1. leader badge
    The good thing with SonarQube is it covers a lot of issues, it's a very robust framework.Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.
  2. leader badge
    It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail.
  3. Find out what your peers are saying about SonarSource, Veracode, Checkmarx and others in Application Security. Updated: January 2021.
    456,966 professionals have used our research since 2012.
  4. leader badge
    The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking.
  5. leader badge
    When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages.
  6. It is easy for developers to use. The documentation is clear as well as the APIs are good and easily readable. It's a good solution overall.From the software composition analysis perspective, it first makes sure that we understand what is happening from a third-party perspective for the particular product that we use. This is very difficult when you are building software and incorporating dependencies from other libraries, because those dependencies have dependencies and that chain of dependencies can go pretty deep. There could be a vulnerability in something that is seven layers deep, and it would be very difficult to understand that is even affecting us. Therefore, Snyk provides fantastic visibility to know, "Yes, we have a problem. Here is where it ultimately comes from." It may not be with what we're incorporating, but something much deeper than that.
  7. I find the attack model quite amazing, where I can write my scripts and load my scripts as well, which helps quite a bit. All the active scanning that it can do is also quite a lot helpful. It speeds up our vulnerability assessment and penetration testing. Right now, I am enjoying its in-browser, which also helps quite a bit. I'm always confused about setting up some proxy, but it really is the big solution we all want.
  8. report
    Use our free recommendation engine to learn which Application Security solutions are best for your needs.
    456,966 professionals have used our research since 2012.
  9. One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that.
  10. Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden.

Advice From The Community

Read answers to top Application Security questions. 456,966 professionals have gotten help from our community of experts.
Rony_Sklar
There are many cybersecurity tools available, but some aren't doing the job that they should be doing.  What are some of the threats that may be associated with using 'fake' cybersecurity tools? What can people do to ensure that they're using a tool that actually does what it says it does?
author avatarSimonClark
User


Dan Doggendorf gave sound advice.


Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money but how do you know where to spend it? There are over 5,000 security vendors to choose from.


There is no silver bullet and throwing money at it won’t necessarily fix what you are at risk from but at the same time free products are free for a reason.


If your organisation doesn’t have a large team of security experts to research the market and build labs then you need to get outside advice. Good Cyber-advisors will understand your business and network architecture therefore will ask the right questions to help you to navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future.


Large IT resellers will sell you what they have in their catalogues based on what you ask for and give a healthy discount too but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions.


By the way, there are free security products and services that I recommend.


author avatarDan Doggendorf
User

The biggest threat is risks you think you have managed are not managed at all so you and your executive team have a completely false sense of security.  This is even worse than not having any tool in place.  With no tool in place, you at least know you have a vulnerability.


There several ways to ensure a tool is doing what it is supposed to do.


1. Product Selection - when selecting a tool, do not focus on what a tool can do.  Focus on what you want the tool to do.  You drive the direction of the sales demo, not the sales team.


2. Product Implementation - use professional services to implement and configure the solution.  Your team should be right there with them as a knowledge transfer session but the professional who installs and configures the product every day should drive the install, not someone who wants to learn.


3. Trusted Partners - find yourself a trusted partner(s) who can help guide you.  This should consist of product testing labs partners, advisors who live and breathe the space daily, and resellers with a strong engineering team.

author avatarDanny Miller
User

Tools are not necessarily bogus. Sometimes they are just 'legacy' tools that have been around for too long and no longer fit the problem they were designed to solve, simply because IT infrastructure, organizational needs, and cybersecurity threat complexity have evolved. 

author avatarreviewer1266459 (Network Security Engineer at a performing arts with 201-500 employees)
Real User

Refrain from free products


Delete products and traces of product after evaluation


Always know what you want from the cybersecurity solution. Can identify illegal operations of the products if different from its stipulated functions.


Work with recognised partners and solution providers


Download opensource from reputable sites


author avatarDoctor Mafuwafuwane (Altron Systems Integration )
Real User

Open Source or Free products need proper management. Based on my experience I have found that many people who uses open source don't bother to patch them and attackers then utilize such loopholes.



One of the great example one client was using free vulnerability management plus IP scanner. And they got hit with ransomware. During the investigation I realise the attacker utilized the same tool to affect other devices on the network. The attack took his time at least 2 months unnoticed. 

author avatarBasil Dange
Real User

One should 1st have details understanding of what he/she is looking to protect within environment as tool are specially designed for point solution. Single tool will not able to secure complete environment and you should not procure any solution without performing POC within your environment 


As there is possibility that tool which works for your peer organisation does not work in similar way for yours as each organisation has different components and workload/use case

author avatarJavier Medina
Real User

You should build a lab, try the tools and analyze the traffic and behavior with a traffic analizer like wireshark and any sandbox or edr that shows you what the tools do, but all this should be outside your production environment, use tools that has been released by the company provider and not third party downloads or unknown or untrusted sources.

author avatarAlan
Real User

Bogus cybersecurity tools might bring about the data exfiltration, trojan horse 

Menachem D Pritzker
On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts we protected using two-factor authentication, which the hackers were somehow able to bypass. Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, and Kanye West, Benjamin Netanyahu, and several high profile tech companies, including Apple and Uber. The hackers posted variation of a message asking follower to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned. How could Twitter have been better prepared for this? How do you rate their response?
author avatarKen Shaurette
Real User

I like the potential for catching an unusual activity like that with our recently implemented endpoint detection tool, Cynet360.  It seems so far to have about the highest level of transparency into the endpoint with a 24x7x365 backing of monitoring.  

author avatarPrasanna VA
Real User

It's understood that internal tool probably shared by Internal Employee as RCA. The tool was used to reset associated Mail Address of account thereby Password Reset of Choice. In MFA of Identity related features, it's more secured on keeping it with associated Mobile Secure Pin or SoftCrypto Code in Future to avoid compromise at this moment is the lesson learned. 

author avatarreviewer989748 (Security Analyst at a financial services firm with 201-500 employees)
Real User

The use of two factor authentication by Twitter

author avatarParesh Makwana
Reseller

This is one of the Identity theft issue, which means some one hack your password or account and do activity which he she is not suppose to do. basic reason of hack of your identity or password is Social engineering. second reason is system has week privilege access management. If you have less control on admin id or privilege id then enter firm has to suffer along with the customer of that firm. For me the take away of this event is to protect privilege ID and you good PAM PIM tool with two factor and UBA included.  

author avatarRussell Webster
Real User

Span of control, Solid RBAC, Privileged Access Management (PAM) 

CK Low
I am researching application security software for my organization. We provide systems to the airline industry. Which products provide both vulnerability scanning and quality checks? Which one(s) do you recommend and why? Thanks, CK
author avatarTundeOgunkoya
Reseller

Whilst it may appear as though the real solution to a question like yours is to name a particular tool and say it is the best tool in the market because of what an analyst company like Gartner or Forrester says, I would rather ask if you have an Appsec Programme in your organization and what that AppSec Programme is like.

Yes, a tool will help you find the bugs and security vulnerabilities, but a tool or combination of a tool in itself does not solve your security challenges without a proper programme.

In any case, depending on what part of the SDLC you want to introduce a tool into, then it may be easier to recommend a tool. For clarification purposes, you may want to share more light into the time you want to use the tool e.g during QA, Dev, Testing, production or Post-production, also the type of integration needs you have for your CI/CD, language or protocol support that you need to look into, as well as if you are looking at continuously monitoring your systems which you supply to the Airline industry.

A quick look into Gartner Application Security Testing quadrant or Forresters may give you some guidelines with respect to tools alone. but an AppSec programme is very key to the success of whatever tool you acquire.

author avatarTiago Stello
User

I use and recommend Micro Focus Fortify for SAST, DAST, and real-time code analysis.

There support 25+ language programming and it integrates into your CI/CD environment for an unbreakable pipeline, i.e.: Jenkins, Jira, and others.

Fortify has a plugin for IDE for Eclipse, Visual Studio, and other IDE's and real-time analysis code is functional, with solutions and best practices.

author avatarVolker Koenigsbuescher
User

I don’t know any. Either they do quality checks (which can also contain some vulnerabilities, but not to a great extent) or security scans, but not both, afaik. But my market knowledge is limited.

author avatardavidstrom
Writer

Burp Suite from PortSwigger (pen testing and vuln scans) and WebGoat from OWASP (code testing) are two that I would recommend. See this article for other recommendations: https://www.csoonline.com/article/3317523/top-application-security-tools-for-2019.html?nsdr=true#tk.twt_cso

author avatarWanda Thomas
MSP

It depends if the application is a web app. Does it have a database? Are the systems built to any regulations required for compliance (i.e. CIS benchmarks)? Do you want an automated means to "act" on findings?

author avatarElina Petrovna
Real User

My experience said there is no perfect all-in-one product doing its best for SAST, DAST and IAST together. If you're looking on Gartner-remarked products only, the most recent version of Micro Focus Fortify (today is 19.2.1) represents the best combination. If you are price-oriented, and also you don't trust on remarked products, you should take a look to niche players, like Security Reviewer: www.securityreviewer.net offering SAST, DAST, IAST and Software Composition Analyis. Most of my customers use a remarked product and a niche onw together, in order to solve as many false negative as possible.

author avatarShen Dong (Huawei Technologies)
Vendor

For vulnerablity, from your requirement, your checking app is for airline industry, i assuem it will be C related. Base on my current usage experience, you can choose Coverity or Klocwork, this 2 tools can support many C related compiler, this will be very important for your application project. And this is main the reason i dont suggest you to chose Fortify, Fortify can support many programe language, but it is not good on C programe compared with Coverity and Klocwork.

For quality check, this is another question, normally commercial static analysis tools already provide some checker for bad practices, it is not big issue.

author avatarkikyou
User

你们是基于什么语言?我比较推荐parasoft因为它在漏洞扫和描质量检查方面应用在航空公司(民用)都是有案例的,如果需要案例和工具的详细信息请发邮件给我wenya.xia@ruitde.com

See more Application Security questions »

What is Application Security?

The members of IT Central Station were clear on what was most important when evaluating Application Security: while some also mentioned that the software should be silent and have the ability to lock down configuration settings, everyone agreed that quality Application Security should provide intelligent data and come with a solid reputation, a strong usage pattern, efficient data handling, and a clean design. Members also mentioned documentation and maintenance as benefits.

Find out what your peers are saying about SonarSource, Veracode, Checkmarx and others in Application Security. Updated: January 2021.
456,966 professionals have used our research since 2012.