Application Security Testing Reviews and Ratings

What is Application Security Testing?

Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities. This market is highly dynamic and continues to experience rapid evolution in response to changing application architectures and enabling technologies. AST tools are offered either as software-as-a-service (SaaS)-based subscription offerings, or less often, as on-premises software. Many vendors offer both options.

Products In Application Security Testing Market

"Addressing Vulnerabilities: An Exploration of Advanced Code Analysis"

Best application of code analysis for identification and remediation of vulnerabilities.

"Checkmarx's Role in Advancing Shift Left Security"

Checkmarx, being a SAST tool, fits many aspects of shift left security in the current software landscape, where we are able to identify app security risks even before going live. I personally feel their SAST engine scan accuracy is very good compared to other products that are currently on the market. I see fewer false positives and very efficient vulnerability detection.

"Must Have tool in Cyber Security professional's arsenal"

Burp Suite stands out as a powerful and versatile tool for web application security testing. Its extensive range of features makes it the first go-to tool choice for any Cyber Security professional conducting web application testing, and it aligns with OWASP's top 10 vulnerabilities. Some of the features I would love to call out which help the Bank are as follows: Ease of deployment, straightforward installation and a user-friendly interface make it accessible to both beginners and experienced users. Mimicking MIM (Man in the Middle) attacks, it intercepts and modifies parameters of messages for protocols such as HTTP and HTTPS. Automated scanning capabilities with active and passive scans. The repeater feature allows you to repeat the "n" number of requests and analyze responses based on different parameters. Automatically discover hidden functionalities by identifying invisible content. Collaborative testing facilitates collaboration among testers by sharing findings. Information-rich testing provides essential information on targeted applications, such as site maps and requests.

"Simple deployment with immediate, actionable data and meets all of our SOC requirements"

My overall experience has been very good using the InsightAppSec platform. Very detailed scan results and straightforward UI.

"Tackling Cybersecurity Challenges with Qualys Web Application Scanning"

Qualys Web Application Scanning makes a standout choice for a proactive/reactive security assessment approach, with a user-friendly interface and rapid performance to help organizations identify and remediate security vulnerabilities. Some of the features that helped the Bank are as follows: Automated scans allow organizations to identify a wide range of vulnerabilities, continuously monitor and incrementally detect new vulnerabilities. Web application enumeration helps in discovering apps that are undocumented / ghost applications, thus helping in maintaining a comprehensive security posture. Security vulnerabilities such as weak passwords, brute force, authentication bypass, etc. can be detected and remediated. Tailored scanning policies for security and compliance requirements such as PCI-DSS standards and ISO 27001. Complex visualization through the use of Boolean logic queries, simplifying the overview to get a complete picture of remediation progress. Latest threat detection signatures, including zero-day detection, are crucial for effective security management. SIEM integrations help in better tracing the vulnerability management lifecycle.

"Like Gitlab"

Fully integrated, security first, with a lot of good tools. Very happy.

"go get latest@contrast :)"

It was a very positive experience. Contrast is a very effective tool that can detect and help fix vulnerabilities in code. Contrast also provides details on how to remediate the vulnerabilities that they find. Contrast is also very fast and lightweight, hence the stress on infrastructure is less, causing no problems to app teams, hence Contrast is a very good fit for DevSecOps teams. Also, the customer support is at an exceptional level; the teams are very friendly and concerning.

"HCL Appscan Cloud"

Enrollment and deployment were really easy and HCL was with us the whole time providing support, directions and how-to.

"Positive Experience"

Very friendly, helpful team. Quick response time to communications.

"easy to use securing web sites but non friendly in licensing"

Our organization has been using Acunetix web vulnerability scanner for the 6th year; I have been working as an administrator of the system for the 6th year. Purchases are made based on the Gartner Magic Quadrant's annual report and discussion of renewal of the system.

"Usage of Coverity by Sys Admin"

We use Coverity. I'm the Sys Admin who implements this product on our servers.

"Invicti is one of the best DAST scanners on the market"

I have used this product since it was called NetSparker. They just keep making it better and better. We moved to a different product for a while and we were disappointed. We moved back to Invicti (NetSparker).

"Very good Analysis of Web and Mobile Application VAPT."

We have been working with Appknox for the last 3 years. We have been using their services for the purpose of security audit of applications and web deployments. Overall the team is professional and their process is quite robust; reports are quite good, which helps the application team to close the necessary gaps identified in the environment. The product we used in our environment for us and our customers was Web VAPT and Mobile application VAPT. The integration was quite easy for uploading the mobile application, and all reports were in proper report format.

"An extremely practical AST tool."

Fortify SCA provides accurate assessments, the GUI interface is not too difficult to navigate, and the compliance reports are very detailed. I would recommend it to more people for use.

"Snyk Code's Seamless Integration: Enhancing Developer Experience"

Evaluating Snyk Code generally involves considering several aspects, including cases of use, integration capabilities, accuracy of findings and overall impact on the development workflow. Here are some key points based on typical user experience... Ease of integration: Snyk Code integrates seamlessly with various CI/CD pipelines, IDEs, and repositories, making it easy to incorporate security into the development process. Developer friendly: The tool is designed with developers in mind to provide actionable insights and suggestions to fix vulnerabilities directly within the development environment. Real-time scanning: The ability to scan code in real time helps in identifying vulnerabilities early in the development process, reducing the cost and effort of fixing issues later.

"Highlighting the Ease-of-use and Minor Glitches of the New Product"

I have nothing but positive things to say about the overall experience.

"Unearthing Code Vulnerabilities with Sonarqube"

Sonarqube is very useful in finding the vulnerabilities in code. It's a useful tool to manage code coverage across services. It also finds code complexity by quantizing it as a number, which is very good.

"A Robust Tool for Open-Source Security and Compliance"

Black Duck is appreciated for its ease of use, speed and simplicity. It is known for effectively identifying most open-source packages and automatically performing identification. We use it for analysis and vulnerability identification in open-source libraries, emphasizing security, compliance and risk management. We like the way in security scanning and vulnerability scanning, ensuring that no high risk libraries or dependencies are pushed into production.

"GitHub Enterprise Makes Development and QA Work Efficient and Easy"

GitHub Enterprise is super helpful for developers and for testers as well. It's easy to use. All the latest changes to the code are visible instantly to Testers. For testers like me, it's great for doing lots of automation. It makes automation tests pretty easy. Many people can work at the same time to make the code better. It also works really well with other tools to make our tests even better and faster.

"Scaling Manual Scans with Snyk: From 200 Annually to 1,000 Repositories Weekly"

From demo to negotiations, implementation and rollout, this went extremely well. We were able to scale out our scanning in a very short time, which enabled us to go from 200 manual scans per year to over 1,000 source code repositories scanned weekly to detect issues. Developers have adopted the use of Snyk, the information provided and the IDE plugin to help remediate issues. It has truly been a great success for us!
