Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities. This market is highly dynamic and continues to experience rapid evolution in response to changing application architectures and enabling technologies. AST tools are offered either as software-as-a-service (SaaS)-based subscription offerings, or less often, as on-premises software. Many vendors offer both options.
"Recounting a Nine-Year Journey with Veracode: Successes and Challenges"
Our company has been using Veracode for nine years, and our experience has been outstanding. Veracode has consistently met our needs and kept improving. The features and capabilities have helped us streamline our processes and significantly improve our efficiency. Support has always been responsive and helpful, ensuring that any issues we encounter are resolved quickly. We have also developed a great relationship with our account manager, who understands our business and always goes above and beyond to assist us.
"Checkmarx's Role in Advancing Shift Left Security"
Checkmarx being a SAST tool fits many aspects of the shift left security in the current software landscape where we are able to identify app security risks even before going live. I personally feel their SAST engine scan accuracy is very good compared to other products that are currently in the market. I see less false positives and very efficient vulnerability detection.
"Must Have tool in Cyber Security professional's arsenal"
Burp Suite stands out as a powerful and versatile tool for web application security testing. Its extensive range of features makes it the first go-to tool choice for any Cyber Security professional conducting web application testing, and it aligns with the OWASP Top 10 vulnerabilities. Some of the features I would love to call out which help the Bank are as follows: Ease of deployment, straightforward installation and a user-friendly interface make it accessible to both beginners and experienced users. Mimicking MIM (Man in the Middle) attacks, it intercepts and modifies message parameters for protocols such as HTTP and HTTPS. Automated scanning capabilities with active and passive scans. The Repeater feature allows you to repeat "n" number of requests and analyze responses based on different parameters. Automatically discover hidden functionalities by identifying invisible content. Collaborative testing facilitates collaboration among testers by sharing findings. Information-rich testing provides essential information on targeted applications, such as site maps and requests.
"Simple deployment with immediate, actionable data and meets all of our SOC requirements"
My overall experience has been very good using the InsightAppSec platform. Very detailed scan results and straightforward UI.
"Tackling Cybersecurity Challenges with Qualys Web Application Scanning"
Qualys Web Application Scanning makes a standout choice for a proactive/reactive security assessment approach, with a user-friendly designed interface and rapid performance to help organizations identify and remediate security vulnerabilities. Some of the features that helped the Bank are as follows: Automated scans allow organizations to identify a wide range of vulnerabilities, continuously monitor, and incrementally detect new vulnerabilities. Web application enumeration helps in discovering apps that are undocumented/ghost applications, thus helping maintain a comprehensive security posture. Security vulnerabilities such as weak passwords, brute force, authentication bypass, etc. can be detected and remediated. Tailored scanning policies for security and compliance requirements such as PCI-DSS standards and ISO 27001. Complex visualization through the use of Boolean logic queries simplifies the overview and gives a complete picture of remediation progress. Latest threat detection signatures, including zero-day detection, are crucial for effective security management. SIEM integrations help in better tracing the vulnerability management lifecycle.
"GitLab's Automated Security Application Testing: A Comprehensive Protection"
GitLab offers an exceptional solution for automated security application testing, providing comprehensive protection for our software. By integrating SAST, secret detection and dependency scanning, it ensures that potential vulnerabilities are identified and mitigated early in the development process. This multi-layered approach not only enhances the security of our codebase but also builds confidence that our applications meet the highest security standards.
"go get latest@contrast :)"
It was a very positive experience. Contrast is a very effective tool that can detect and help fix vulnerabilities in code. Contrast also provides details on how to remediate the vulnerabilities that they find. Contrast is also very fast and lightweight, hence the stress on infrastructure is less, causing no problems to app teams; hence Contrast is a very good fit for DevSecOps teams. Also, the customer support is at an exceptional level; the teams are very friendly and concerned.
"HCL Appscan Cloud"
Enrollment and deployment were really easy, and HCL was with us the whole time providing support, directions and how-tos.
"Feedback on Efficient Static Scan Feature in Product Testing"
The overall experience was very decent. The types of test cases covered in the product are really good. The static scan itself covers a lot of test cases and the static scan gets completed within a few seconds. This really helped us a lot.
"Positive Experience"
Very friendly, helpful team. Quick response time to communications.
"easy to use securing web sites but non friendly in licensing"
Our organization has been using the Acunetix web vulnerability scanner for the 6th year, and I have been working as an administrator of the system for the 6th year. Purchases are made based on the Gartner Magic Quadrant annual report and discussion of the system's renewal.
"Usage of Coverity by Sys Admin"
We use Coverity; I'm the sysadmin who implements this product on our servers.
"Invicti is one of the best DAST scanners on the market"
I have used this product since it was called NetSparker. They just keep making it better and better. We moved to a different product for a while and we were disappointed. We moved back to Invicti (NetSparker).
"Fortify Explores AI and Machine Learning for Enhanced Security Solutions"
We have been using Fortify for more than 5 years now. It's a comprehensive solution with the largest rule set based on my research. Accuracy is debatable, but I believe it's the same for all the static solutions, I guess. It can be resource intensive for some programming languages, so you need to consider good resourcing for your scanning machines when it comes to using Fortify to its great potential. Fortify has announced that they are embarking on a journey in AI and machine learning to enhance and reduce noise and build auto-remediation features in Fortify, which I believe will be very useful to our company and the team.
"Seamless Testing with Fortify On Demand: A User Experience"
Fortify on Demand is a comprehensive security and one-stop solution for all AppSec technology needs. My experience to date with Fortify On Demand (FOD) has been great and highly positive. The testing is seamless, as we can scan and find issues hassle-free. The best part of FOD is ease of use. For both developers and automation solutions, the scan submission is simple and smooth. Sometimes the scan delivery gets delayed, which we understand as it's a cloud service. One area of advice is that when the audit assistant marks an issue as a false positive, it would be better to have some idea or justification around it. Overall it's a good and positive experience for me and my company. We would recommend it to anyone who wants to start application security from day one.
"Snyk Code's Seamless Integration: Enhancing Developer Experience"
Evaluating Snyk Code generally involves considering several aspects, including use cases, integration capabilities, accuracy of findings and overall impact on the development workflow. Here are some key points based on typical user experience: Ease of integration: Snyk Code integrates seamlessly with various CI/CD pipelines, IDEs, and repositories, making it easy to incorporate security into the development process. Developer friendly: The tool is designed with developers in mind to provide actionable insights and suggestions to fix vulnerabilities directly within the development environment. Real-time scanning: The ability to scan code in real time helps in identifying vulnerabilities early in the development process, reducing the cost and effort of fixing issues later.
"Unearthing Code Vulnerabilities with Sonarqube"
SonarQube is very useful in finding the vulnerabilities in code. It's a useful tool to manage code coverage across services. It also finds code complexity by quantifying it as a number, which is very good.
"Navigability and Ease of Use Enhance Product Value"
The implementation was smooth, and we were able to get any questions answered quickly through some stellar support. Our contact point is exceptional and always addresses our needs in a timely manner. Using this product has helped us detect and fix vulnerabilities reliably.
"GitHub Enterprise Makes Development and QA Work Efficient and Easy"
GitHub Enterprise is super helpful for developers and for testers as well. It's easy to use. All the latest changes to the code are visible instantly to testers. For testers like me, it's great for doing lots of automation. It makes automation tests pretty easy. Many people can work at the same time to make the code better. It also works really well with other tools to make our tests even better and faster.
"In-depth Look at Fortify's Strengths and Weaknesses in Security Testing"
We chose Fortify for its strength and reduced false positive results during our review. Fortify performs static analysis based on control flow and dataflow analysis. So, yes, we saw reduced false positives during our analysis when we chose this product. But not in all languages; for example, they are weak in the C and C++ languages, which was not a great impact for us, but for others it may be. Another good feature is the centralized dashboard called SSC. This feature comes free of cost compared to others in the market. Other vendors were charging us to buy this product, whereas Fortify didn't charge us even a penny. Also, their local technical team was very strong, and during the proof of concept Fortify stood out compared to others.