Application Security Forum

Senior Project Manager
IT Central Station
Apr 12 2018
One of the most popular comparisons on IT Central Station is Netsparker Web Application Security Scanner vs OWASP Zap. People like you are trying to decide which one is best for their company. Can you help them out? Which of these two solutions would you recommend for Application Security? Why? Thanks for helping your peers make the best decision! --Nick
Content Specialist
IT Central Station
Apr 04 2018
One of the most popular comparisons on IT Central Station is Checkmarx vs SonarQube. One user said about Checkmarx that "It pinpoints the vulnerability in the code and also presents the flow of malicious input across the application." However, a user with experience with SonarQube has said "With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas." Which of these two solutions would you recommend and why? Thanks for your help! --Rhea
Giovanni Molin Brosa: SonarQube is not really an AppSec tool. It is widely used by developers and has security plugins that offer limited visibility for vulnerabilities. Checkmarx is a real AppSec tool, with deep insight into vulnerabilities in all current languages. A security manager should consider only Checkmarx, and eventually compare it with tools of the same quality, but should drop the SonarQube plugins. On the other hand, Checkmarx is expensive, while SonarQube plugins are cheap and easy to set up if the base product is already used. The choice depends on budget and scope: if you have the money and really want to reduce risk, choose Checkmarx. If you do not have the money, or if your goal is just to show management you are doing something for AppSec without bothering to lower risk, then choose the SonarQube plugins.
Tusnin Das: Checkmarx (costly commercial license) is for application security and SonarQube is for code quality. You can write security rules in SonarQube. However, that will require time and effort. Selecting either of these two depends on your requirements.
reviewer557727: SonarQube is a hub for code quality; its own security analysis capabilities are very limited, as it doesn't perform in-depth data and code flow analysis. Checkmarx SAST (Static Application Security Testing) AppSec static code analysis is done on top of data and code flows thoroughly built from the source. So these two products don't compete in the same space. For pure SAST, Checkmarx is a far superior solution. However, Checkmarx SAST results can be reported, together with other code quality metrics, back into the SonarQube dashboard using the provided integration. You can find more information at https://checkmarx.atlassian.net.
Content Specialist
IT Central Station
Feb 27 2018
One of the most popular comparisons on IT Central Station is SonarQube and Veracode. People like you are trying to decide which one is best for their company. Can you help them out? Is SonarQube better than Veracode? What is the biggest difference between these two solutions, and which would you recommend? Thanks for helping your peers make the best decision! --Rhea
John Pack: They are used for two different purposes. If your preference is software/application security, then Veracode, Fortify or Checkmarx can be evaluated based on programming language and issue coverage, as well as integration and usability options. If your preference is code quality, then SonarQube or CAST can be evaluated based on your requirements or wish list. Keep in mind that one (quality) cannot replace the other (software security), so decide based on your needs. Good luck!
Ramesh Karanam: I didn't get an opportunity to work on Veracode. However, I would like to put my thoughts on SonarQube:
a) It is very easy to integrate with multiple open source configuration tools like Jenkins.
b) It is in collaboration with Microsoft, and the SonarQube and Microsoft integration is much easier; it should be able to run all code analysis based on configured rules from a TFS build, or even from the Visual Studio IDE.
c) There are plug-ins available from SonarQube; once you install them, the user can see Sonar results in the Visual Studio IDE for that project.
d) It supports multi-language static code analysis: C#, Java, Angular, SQL etc.
e) There is an option to create our own user management and provide access rights based on user role.
f) Its dashboard representation is very good, and there are also lots of options to customize the dashboard.
g) Easy installation.
h) Easy navigation to the source code (or even a particular code part) based on the code analysis error.
Rambabu Kanugula: Both tools are important and meant for different purposes. SonarQube is for code quality, and Veracode is for static, dynamic and third-party code analysis, which is specifically for understanding security flaws.
Category Analyst at a financial services firm with 1,001-5,000 employees
Hi everyone, I am currently sourcing an alternative firewall solution to replace the existing solution being used by my organization, on commercial considerations, and Palo Alto has been recommended. I have done a lot of research, but I also need to complement that with expert opinions.
Senior Web Developer at KPMG
We have always heard that if we compress the file it reduces the size and we can send it easily. But my question is, does compressing always decrease the size of the file or does it increase as well? 
Senior Web Developer at KPMG
Encrypt means to convert (information or data) into a cipher or code, especially to prevent unauthorized access. Compression is a reduction in the number of bits needed to represent data. So the question is, what do we do first? Encrypt or compress during data transmission?
Jim Bray: This question regarding encrypting and compressing data, and in which order, was a good exercise. Other decision factors that you have to include in the decision process are: what are the business requirements, regulatory requirements, compliance requirements and cyber insurance requirements; and the most important requirements are where the data is being stored and who will have access to it. Digital certificates, decryption keys and tokens have to be managed in a highly controlled environment. OneSignOn experienced a security breach in March 2017 that got to the decryption keys. Most likely an inside job. Here is the link to the news article: https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/
reviewer570081: First compress and then encrypt.
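Both compression questions above (whether compressing can make a file bigger, and whether to compress or encrypt first) can be settled by measuring. The script below is an added example, not code from the thread or from any poster. It uses only the Python standard library, substitutes a one-time pad for a real cipher such as AES-GCM (the size behaviour is identical, since any sound cipher's output is incompressible), and feeds it a constructed log sample, random bytes and a made-up CSRF token. It also shows the caveat that comes with "compress, then encrypt": when attacker-controlled input is compressed in the same block as a secret, the ciphertext length leaks the secret one character at a time (the CRIME/BREACH class of attacks).

```python
import secrets
import zlib

# Constructed sample inputs (not from the thread): a repetitive log-like
# text, and 4 KiB of random bytes standing in for already-compressed or
# encrypted content.
PLAINTEXT = b"user=alice action=login result=ok ip=10.0.0.7\n" * 40
RANDOM_SAMPLE = secrets.token_bytes(4096)


def otp_encrypt(data: bytes) -> tuple[bytes, bytes]:
    """One-time pad: XOR with a fresh random keystream of equal length.
    Stands in for a real cipher (e.g. AES-GCM) so the script needs only
    the standard library; any sound cipher's output is equally random."""
    key = secrets.token_bytes(len(data))
    return bytes(a ^ b for a, b in zip(data, key)), key


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ciphertext, key))


def compressed_size_delta(data: bytes) -> int:
    """Bytes gained (>0) or saved (<0) by running data through zlib."""
    return len(zlib.compress(data)) - len(data)


def sizes_report(data: bytes) -> dict:
    """Bytes on the wire for each ordering of compress and encrypt."""
    compressed = zlib.compress(data)
    ct_after_compress, _ = otp_encrypt(compressed)
    ct_first, _ = otp_encrypt(data)
    return {
        "plain": len(data),
        "compressed": len(compressed),
        "compress_then_encrypt": len(ct_after_compress),
        "encrypt_then_compress": len(zlib.compress(ct_first)),
    }


def roundtrip_ok(data: bytes) -> bool:
    """Compress -> encrypt -> decrypt -> decompress must give back the input."""
    ct, key = otp_encrypt(zlib.compress(data))
    return zlib.decompress(otp_decrypt(ct, key)) == data


def compression_oracle_sizes(secret: bytes, known_prefix: bytes, alphabet: bytes) -> dict:
    """The caveat on compress-then-encrypt: if attacker-chosen input is
    compressed in the same block as a secret, the compressed length leaks
    the secret (the CRIME/BREACH pattern). Each candidate next character is
    appended to the known prefix and reflected into a constructed page that
    also holds the secret; the correct candidate extends a back-reference,
    so its page compresses no larger than any wrong one. Encryption then
    preserves the length, so the leak survives on the wire."""
    sizes = {}
    for c in alphabet:
        guess = known_prefix + bytes([c])
        page = (b'<input type="hidden" name="csrf" value="' + secret + b'">'
                b'<p>You searched for: ' + guess + b'</p>')
        sizes[chr(c)] = len(zlib.compress(page))
    return sizes


def best_guesses(sizes: dict) -> set:
    """Candidates whose page compressed smallest (ties are possible; a real
    attack breaks them by padding the request and retrying)."""
    smallest = min(sizes.values())
    return {c for c, n in sizes.items() if n == smallest}


if __name__ == "__main__":
    print("log text:", sizes_report(PLAINTEXT))
    print("random bytes: zlib grows them by", compressed_size_delta(RANDOM_SAMPLE), "bytes")
    print("round trip ok:", roundtrip_ok(PLAINTEXT))
    secret = b"7f3a9c2e"  # constructed CSRF token, attacker knows "7f3a" so far
    sizes = compression_oracle_sizes(secret, b'value="7f3a', b"0123456789abcdef")
    print("compressed size per next-char guess:", sizes)
    print("smallest group (true next char is '9'):", best_guesses(sizes))
```

Running it, the log text shrinks to a small fraction of its size, while the random sample and the encrypt-then-compress output both grow by a few bytes of zlib framing: compress first, and do not compress at all once data is already compressed or encrypted. The last two lines show the true next character of the token landing in the smallest group of guesses; the practical defence is to keep secrets out of any compressed block that also carries untrusted input, or to disable compression for those responses.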
Hello, I use Acunetix 11. There is an Internal Server Error in all web service scans (v10, v11). I wonder what the reason for this error is and how I can fix it. For further details, we have a WCF web service. Best regards.
