Corp.

It would be helpful to have other languages available. I would also like to see updates on a more frequent schedule.

View full review »
Netsparker Web Application Security Scanner: Languages
Security Specialist at Alfa-A IT

The customer service is good.

There are some problems with languages (like for Italian they send you people who can speak Italian just a bit, but it's ok).

View full review »
Checkmarx: Languages
reviewer971370 says in a Checkmarx review
CEO at a tech services company with 11-50 employees

Checkmarx has tried to build a deeper analysis using IAST and SAST. They have a code version for developers. It would be good if they improve the combination of the two solutions. 

Both are good, but ISAT (Interactive Application Security Testing) is in progress and doesn't support the full spectrum of languages. A combination of the two solutions would achieve good results.

We have received some feedback from our customers who are receiving a large number of false positives. I believe that they can improve their engine to reduce false positives. It's better for reducing false positives when you use a compilation.

There are several levels and they are mapped to the different languages and some customers want to check when the developers will pass the training. There should be a questionnaire for the team lead to check the employees and how well they understand the material and the training. 

Also, they will want to add their own content to this solution.

I would like to see some improvements in technology to reduce false positives. This is only relevant to some use cases, not all. For example, there are several false positives for some languages, but it works in C#.

View full review »
reviewer1286010 says in a Checkmarx review
Senior Software Engineer at a computer software company with 10,001+ employees

I would like to see the rate of false positives reduced.

Checkmarx needs support for more languages, including COBOL.

View full review »
reviewer1263726 says in a Checkmarx review
Sr. Application Security Manager at a tech services company with 201-500 employees

The user interface is modern and nice to use.

This product has very good reports.

Checkmarx integrates with a lot of different tools such as BitBucket and Jira.

There is good coverage for different languages.

View full review »
reviewer1410597 says in a Checkmarx review
Vice President Of Technology at a computer software company with 5,001-10,000 employees

The most valuable feature is the application tracking reporting.

From the user's perspective, the interface is pretty good. It will point out the exact line of code when an issue is found.

It is good in terms of coverage for different languages.

It is updated automatically so there is less maintenance.

View full review »
SonarQube: Languages
Daniel Hall says in a SonarQube review
Technical Architect at Dwr Cymru Welsh Water

The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).

View full review »
Kiran Gujju says in a SonarQube review
Cyber Security Architect (USDA) at a government with 10,001+ employees

It supports around 25 plus languages.

View full review »
Donovan Greeff says in a SonarQube review
Head of Software Delivery at a tech services company with 51-200 employees

It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this too. 

Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place. 

When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add. 

View full review »
reviewer1390020 says in a SonarQube review
Engineer at a pharma/biotech company with 201-500 employees

The library could have more languages that are supported. It would be helpful.

There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that were are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.

MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.

It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.

Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.

View full review »
reviewer1407126 says in a SonarQube review
Team Lead at a computer software company with 10,001+ employees

The main factor that makes the product valuable for us is that it is free because budget is always an issue. We do not have to pay for it, but there are many cons to using a free product at times. It is a very good tool even if it is free. The dashboard and the media that it provides are all quite helpful.  

We are always using SonarQube. But currently, we were trying to evaluate some more tools because Sonar in the free version has around 10 to 15 languages. If we go to the commercial version, they support 27 languages and there are a lot of limitations in the resources for traditional support which is not available for the free license users of Sonar.  

Integration is there with most of the tools, but we do not have full integration with the free version. That is why we were planning to go ahead and plan to work with some other commercial tools. But as a whole, Sonar will do what we need it to.  

View full review »
Klocwork: Languages
Ravi says in a Klocwork review
Software Solutions Engineer at Meteonic Innovations

Support for more languages would be helpful since this is my trustworthy tool. One more advice from my side would be to do some webinars on Klocwork will be helpful for some new users.

View full review »
Ravi says in a Klocwork review
Software Solutions Engineer at Meteonic Innovations

Not much as of now. But I am feeling Klocwork should support more number of languages like other static code analyzers do. Right now Klocwork has supportability available only to C, C++, Java, and C#. 

View full review »
Prasad D says in a Klocwork review
Senior H.R - DevOps & Infrastructure Recruitment Consultant at Meteonic Innovation Pvt Ltd

Nothing much as of now. I feel Klocwork is going in a great way. The one thing I personally feel is that Klocwork must increase their support to some other languages.

View full review »
Kiuwan: Languages
Felix Esteban says in a Kiuwan review
Head of Development and Consulting at Logalty

For the moment, this is a solution that I could recommend. It is a cheaper way for us to enter into working on code security.

The biggest lesson that I have learned to make sure that we do not have any big security issues during development. We are confident about the vulnerabilities that are being found in our Java code, but we are not sure about other languages such as Angular. This solution may not be able to detect all of the problems that are in the code.

I would rate this solution an eight out of ten.

View full review »
Coverity: Languages
SecurityEngineer0015 says in a Coverity review
Security Engineer at a comms service provider with 10,001+ employees

The quality of the code needs improvement. They should develop a better code. 

The interface, efficiency, and the performance also need improvement as well as the languages that it offers. It should have more language options.

The user interface is not user-friendly.

View full review »
reviewer1428837 says in a Coverity review
Security Consultant at a tech services company with 11-50 employees

I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that.

I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom roles?

We also want to know things like what the professional are services like, and do people typically need many hours of professional services to get the system spun up. Other factors include whether it deployed on-premises or in the cloud, and also, which of those environments it can operate with.

One of the things is there's not really a shining star out of all of these tools. SaaS tools have been getting more mature in the past decade, particularly in how fast they run, but also in the results they get. Of course, framework and language additions that increase the capability with results are considered.

View full review »
WhiteSource: Languages
reviewer1257792 says in a WhiteSource review
Co Founder at a consumer goods company with 11-50 employees

WhiteSource is very accurate and covers all of our languages (including C++).

WhiteSource Prioritize is amazing. If we are using a vulnerable library, it shows us if we are actually using the vulnerable method or not. This saves us a lot of time that we can instead invest in other projects.

It also does a great job of automating many activities we used to do manually. Now the system does it for us and it generates a great security dashboard that shows us whether our remediation velocity is improving or not.

View full review »
reviewer1261788 says in a WhiteSource review
VP R&D at a computer software company with 51-200 employees

The UI is not that friendly and you need to learn how to navigate easily. It also doesn’t run as smoothly as I would want or expect, and I believe it requires some improvements. That said, the Success team is very attentive and does reply and answer related matters quite fast.

Currently, effective vulnerabilities are only available in two languages, which is great, but I would be very happy to see more languages. It does cover most of our libraries, but we do have other languages in use. More coverage on that aspect would be helpful.

View full review »
Sonatype Nexus Lifecycle: Languages
Security Team Lead at Tyro Payments Limited

We created a Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing. We did that because we got so many questions about it all the time.

There are other areas for improvement. 

The most recent one - something I haven't shared with Sonatype yet but I intend to - is with the creating of defect tickets. The solution has something that is really useful, its integration with JIRA, and it creates tickets if there's an issue. What I thought would be really good was, from the moment we break builds, there is no way to track, from a management perspective, how we are doing. We are looking at creating tickets. The problem with the tickets, which is the where there is room for Sonatype to grow, is that there is no flexibility in terms of customizing the entries in the tickets. There are certain things they put in for you, they tell you what application it is, but what I'd really like to be able to do is say, "Fill in this field with the name of the application. Fill in this field with the name of the owner. Or set a due date to be X days from when it was raised. They don't allow that. They allow hard-coded values across everything in Nexus IQ. It doesn't work well because the tickets created depend on the use case. We would like to create these tickets and give them directly to the teams that have to look after them. We want to be able to assign them to the right person, based on the application that is used. " We are looking at finding ways to integrate with it because they don't have that.

Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central. And we have been mainly a Java shop in development. But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be. They don't have the same level of coverage as the main language, which is Java.

View full review »
Austin Bradley says in a Sonatype Nexus Lifecycle review
Enterprise Infrastrcture Architect at Qrypt

We have a few applications that we're developing that use several different languages. The first ones we did were Python and Yum Repository applications. Recently we've started scanning C and C++ applications that use Conan Package Manager. We will soon start doing node applications with NPM. Our use case is that we primarily rely on the IQ server to ensure we don't have open source dependencies in our applications that have security vulnerabilities, and to ensure that they're not using licenses our general counsel wants us to avoid using.

View full review »
Snyk: Languages
Reviewer636936 says in a Snyk review
Information Security Engineer at a financial services firm with 1,001-5,000 employees

If the Snyk had a SAST or DAST solution, then we could have easily gone with just one vendor rather than buying more tools from other vendors. It would save us time, not having to maintain relationships with other vendors. We would just need to manage with one vendor. From a profitability standpoint, we will always choose the vendor who gives us multiple services. Though, we went ahead with Snyk because it was a strong tool.

Snyk needs to support more languages. It's not supporting all our languages, e.g., Sift packages for our iOS applications. They don't support that but are working to build it for us. They are also missing some plugins for IDEs, which is the application that we are using for developers to code.

There are a couple of feature request that I have asked from Snyk. For example, I would like Snyk to create a Jira ticket from Slack notifications. We already have Snyk creating a pull request from Slack notifications, so I asked if we could create a Jira ticket as well so we can track the vulnerability.

View full review »
Dirk Koehler says in a Snyk review
Senior Director, Engineering at Zillow Group

It is a fairly developer-focused product. There are pretty good support and help pages which come with the developer tools, like plugins and modules, which integrate seamlessly into continuous integration, continuous deployment pipelines. E.g., as you build your software, you may update your dependencies along with it. Packages that it supports include CI/CD toolchains, build tools, various platforms, and software/programming languages.

It is one of the best product out there to help developers find and fix vulnerabilities quickly. When we talk about the third-party software vulnerability piece and potentially security issues, it takes the load off the user or developer. They even provide automitigation strategies and an auto-fix feature, which seem to have been adopted pretty well. 

Their focus is really towards developer-friendly integrations, like plug and play. They understand the ecosystem. They listen to developers. It has been a good experience so far with them.

View full review »
Nicholas Secrier says in a Snyk review
Information Security Officer at a tech services company with 51-200 employees

They've recently launched their open source compliance. That's an area that is definitely of interest. The better the capability in that, the better it will be for everyone. There may be room to improve the level of information provided to the developers so they understand exactly why using, say, a GPL license is a potential issue for a company that is not intending to publish its code.

There is potential for improvement in expanding the languages they cover and in integrating with other solutions. SonarQube is something that I'm quite interested in, something that I want to bring into play. I know that Snyk integrates with it, but I don't know how well it integrates. I will have to see.

Generating reports and visibility through reports are definitely things they can do better.

View full review »
Cameron Gagnon says in a Snyk review
Security Software Engineer at a tech company with 10,001+ employees

We didn't have a direct previous solution. We did have a SAST tool that we had been using a lot across our main repositories. But we didn't have anything that would cover a lot of the other teams' languages and dependencies. This is the first big tool that we've introduced for scanning.

We went with Snyk because of the wide range of integrations and ease of use. Those were a couple of the big points, and the fact that they offered an on-prem solution.

View full review »
Raman Zelenco says in a Snyk review
Lead Security System Engineer at a health, wellness and fitness company with 51-200 employees

We have multiple language service platforms based on different language scopes. We were interested in a platform which could cover all of the languages that we are using. We are a mobile-first application, so we were interested in the iOS and Android code and having back-end services that could be deployed via different languages. Another aspect was checking Docker images for vulnerabilities, using Gartner investigation and market research, and applying my personal experience in this niche (Security Development Lifecycle).

We had a comparison between several vendors, like Aqua Security, Snyk, and Qualys. In general, Snyk was the only solution that had a Docker scan aspect to it. It also offered us open scan for vulnerabilities. For this reason, we chose Snyk. It covers not only continuous scanning, but also provides the license scanning and open source scanning from the box. While there are lot of open source products on the market who offers this capability, Snyk aggregates all these features in one place.

If I had to go through the process of choosing a platform for our company again, I would chose Snyk. 

View full review »
reviewer1417671 says in a Snyk review
VP of Engineering at a tech vendor with 11-50 employees

The core offering of reporting across multiple projects and being able to build that into our build-pipelines, so that we know very early on if we've got any issues with dependencies, is really useful.

We're loving some of the Kubernetes integration as well. That's really quite cool. It's still in the early days of our use of it, but it looks really exciting. In the Kubernetes world, it's very good at reporting on the areas around the configuration of your platform, rather than the things that you've pulled in. There's some good advice there that allows you to prioritize whether something is important or just worrying. That's very helpful.

In terms of actionable items, we've found that when you're taking a container that has been built from a standard operating system, it tends to be riddled with vulnerabilities. It's more akin to trying to persuade you to go for something simpler, whether that's a scratch or an Alpine container, which has less in it. It's more a nudge philosophy, rather than a specific, actionable item.

We have integrated Snyk into our software development environment. The way Snyk works is that, as you build the software in your pipelines, you can have a Snyk test run at that point, and it will tell you if there are newly-discovered vulnerabilities or if you've introduced vulnerabilities into your software. And you can have it block builds if you want it to. Our integrations were mostly a language-based decision. We have Snyk integrated with Python, JavaScript Node, and TouchScript code, among others, as well as Kubernetes. It's very powerful and gives us very good coverage on all of those languages. That's very positive indeed.

We've got 320-something projects — those are the different packages that use Snyk. It could generate 1,000 or 2,000 vulnerabilities, or possibly even more than that, most of which we can't do anything about, and most of which aren't in areas that are particularly sensitive to us. One of our focuses in using Snyk — and we've done this recently with some of the new services that they have offered — is to partition things. We have product code and we have support tools and test tools. By focusing on the product code as the most important, that allows us to scope down and look at the rest of the information less frequently, because it's less important, less vulnerable.

From a fixing-of-vulnerabilities perspective, often Snyk will recommend just upgrading a library version, and that's clearly very easy. Some of the patching tools are a little more complicated to use. We're a little bit more sensitive about letting SaaS tools poke around in our code base. We want a little bit more sensitivity there, but it works. It's really good to be able to focus our attention in the right way. That's the key thing.

Where something is fixable, it's really easy. The reduction in the amount of time it takes to fix something is in orders of magnitude. Where there isn't a patch already available, then it doesn't make a huge amount of difference because it's just alerting us to something. So where it wins, it's hugely dramatic. And where it doesn't allow us to take action easily, then to a certain extent, it's just telling you that there are "burglaries" in your area. What do you do then? Do you lock the windows or make sure the doors are locked? It doesn't make a huge difference there.

View full review »
reviewer1419804 says in a Snyk review
Security Engineer at a tech vendor with 201-500 employees
  • The wide range of programming languages it covers, including Python
  • Identifying the vulnerabilities and providing information on how to fix them — remediation steps

It's very easy for developers to use. Onboarding was an easy process for all of the developers within the company. After a quick, half-an-hour to an hour session, they were fully using it on their own. It's very straightforward. Usability is definitely a 10 out of 10. Our developers are using the dashboard and command lines. All the documentation is provided and I've never had an issue.

We have integrated Snyk into our software development environment. It's something that is ongoing at the moment. Our SDE is VS Code.

Another important feature is the solution’s vulnerability database, in terms of comprehensiveness and accuracy. It's top-notch. It pulls all the data from the CVE database, the national vulnerability database. It's accurate and frequently updated.

View full review »
CodeSonar: Languages
CodeSonar677 says in a CodeSonar review
Senior Solutions Architect at a tech vendor with 1-10 employees

The scanning tool for core architecture could be improved. The core complex is something that we really need to analyze, but the complex feature as a whole is not present in the tool.

I would like CodeSonar to support many other programming languages, apart from C and C++. They should support things like AngularJS and Node.js, which are trending in the market right now.

View full review »