Application Security Forum

Content Specialist
IT Central Station
Aug 15 2018
One of the most popular comparisons on IT Central Station is Kiuwan vs SonarQube. One user says about Kiuwan, "It is the most effective tool for IT procurement managers and directors. It includes technical debt metrics and is action plan oriented to rejected deliveries." Another user says about SonarQube, "A usual addition to this tool is the IntelliJ plugin called SonarLint, which integrates into your IDE. Then, it allows you to run the convention rules file by file and receive immediate feedback when making changes. This removes the need to push to the server before finding out what issues you need to resolve." In your opinion, which is better and why?
Arthur Hicken: It depends on your role and what you're trying to accomplish. If you're trying to harden your own code, then a tool that does SAST or static code analysis like SonarQube is a great idea. For example, Parasoft C/C++test is the only tool that has full support for every rule in the CERT-C standard. If you're trying to secure applications that aren't yours, systems, etc., then SAST tools aren't for you. You have to have the code for them to be useful.
Cindy Blake: It's generally better to test for security early in the SDLC, so my choice would be SonarQube over Kiuwan because it includes static application security testing.
Content Specialist
IT Central Station
Aug 14 2018
One of the most popular comparisons on IT Central Station is SonarQube and Veracode. People like you are trying to decide which one is best for their company. Can you help them out? Is SonarQube better than Veracode? What is the biggest difference between these two solutions, and which would you recommend? Thanks for helping your peers make the best decision! --Rhea
John Pack: They are used for two different purposes. If your preference is software/application security, then Veracode, Fortify or Checkmarx can be evaluated based on programming language and issue coverage, as well as integration and usability options. If your preference is code quality, then SonarQube or CAST can be evaluated based on your requirements or wish list. Keep in mind, one (quality) cannot replace the other (software), so decide based on your needs. Good luck!
Ramesh Karanam: I didn't get an opportunity to work on Veracode. However, I would like to put my thoughts on SonarQube:
a) It is very easy to integrate with multiple open source configuration tools like Jenkins.
b) It is a collaboration between Microsoft and SonarQube, and the Microsoft integration is much easier; you should be able to run all code analysis based on configured rules from a TFS build or even from the Visual Studio IDE.
c) There are plug-ins available from SonarQube; once you install them, users are able to see Sonar results in the Visual Studio IDE for that project.
d) It supports static code analysis for multiple languages like C#, Java, Angular, SQL, etc.
e) There is an option to create our own user management and provide access rights based on user role.
f) Its dashboard representation is very good, and there are also lots of options to customize the dashboard.
g) Easy installation.
h) Easy navigation to the source code (or even a particular code part) based on a code analysis error.
Rambabu Kanugula: Both tools are important and meant for different purposes: SonarQube for code quality, and Veracode for static, dynamic and third-party code analysis, which is specific to understanding security flaws.
Content Specialist
IT Central Station
Aug 14 2018
One of the most popular comparisons on IT Central Station is Checkmarx vs SonarQube. One user said about Checkmarx that "It pinpoints the vulnerability in the code and also presents the flow of malicious input across the application." However, a user with experience with SonarQube has said "With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas." Which of these two solutions would you recommend and why? Thanks for your help! --Rhea
Giovanni Molin Brosa: SonarQube is not really an AppSec tool. It is widely used by developers and has security plugins that offer limited visibility of vulnerabilities. Checkmarx is a real AppSec tool, with deep insight into vulnerabilities in all current languages. A security manager should consider only Checkmarx, and eventually compare it with tools of the same quality, but should drop the SonarQube plugins. On the other hand, Checkmarx is expensive, while the SonarQube plugins are cheap and easy to set up if the base product is already in use. The choice depends on budget and scope: if you have the money and really want to reduce risk, choose Checkmarx. If you do not have the money, or if your goal is just to show management that you are doing something for AppSec without bothering to lower risk, then choose the SonarQube plugins.
Tusnin Das: Checkmarx (costly commercial license) is for application security and SonarQube is for code quality. You can write security rules in SonarQube; however, that will require time and effort. Selecting either of these two depends on your requirements.
reviewer557727: SonarQube is a hub for code quality; its own security analysis capabilities are very limited, as it doesn't perform in-depth data and code flow analysis. Checkmarx SAST (Static Application Security Testing) AppSec static code analysis is done on top of data and code flows thoroughly built from the source. So these two products don't compete in the same space. For pure SAST, Checkmarx is a far superior solution. However, Checkmarx SAST results can be reported together with other code quality metrics back into the SonarQube dashboard using the provided integration. You can find more information at https://checkmarx.atlassian.net.
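As an added illustration of the "data and code flow analysis" point made in the answers above: the following is hypothetical example code written for this page, not the engine of Checkmarx, SonarQube or any other product, and the source, sink and sanitizer names it uses are assumptions. It is a toy taint analysis built on Python's ast module. It follows attacker-controlled data through assignments until it reaches a sink, stops the trace at a recognised sanitizer, and is compared with a grep-style scan that only fires when a source call appears literally inside the sink call. The flow-based scan reports the concatenated query that the pattern scan misses, and reports nothing for the parameterised, sanitised variant.

```python
import ast

# Constructed, hypothetical source/sink/sanitizer tables; a real engine ships thousands per framework.
SOURCES = {"input", "request.args.get"}
SINKS = {"cursor.execute", "os.system"}
SANITIZERS = {"int", "shlex.quote"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def taint_of(expr, tainted):
    """Return a provenance trace if `expr` carries attacker-controlled data, else None."""
    if isinstance(expr, ast.Name):
        return tainted.get(expr.id)
    if isinstance(expr, ast.Call):
        callee = dotted(expr.func)
        if callee in SANITIZERS:
            return None  # a recognised sanitizer cuts the flow
        if callee in SOURCES:
            return [f"{callee}() at line {expr.lineno}"]
        children = list(expr.args) + [kw.value for kw in expr.keywords]
    elif isinstance(expr, ast.BinOp):
        children = [expr.left, expr.right]
    elif isinstance(expr, ast.JoinedStr):  # f-strings
        children = [v.value if isinstance(v, ast.FormattedValue) else v for v in expr.values]
    elif isinstance(expr, (ast.Tuple, ast.List)):
        children = expr.elts
    else:
        return None  # constants and anything this toy does not model
    # first tainted child wins; its trace is propagated upwards
    return next((t for t in (taint_of(c, tainted) for c in children) if t), None)

def _check_sink(call, tainted, findings):
    callee = dotted(call.func)
    if callee in SINKS:
        for arg in list(call.args) + [kw.value for kw in call.keywords]:
            trace = taint_of(arg, tainted)
            if trace:
                findings.append({"sink": callee, "line": call.lineno, "trace": trace})
                return

def _scan_block(stmts, tainted, findings):
    for stmt in stmts:
        if isinstance(stmt, ast.FunctionDef):
            _scan_block(stmt.body, {}, findings)  # fresh taint state per function
        elif isinstance(stmt, ast.Assign):
            if isinstance(stmt.value, ast.Call):
                _check_sink(stmt.value, tainted, findings)
            trace = taint_of(stmt.value, tainted)
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if trace:
                        tainted[target.id] = trace + [f"{target.id} at line {stmt.lineno}"]
                    else:
                        tainted.pop(target.id, None)  # overwritten with clean data
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            _check_sink(stmt.value, tainted, findings)
        elif isinstance(stmt, (ast.If, ast.For, ast.While, ast.With)):
            _scan_block(stmt.body, tainted, findings)  # simplification: no path sensitivity
            _scan_block(getattr(stmt, "orelse", []), tainted, findings)

def analyze(src):
    """Flow-based scan: follows taint through assignments until it reaches a sink."""
    findings = []
    _scan_block(ast.parse(src).body, {}, findings)
    return findings

def pattern_scan(src):
    """Grep-style scan: flags a sink only if a source call appears literally in its arguments."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and dotted(node.func) in SINKS:
            if any(isinstance(s, ast.Call) and dotted(s.func) in SOURCES for s in ast.walk(node)):
                findings.append({"sink": dotted(node.func), "line": node.lineno})
    return findings

# Constructed sample programs, not taken from any real project.
VULNERABLE = '''def lookup(cursor, request):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)
'''
SAFE = '''def lookup(cursor, request):
    user_id = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
'''
INLINE = 'os.system("ping " + input("host: "))\n'

if __name__ == "__main__":
    for name, src in [("VULNERABLE", VULNERABLE), ("SAFE", SAFE), ("INLINE", INLINE)]:
        print(name, "pattern:", pattern_scan(src), "flow:", analyze(src))
```

The toy is intra-procedural and path-insensitive, which is exactly what a commercial SAST engine is not: it follows taint across function calls, fields and framework glue, and that machinery is what a hand-written rule in a quality tool cannot cheaply reproduce. The returned trace (source, then each variable the data passed through, then the sink line) is the "flow of malicious input" that the Checkmarx user quoted in the question is referring to.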
Senior Project Manager
IT Central Station
Apr 12 2018
One of the most popular comparisons on IT Central Station is Netsparker Web Application Security Scanner vs OWASP Zap. People like you are trying to decide which one is best for their company. Can you help them out? Which of these two solutions would you recommend for Application Security? Why? Thanks for helping your peers make the best decision! --Nick
Category Analyst at a financial services firm with 5,001-10,000 employees
Hi everyone, I am currently sourcing an alternative firewall solution to replace the existing solution being used by my organization, on commercial considerations, and Palo Alto has been recommended. I have done a lot of research, but I also need to complement that with expert opinions.
