Application Security Features

Kyle Engibous says in a Veracode review
Systems Architect at a tech vendor with 201-500 employees
The most important one is the static scanning analysis, and the reason is that it can tell us about vulnerabilities in that code right before we go ahead and push something to production or provide something to a client. We pair that with dynamic scanning, which actually hits our web applications, to try to detect any well-known web application vulnerabilities as well. It's really just a way for us to stay ahead of it and provide some assurance and security with the software that we deliver. Also, Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. Every time a new build of a piece of software is completed, we are able to automatically submit that application, kick off a scan, and get results in a much more automated fashion. So the API is a huge thing that we use from Veracode, in addition to those two types of scans. In terms of integrating Veracode into our existing software development life cycle, we heavily use JIRA today for bug tracking, issue tracking, time management, and the like, for our development team. When those scans kick off, Veracode integrates back into our JIRA and actually opens tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened and closed; we can tie them to releases. So we get a whole lot more statistical information about security in our software products. That's really what we use for measurement there: the integration back to JIRA on issues found.
Application Security Specialist at a tech services company with 5,001-10,000 employees
The most important feature of the product is that it keeps pace with today's technology through fast, updated rules and algorithms. It also allows for more efficient and custom integration, by allowing customized enhancements through the API support offered through the SSC portal.
ServiceLineLead817 says in a SonarQube review
Service Line Leader at a tech services company with 10,001+ employees
This product is open source and very convenient.
Ravi says in a Klocwork review
Software Solutions Engineer at a tech services company with 11-50 employees
The first is the on-the-fly analysis, as it reduces the time for developing code. Another great thing is the reports section, which is very easy to understand.
Directord98b says in a Veracode review
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
* The static scanning of the software is very important to us.
* The ability to set policy profiles that are specific to us.
* The software composition analysis, to give us reports on known vulnerabilities from our third-party components.
Assistan84a9 says in a Veracode review
Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
* Code analysis tool to help identify code issues before they are entered into production.
* Vulnerability management and mitigation recommendations help with resolution of issues found, prior to deployment to production.
* Developer sandboxes help move scanning earlier within the SDLC.
* The platform itself has a lot of AppSec best-practices information, especially in the mitigation recommendation process. They have also offered cybersecurity e-learning for our team.
Josep Barranco says in a WhiteSource review
Director at a media company with 1,001-5,000 employees
Scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed and that we're not using "forbidden" libraries.
SeniorIneab1 says in a Veracode review
Senior Information Security Program Manager at a financial services firm with 10,001+ employees
* The ability, on static scans, to do sandbox scans which do not generate metrics.
* Gives us every vulnerability that has been identified, so there is no human intervention. Therefore, we can actually look at and prioritize our own vulnerabilities, as opposed to having someone else try to get in between.
Sivanesh Waran says in a Klocwork review
Sr. Software Solution Engineer at Meteonic Innovation Pvt Ltd at a tech services company with 11-50 employees
The pre-checkin code review, industry standard checks, continuous integration (CI) and customized checkers are the most valuable features.
EduardoBeltran says in a Checkmarx review
Director and Co-Founder at Ushiro-tec
The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time.
DanaFrost says in a Coverity review
User
* I like that it gives advice and training on how to resolve the most common quality issues.
* Links to more details on each issue and the background and risks.
Senior Security Engineer at an insurance company
The ability to be on the website and test for different vulnerabilities. We are able to create a report which shows the PCI DSS scoring and share it with the application teams. Then they can correlate and see exactly what they need to fix, and why. I can have a scan set up within five to ten minutes by double-checking that the login script works, so it doesn't take long at all. We have found a few cross-site scripting vulnerabilities.
Security Engineer at a tech services company with 51-200 employees
The crawl-only scan, for trying to figure out which points of the site you'll actually be able to reach within the full scan. That's pretty useful. If you're just trying to test your login sequence, it is nice. It'll tell you which parts of your website it will initially scan, and you can actually go through and disable parts if you know you're not going to have to scan those parts. Then, later on, you go back and do a full scan for deep penetration of the site.
Gus Orologas says in a Sonatype Nexus Lifecycle review
Lead IT Security Architect at a transportation company with 10,001+ employees
* The application onboarding and policy grandfathering features are good.
* The solution integrates well with our existing DevOps tools.
* It also blocks undesirable open-source components from entering our development lifecycle. It scans code libraries and flags them if there's a vulnerable version. It shows us very quickly if there is a newer version available, and what generation that non-vulnerable version is.
Sungmin Chun says in an IBM Security AppScan review
Chief researcher with 11-50 employees
AppScan seems to be very good at detecting reflected XSS vulnerabilities. This increases the security of web applications that are in operation.
ChiefSpe9178 says in a Coverity review
Chief Specialist at a government with 501-1,000 employees
It improves the quality of my work.
Security Team Lead at Tyro Payments Limited
There are two things that allow us to do what we want to, and that's why we chose Nexus Lifecycle. First, it scans and gives you a low false-positive count. When we were looking for a product to solve this need, we looked at different products, Nexus Lifecycle being one of them. The reason we picked Lifecycle over the other products is that, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which gives us a high confidence factor, which is something we like about it. The other thing that we thought was really good about it was that it gives an overview. We find something that has a vulnerability and say, "Hey, what can I upgrade to?" What's really nice about that is it shows us a graph of all the versions for that particular component, and it marks out the ones that have a vulnerability and the ones that don't have a vulnerability. It also shows the popularity, so we can look at it and say, "Alright, from where we are, what is the next version that we can move to that is not vulnerable and that is quite popular?" If it's popular, we tend to prefer it because then more people are looking into it, and it gets a bit more scrutiny.
Devin Duffy says in a Sonatype Nexus Lifecycle review
Information Security Specialist at a financial services firm with 1,001-5,000 employees
The most valuable feature is the aggregation of threat details. In addition, it's their customer service. They've got really great customer service. I encourage developers to challenge whenever they see a security vulnerability that may not actually be a vulnerability, or that may be a false positive. When I bring that up with Sonatype, whereas a lot of vendors try to excuse their product or excuse their thinking, if it is, in fact, an issue or mistake, they'll own up to it and they'll fix it. The data integrity of the feeds that we get from them is a solid eight or nine out of ten. There have been some discrepancies, but when we have brought them up they have fixed them immediately. Their data is good enough to run a lot of orchestrated frameworks off of. It's been good.
Axel Niering says in a Sonatype Nexus Lifecycle review
Architect at SV Informatik GmbH
The most valuable feature is that I get a quick overview of the libraries that are included in the application, and the issues that are connected with them. I can quickly understand which problems there are from a security point of view or from a licensing point of view. It's quick and very exact. The onboarding and policy grandfathering are quite useful, to keep in mind what we have already discussed around parts of the application, and to identify our own parts of the application which are not discovered by Nexus Lifecycle. The data quality is really very good. We have also checked other products and they do not provide such good-quality data. Still, we must look very closely at a single vulnerability from a single issue. We have to understand what problem it's indicating. However, without this tool there would be no way to do this. It was very easy to integrate into our build pipeline, with Jenkins and Nexus Repository as the central product. It was very easy to integrate the evaluation of the application to be built into the Jenkins process, so that we had the ability to check how good the application is thus far. It also helps when you look at the stage we are at in building this application, whether test or production.
ManojKumar9 says in a Sonatype Nexus Lifecycle review
Systems Analyst at Thrivent Financial for Lutherans
* Easy to handle and easy to configure
* User-friendly
* Easy to map and easy to integrate
* Easy to update
* Fulfills a lot of security purposes
It has all the features we need.
Charles Chani says in a Sonatype Nexus Lifecycle review
DevSecOps at a financial services firm with 10,001+ employees
When developers are consuming open-source libraries from the internet, it's able to automatically block the ones that are insecure. And it has the ability to make suggestions on the ones they should be using instead. Also, you can get reports, either in PDF format or in JSON. If you get them in JSON you can have them ingested into something like Splunk, so you can mine those reports as well. The application onboarding and Policy Grandfathering features are new and quite useful. They allow you to focus on what you're currently working on, and the stuff that's grandfathered can go in your backlog. It's another feature that helps organize your workload.

The data is as good as can be. It's online, which means if a change is made to the Nexus database today, or within the hour, my developers will benefit instantly. The security findings are discovered continuously. So if Nexus finds out that a library is no longer safe, they just have to flag it and, automatically, my developers will know. In addition to that, anything that I've used in the past will also be flagged. Because it's proactive and it's live data, you know instantly if any part of your application is now vulnerable. Not only that, but when you get the information about the vulnerability, part of the Lifecycle mechanism actually gives you alternatives that you can use.

It also integrates well with your existing DevOps tools. They've got very good plugins for most of the common DevOps tools, like Jenkins and GitHub. There are ways that you can work around things like TeamCity. The product is designed to help the DevOps process be seamless in terms of security. Regarding open-source intelligence and policy enforcement across the SDLC, that's exactly what they're trying to do. They realized that there's so much ingestion of open-source software in most software development lifecycles that there was a need to automate the detection of the ones that are not deemed to be safe.

What Lifecycle does with its Firewall product is that, as the binaries are being ingested, it's able to fingerprint them. And because there's a fingerprint, it can check with the Sonatype website and tell you exactly what you're ingesting. If what you're ingesting is not secure, it can block it. Then you can manually say, "Okay, I understand, use this." Or you can go with the suggestion that Sonatype gives you, which is a more secure alternative. So we use it to automate open-source governance and to minimize risk. There is also a feature called Continuous Monitoring. As time goes on we'll be able to know whether a platform is still secure or not because of this feature. It's integrated, it's proactive, it's exactly what you want for a security product.
Vijayanathan Naganathan says in an Acunetix Vulnerability Scanner review
Director - Head of Delivery Services with 11-50 employees
* Login Sequence Recorder
* Scan throttling
* Fantastic reporting output
Senior Security Engineer at a media company with 1,001-5,000 employees
Scheduling of testing cuts down on the manual, tedious activities that go into setting up a test site. One of the features that I feel is groundbreaking, and that I would like to see expanded on, is the IAS feature: the Interactive Application Security Testing module that gets loaded onto an application on a server, for more in-depth, granular findings. I think that is really neat. I haven't seen a lot of competitors doing that.
Lead Information Security Engineer at a financial services firm with 1,001-5,000 employees
The most important feature is that it's a web-based graphical user interface. That is a great addition. Also, the ability to schedule scans is great. The speed of Acunetix has been pretty good. It's been the same as most other tools that we use, but it's been good.
Securitydbe0 says in a PortSwigger Burp review
Security Analyst at a tech services company with 201-500 employees
In my opinion, all of the features seem to be of equal value, really. I'm currently using the latest version.