Synopsys Defensics Review

Technical support provided protocol-specific documentation to prove that some positives were not false.

What is most valuable?

This collection of storage-related components was most valuable in extending a security assurance program into the area of black-box security testing for a NAS appliance.

How has it helped my organization?

A security assurance engineer was able to perform due diligence across all network-facing protocols.

My prior organization designed, developed and deployed a Network Attached Storage (NAS) appliance. A key part of the company-wide security assurance program for all products is to perform penetration testing against all network-facing IP ports.

For the web, SSL and RESTful APIs, there are very good COTS and open source tools to perform Dynamic Application Security Testing (DAST) testing. Unfortunately for NAS protocols like SMB, NFS, CIFS, and iSCSI, I researched and found that Codenomicon Defensics was the only viable source to satisfy our DAST requirements.

Through the use of Selenium for automated web testing, it was easily found out that Codenomicon Defensics could be integrated into our Continuous Integration / Continuous Deployment (CI / CD) Agile processes, specific to automated testing.

Also, like many of the other application security testing products, Defensics incorporates automatic update support and works on Windows, MacOS and Linux desktops.

What needs improvement?

It requires understanding the Defensics protocol.

For how long have I used the solution?

I have used it for five years.

What was my experience with deployment of the solution?

I have not encountered any deployment issues. The product works as, or even better than, expected.

What do I think about the stability of the solution?

I have not encountered any stability issues.

What do I think about the scalability of the solution?

I have not encountered any scalability issues.

How is customer service and technical support?

Customer Service:

Customer service is excellent.

Technical Support:

As with most application security test suites, there are "false positives". On multiple occasions, Codenomicon technical support provided the details and protocol-specific documentation to prove that the positive was not false.

How was the initial setup?

The setup was very straightforward and error-free on multiple OS platforms.

What about the implementation team?

An in-house team implemented it.

What was our ROI?

ROI was 100%. Since there are no product suites available that provide the level of testing available with Codenomicon, the development, quality and security assurance departments know that the investment was correct.

What's my experience with pricing, setup cost, and licensing?

Start out with a single use per protocol, and expand to multiple units as needed.

Which other solutions did I evaluate?

No other COTS or open-source software fulfilled this testing requirement.

There are various protocol-specific testing suites, but most do not focus on both the depth and breadth of each protocol's specific features.

Disclosure: I am a real user, and this review is based on my own experience and opinions.