The setup was easy and straight forward. We had some issues with API calls from our build automation tools, but this was related to networking issues in reaching the Veracode servers on the Internet, not the Veracode product itself.
Application Security Server Reviews
Showing reviews of the top ranking products in Application Security, containing the term Server
reviewer1436241 says in a Veracode review
DevSecOps Consultant at a comms service provider with 10,001+ employees
We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD.
We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly run the internal application source code and ensure the code's security hygiene.
It is good in terms of the efficiency of creating secure software.
My team only does cloud-native applications. Ultimately, the part that we are interested in, in testing, works fine.
There are some false positives, like any products that we have tried in this area, but slightly less. I would trust Veracode more than the others. For example, we had quite a few issues with Snyk which was much worse in terms of false positives, when we tested it for open source.
reviewer1451970 says in a Veracode review
R&D Director at a computer software company with 201-500 employees
We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.
We use Veracode primarily for three purposes:
- Static Analysis, which is integrated into our CI/CD pipeline, using APIs.
- Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
- Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.
Qualys Web Application Scanning: Server
reviewer1387992 says in a Qualys Web Application Scanning review
Senior Software Developer at a tech vendor with 1,001-5,000 employees
One area that could be improved is the a data server. That's probably what I most noticed in comparison with the Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good.
Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay.
In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good If they could improve and enrich the reports. These are the fundamental differences with Rapid7.
Acunetix by Invicti: Server
Initially, I believe Acunetix provided us with two solutions. One was a SaaS, which means that they host it on their cloud. They also provide the option to host Acunetix on our internal servers, behind our firewalls, with an on-premise version.
The problem with the on-premise version is that it works only on Windows Servers. I can't install it on a Mac or a Linux-based machine. That was quite challenging for us because all of our cloud infrastructure has been AWS instance, which is of a Linux-based operating system.
As far as security testing is concerned, we would prefer to host Acunetix, on-premise, because everything would be within our firewall. If we wanted to host it on the cloud, then we would have to sign a non-disclosure, because they know what vulnerabilities exist on our site.
For this reason, we generally prefer to host it on-premise so that they will have a restriction within our firewall, so no one can gain access from the outer wall. Setting up the on-premise version of Acunetix is quite challenging and it's not that straightforward because it only supports one operating system.
However, we found it so difficult to host on-premise that we actually had to stop. Instead, we have decided to go for the cloud version. All we have to do is send them our application to scan in their cloud.
We don't scan more than 35 solutions, but we are always working on improving them and, whenever an improvement comes up, we scan it.
We initially decided that it was going to be deployed on a central server and we didn't look into the scalability. We set up the environment and we have been using it for some time. We haven't come across the need for scalability.
We have five usernames for Acunetix, but most of the time only two of them are being used. Generally, in a week, we may conduct five or six tests. We don't have much load on it. We do intend to expand the number of users in another six months' time with an additional three or four users, as we are expecting more application testing in that time.
It was very easy to set up Acunetix, as they give you an installer that does everything. You just need to click: "Install".
It takes a maximum of 10 minutes to deploy, if you want to read everything.
We did other configurations to enable the IP address to talk to all the networks.
We also used Acunetix on a Linux server. The deployment process was the same as Windows. It was just another installer, but for Linux.
PortSwigger Burp Suite Professional: Server
With the open edition, it's not a problem to install on any number of machines. When it comes to the professional edition, you need a license and you have to pick a license type. I have to use it against a particular machine on which I would run. From there I would run my scans. Let's say I don't find my laptop or my computer fast enough, and I decide to move my license across to a higher processor, higher memory laptop or computer, I can easily move the license across to the new machine.
As long as I am on that particular license use, I have one license that I'm able to move across to one instance at any given point of time. That is quite stable. I think even more than that, for a top-priced edition you can take multiple contract licenses. Something like a license server where you might have five licenses. You might have 10 installations and you can have different people working on various routes use the tool. Only those five licenses will be needed. In that instance, scalability is definitely a great point for most uses.
Currently, if you look at the users that are linked to roles that we have, one is the security test engineer and one is the security test analyst. At any given point in time, only one person uses the tool for engagement in the professional edition. We have about two to three people working with us on these projects.
reviewer1223976 says in a PortSwigger Burp Suite Professional review
Cyber Security Specialist at a university with 10,001+ employees
The initial setup is simple and very straightforward. We were not setting up a server, so it took perhaps five minutes to get up to speed and begin using it.
The most valuable feature of Burp Suite is probably how we can intercept the request and response. We can manipulate a request and send it back to the server. Intercepting is one of the best features for sure.
The scanner is excellent. The scanner is one of the good features. If you compare it to more expensive tools like WebInspect or IBM AppScan, you'll realize that, at a very low cost, Burp Suite can provide good results.
The is a good amount of documentation available online. The solution is stable.
The initial setup isn't too complex.
The solution offers some great extensions through a BApp store. Users can implement extensions and upload them to the BApp store.
The solution has a great user interface.
Its strong user community is always helpful when it comes to any problem regarding the tool.
It has partially improved the organization requirement however, The scanning mechanism is pretty slow and takes long duration to scan. Moreover, The server hangs up while scanning.
I have found this solution has more plugins than other competitors which is a benefit. You are able to attach different plugins to the security scan to add features. For example, you can check to see if there are any payment systems that exist on a server, or username and password brute force analysis. You are able to do many different types of scans, such as SQL injection. There are a lot of deep packages analyzing functions that make this solution have more usability.
Micro Focus Fortify on Demand: Server
Prakash-Rao says in a Micro Focus Fortify on Demand review
Vice President - Solution Architecture at a financial services firm with 10,001+ employees
Our server infrastructure team handles the deployment and maintenance of this solution. They update it regularly as patches or new versions are released. They look into all of the tools that we use and perform the installation, as well as manage them.
reviewer1263261 says in a Micro Focus Fortify on Demand review
Sr. Enterprise Architect at a financial services firm with 5,001-10,000 employees
The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira. When a vulnerability is found then it is classified as a bug and sent to IT.
reviewer1468542 says in a Micro Focus Fortify on Demand review
Principal Solutions Architect at a security firm with 11-50 employees
It could have a little bit more streamlined installation procedure. Based on the things that I've done, it could also be a bit more automated. It is kind of taking a bunch of different scanners, and SSC is just kind of managing the results. The scanning doesn't really seem to be fully integrated into the SSC platform. More automation and any kind of integration in the SSC platform would definitely be good. There could be a way to initiate scans from SSC and more functionality on the server-side to initiate desk scans if it is not already available.
The particular way the tool works for the scanning at the IDE level, is very expensive. It makes it very expensive to deploy this tool on to multiple different developers' machines. Right now, the way it scans, the request is raised to the IDE of the developer but then the actual scanning gets done in the centralized scan server. This increases the load on the scanning server and that will make it difficult to use Checkmarx at the developer end. That forces me to look for another solution for implementing at the developer IDE level. I would strongly recommend Checkmarx relook into their approach.
From a technical point of view, it's better to integrate with other systems within my ecosystem. For example, when I'm connecting Checkmarx with my DevSecOps pipeline and then wiring Checkmarx with other security systems as well as the pipeline (and my defect management system), it provides the connectivity to some of the tools, but there are tools which are excluded. It would be nice if they were added to the solution itself, otherwise, it requires us to do custom development.
In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now. I would recommend much more flexibility in terms of dashboarding to help us customize more effectively.
Their licensing model is rigid and difficult to navigate.
This solution is expensive.
The customized package allows you to buy additional users at any time.
You could advise the vendor that you are in need of some more resources, and they can send you a trial license which lets you pay later. In the meantime, you can start working with the trial license.
They have subscriptions for licenses, but this is confidential information and I cannot share the price as per our non-disclosure agreement.
If you purchase a typical package then it is clear licensing with no hidden payments. You can add integration services for Checkmarx if you needed to, but it's optional.
The hardware is on the customer site. It could be virtual, or a physical server, or even cloud-based. You can choose what you want to use and there are still no hidden fees. Licensing and policy are clear.
reviewer1263726 says in a Checkmarx review
Sr. Application Security Manager at a tech services company with 201-500 employees
The basic installation is easy for us but in our case, we had some additional configuration that had to be done to access our documents on the server. We were not able to complete it without help from Checkmarx because there are a lot of configuration options, and we had to make manual changes to the database as well.
We deploy SonarQube on-premise on a Linux server and our pipelines were created with GitLab and Azure DevOps. Meaning that Azure DevOps and GitLab are the tools that do the build and release process.
We use Microsoft Azure and Google Cloud Platform a little.
Kien-Nguyen says in a SonarQube review
Web Developer at a tech services company with 51-200 employees
We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there.
Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.
It is very stable. We are still new to this product and learning, but there are times where SonarQube disconnects from the server with no alert or notification, and we have to run it again.
It can be managed by running different scripts. From time to time we have claims that SonarQube is not running on the server and discovered that the server was restarted but SonarQube did not restart.
I don't know if it is a flaw in the product itself or if we can manage it from our infrastructure.
It's stable but could be improved.
reviewer1565832 says in a SonarQube review
DevOps Lead at a marketing services firm with 1,001-5,000 employees
I don't have the user count, however, from the application perspective, we have around 30 to 50 applications, which are on SonarQube. All of the teams that are managing those applications have access to that.
It is integrated within our pipelines. It gets used every day.
Right now we are not scaling the solution. It is just one server that we have. It is static of sizing and we do not scale it.
SonarQube does not cover BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of your applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.
The BPM language is important and should be considered in SonarQube.
It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approx 20% of the CPU utilization.
Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.
There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.
I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.
reviewer1593939 says in a SonarQube review
Systems Analyst at a manufacturing company with 5,001-10,000 employees
I am a customer of SonarQube.
At the moment, SonarQube is deployed on-premises. We have an installation running in one of our servers.
When we deploy on-cloud, we normally use Amazon Web Services.
I rate SonarQube as a ten out of ten, easily. I think its fantastic, a wonderful tool. Even if I don't use it directly, it frees me up to focus on other tasks in my daily routine.
reviewer1580592 says in a SonarQube review
Technical Architect at a insurance company with 1,001-5,000 employees
The initial setup on-premise may take a while because you have to procure all the servers and do the reconfiguration yourself. But I think they have provided their steps very elaborately, and that certainly helps. However, you need to make an effort to set it up. It doesn't come with an installer, and you have to download it, extract it, then configure it to run on your server automatically with every server system. If they could have provided us with an installer setup, it could have made it much easier.
We use Klocwork in two different configurations, on-prem and cloud. Basically we can summarize on-premises. We connect the client directly to the server on-premises remotely. But for certain products and features, we also use a local server that is on-premise but with different configurations. In this case, the server is deployed with some rule set and configured in a certain manner locally with the second option of redirecting the connection directly to our headquarter.
I would recommend the latest version. In the roadmap of the product, a lot of improvements have been made. We are currently on hold with moving over to this tool because of the license but once we're able to, we'll import our profiles from the previous version to the new one.
The previous version was not compatible with the .NET framework. 4.7.2 it didn't fully consider the retargeting option of C++
I would rate Klocwork seven out of ten.
reviewer1184322 says in a Klocwork review
Software Chief Engineer at a transportation company with 10,001+ employees
When an upgrade is carried out it must be done on both the server and client side, which can make it a bit hectic for all projects to be configured on the private server. Every update that we receive requires of us a lengthy and involved process.
The project reporting status dashboard should also be addressed. As I am on the compliance team, I must open every project to resolve all issues. The solution does not provide consolidated views. Meanwhile, Kuiwan has a very good feature on its dashboard.
Moreover, Klocwork makes a limited number of languages available to the user, only four. In addition, a good consolidated dashboard, in respect of compliance, would be nice to see.
We faced a lot of problems with the initial setup and support gave us difficulties around the installation. That made us a little bit confused. When you lose your servers for the week, it's not a good thing.
With support, we had to troubleshoot the issues and that took about eight working days. It took us around 11 days to overcome the issues and to upgrade.
As an information security team, we were providing some services and were trying to make a vulnerability assessment. The security testing let us note a lot of vulnerabilities. We contacted support and it took us three months to overcome those particular issues.
In terms of maintenance, we have system admins that just look to see if the servers are running or not, however, for managing the servers, the servers implementation security team will handle that.
We use WhiteSource mainly to:
- Detect and automate vulnerability remediation. We started to research solutions since our dev teams are unable to meet sprint deadlines and keep track of product security. Most of our code scans are automated and integrated within our pipeline, which integrates with our CI server. With some, we run them manually using an agent. We recently started using the repository integration with Github, too, pre-build.
- License reporting and attribution reports. We use attribution reports and due diligence reports to asses risks associated with open-source licenses.
We needed a tool to ensure that we are not using vulnerable libraries or open-source libraries with a copyleft license. We integrated WhiteSource with our repositories and CI server and set up automated policies to reject copyleft licensed libraries because our legal department doesn't allow them. We also have it open Jira issues automatically when a vulnerable library is detected and assign it to an engineer so we can shorten our response time to vulnerabilities detected in our applications. It integrates nicely with our existing workflow.
We use WhiteSource mainly to automate open source vulnerability detection and remediation, as well as for license compliance.
I’m less on the side of the license but mainly use the service to get control over vulnerabilities, detect the ones that affect us and remediate accordingly.
Sonatype Nexus Firewall: Server
reviewer1534461 says in a Sonatype Nexus Firewall review
Senior Cyber Security Architect and Engineer at a computer software company with 10,001+ employees
With the security concerns around open source, the management and vulnerability scanning, it's relatively new. In today's world more and more people are going through the open source arena and downloading code like Python, GitHub, Maven, and other external repositories. There is no way for anyone to know what our users, especially our data scientists and our developers, are downloading. We deployed Sonatype to give us the ability to see if these codes are vulnerable or not. Our Python users and our developers use Sonatype to download their repositories.
Given the confidentiality of our customer, we keep everything on-prem. We have four instances of Sonatype running, two Nexus Repositories and two IQ Servers, and they're both HA. If one goes down, then all the data will be replicated automatically.
Sonatype Nexus Lifecycle: Server
Overall, the stability is pretty good. I haven't figured this out yet, but occasionally we do see failures in the Jenkins build. I haven't figured out why yet. I don't know if it's an issue with our Jenkins server or if it's with Sonatype. But otherwise, it seems pretty stable.
A bigger, ongoing use case is security. Sonatype checks security vulnerabilities that come up for all these libraries. Oftentimes, as a developer, you add a library that you want to use, and then you might check for security issues. Sometimes a problem comes up after your product is already live. IQ Server checks all libraries that we're using for security issues, reporting these, and allowing us to go through and see them to determine, "Is this something that we can waive?" It might be a very specific use case which doesn't actually affect us or we might have to mitigate it. Also, if a vulnerability or security issue is found in libraries later, it will send out alerts and notifications if a library is being used in our production environment, letting us know there is an issue. This allows us to address it right away, then we can make the decision, "Do we want to do a hotfix to mitigate this? Or is it something that isn't an issue in our case because we're not using it in a way that exposes the vulnerability?" This gives us peace of mind that we will be notified when these types of things occur, so we can then respond to them.
We are using the Nexus Repository Manager Pro as exactly that, as an artifact repository. We tend to store any artifact that our application teams build in the repository solution. We also use it for artifacts that we pull down from open-source libraries that we use and dependencies that come from Maven Central. We use it to proxy a few places, including JCenter. We also use it as a private Docker registry, so we have our Docker images there as well.
We're on version 3.19. We also have Nexus IQ server, which wraps up within it Nexus Firewall.
Before IQ server we used an open-source solution called OWASP Dependency-Check. We wanted something a little more plug-and-play, something a little more intuitive to configure and automate.
reviewer1342230 says in a Sonatype Nexus Lifecycle review
Application Development Manager at a financial services firm with 501-1,000 employees
One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard. This comes down to usability.
There is another usability thing in the reports section. When the PDF gets generated, it is different from the web version. There are some components from some areas which only reside inside the PDF version. When I generate the PDF for my boss to review, she comes back with a question that I didn't even see. I see on the reporting page whatever the PDF will be generating. The PDF is actually generating more information than the web version. That caught me off guard because she forwarded this to the security officer, who is asking, "Why is this? Or, why is that?" But, she has no idea. I didn't have anything handy because I saw the PDF version, which should be same as what I see on the web. This is a bit misrepresented. I would like these versions to speak together and be consistent. Printing a PDF report should generally reflect whatever you have on the page.
reviewer1380810 says in a Sonatype Nexus Lifecycle review
Computer Architecture Specialist at a energy/utilities company with 10,001+ employees
It's very stable. I don't recall ever seeing problems. The main concern would be data-disk corruption, but I haven't seen it, even though the server, due to patching, has been rebooted multiple times.
We have a few applications that we're developing that use several different languages. The first ones we did were Python and Yum Repository applications. Recently we've started scanning C and C++ applications that use Conan Package Manager. We will soon start doing node applications with NPM. Our use case is that we primarily rely on the IQ server to ensure we don't have open source dependencies in our applications that have security vulnerabilities, and to ensure that they're not using licenses our general counsel wants us to avoid using.
reviewer1381962 says in a Sonatype Nexus Lifecycle review
Application Security at a comms service provider with 1,001-5,000 employees
We have it implemented and integrated into our CI/CD pipeline, for when we do builds. Every time we do a build, Jenkins reaches out and kicks off a scan from the IQ Server.
We use it to automate open source governance and minimize risk. All of our third-party libraries, everything, comes through our Nexus, which is what the IQ Server and Jenkins are hooked into. Everything being developed for our big application comes through that tool.
We have Nexus Firewall on, but it's only on for the highest level of vulnerabilities. We have the firewall sitting in front to make sure we don't let anything real bad into the system.
Our environment is your standard, three-tiered environment. We have the developers develop in their Dev and Test environments, and as the code moves through each environment — Test and a QA environment — it goes through a build process. We build each time we deploy.
We're addressing anything that is a nine and above. If it's a 10, we don't let it into our system; the firewall server stops it. If we have nines we'll let it in, but I'll tag the developers and they'll have to do a little triage to figure out if the problem that is being reported is something we utilize in our system — if it's something that affects us — and if it's not, we flag it as such and let it go. We either waive it or I'll acknowledge it depending on how much it's used throughout the system and how many different components are being built with that bad library.
We are in the education industry, but we are a developer-based company. We heavily use lots of public libraries. We use Sonatype Nexus Lifecycle mainly for protecting us from vulnerabilities and license copyright issues. We heavily depend on its database.
It's a hybrid. We have our on-premises instance for our internal security. With Sonatype itself, we use the cloud service, but we have a few modules on-premises, such as IQ Server and the report server. We have deployed those modules on AWS. As a company, we use cloud services 100 percent.
reviewer1535436 says in a Sonatype Nexus Lifecycle review
Senior Architect at a insurance company with 1,001-5,000 employees
IQ Server is part of BT's central DevOps platform, which is basically the entire DevOps CI/CD platform. IQ Server is a part of it covering the security vulnerability area. We have also made it available for our developers as a plugin on IDE. These integrations are good, simplistic, and straightforward. It is easy to integrate with IQ Server and easy to fetch those results while being built and push them onto a Jenkins board. My impression of such integrations has been quite good. I have heard good reviews from my engineers about how the plugins that are there work on IDE.
It basically helps us in identifying open-source vulnerabilities. This is the only tool we have in our portfolio that does this. There are no alternatives. So, it is quite critical for us. Whatever strength Nexus IQ has is the strength that BT has against any open-source vulnerabilities that might exist in our code.
The data that IQ generates around the vulnerabilities and the way it is distributed across different severities is definitely helpful. It does tell us what decision to make in terms of what should be skipped and what should be worked upon. So, there are absolutely no issues there.
We use both Nexus Repository and Lifecycle, and every open-source dependency after being approved across gets added onto our central repository from which developers can access anything. When they are requesting an open-source component, product, or DLL, it has to go through the IQ scan before it can be added to the repo. Basically, in BT, at the first door itself, we try to keep all vulnerabilities away. Of course, there would be scenarios where you make a change and approve something, but the DLL becomes vulnerable. In later stages also, it can get flagged very easily. The flag reaches the repo very soon, and an automated system removes it or disables it from developers being able to use it. That's the perfect example of integration, and how we are forcing these policies so that we stay as good as we can.
We are using Lifecycle in our software supply chain. It is a part of our platform, and any software that we create has to pass through the platform, So, it is a part of our software supply chain.
Ingmar Vis says in a Sonatype Nexus Lifecycle review
Product Owner Secure Coding at a financial services firm with 10,001+ employees
We use it in the pipeline. So, software development is done in a pipeline in automated steps. One of those steps is Quality Assurance for which we use, amongst others, Sonatype, and this is done automatically. Based upon the outcome of this scan, the software product can proceed to the next step, or its blocks need to be rebuilt with updates.
We are using Nexus IQ Server 114, and we're about to upgrade to 122.
Our whole process of deploying code uses Snyk either as a gateway or just to report on different build entities.
The solution's ability to help developers find and fix vulnerabilities quickly is a great help, depending on how you implement it at your company. The more you empower your developers to fix their stuff, the less policies you will have to implement. It's a really nice feeling and just a paradigm shift. In our company, we had to create the habit of being proactive and fixing your own stuff. Once the solution starts going, it eases a lot of management on the security team side.
Snyk's actionable advice about container vulnerabilities is good. For the Container tool, they'll provide a recommendation about what you can do to fix your Docker, such as change to a slimmer version of the base image. A lot of stuff is coming out for this tool. It's good and getting better.
The solution’s Container security feature allows developers to own security for the applications and the containers they run in in the cloud. That is its aim. Since we are letting the developers do all these things, they are owning the security more. As long as the habit is there to keep your stuff up-to-date, Snyk won't have any effect on productivity. However, it will have a lot of effect on security team management. We put some guardrails on what cannot be deployed. After that, we don't have to check as much as we used to because the team will just update their stuff and try to aim for lower severities.
Our overall security has improved. We are running fewer severities and vulnerabilities in our packages. We fixed a lot of the vulnerabilities that we didn't know were there. Some of them were however hard to exploit, mitigating the risks for us, e.g., being on a firewalled server or unreachable application code. Though I don't recall finding something where we said, "This is really bad. We need to fix it ASAP."
Contrast Security Assess: Server
reviewer1361742 says in a Contrast Security Assess review
Director of Innovation at a tech services company with 1-10 employees
The effectiveness of the solution’s automation via its instrumentation methodology is good, although it still has a lot of room for growth. The documentation, for example, is not quite up to snuff. There are still a lot of plugins and integrations that are coming out from Contrast to help it along the way. It's really geared more for smaller companies, whereas I'm contracting for a very large organization. Any application's ability to be turnkey is probably the one thing that will set it apart, and Contrast isn't quite to the point where it's turnkey.
Also, Contrast's ability to support upgrades on the actual agents that get deployed is limited. Our environment is pretty much entirely Java. There are no updates associated with that. You have to actually download a new version of the .jar file and push that out to the servers where your app is hosted. That can be quite cumbersome from a change-management perspective.
It depends on how many apps a company or organization has. But whatever the different apps are that you have, you can scale it to those apps. It has wide coverage. Once you install it in an app server, if the app is very convoluted, it has too many workflows, that is no problem. Contrast is per app. It's not like when you install source-code tools, where they charge by lines of code, per KLOC. Here, it's per app. You can pick 50 apps or 100 apps and then scale it. If the app is complex, that's still no problem, because it's all per app.
We have continuously increased our license count with Contrast, because of the ease of deployment and the ease of remediating vulnerabilities. We had a fixed set for one year. When we updated about six months ago, we did purchase extra licenses and we intend to ramp up and keep going. It will be based on the business cases and the business apps that come out of our organization.
Once we get a license for an app, folks who are project managers and scrum masters, who also have access to Contrast, get emails directly. They know they can put defects right from Contrast into JIRA. We also have other different tools that we use for integration like ThreatFix, and risk and compliance and governance tools. We take the results and upload them to those tools for the audit team to look at.
reviewer1383270 says in a Contrast Security Assess review
Manager at a consultancy with 10,001+ employees
We've been using Contrast Security Assess for our applications that are under more of an Agile development methodology, those that need to deliver on faster timelines.
The solution itself is inherently a cloud-based solution. The TeamServer aspect, the consolidated portal, is hosted by the vendor and we have the actual Assess agent deployed in our own application environments on-prem.
For what it offers, it's a very reasonable cost. The way that it is priced is extremely straightforward. It works on the number of applications that you use, and you license a server. It is something that is extremely fair, because it doesn't take into consideration the number of requests, etc. It is only priced based on the number of applications. It suits our model as well, because we have huge traffic. Our number of onboarded applications is not that large, so the pricing works great for us.
There is a very small fee for the additional web node we have in place; it's a nonexistent cost. If you decide to apply it on existing web nodes, that is eliminated as well. It's just something that suits our solution.
reviewer1605099 says in a Contrast Security Assess review
Director of Threat and Vulnerability Management at a consultancy with 10,001+ employees
The primary use case is application security testing, where we try to identify vulnerabilities within applications developed by our company.
Contrast a cloud-hosted solution. That's where most of the data and analysis takes place. It's also how most users interact with that data. Data is collected by agents that are deployed to servers within our environment. The agent component is internal to our organization, gathering data that is sent back to the cloud.