Application Security Scan Reviews

Showing reviews of the top-ranking products in Application Security that contain the term "Scan"
Veracode: Scan
ChiefInfaf47 says in a Veracode review
Chief Information Security Officer with 501-1,000 employees

We are a state agency, not a private-sector company. What we're able to do is take our main web-based application, which is not only for internal use but which the citizens of Ohio also use, and we can run this application, and others as well, through Veracode to ensure that we've done our job, our due diligence.

We print out a report, we see the rating of the vulnerabilities that have been found: "critical," "high," "moderate," and "low." We've been able to go from having critical vulnerabilities to where we're now into the more moderate range. We've shown improvement through the years. We can provide that information to our superiors, and to people who come in and audit us, to show that we've made progress on scanning.

When we find a vulnerability, we do pass it on to our developers and they've been able to go in and adjust the code so that the vulnerability is no longer there. The goal, of course, is that these findings will help them as they develop new code so that these vulnerabilities are not a part of the next application. We run a follow-up scan to make sure the vulnerability has been cleared.

The benefit, at this point, has been more internal than for our customers. Obviously we don't want them to have a problem so that they could then, theoretically, actually see the benefit. We try to be proactive.

Evan Christoe says in a Veracode review
AVP, IS Manager with 1,001-5,000 employees

We use Veracode to scan custom-developed code for flaws.

Rick Spickelmier says in a Veracode review
Chief Technology Officer at a tech vendor with 201-500 employees

We use it for security scanning of SaaS and mobile software that we develop: one server-side and two mobile applications. Most customers require SAST and DAST scanning in order to purchase.

Sebastian Toma says in a Veracode review
Engineering Security Manager at Nextiva

We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle. We rely on this set of tools to automatically scan our artifacts when they are moving to different environments.

We got it to the point that when we were promoting the artifacts from desktop to the server environment, we already had the scans completed. We knew the vulnerabilities that we were introducing with the new features ahead of time, i.e. before the QA department was finding them. That was the main reason we decided to use Veracode or to use tools for static analysis and dynamic analysis.

Riley Black says in a Veracode review
Senior Security Analyst at a health, wellness and fitness company with 1,001-5,000 employees

Veracode is a cornerstone of our Development Security Operations Program, particularly scanning automation and remediation tracking.

We've been able to monitor the release cycle and verify our Security Standards are met by setting policy and ensuring scans are taking place. If a scan fails to meet our standard, the build breaks and the flaws are remediated before releasing to Stage and ultimately Production, where the potential impact is much more costly.

We have discovered opportunities to make our code even better thanks to Veracode!

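The policy gate this review describes (break the build when a scan fails the standard, track what was remediated, and confirm with a follow-up scan that a finding is really gone, as the state-agency review above also describes) can be sketched as a small, vendor-neutral script. This is an added example, not Veracode's code or its report format: the finding fields (`cwe`, `file`, `sink`, `severity`), the use of the four severity names from the reviews, the policy knobs, and the sample findings are all assumptions constructed here.

```python
"""Severity-gated build check with baseline diffing (added example).

Assumed finding shape: {"cwe": int, "file": str, "sink": str, "severity": str}
where "sink" is the flagged call. Severity names follow the reviews above.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Assumed severity scale; rank is what the threshold is compared against.
SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1}


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding across scans.

    Line numbers shift with every commit, so the key is CWE + file + sink
    rather than CWE + file + line. Two scans of the same flaw then agree
    even after unrelated edits above it, which is what makes "fixed" vs
    "still there" trustworthy on the follow-up scan.
    """
    key = f"{finding['cwe']}:{finding['file']}:{finding['sink']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def diff_findings(baseline: list[dict], current: list[dict]):
    """Return (new, persisting, fixed): current findings split against the baseline."""
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}
    new = [f for fp, f in cur.items() if fp not in base]
    persisting = [f for fp, f in cur.items() if fp in base]
    fixed = [f for fp, f in base.items() if fp not in cur]
    return new, persisting, fixed


def count_by_severity(findings: list[dict]) -> dict[str, int]:
    """Counts per severity, the numbers a progress report to auditors is built from."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


@dataclass
class GateResult:
    passed: bool
    blocking: list[dict] = field(default_factory=list)
    new: list[dict] = field(default_factory=list)
    persisting: list[dict] = field(default_factory=list)
    fixed: list[dict] = field(default_factory=list)


def gate(current: list[dict], baseline: list[dict], threshold: str = "high",
         accepted: set[str] | frozenset[str] = frozenset(),
         fail_on_new_only: bool = True) -> GateResult:
    """Decide whether the build may proceed.

    A finding blocks when its severity is at or above `threshold` and its
    fingerprint is not in `accepted` (risk-accepted or mitigated findings are
    recorded by fingerprint, so a tracked item cannot be waved through merely
    by moving the code). With fail_on_new_only=True, pre-existing findings are
    reported as debt but do not break the build, so the first rollout on an old
    codebase does not stop every release; flip it to False once the backlog is
    worked down.
    """
    new, persisting, fixed = diff_findings(baseline, current)
    candidates = new if fail_on_new_only else new + persisting
    min_rank = SEVERITY_RANK[threshold]
    blocking = [
        f for f in candidates
        if SEVERITY_RANK[f["severity"]] >= min_rank and fingerprint(f) not in accepted
    ]
    return GateResult(passed=not blocking, blocking=blocking,
                      new=new, persisting=persisting, fixed=fixed)


# Constructed sample data: the previous scan (baseline) and the current one.
BASELINE = [
    {"cwe": 89, "file": "legacy/report.py", "sink": "cursor.execute", "severity": "critical"},
    {"cwe": 79, "file": "web/search.py", "sink": "render_template_string", "severity": "high"},
    {"cwe": 330, "file": "auth/token.py", "sink": "random.random", "severity": "low"},
]
CURRENT = [
    {"cwe": 89, "file": "legacy/report.py", "sink": "cursor.execute", "severity": "critical"},
    {"cwe": 78, "file": "ops/backup.py", "sink": "subprocess.Popen", "severity": "high"},
    {"cwe": 330, "file": "auth/token.py", "sink": "random.random", "severity": "low"},
]

if __name__ == "__main__":
    result = gate(CURRENT, BASELINE, threshold="high")
    print("new:", len(result.new), "fixed:", len(result.fixed),
          "persisting:", len(result.persisting), "blocking:", len(result.blocking))
    print("current counts:", count_by_severity(CURRENT))
    raise SystemExit(0 if result.passed else 1)  # non-zero exit is what breaks the build
```

On the constructed data the XSS (CWE-79) is reported as fixed, the new command injection (CWE-78, high) blocks the build, and the legacy SQL injection (CWE-89) is counted as persisting debt until `fail_on_new_only` is switched off or the finding is fixed. Whatever scanner produces the findings, the two properties worth keeping are the line-independent fingerprint and the accepted-list keyed by that fingerprint; without them, the follow-up scan cannot distinguish a remediated flaw from one that merely moved.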
reviewer1360617 says in a Veracode review
Sr. Security Architect at a financial services firm with 10,001+ employees

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

reviewer1359297 says in a Veracode review
Software Engineer at a financial services firm with 501-1,000 employees

This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web exposed systems but with maturity, we hope to increase that scope.

Christian Camerlengo says in a Veracode review
Senior Programmer/Analyst at a financial services firm with 10,001+ employees

The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up. We've had very few issues that we have actually had to contact Veracode about.

It does give some guidance, up to a point, for fixing vulnerabilities. It does a pretty good job of that. We went from a bunch of errors to a handful that I needed help with, and that was mostly because they provided some good information for us to look at. If I had been using this product a long time ago, I would have been able to anticipate a lot of things that Veracode discovered. The product I'm working on is about 12 years old and this was the first time we ran scans on it using Veracode. It identified quite a few issues. If you're starting a new project, it would be a good place to start. Once you get used to what people like penetration testers are looking for, this is a good tool to prevent having a pen test come back bad.

The Static Analysis Pipeline Scan is very good. It found everything that we needed to fix.

reviewer1436241 says in a Veracode review
DevSecOps Consultant at a comms service provider with 10,001+ employees

We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, with Bamboo, Jenkins, and GitLab CI/CD as our CI/CD servers.

We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly scan the internal application source code and ensure the code's security hygiene.

Qualys Web Application Scanning: Scan
Consultant at a tech services company with 1,001-5,000 employees

The most valuable feature is that we are able to scan the services and put in credentials like a user ID and password. We can verify the vulnerability level.

Lead Security Architect at a financial services firm with 501-1,000 employees

The vulnerability scanning and patching features are the most valuable parts of the solution.

reviewer1254240 says in a Qualys Web Application Scanning review
CEO at a tech services company with 51-200 employees

We were testing a lot of products. We were looking for a good product for our needs and for the needs of our customers to scan vulnerabilities. Qualys was one of the products we chose to do further testing with. The testing with data is still continuing and is a process. As we are in the process of discovery now, we cannot exactly qualify our experience with the product.

reviewer1228896 says in a Qualys Web Application Scanning review
Security Analyst at a tech services company with 10,001+ employees

We primarily use this solution for VM scanning. We scan more than a thousand applications.

reviewer1387992 says in a Qualys Web Application Scanning review
Senior Software Developer at a tech vendor with 1,001-5,000 employees

I think we have the fastest version, and they always upgrade it. I think it's the $2 or $3-a-month version. They have multiple engines inside it, but it's a site-based service. It is not on-demand, so Qualys will host it. It's the pay-as-you-go service, delivered as software-as-a-service.

We use the DAST, dynamic application scan test.

Data Specialist at CHUN SHIN LIMITED

We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be.

It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability.

We are researching open-source software because Qualys needs to improve their reports and the documentation for the end users in resolving scanned issues.

Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like ZAP or other open-source software is often easier to deploy.

Acunetix Vulnerability Scanner: Scan
Senior Security Engineer at a media company with 1,001-5,000 employees

Dynamic application security testing is our primary use case. I don't know if it would be used as a primary solution, but as a supplemental solution, Acunetix is very good for scanning applications and finding vulnerabilities.

We're a global organization. We're a large book publisher around the world. We use it globally: China, Australia, Europe, Asia, India, South America, Canada, and the USA. It's a global solution.

Lead Information Security Engineer at a financial services firm with 1,001-5,000 employees

The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great.

The speed of Acunetix has been pretty good. It's been the same as most other tools that we use, but it's been good.

Vijayanathan Naganathan says in an Acunetix Vulnerability Scanner review
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd

  • Login Sequence Recorder
  • Scan throttling
  • Fantastic reporting output

Security Engineer at a tech services company with 51-200 employees

We use it as a dynamic scanner for testing our websites. We also adjust it into another tool that we use which allows us to share our report with our developers.

Senior Security Engineer at an insurance company with 10,001+ employees

We have had more success with this particular product being able to control our different applications better than some of the other applications that we have used in the past, as far as checking for vulnerabilities. We know our apps are more secure.

It takes a few weeks just to look at the entire process. We take the reports, send them to the business team, who give them to the analysts, and then come up with the remediation plan. Afterwards, we scan it again unless there are critical issues, which are done in less time.

Manager for Technology Services at a non-tech company with 10,001+ employees

Our primary use case of this solution is to scan web vulnerabilities.

reviewer1155117 says in an Acunetix Vulnerability Scanner review
User

I am a freelance consultant and I use this product to scan customers' websites.

Most of the time, I use it to perform black-box analysis. The automated approach to these repetitive discovery attempts would take days to do manually and therefore it helps reduce the time needed to do an assessment.

reviewer1292124 says in an Acunetix Vulnerability Scanner review
Cyber Security Associate at a financial services firm with 10,001+ employees

For the last two years, we've primarily used the solution for specific scanning of external web applications for some of our clients.

reviewer1312281 says in an Acunetix Vulnerability Scanner review
Executive Director at a financial services firm with 201-500 employees

We have quite a few applications that we scan. We have a requirement to meet PCI DSS compliance and we deal with it by producing reports on a quarterly or a part-quarterly evaluation. We are customers of Acunetix and I'm the executive director of our company.

reviewer1379034 says in an Acunetix Vulnerability Scanner review
Project Manager at a computer software company with 1,001-5,000 employees

Our primary use case is scanning our websites for security flaws.

Senior Test Engineer II at a financial services firm with 201-500 employees

We use Acunetix for POC.

We have a scanner site website. We have two web applications, related to banking, that primarily serve our customers. We use Acunetix Vulnerability Scanner to ensure that the APIs that have been exposed to the customers are well protected and don't have any major vulnerabilities.

We wanted to have some kind of vulnerability scanner which could evaluate our requests and tell us where any vulnerabilities may reside. For that purpose, we use Acunetix scanner.

Originally, we used version 3.12, but they provided us with different products including Acunetix premium and Acunetix 360. We figured Acunetix 360 would be much better suited for our solutions; that's why we are currently using the trial version of Acunetix 360 at the moment.

Within our company, there are around five to ten people using this solution. Some from DevOps, IT Security, and a few penetration testers use it.

PortSwigger Burp: Scan
Rishi Kant says in a PortSwigger Burp review
Senior Security Engineer at an insurance company with 10,001+ employees

There is a lot to this product, and it would be good if when you purchase the tool, they can provide us with a more extensive user manual. This would help us to better understand the product, and we would not need to buy a separate book.

In the next release, I want to see it more interactive and have more multitasking with some faster features. Sometimes scanning takes a long time, so they need to add more tricks to reduce the time spent in security testing.

Ivan Biagi says in a PortSwigger Burp review
Security Specialist at Alfa-A IT

This solution has helped a lot in finding bugs and vulnerabilities, and the scanner is good enough for simple web apps.

Andrei Sandulescu says in a PortSwigger Burp review
IT Auditor & Compliance Officer at Intellimind

Our primary use for this solution is to perform vulnerability scanning before we deploy software in production.

reviewer1139067 says in a PortSwigger Burp review
User

The auto scanning feature provides really good details about issues that it finds.

Crawling web applications using Burp Spider, Target Site Map, automating customized attack with Burp Intruder, and manipulating parameters with Burp Repeater are the most useful and used features.

Vijayanathan Naganathan says in a PortSwigger Burp review
Director - Head of Delivery Services at Ticking Minds Technology Solutions Pvt Ltd

With the open edition, it's not a problem to install on any number of machines. When it comes to the professional edition, you need a license and you have to pick a license type. I have to use it against a particular machine on which I would run. From there I would run my scans. Let's say I don't find my laptop or my computer fast enough, and I decide to move my license across to a higher processor, higher memory laptop or computer, I can easily move the license across to the new machine.

As long as I am on that particular license use, I have one license that I'm able to move across to one instance at any given point of time. That is quite stable. I think even more than that, for a top-priced edition you can take multiple contract licenses. Something like a license server where you might have five licenses. You might have 10 installations and you can have different people working on various routes use the tool. Only those five licenses will be needed. In that instance, scalability is definitely a great point for most uses.

Currently, if you look at the users that are linked to roles that we have, one is the security test engineer and one is the security test analyst. At any given point in time, only one person uses the tool for engagement in the professional edition. We have about two to three people working with us on these projects.

reviewer1112304 says in a PortSwigger Burp review
IT Manager at a manufacturing company with 10,001+ employees

We use the solution for scanning our in-house external facing website.

reviewer1223976 says in a PortSwigger Burp review
Cyber Security Specialist at a university with 10,001+ employees

The most valuable features are Burp Intruder and Burp Scanner.

The automatic scanning feature is helpful.

reviewer1112304 says in a PortSwigger Burp review
IT Manager at a manufacturing company with 10,001+ employees

Burp has several good features; it's cheaper than other solutions, you can scan any number of applications, and it updates its database. With the professional version, it creates a lot of applications which you can incorporate with your scanning and enable deep diving in the specific section.

SivaPrakash says in a PortSwigger Burp review
Senior Test Engineer II at a financial services firm with 201-500 employees

The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned.

Additionally, it has good reporting and dashboards and also integrates well with other task management applications that we're using.

reviewer1110963 says in a PortSwigger Burp review
Security consultant at a manufacturing company with 10,001+ employees

Their flagship feature would be the active scanner, which carries out an automated lookup of any web vulnerabilities, mapping over to one of the main compliance standards, like OWASP. This provides an accurate security audit for their web applications.

Saminda Jayawardene says in a PortSwigger Burp review
Compliance Manager at a tech services company with 201-500 employees

We use some different tools for web application testing, like Nmap and others. If PortSwigger Burp could actually scale up for web application scanning, that would be really good. This way, instead of using different tools, we could easily rely on one tool for all testing.

Micro Focus Fortify on Demand: Scan
KavithaSridhar says in a Micro Focus Fortify on Demand review
Director Consulting at a tech services company with 10,001+ employees

My primary use case is to help the teams in development. It helps us scan.

reviewer1050960 says in a Micro Focus Fortify on Demand review
CISO at a retailer with 1,001-5,000 employees

Before we migrate new code to our production website, it is scanned with Fortify and all security vulnerabilities are identified. Then we try to remediate them so we don't expose ourselves.

I've been involved in deciding what's right or wrong. I've been involved in deciding on the product early on, and then whether we should go on-premise or in the cloud, whether we should build it into part of the software development life cycle or whether we should do it on demand before we go to production. I've been involved in a lot of that. I've been involved in working with the development team to decide what is a vulnerability and what is not, and which vulnerabilities we need to take to heart, regardless of whether we understand what it is that we should ignore, and regardless of the fact that we think it's highly critical.

Head of Compliance & Quality / CISO at a tech services company with 51-200 employees

We have approximately twenty users who perform code scanning. They are developers and security experts. We do plan to increase our usage of this solution in the future.

Senior Application Security Analyst at a financial services firm with 10,001+ employees

We use the cloud deployment model of the solution.

Whether or not you decide to implement the solution depends on the use case. It depends on if the user has a big application or multiple lines of code which need to be scanned. New users need to do POC so they can investigate if this tool fits in their company or their enterprise before they begin implementation. Everyone should do a comparison before implementing or doing the rollout of any security tool.

I would rate the solution seven out of ten.

Vice President - Solution Architecture at a financial services firm with 10,001+ employees

We are using Fortify on Demand as a static code analyzer. As it scans each application, it checks each line of code. When we are developing mobile applications there might be some kind of security vulnerability. One example is a check to see if information that is being transferred is not encrypted, because this would be vulnerable to hackers who are trying to break into the system. We also look at whether we are using the network transport layer security.

Our overall goal at this time is to protect our mobile app because it is one of the ways that hackers can break into the system.

reviewer1263261 says in a Micro Focus Fortify on Demand review
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees

I have been using this solution to gain some perspective from different architectures for the security team. I do not use it every day. I do have an overview and it is integrated with our development platform.

I do work for our governance team, so whenever a project is coming I will review products. I need to connect with the project managers for testing them, and these tests include the vulnerability assessment along with other security efforts. One of the things that I suggest is using Micro Focus Fortify on Demand.

The primary use case is code scanning for different vulnerabilities, based on standards. It begins with an architect who designs a model on a security-risk advisor platform. Then you have an idea of what the obstacles are. Once the code is scanned according to standards, you figure out where the gaps are. The team then suggests what needs to be done to the code to fix the vulnerabilities. The process repeats after the code is fixed until all of the vulnerabilities have been eliminated.

When you take all of these things together, it is Security by design.

reviewer1210665 says in a Micro Focus Fortify on Demand review
Production Manager for Nearshore SWaT at a computer software company with 10,001+ employees

We have a team that works with the product. All development teams work with this team to accomplish the goals. Everything was set up by this team, and afterward, the development team just has to look at the reports and vulnerabilities so that they can run scans.

Netsparker Web Application Security Scanner: Scan
Security Specialist at Alfa-A IT

The scanner itself should be improved because it is a little bit slow.

CPU usage should be improved due to my PC's fan going mad.

RAM usage also should be improved as well.

The attacker part of the scanner should be more fluid and faster.

There should be some option to tune up the scan, like throttling requests or using some WAF/IDS/IPS bypass technique. It needs more than what is currently in the Advanced Options.

The passive analyzer for some vulnerabilities should be improved, as it doesn't get all vulnerabilities. It should also be more efficient.

The scanner should also use some cool techniques to inject payloads, like replacing the entire body and Content-Type header (like for XML input).

Founding Partner at da ros e associati srl

The program uses technology that is different from application scanners. It's not an incremental solution. It could be a new product, but I'm not that knowledgeable to know which products are part of a suite. Netsparker doesn't provide the source code of the static application security testing. I would love to see a completion of the offering with static analysis.

Every customer has its own nuance, so I don't think it's really an issue when it comes to the user interface. Every customer has something that they would like different because they're used to something different. In my opinion, there is not very much to mention besides changing as little as possible. Something that Microsoft often does is to change things with every release, and users don't like that.

I would also like to see the price being at least 20% cheaper because the market is currently very crowded and there are many vendors and clients. A lower price will get more sales.

Retail Services Senior Manager at e-finance

The most valuable features that I've found in this solution were the level of accuracy and also that the process of scanning was very quick and we were easily able to change the frame of a scan. I use many applications and security management tools and the accuracy is important for me. Other solutions like NetBus don't have such an accurate timeline.

Consultant Cyber Security at a tech services company with 51-200 employees

With respect to the algorithm that Netsparker is running, they don't really provide the proof of concept up to the level that we need, here in the organization. Specifically, because the tool is running the scan and exploiting the read-only version, it doesn't prove to the customer that the exploit is genuine. We have to perform this manually, but it is difficult to prove to the concerned team, whether it is the development team, the remediation team, or the security team.

Right now, they are missing the static application security part, especially for web application security. If they can integrate a SAST tool with their dynamic one, then it would be really helpful.

Consultant Cyber Security at a tech services company with 51-200 employees

I am impressed by the whole technology that they are using in this solution. It is really fast. When using netscan, the confirmation that it gives on the vulnerabilities is pretty cool.

It is really easy to configure a scan in Netsparker Web Application Security Scanner. It is also really easy to deploy.

Checkmarx: Scan
Bus432Anly says in a Checkmarx review
Business Analyst at a tech services company with 201-500 employees

Our primary use case for the solution is code scanning.

James Barwick says in a Checkmarx review
Principal Software Engineer at SingTel Internet Exchange

Code scan. We performed periodic static code scans on copies of our Git repository to identify possible vulnerabilities.

Milind Dharmadhikari says in a Checkmarx review
Practice Head - IT Risk & Security Management Services at Suma Soft Private Limited

My team uses this product extensively for application vulnerability assessment. This solution is for static application security testing and is used within our software development process.

As the software developers are creating solutions, they are able to identify vulnerabilities while the application is being written, rather than after the entire development is over.

We were interested in having the raw source code scanned, so that was the primary requirement and that is where Checkmarx comes in. We do not need any precompiled libraries, or compiled source code, to be checked by the source code analysis solution.

We have a security team that uses this product to scan source code, rather than have the developers handle it. We do not have any developer licenses (i.e. the SDLC Edition). Instead, the security team identifies the vulnerabilities and shares the report with the development team.

CyberSecAn08987 says in a Checkmarx review
Cyber Security Analyst at a tech vendor with 1,001-5,000 employees

There are many good features like site integration, but the most valuable feature for us is the XL scan of source code.

Don Robbins says in a Checkmarx review
Software Configuration Manager at a tech vendor with 501-1,000 employees

Checkmarx is a stable product, especially based on the number of updates that we receive. Every time we get a new update or a hotfix, I'm very much in the loop on getting that information. Compared to some other products, it doesn't have the churn that others do, i.e. in the number of updates and patches that we have to apply to it.

We're licensed for 100 users. Primarily we use Checkmarx for developers, managers, architects, and maybe some of the design folk, but not QA. This would solely be in the realm of development and architecture.

There is no plan for us to increase our usage of Checkmarx. We're trying to get as many scans as possible. One of the issues that we have is the concept of an incremental scan. The more of the incremental that you do, the slower the service becomes.

When you go in and you look at the last result: it's your baseline or your full scan, followed by applying each incremental. The more of the incrementals that you have, the slower Checkmarx gets.

They've come up with a recommendation for users to do one full scan a week and maybe six incremental scans. This needs to be worked on to get the performance better on this particular tool.

Deepak Kamra says in a Checkmarx review
Vice President at Arisglobal Software Pvt Ltd

We are using it for static security scanning and static security testing. We also use it for code dependency analysis. We use two of the solution's tools for each variable.

reviewer971370 says in a Checkmarx review
CEO at a tech services company with 11-50 employees

The most valuable features are the easy-to-understand interface, and it's very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan.

We can do the work quickly and we don't need to compile the source code because Checkmarx does the work without compiling the project.

The scanning is very quick. It's about 20,000 lines per hour, which is a good speed for scanning.

reviewer1375824 says in a Checkmarx review
Technical Lead at a tech services company with 1,001-5,000 employees

Honestly speaking, we do not have much experience in this tool yet as we just started using it a couple of months ago. I personally am still just diving into the data. It may be too early to tell if there are improvements that need to be made.

The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated.

reviewer1286010 says in a Checkmarx review
Senior Software Engineer at a computer software company with 10,001+ employees

We use Checkmarx for scanning our source code.

Samuel Baguma says in a Checkmarx review
Senior Security Engineer at a pharma/biotech company with 501-1,000 employees

The most valuable feature is the scanning.

The reports are very good because they include details on the code level, and make suggestions about how to fix the problems.

reviewer1295802 says in a Checkmarx review
Founder & Chairman at a tech services company with 11-50 employees

Aside from my occupation, I am an academic. Because of our status, we test products as well as their competition, for example, we45, AppScan, SonarQube, etc. I have to point out, from an academic and business point of view, there is a very serious competitive advantage to using Checkmarx. Even if there are multiple vulnerabilities in the source coding, Checkmarx is able to identify which lines need to be corrected and then proceeds to automatically remediate the situation. This is an outstanding advantage that none of the competition offers. 

The flexibility in regards to finding false-positives and false-negatives is amazing. Checkmarx can easily manage false-positives and negatives. You don't need to generate an additional platform if you would like to scan a mobile application from iOS or Android. With a single license, you are able to scan and test every platform. This is not possible with other competitive products. For instance, say you are using we45 — if you would like to scan an iOS application, you would have to generate an iOS platform first. With Checkmarx you don't need to do anything — take the source code, scan it and you're good to go. Last but not least, the incremental scanning capabilities are a mission-critical feature for developers. 

Also, the API and integrations are both very flexible.


View full review »
Tusnin Das says in a Checkmarx review
General Manager at a consultancy with 1,001-5,000 employees

The UI is very intuitive and simple to use. You don't need to know anything about the product before you begin working with it.

The interface used to audit issues is also simple to use.

Compared to similar products, the code scanning time is fast.

View full review »
reviewer1263726 says in a Checkmarx review
Sr. Application Security Manager at a tech services company with 201-500 employees

I am in charge of application security and Checkmarx is one of the products that I use in this capacity. We use this product for code scanning and static code analysis.

View full review »
reviewer1410597 says in a Checkmarx review
Vice President Of Technology at a computer software company with 5,001-10,000 employees

Prior to using Checkmarx, I used AppScan but the concept is completely different. With Checkmarx, you are working with source code, whereas with AppScan, you are working with binaries. You can say that AppScan is more like a dynamic security scan and Checkmarx is more static.

These products are quite different in terms of how you do the testing. Checkmarx is better from both a performance perspective and reporting a lower number of false positives.

View full review »
SonarQube: Scan
Daniel Hall says in a SonarQube review
Technical Architect at Dwr Cymru Welsh Water

A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product with additional cost, and also gives the benefit of a single pane of glass view, although we still need WhiteSource Bolt for 3rd party library scanning. The integration into docker builds could be better as pulling the latest version of the scanner, setting the path and then invoking the scan is an extra overhead to manage between versions of the scanner. An apt-get and scan start with the key passed as a variable would be a nicer implementation. Have not looked into SSL for the management page yet but hoping that goes smoothly.

View full review »
AppSecAn0945 says in a SonarQube review
Application Security Analyst at an agriculture company with 501-1,000 employees

We use this program as a complement to our security scans, in addition to Checkmarx.

View full review »
Steven Gomez says in a SonarQube review
Lead Engineer at bioMerieux, Inc.

The initial setup was complex because we were using the Community Edition. We did have some issues with the compatibility of the different components. For example, there is the server itself, but then you can plug in different packages, like the C++ package. We've also experimented a little bit with Python metrics, but unfortunately we don't have a project that's really under that control yet, to really get a feel for how that works.

Configuration issues were pretty complicated, but once we got things up and running, it's been extremely stable, it was kind of maintenance-free, now, although we have a time issue. Of the scans that it does, it could be somewhat time-consuming, so originally some of the developers would say, "Well we want to be able to do that on our desktop." I told them, "I don't think you know what you're asking for, here." But as an alternative, we have it set up with our continuous integration server, which we use in TeamCity by the way. In the middle of the night, it automatically runs a scan for them, while they're in bed at home asleep so their results will be ready the next morning. This way, whatever they have most recently checked in, they can see the results right there. And then it runs in the background so it doesn't matter how long it takes per se, it gets it done by the next time they come in. That's part of what continuous integration does, it does things for you that years ago people would do themselves, and never get around to it.

View full review »
ViPres97886 says in a SonarQube review
Vice President at a financial services firm with 1,001-5,000 employees

The security portion of this solution needs to be improved. They do have a few rules, but I don't think that they are of much use because you cannot position it as a security scanner. I think that there is a lot more that can be done in the security space. I would like to see, for example, more security updates as part of the scan.

The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at.

We would like to be able to perform differential scans for a few modules or a few lines, rather than for the whole source code each time. 

View full review »
Jeff Ingalls says in a SonarQube review
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees

This solution is part of our pipeline. We use GitLab for source control and Jenkins for build management. Jenkins kicks off our SonarQube scans, we use Checkmarx for static code analysis, UrbanCode Deploy, and UrbanCode Release.

Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs.

View full review »
ScalaCon4d53 says in a SonarQube review
Scala Contractor at a tech services company with 10,001+ employees

I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to detect genuine quality, instead of numbers that people can game. The number can be manipulated. There are a few ways to do this, and mutation testing is one of them.

I would also be interested in more security scanning.

View full review »
Kiran Gujju says in a SonarQube review
Cyber Security Architect (USDA) at a government with 10,001+ employees

I work for a government agency and we use this tool. It is lightweight and very cost-effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in.

View full review »
Donovan Greeff says in a SonarQube review
Head of Software Delivery at a tech services company with 51-200 employees

Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. 

We plug this process into our process right from the start enabling the IDE integrations so that engineers can scan their code before submission. Following on from that we run the scans on every change that has been submitted for review. 

This way we ensure that no core/fundamental issues are added to our codebases. 

View full review »
TibinLukose says in a SonarQube review
Software Engineer at Adfolks

I was using SonarQube to scan my code for vulnerabilities as part of the DevOps process.

View full review »
reviewer1390020 says in a SonarQube review
Engineer at a pharma/biotech company with 201-500 employees

The library could have more languages that are supported. It would be helpful.

There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that we are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.

MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.

It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.

Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.

View full review »
reviewer1407126 says in a SonarQube review
Team Lead at a computer software company with 10,001+ employees

We do not really have very much contact at all with technical support because SonarQube is quite user-friendly and intuitive. Technical support is not actually available with the free product, but we do have access to community tools online.

There was this one issue that we had where we had raised a question in the community. We found that if we scanned our project with SonarLint and if we scanned our project with SonarQube, it was giving some different results. SonarQube was showing some issues and SonarLint was not showing any issues at all. There was a clear difference in the report. But when we Googled this issue and looked on the support web site, we found now that SonarLint does not give you the errors around integration. When it comes to SonarQube, it automatically integrates with other processes and scans your port to that. SonarLint does not do this in the same way. This is why SonarQube might give you some errors that SonarLint does not.

So we are not in contact with the company's support. When there are times when we do have an issue, we see what we can find on Google or the SonarQube community. Usually, we do find out our answers.

View full review »
Kiuwan: Scan
Ernst Marais says in a Kiuwan review
Software Architect at Digital Solution Foundry (Pty) Ltd

The rate of false positives, where it reports issues that are not really issues, can be improved.

Scanning of vulnerabilities on open-source projects is not particularly useful as it is.

I would like to see better integration with Azure DevOps in the next release of this solution.

View full review »
Coverity: Scan
Nachu Subramanian says in a Coverity review
Head of DevOps Engineering Center of Excellence at OCBC Bank

I am the administrator and I use this solution to do the calibrating and security scanning of the code in my bank. We are trying to find any vulnerabilities in our code and we are integrating the process with our DevOps.

View full review »
reviewer1428837 says in a Coverity review
Security Consultant at a tech services company with 11-50 employees

I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that.

I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom roles?

We also want to know things like what the professional services are like, and whether people typically need many hours of professional services to get the system spun up. Other factors include whether it is deployed on-premises or in the cloud, and also, which of those environments it can operate with.

One of the things is there's not really a shining star out of all of these tools. SaaS tools have been getting more mature in the past decade, particularly in how fast they run, but also in the results they get. Of course, framework and language additions that increase the capability with results are considered.

View full review »
Fortify Application Defender: Scan
Durgesh Pathak says in a Fortify Application Defender review
DevOps Engineer at an energy/utilities company with 10,001+ employees

We use this solution for inspecting our security, such as checking to see if our developers are securing their code properly. For example, we have to ensure that they are not inadvertently exposing any IP addresses or passwords. We have to be cautious because most of our applications are related to banking and the financial domain.

Fortify Application Defender accomplishes this by performing source code analysis, and it scans using agents. The source code check involves static code analysis to see if things like passwords are exposed.

View full review »
Director of Security at Merito

The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology. The rules that are created are very specific to the application that it's defending. In a typical WAF, out of the box, it comes with a set of standard rules that work reasonably well. However, if you want rules that are specific to vulnerabilities that you know are in the application, the application defender is superior at defending against these.

View full review »
WhiteSource: Scan
reviewer1250700 says in a WhiteSource review
Senior Productization Specialist at a tech services company with 51-200 employees

WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers.

This solution needs better support and customer service.

View full review »
reviewer1250697 says in a WhiteSource review
User at a tech vendor with 1,001-5,000 employees

Our primary use for WhiteSource is security and license risk detection in open-source, third-party libraries and components. We run scans from multiple source control and build systems (TFS, ADO, Jenkins, ...). Some of our scans are automated, while others are done manually with the unified file agent in offline mode scan, and then the resulting "wsjson" file is uploaded to the WS SaaS portal.

View full review »
Alon Michaeli says in a WhiteSource review
Founder & CEO at Data+

We use WhiteSource mainly to:

  1. Detect and automate vulnerability remediation. We started to research solutions since our dev teams are unable to meet sprint deadlines and keep track of product security. Most of our code scans are automated and integrated within our pipeline, which integrates with our CI server. With some, we run them manually using an agent. We recently started using the repository integration with Github, too, pre-build.
  2. License reporting and attribution reports. We use attribution reports and due diligence reports to assess risks associated with open-source licenses.

View full review »
reviewer1264290 says in a WhiteSource review
Project Manager at a health, wellness and fitness company with 11-50 employees

We started using WhiteSource mainly to scan dependencies and detect open-source licenses, copyright information, and vulnerabilities.

We’ve managed to establish an integration with our CICD pipelines and use pretty much all of the automation that is offered, including automated policies.

View full review »
reviewer1268112 says in a WhiteSource review
DevOps CI/CD Team Lead at a computer software company with 10,001+ employees

We use this solution for scanning NodeJS and Maven projects during the CI/CD processes. We have hundreds of scans per day for any project that runs on our CI and passes the release build.

This means that any release build runs the WhiteSource scan before deployment to production clusters, which ensures that we are pretty covered in terms of licenses for open source dependencies.

We are running on top of hundreds of microservices and thousands of daily builds, of which part of them are moving to production deployment eventually.  

View full review »
HCL AppScan: Scan
Sungmin Chun says in an HCL AppScan review
Chief researcher at INSEC Security

External and internal web application vulnerability scan.

View full review »
Shaikh Jamal Uddin says in an HCL AppScan review
Senior Information Security Consultant at Secure Coat

This solution saves us time due to the low number of false positives detected. Other scanners have an issue with respect to reporting false positives.

View full review »
Sonatype Nexus Lifecycle: Scan
Charles Chani says in a Sonatype Nexus Lifecycle review
DevSecOps at a financial services firm with 10,001+ employees

My advice is "do it yesterday." You save yourself a lot of money. Even during one, two, or three weeks, it's going to cost you a lot of money to fix the security vulnerabilities that you are ingesting in your development lifecycle. You could be avoiding that by using a product like Lifecycle.

With Lifecycle, the product itself, the intelligence is contained in the implementation called IQ Server. IQ Server has a component called Firewall. The Firewall, as the libraries are ingested into the organization, will scan each and every one of them. Depending on the policies, it's customizable as well. You can put policies there to say, if the library missed this criteria, block it. And you can say, if you block it, "But this library's okay, allow it in." You can waive policies. It's very highly customizable, such that you can block it at ingestion and you've got five other levels through which you could disallow a library. You could block a library from going into your staging or your development.

It will be used by over 2,000 developers in our organization, and that is just Phase One. Other phases will be rolled out, so it will be an enterprise deployment for the whole bank. It's a financial institution, an investment bank that is very big. We may have over 10,000 developers.

For all organizations - but most of all for financial institutions - security is very important. Somebody in the bank gave a mandate that we need to be more secure and this was implemented. The best way to get the developers into the idea is that, by using the product, they'll actually be saving themselves some time, because as far as security is concerned, they won't be required to change their programs as much.

I would give this product a nine out of ten, knowing that I'll have a full report of artifacts that would have been ingested into our organization - artifacts that are not secure - if I didn't have the product. That information is priceless.

View full review »
Axel Niering says in a Sonatype Nexus Lifecycle review
Architekt at SV Informatik GmbH

If there is something which is not in Maven Central, sometimes it is difficult to get the right information because it's not found.

And if you look at NPM-based applications, JavaScript, for example, these are only checkable via the build pipeline. You cannot upload the application itself and scan it, as is possible with Java, because a file could change significantly, so the applications are not found anymore. This is something that could be improved in future.

Also, I have seen in Black Duck, for example, that there is also information about exploits that are known for a given vulnerability. This is something I haven't seen or haven't found yet in Nexus Lifecycle. If there is a known exploit to a vulnerability, this could be something that is useful to know as well.

View full review »
Security Team Lead at Tyro Payments Limited

It's mainly used to scan for security issues in any components that we use. There are two parts to it, the license part and the security part. We use it generally for the security, but we also do have scans for the license stuff too.

View full review »
Gus Orologas says in a Sonatype Nexus Lifecycle review
Lead IT Security Architect at a transportation company with 10,001+ employees

  • The application onboarding and policy grandfathering features are good.
  • The solution integrates well with our existing DevOps tools.
  • It also blocks undesirable open-source components from entering our development lifecycle. It scans code libraries and it flags them if there's a vulnerable version. It shows us very quickly if there is a newer version available, and what generation that non-vulnerable version is.

View full review »
JavaDevef0ca says in a Sonatype Nexus Lifecycle review
Java Development Manager at a government with 10,001+ employees

Before, we had open-source Nexus Repository, but with Lifecycle we have Nexus RM and IQ Server as well and we can scan .jars. In addition, we have the plugins for individual developers, which benefits us and the developers when they introduce a new artifact into their applications. It helps them identify what are potential risks and defects. They can resolve them right there and proceed there with their development.

It also brings intelligence to the open-source artifacts, because intelligent servers scan all the vulnerabilities, identify the problems, and then we can ask the individual teams to fix them. That is a plus.

The solution blocks undesirable open-source components from entering our development lifecycle. There are certain .jars which we can block.

In terms of open-source governance, the tool tells us all the threats that are out there in the public sector repositories, threats which, potentially, no one knows. We get to know them and we can use the tool to let other people know which direction to go in.

The solution has improved the time it takes us to release secure apps to market by at least 50 percent. It has also increased developer productivity to some extent because of the plugin which is included for the IDE. It gives a report of the vulnerabilities. It does save time in figuring out the right open-source versions that we need to use. It has helped improve the productivity of the developers by about ten percent.

View full review »
Russell Webster says in a Sonatype Nexus Lifecycle review
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees

Its core features are the most valuable:

  • protection
  • scanning
  • detection
  • notification of vulnerabilities.

It's important for us as an enterprise to continually and dynamically protect our software development from threats and vulnerabilities, and to do that as early in the cycle as possible.

Also, the onboarding process is pretty smooth and easy. We didn't feel like it was a huge problem at all. We were able to get in there and have it start scanning pretty rapidly.

The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster.

The solution also integrated well with our existing DevOps tool. That was of critical importance to us. We built it directly into our continuous integration cycles and that's allowed us to catch things at build time, as well as stop vulnerabilities from moving downstream.

View full review »
ConfigManag73548 says in a Sonatype Nexus Lifecycle review
Configuration Manager at a health, wellness and fitness company with 5,001-10,000 employees

Our primary use case is preventing major security vulnerabilities.

We use it as part of our build pipeline. We have a plugin that gets scanned by Sonatype as the build runs and it scans for all third-party dependencies. We haven't yet gotten to the point where we fail a build, but we make the matrix visible so we know where we need to focus. In the coming months, we plan to actually start failing builds and preventing releases which have certain vulnerabilities, from going into production.

View full review »
Sebastian Lawrence says in a Sonatype Nexus Lifecycle review
Solutions Delivery Lead at a financial services firm with 201-500 employees

Our primary use case is for the SAS testing. This is the dynamic composition analysis that we need to do. In our apps, we do a lot of bespoke development and use a lot of third-party components. Therefore, it is critical to know what number is embedded within the third-party components that we may not directly be responsible for. The main use case is for scanning and ensuring that the deployments that we are adding to our servers is as secure as we can make it.

We use it for scanning alone. That is our way of mitigating risk.

We just upgraded to the latest version.

View full review »
reviewer1268016 says in a Sonatype Nexus Lifecycle review
IT Security Manager at an insurance company with 5,001-10,000 employees

For the application onboarding, we are focusing on automating that as much as possible. Considering the amount of applications that we scan, it's probably not feasible to do all that within the GUI, but the APIs provided by the solution are really good. We have some positive impressions for that. The automatic onboarding seems to work quite well.

One thing we recently did is we automatically onboarded every application that we deployed to production. We scanned each one of them and now have a complete picture of our estates. Every single vulnerability introduced from an open source component is now visible, and we have a clear number. That number was big. Really, we have a lot of issues which we were unaware of. We suspected that we had them, but we now have a clear number that makes selling the solution internally a lot easier.

The solution brought open source intelligence and policy enforcement to a small extent across our SDLC (software development lifecycle) because we have only fully rolled it out in a small number of teams. However, where we did do this, we have started scanning right at the build phase, seeing issues really early in the lifecycle.

The solution automates open source governance and minimizes risk. We are trying to reduce the amount of vulnerabilities that we introduce using open source codes. The entire goal of why we're doing this solution is to have it in the lifecycle of our software development and reduce risk.

View full review »
Product Strategy Group Director at Civica

We have two use cases. We're predominantly a products company and we scan our products, in a controlled way, to make sure they're not using open-source software. We want to make sure that we're licensed correctly for our products and the way they are deployed. There are also security reasons for making sure that our products aren't introducing vulnerabilities and, if they are, that we can address them. 

And part of our business is that we build bespoke software. Some of our customers want to make sure that the open-source software is being used correctly in the software we build for them. And, again, we want to protect that software against security vulnerabilities that might be introduced by open-source software.

We also use the solution to help with open-source governance and minimize risk. When we are acquiring a new company, for example, we will automatically, as part of the due diligence on that purchase, scan their products to make sure they don't have vulnerabilities that we are not prepared to accept. So it helps us to make sure, before we make any purchase, that the target acquisition is of suitable quality, in terms of its open-source use.

View full review »
Wes Kanazawa says in a Sonatype Nexus Lifecycle review
Sr. DevOps Engineer at Primerica

It's allowed our developers, instead of waiting till the last minute before a release, to know well ahead of time that the components are bad and they are able to proactively select different components that don't have a vulnerability or a licensing issue.

Also, the solution's data quality seems to be good. We haven't had any issues. We're definitely able to solve problems a lot faster and get answers to the developers a lot faster.

And Nexus Lifecycle integrates well with your existing DevOps tools. We were able to put it right into our build pipelines. We use Jenkins and we're able to stop the builds right in the actual build process whenever there's a quarantined item.

In addition, it has brought open-source intelligence and policy enforcement across our SDLC. It has totally changed the way we do our process. We have been able to speed up the approval process of OSS. Given the policies, we're able to say, "These are okay to use." We've been able to put in guardrails to allow development to move faster using the product. Our pipelines are automated and it is definitely a key component of our automation.

Finally, the developers like it because they're able to see and fix their issues right away. That has improved. For example, let's say a developer had to come to us and say, "Hey, scan this. I want to use it," and we scan it and it has a vulnerability. They've already asked us to do something that they could have done through the firewall product or Lifecycle. Suppose it takes us a day and then we turn around and say, "Okay, here are the results," and we say they can use this version of that product. They've got to download it and see if it works. So we're already saving a day there. But then let's say they have to send it off to security to get approval on something that security would probably approve anyways. It's just they didn't know security would approve it. They would have to wait two or three days for security to come back and give them an answer. So we're looking at possibly saving four days on a piece of code.

View full review »
Ricardo Van Den Broek says in a Sonatype Nexus Lifecycle review
Software Architect at a tech vendor with 11-50 employees

The stability is good. We have never had an issue with it being unreachable. I've not noticed any downtime with it. 

The single issue and change that our administrator ran into was that after he set up the solution, it used a file database locally. After he switched it from running in the foreground to running as a service on a VM, we realized that the database was gone, it had somehow reset. He was able to find the previous file used as the database though and successfully migrated the data to Postgres. That was all the way at the start and we noticed the issue right away. After that, we've had no issues with it.

Our system administrator has not had any issues installing updates to IQ Server.

We haven't had any major security things that we had to fix last minute or on production, which is a good thing. However, we have had vulnerability issues come up. We were able to check them out and notice that they wouldn't affect us immediately because they applied to a specific use case which doesn't occur in our application. However, it does show that things come up. Security issues are found, and if we would've done a manual scan with our previous product/project, we may not have known that something happening on production or we would have found it a lot later. Whereas now, these things pop up right away. It has seemingly increased the overall stability and how fast we can respond to things.

We think about software issues in healthcare. We always want to be very careful of security things in this application because of HIPAA and patient privacy and vulnerabilities to applications from things like ransomware. We get questions about this stuff from potential clients about how we can protect ourselves. We have continuous monitoring of security vulnerabilities, which is very good advertisement for our company. This was not something we could say before because we'd have to do it manually. Sometimes, a few months would go by before we could run another scan.

View full review »
Michael Esmeraldo says in a Sonatype Nexus Lifecycle review
Sr. Enterprise Architect at MIB Group

We have a lot of legacy applications here and they're all built with Ant scripts and their dependencies come from a shared folder. There's not a lot of "accountability" there. What we get out of using Nexus is that all of our dependencies are in the same place and we can specify a specific version. We no longer have a situation where somebody has pulled down a .jar file and stuck it in this folder and we don't know what the version is or where, exactly, it came from. That's one of the benefits.

Another of the main things we get is what Sonatype calls a "bill of materials." We can go into our Nexus product and say, "Okay, here is our ABC application. What are its dependencies?" And we can be specific down to the version. We know what's in it and, if a vulnerability gets reported, we can look and see if we use that particular component and in which applications, to know if we're vulnerable. If we find we're exposed to that vulnerability we know we need to go and remediate it.

The biggest benefit we get out of it is the overall ease of development. The ability to automate a lot of the build-and-deploy process comes from that.

The data quality helps us solve problems faster, as in the security vulnerability example I just mentioned. In those circumstances, we have to solve that problem. Previously, we wouldn't have seen that vulnerability without a painstaking process. Part of the Nexus product, the IQ Server, will continually scan our components and if a new CVE is reported, we get that update through Nexus IQ. It automatically tells us, "Hey, in this open-source library that you're using, a vulnerability was found, and you use it in these four applications." It immediately tells us we are exposed to risk and in which areas. That happens, not in near real-time, but very quickly, where before, there was a very painstaking process to try to find that out.

A year ago we didn't have DevOps tools. We started building them after I came on. But Nexus definitely integrates very well with our DevOps tools. Sonatype produces plugins for Jenkins to make it seamlessly interact, not only with the repo product, but with the Nexus IQ product that we own as well. When we build our pipelines, we don't have to go through an array of calls. Even their command-line is almost like pipeline APIs that you can call. It makes it very simple to say "Okay, upload to Nexus." Because Jenkins knows what Nexus is and where it is — since it's configured within the Jenkins system — we can just say, "Upload that to Nexus," and it happens behind the scenes very easily. Before, we would have to either have run Maven commands or run Gradle commands via the shell script to get that done. We don't need to do that sort of thing anymore.

The solution has also brought open-source intelligence and policy enforcement across our SDLC. We have defined policies about certain things at various levels, and what risks we're willing to expose ourselves to. If we're going to proxy a library from Maven Central for example, if the Nexus IQ product says it has a security-critical vulnerability or it's "security high" or it's "component unknown," we can set different actions to happen. We allow our developers to pull down pretty much anything. As they pull something down from say, Maven Central, it is scanned. If it says, "This has a critical vulnerability," we will warn the developer with the report that comes out: "This has a security-critical vulnerability. You're allowed to bring it down in development, but when you try to move to QA or staging, that warning about the 'security-critical' component will turn to a failure action." So as we move our artifacts through that process, there are different stages. When someone tries to move that component to our staging environment, it will say, "Oh no, you can't because of the security-critical thing that we've been warning you about. Now we have to fail you." That's where we get policy enforcement. Before, that was a very manual process where we'd have to go out and say, "Okay, this thing has these vulnerabilities, what do we do with it?" It's much more straightforward and the turnaround time is a whole lot faster.

Automating open-source governance and minimizing risk is exactly what Nexus is for. Our company is very security conscious because we're governed by a number of things including the Fair Credit Reporting Act, which is very stringent in terms of what we can and cannot have, and the level of security for data and information that we maintain. What Nexus does is it allows us to look at the level of risk that we have in an application that we have written and that we expose to the companies that subscribe to us. It's based on the components that we have in the application and what their vulnerabilities are. We can see that very clearly for any application we have. Suppose, all of a sudden, that a Zero-day vulnerability — which is really bad — is found in JAXB today. We can immediately look for that version in Nexus. We can see: Do we have that? Yes, we do. Are we using it? Yes, we are. What applications are we using it in? We can see it's in this and that application and we can turn one of our teams to it and get them to address it right away.

I don't know exactly how much time it has saved us in releasing secure apps to market, but it's considerable. I would estimate it saves us weeks to a month, or more, depending upon the scope of a project.

And it has definitely increased developer productivity. They spend a lot less time looking for components or libraries that they can download. There was a very manual process to go through, before Nexus, if they wanted to use a particular open-source library. They had to submit a request and it had to go through a bunch of reviews to make sure that it didn't have vulnerabilities in it, and then they could get a "yes" or "no" answer. That took a lot of time. Whereas now, we allow them to download it and start working with it while other teams — like our enterprise security team — look at the vulnerabilities associated with it. That team will say, "Yeah, we can live with that," or "No, you have to mitigate that," or "No, you can't use this at all." We find that out very much earlier in the process now.

It allows us to shift gears or shift directions. If we find a component that's so flawed that we don't even want to bring it into the organization from a security standpoint, we can pivot and say, "Okay, we'll use this other component. It doesn't do everything we needed, but it's much more solid."

View full review »
Ryan Carrie says in a Sonatype Nexus Lifecycle review
Security Analyst at a computer software company with 51-200 employees

It gives alerts for new vulnerabilities before our clients do, so we have time to review them, audit them, and determine how we need to proceed with resolving the issues before we get any client communication.

Before we had this in place, we had a much more reactive approach to CVE listings. Since integrating this, and as we've refined our process over the past eight months or a year, we have moved to a proactive approach allowing auditing and decisions on mitigation before any incoming client submissions.

In addition, it has brought open-source intelligence and policy enforcement across our software development lifecycle. As a component of the lifecycle, it gives us more controls in place. As far as bringing in dependencies goes, we're able to see what a dependency is introducing, from a security and licensing perspective, before we publish a release to the public. So within the build stage, if we pull in a new dependency, Nexus will very quickly tell us whether it has issues or not. And we catch it. It scans in the build stages; we have it checking our staging where we're doing our regression; and it's also monitoring our released branches and letting us know if issues are found in our releases. It really does hit all stages of that lifecycle.

View full review »
reviewer1342230 says in a Sonatype Nexus Lifecycle review
Application Development Manager at a financial services firm with 501-1,000 employees

During development, if there are new libraries that need to be used, then we scan them first to see if they are secure or valid. If there is a threat, we see whether we can avoid it or use alternatives. Also, before each release, it is mandatory for us to scan the code before we go to release it.

It was installed at the beginning of the year, so I think we are using the latest version.

View full review »
reviewer1380810 says in a Sonatype Nexus Lifecycle review
Computer Architecture Specialist at an energy/utilities company with 10,001+ employees

We use it to scan applications for open source libraries and to find libraries with a clean version for developers. If one version is vulnerable, they can switch to another version which is clean.

Our situation is that we are running it as a pilot. Hopefully, this year we will be moving the environment into production. Delays happened due to some of our workforce being allocated to different organizations, and then we had the pandemic.

It's deployed on-premise, on a virtual host.

View full review »
Austin Bradley says in a Sonatype Nexus Lifecycle review
Enterprise Infrastructure Architect at Qrypt

We have a few applications that we're developing that use several different languages. The first ones we did were Python and Yum Repository applications. Recently we've started scanning C and C++ applications that use Conan Package Manager. We will soon start doing Node applications with NPM. Our use case is that we primarily rely on the IQ server to ensure we don't have open source dependencies in our applications that have security vulnerabilities, and to ensure that they're not using licenses our general counsel wants us to avoid using.

View full review »
reviewer1381962 says in a Sonatype Nexus Lifecycle review
Application Security at a comms service provider with 1,001-5,000 employees

We have it implemented and integrated into our CI/CD pipeline, for when we do builds. Every time we do a build, Jenkins reaches out and kicks off a scan from the IQ Server.

We use it to automate open source governance and minimize risk. All of our third-party libraries, everything, comes through our Nexus, which is what the IQ Server and Jenkins are hooked into. Everything being developed for our big application comes through that tool.

We have Nexus Firewall on, but it's only on for the highest level of vulnerabilities. We have the firewall sitting in front to make sure we don't let anything real bad into the system.

Our environment is your standard, three-tiered environment. We have the developers develop in their Dev and Test environments, and as the code moves through each environment — Test and a QA environment — it goes through a build process. We build each time we deploy.

We're addressing anything that is a nine and above. If it's a 10, we don't let it into our system; the firewall server stops it. If we have nines we'll let it in, but I'll tag the developers and they'll have to do a little triage to figure out if the problem that is being reported is something we utilize in our system — if it's something that affects us — and if it's not, we flag it as such and let it go. We either waive it or I'll acknowledge it depending on how much it's used throughout the system and how many different components are being built with that bad library.

View full review »
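The staged policy enforcement described in the MIB Group review above (a warning while a component is in development that turns into a failure when the artifact is promoted to staging) and the firewall-plus-triage gate described in the review just above this line (anything scoring 10 is stopped outright, nines are let in but must be triaged and waived) can be expressed as one small policy function. The block below is an added illustration, not Sonatype's, Nexus IQ's or Jenkins's code; the thresholds, stage names, component names and the CVE placeholder strings are all assumptions made for the example.

```python
"""Staged dependency-policy gate (added illustration, not a vendor's code).

A finding at or above BLOCK_ALWAYS is rejected at ingest regardless of stage
(the "firewall" behaviour). A finding at or above CRITICAL that has not been
waived after triage only warns in development but fails promotion to any later
stage. Everything else passes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy thresholds and stage names are assumptions for this example.
BLOCK_ALWAYS = 10.0          # never admitted, even into development
CRITICAL = 9.0               # warn in development, fail at qa/staging
STAGES = ["development", "qa", "staging"]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    cve: str                 # placeholder ids below, not real CVE numbers
    cvss: float
    waived: bool = False     # set after triage shows the vulnerable path is unused


def evaluate(findings: List[Finding], stage: str) -> Dict[str, object]:
    """Return {'action': 'pass'|'warn'|'fail', 'reason': ..., 'findings': [...]}."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    blocking = [f for f in findings if f.cvss >= BLOCK_ALWAYS]
    if blocking:
        # The firewall never lets these in, so the waiver flag is irrelevant.
        return {"action": "fail", "reason": "firewall", "findings": blocking}
    critical = [f for f in findings
                if CRITICAL <= f.cvss < BLOCK_ALWAYS and not f.waived]
    if critical:
        action = "warn" if stage == "development" else "fail"
        return {"action": action, "reason": "critical", "findings": critical}
    return {"action": "pass", "reason": None, "findings": []}


def first_blocked_stage(findings: List[Finding]) -> Optional[str]:
    """Walk the promotion path and report the first stage that would fail."""
    for stage in STAGES:
        if evaluate(findings, stage)["action"] == "fail":
            return stage
    return None


# Constructed sample scan result (component names and ids are made up).
SAMPLE_SCAN = [
    Finding("example-parser", "1.2.3", "CVE-PLACEHOLDER-1", 9.8),
    Finding("example-json", "2.0.0", "CVE-PLACEHOLDER-2", 5.3),
]


if __name__ == "__main__":
    for stage in STAGES:
        result = evaluate(SAMPLE_SCAN, stage)
        names = ", ".join(f"{f.component}@{f.version}" for f in result["findings"])
        print(f"{stage:12s} -> {result['action']:4s} ({result['reason']}) {names}")
    print("first blocked stage:", first_blocked_stage(SAMPLE_SCAN))
```

The waiver flag is what turns a score-9 finding from a promotion failure into a pass, which matches the triage step the reviewer describes; a score-10 finding is rejected at every stage no matter what, so a waiver on it has no effect.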
Tenable.io Web Application Scanning: Scan
Security Consultant at a tech consulting company with 51-200 employees

There is no need to scale, because generally the customers, whenever they scan their applications, they generally take a couple of applications at a time. And Tenable.io is already cloud instituted so you don't have to worry about that aspect.

View full review »
IT Manager at a manufacturing company with 10,001+ employees

We primarily use Tenable.io to scan all of our assets to identify vulnerabilities and determine risk percentages for each.

View full review »
Snyk: Scan
reviewer1258746 says in a Snyk review
Engineering Manager at a comms service provider with 51-200 employees

We use the product to scan our code for any vulnerable dependencies we might have. We depend on open source libraries and need to make sure they're secure. If not, we need to highlight the areas and replace them, update them quickly. A secondary, minor use case is to also look at licensing and make sure that we're not using open source licenses we should not be using. Those are our two use cases.

View full review »
Reviewer636936 says in a Snyk review
Information Security Engineer at a financial services firm with 1,001-5,000 employees

It is pretty easy and straightforward to use because integration won't take more than 15 minutes, to be honest. After that, developers don't have to do anything. Snyk automatically monitors their projects. All they need to do is wait and see if any vulnerabilities have been reported, and if yes, how to fix those vulnerabilities.

So far, Snyk has given us really good results because it is fully automated. We don't have to scan projects every time to find vulnerabilities, as it already stores the dependencies that we are using. It monitors 24/7 to find out if there are any issues that have been reported out on the Internet.

Whenever Snyk reports to us about a vulnerability, it always reports to us the whole issue in detail:

  • What is the issue.
  • What is the fix.
  • What version we should use.

E.g., if upgrading to a new version may break an application, developers can easily understand the references and details that we receive from Snyk regarding what could break if we upgrade the version.

The solution allows our developers to spend less time securing applications, increasing their productivity. As soon as there is a fix available, developers don't have to look into what was affected. They can easily upgrade their dependencies using Snyk's recommendation. After that, all they need is to test their application to determine if the new upgrade is breaking their application. Therefore, they are completely relaxed on the security side.

Snyk is playing a big role in our security tooling. There were a couple of breaches in the past, which used vulnerability dependencies. If they had been using Snyk and had visibility into what vulnerabilities they had in their dependencies, they could have easily patched it and saved themselves from their breaches.

So far, we have really good feedback from our developers. They enjoy using it. When they receive a notification that they have a vulnerability in their project, they find that they like using Snyk as they have a very easy way to fix an issue. They don't have to spend time on the issue and can also fix it. This is the first time I have seen in my career that developers like a security tool.

I'm the only person who is currently maintaining everything for Snyk. We don't need more resources to maintain Snyk or work full-time on it. The solution has Slack integration, which is a good feature. We have a public channel where we are reporting all our vulnerabilities. This provides visibility for our developers. They can see vulnerabilities in their projects and fix them on their own without the help of security.

View full review »
reviewer1354494 says in a Snyk review
Manager, Information Security Architecture at a consultancy with 5,001-10,000 employees

It is a source composition analysis tool that we use to perform vulnerability scanning for those vulnerabilities within open source libraries.

This is a SaaS solution.

View full review »
reviewer1354503 says in a Snyk review
Security Analyst at a tech vendor with 201-500 employees

I find many of the features valuable:

  • The capacity for your DevOps workers to easily see the vulnerabilities which are impacting the code that they are writing. This is a big plus.
  • It has a lot of integration that you can use even from an IDE perspective and up to the deployment. It's nice to get a snapshot of what's wrong with the build, more than it is just broken and you don't know why.
  • It has a few nice features for us to manage the tool, e.g., it can be integrated. There are some nice integrations with containers. It was just announced that they have a partnership with Docker, and this is also nice.

The baseline features like this are nice.

It is easy to use as a developer. There are integrations that will directly scan your code from your IDE. You can also use a CLI. I can just write one command, then it will just scan your old project and tell you where you have problems. We also managed to integrate it into our build pipeline so it can easily be integrated using the CLI or API directly, if you have some more custom use cases. The modularity of it is really easy to use.

Their API is well-documented. It's not too bad to integrate and for creating some custom use cases. It is getting extended going forward, so it's getting easier to use. If we have issues, we can contact them and they'll see if they can change some stuff around. It is doing well.

Most of the solution's vulnerability database is really accurate and up-to-date. It has a large database. We do have some missing-license issues, especially with non-SPDX-compliant ones, but we expect this to be fixed soon. However, on the development side, I rarely have had any issues with it. It's pretty granular and you can see each package that you're using along with specific versions. They also provide some nice upgrade paths. If you want to fix some vulnerabilities, they can provide a minor or major patch where you can fix a few of them.

View full review »
Reviewer109374 says in a Snyk review
Sr. Security Engineer at a tech vendor with 201-500 employees

We enable Snyk on all of our repos to do continuous scanning for open-source dependency vulnerabilities and for license compliance. We also do some infrastructure and code scanning for Kubernetes and our Docker containers.

Snyk integrates with GitHub which lets us monitor all private and public repositories in our organization and it enables developers to easily find and fix up source dependency vulnerabilities, container-image vulnerabilities, and ensures licenses are compliant with our company policies.

View full review »
reviewer1367229 says in a Snyk review
Senior Manager, Product & Application Security at a tech services company with 1,001-5,000 employees

There are two use cases that we have for our third-party libraries:

  • We use the Snyk CLI to scan our pipeline. Every time our developer is building an application and goes to the building process, we scan all the third-party libraries there. Also, we have a hard gate in our pipeline. E.g., if we see a specific vulnerability with a specific threshold (CVSS score), we can then decide whether we want to allow it or block the deal.
  • We have an integration with GitHub. Every day, Snyk scans our repository. This is a daily scan where we get the results every day from the Snyk scan.

We are scanning Docker images and using those in our pipeline too. It is the same idea as the third-party libraries, but now we have a sub-gate that we are not blocking yet. We scan all the Docker images after the build process to create the images. In the future, we will also create a hard gate for Docker images.

View full review »
Dirk Koehler says in a Snyk review
Senior Director, Engineering at Zillow Group

There were some feature requests that we have sent their way in the context of specific needs on containers, like container support and scanning support. 

There are some more language-specific behaviors on their toolchains that we'd like to see some improvements on. The support is more established on some than others. There are some parts that could be fixed around the auto-fix and auto-mitigation tool. They don't always work based on the language used.

I would like them to mature the tech. I am involved with Java and Gradle, and in this context, there are some opportunities to make the tools more robust.

The reporting could be more responsive when working with the tools. I would like to see reports sliced and diced into different dimensions. The reporting also doesn't always fully report.

Scanning on their site, to some extent, is less reliable than running a quick CLI.

View full review »
Nicholas Secrier says in a Snyk review
Information Security Officer at a tech services company with 51-200 employees

We are using it to identify security weaknesses and vulnerabilities by performing dependency checks of the source code and Docker images used in our code. We also use it for open-source licensing compliance review. We need to keep an eye on what licenses are attached to the libraries or components that we have in use to ensure we don't have surprises in there.

We are using the standard plan, but we have the container scanning module as well in a hybrid deployment. The cloud solution is used for integration with the source code repository which, in our case, is GitHub. You can add whatever repository you want to be inspected by Snyk and it will identify and recommend solutions for the identified issues. We are also using it as part of our CI/CD pipelines; in our case it is integrated with Jenkins.

View full review »
Cameron Gagnon says in a Snyk review
Security Software Engineer at a tech company with 10,001+ employees

We use it as a pretty wide-ranging tool to scan vulnerabilities, from our Docker images to Ruby, JavaScript, iOS, Android, and eventually even Kubernetes. We use those findings with the various integrations to integrate with our teams' workflows to better remediate the discoveries from Snyk.

View full review »
reviewer1412625 says in a Snyk review
Application Security Engineer at a tech services company with 501-1,000 employees

We have a lot of code and a lot of microservices and we're using Snyk to test our third-party libraries, all the external dependencies that our code uses, to see if there are any vulnerabilities in the versions we use.

We use their SaaS dashboard, but we do have some internal integrations that are on-prem.

We scan our code and we go through the results on the dashboard and then we ask the teams to upgrade their libraries to mitigate vulnerabilities.

View full review »
Raman Zelenco says in a Snyk review
Lead Security System Engineer at a health, wellness and fitness company with 51-200 employees

Talking about the current situation in our security posture, we decided to choose a platform which could help us to improve our Security Development Lifecycle process. We needed a product that could help us mitigate some risks related to the security side of open source frameworks, libraries, licenses, and IT configuration. We were interested in a solution that could also utilize Docker images that we are using for the deployment. In general, we were interested in a vulnerability scanner platform for performance scans to deliver and calculate our risks related to code development.

View full review »
Matt Spencer says in a Snyk review
Senior Security Engineer at Instructure

The primary use case is dependency vulnerability scanning and alerting.

View full review »
reviewer1417671 says in a Snyk review
VP of Engineering at a tech vendor with 11-50 employees

We are a business that sells services to other businesses. One of the things that we have to sell is trust. As a small company, we've had to go quite a long way to mature our development and security processes. We've been ISO 27001-certified for a while and we got that very early, compared to the life cycle of most businesses. But that's because when we're talking contracts with customers, when we're talking information security reviews with customers, it's really powerful to be able to say, "We have Snyk, we use it in this way." A lot of the questions just go away because people understand that that means we've got a powerful and comprehensive tool.

Certainly, from a finding-of-vulnerabilities perspective, it's extremely good. Our problem is scale. We have something like 7,000 dependencies in our code and we could go and check those ourselves, but that would be a huge waste of time. Snyk's ability to scan all of those every time we build, and keep a running status of them and recheck them daily, is extremely valuable for making us aware of what's going on. We've wired Snyk up into Slack and other things so that we get notifications of status, and that's useful.

It has reduced the amount of time it takes to find problems by orders of magnitude because it's scanning everything. Without the tool it would be horrific; we just couldn't do it. It takes seconds for a scan to run on each of our libraries and so that's an amazing performance improvement. Compared to having nothing, it's amazing.

In terms of developer productivity, because of the way that our development community works, they're pulling in third-party libraries. So they worry less about the choice of the third-party library, but it could inform them that there's a risk, and then they then have to take action. We probably spend more time securing our product, but get a more secure product, which is actually what we want.

Overall, knowing what the risks are, and being able to make considered judgments about those risks, means that we are much more comfortable that our product is secure. And when there are high-risk issues, we're able to take action very quickly. The time to resolution for anything serious that is discovered in downstream libraries is dramatically reduced, and that's really useful.

View full review »
reviewer1419804 says in a Snyk review
Security Engineer at a tech vendor with 201-500 employees

It helps us meet compliance requirements, by identifying and fixing vulnerabilities, and to have a robust vulnerability management program. It basically helps keep our company secure, from the application security standpoint.

Snyk also helps improve our company by educating users on the security aspect of the software development cycle. They may have been unaware of all the potential security risks when using open source packages. During this process, they have become educated on what packages to use, the vulnerabilities behind them, and a more secure process for using them.

In addition, its container security feature allows developers to own security for the applications and the containers they run in the cloud. It gives more power to the developers.

Before using Snyk, we weren't identifying the problems. Now, we're seeing the actual problems. It has affected our security posture by identifying open source packages' vulnerabilities and licensing issues. It definitely helps us secure things and see a different facet of security.

It also allows our developers to spend less time securing applications, increasing their productivity. I would estimate the increase in their productivity at 10 to 15 percent, due to Snyk's integration. The scanning is automated through the use of APIs. It's not a manual process. It automates everything and spits out the results. The developers just run a few commands to remediate the vulnerabilities.

View full review »
CodeSonar: Scan
CodeSonar677 says in a CodeSonar review
Senior Solutions Architect at a tech vendor with 1-10 employees

The scanning tool for core architecture could be improved. The core complex is something that we really need to analyze, but the complex feature as a whole is not present in the tool.

I would like CodeSonar to support many other programming languages, apart from C and C++. They should support things like AngularJS and Node.js, which are trending in the market right now.

View full review »
ERPScan SMART Cybersecurity Platform: Scan
Consulting Partner, Cyber Security Delivery - Africa at DeltaGRiC Consulting

The core scanning, the scanning process, has got a very nice pass management module. It's fantastic. The last time we did it, the customer was trying to make the SAP system match the GDPR process. We were able to use it for that benchmark. It was very important. The GDPR assessment template that is being used in the process application benchmark and analyzing landscape came in very handy. It was very useful because it also gave notifications.

View full review »
CAST Highlight: Scan
Kangkan Goswami says in a CAST Highlight review
Digital Solution Architect at a tech services company with 10,001+ employees

I have not seen any issues related to scalability, although we were not using a great deal of code. It was quite possibly only three or four repositories that we were scanning, which means that we did not really test the scalability.

We only had six or seven people in our DevOps team for this project.

View full review »
Contrast Security Assess: Scan
C. Ray Mallory says in a Contrast Security Assess review
Lead Application Security Engineer at FEPOC

The daily reporting of vulnerabilities is very helpful for our development team. They can log in to the Contrast tool and see the vulnerabilities and start working to mitigate them before my test-app team reaches out to them inquiring about when certain vulnerabilities are going to be remediated. A case in point was last week, when I followed up with one of my developers. I said, "We need to mitigate this set of vulnerabilities," and he said, "Well, I've already started mitigating them. You should see the JIRA ticket out pretty soon." It's that type of response that we really like with Contrast. It allows us to move faster than if we were just using a SAST tool.

Before Contrast, everything was done manually. The developers were doing their own code reviews as best they could. When I came in and I started having the application security meetings, I found that most of the developers were very adept at building code for functionality, and testing functionality based on their unit tests. We had something like 25 or 30 developers in my class, and only one person was familiar with application security. That should tell you how far behind we were. So we had a heavy educational push, bringing in Contrast personnel for onsite application security training and to learn how to integrate Contrast into our SDLC. They showed them what the vulnerabilities are and how to mitigate them. The change from three years ago to now is one of the benefits.

Once we got it implemented — deployed the agents onto the application servers and got those vulnerabilities to populate into our team server — it was coming up with a Visio diagram of our processes for Agile development and our process for Waterfall development, and it really turned around how our company is able to identify and mitigate and roll out fixes for our security vulnerabilities.

It also helps developers incorporate security elements while they're writing code. Our development team has it on their local box, through the IDE, and as they are building the functionality they're running the scans at that time. They correct some of the vulnerabilities right there before passing it along on the SDLC. Sometimes they will miss things and we'll catch them in our QA environment. It has positively affected our software development because, before that, everything was manual. When we brought in Contrast, it exposed how many vulnerabilities, criticals and highs, had been missed. The difference between doing purely manual reviews and doing a review with instrumentation was very stark.

It's hard to quantify how much time and money it has saved us by fixing software bugs earlier in the software development lifecycle. There's time, cost, and public image. In terms of the costs saved, we had something like 2,000 vulnerabilities — some critical and some high — and I don't even know how to put a price on that. Sometimes a vulnerability can end up costing 100 times what it would cost to fix in a development environment. So you can start to calculate what that cost would be, per vulnerability. And then we're looking at the time to detect, mitigate, validate, and then roll out to production. And correcting these vulnerabilities before they get into our production network is crucial to our image. If we were still doing manual reviews, we probably would not know of the critical and high vulnerabilities that we've found using Contrast. It would just be a matter of time before some hacker exploited those vulnerabilities for PHI data.

Another great benefit that Contrast has allowed us to enjoy is that there was no push-back from our development teams. Normally, in an organization, when you bring up security, developers gripe and moan because they look at security as a hindrance. But they were very receptive, very eager, and asked a lot of questions. We had two or three sessions with Contrast and, even today, developers are highly engaged with using the tool. They have implemented it into their development lifecycle process, both for our Agile teams and our Waterfall teams. It's been a huge turnaround here at FEPOC.

Management loves it. Having Contrast expose so many vulnerabilities that are in the applications means there's this heavy pressure now for 2020 to mitigate the vulnerabilities. But it's a funny thing. Normally this task would be very cumbersome and problematic because of the number of vulnerabilities, but everyone loves the tool and the Contrast personnel are very helpful and very responsive. I'm enjoying it and I think our development and our test-app teams are as well. We have a very high adoption rate in our company.

reviewer1361742 says in a Contrast Security Assess review
Director of Innovation at a tech services company with 1-10 employees

The most valuable feature is the IAST part. Institutionally, we're not quite at the point of using Contrast for the Protect functionality because we have other tools that overlap with the web application firewall component of it. But for the Assess component, there's a direct correlation to other tools that we've used and the failures of those tools. Contrast, in terms of providing that vulnerability assessment, provides an immediate benefit there.

The effectiveness of the solution’s automation via its instrumentation methodology is a solid eight out of 10.

The accuracy of the solution in identifying vulnerabilities is better than any other product we've used, far and away. In our internal comparisons among different tools, Contrast consistently finds more impactful vulnerabilities, and also identifies vulnerabilities that are nearly guaranteed to be there, meaning that the chance of false positives is very low. The number of false positives from this product is much lower compared to competing tools that we use right now: WebInspect and AppScan. It reduces the number of false positives we encounter by more than 50 percent.

Ramesh Raja says in a Contrast Security Assess review
Senior Security Architect at a tech services company with 5,001-10,000 employees

We use the solution for application vulnerability scanning and pen-testing. We have a workflow where we use a Contrast agent and deploy it to apps from our development team. Contrast continuously monitors the apps.

When any development team comes to us and asks, "Hey, can you take care of the Assess, run a pen test and do vulnerability scanning for our application?" we have a workflow and deploy a Contrast agent to their app. Because Contrast continuously monitors the app, when we have notifications from Contrast, they go to the developers who are responsible for fixing that piece of the code. As soon as they see a notification, and especially when it's a higher, critical one, they go back into Contrast, look at how to fix it, and make changes to their code. It's quite easy to then go back to Contrast and say, "Hey, just consider this as fixed and if you see it come back again, report it to us." Since Contrast continuously looks at the app, if the finding doesn't come back in the next two days, then we say, "Yeah, that's fixed." It's been working out well in our model so far.

We have pre-production environments where dedicated developers look at it. We also have some of these solutions in production, so that way we can switch back.

It's hosted in their cloud and we just use it to aggregate all of our vulnerabilities there.

reviewer1380801 says in a Contrast Security Assess review
Product Security Engineer at a tech services company with 10,001+ employees

The product scans at runtime and that is our main use case. We have deployed it for one application in our testing environment, and for the other one in our Dev environment. Whatever routes are exercised within those environments are being scanned by Contrast.

reviewer1383270 says in a Contrast Security Assess review
Manager at a consultancy with 10,001+ employees

We've historically run dynamic and static scans for all of our applications, but for these teams that need to deploy on a much faster basis, we prefer using Contrast because there are no point-in-time scans required. There isn't a lot of triage required when it comes to reviewing the results. Everything is instant and requires little bottleneck from the security-team side, and the developers can continue on with their development and testing without us.

We have a very large backlog at the moment for DAST scan requests, from our application teams. That backlog has grown so much that some of the teams have missed their initial deployment timelines because they're waiting on us to become available to run dynamic scans. Now, with teams that have Contrast, they're not seeing any delays in their deployment process because they're not waiting on us to complete the scans on their behalf. The vulnerabilities are being automatically identified using the tool.
