Which application security tools do IT professionals such as QA engineers and software developers choose to protect their applications from external threats?
According to Margaret Rouse from TechTarget, as applications become more accessible across networks, application security has become a critical element in software design.
According to IT Central Station users, features that help them decide which application security tool is right for them include comprehensive application security testing, support for major coding languages and centralized analysis capabilities.
In the new application security reviews quoted below, real users share up-to-date feedback and compare the top application security solutions in the industry.
A Specialist Master/Manager at a consultancy with 1,001-5,000 employees finds particular value in HPE Fortify on Demand’s static code analyzer;
“The static code analyzer provides views from a security perspective and it is easy to use compared to others. We use it to evaluate security from the code and provide results from a security perspective as opposed to a developer’s perspective.”
This user suggests another piece of advice for IT pros considering HPE Fortify on Demand:
“It is a good product to choose for SCA and cloud deployment. If you choose SSC, don’t always look at the price, as the other products might not conduct the same analysis as HPE Fortify does. Not all products are created equal.”
Bablu Dutt Kumaran, Senior Lead at a software R&D company with 1,001-5,000 employees, suggests improvements be made to the Visual Studio plugin:
“The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there. Also, the comments added on each issue were getting lost on multiple iterations of scans, which could be fixed.”
Yafes Duygulutuna, Penetration Tester at Turkcell, suggests improvements be made to the blackout time implementation capabilities:
“Implementing a blackout time for any user or team(s) needs improvement. I need to place limits for some users or teams within a specific time frame. For example, between 02:00 am to 06:00 am. They can't start any scanning during that time, even if they have scanner privileges.”
Risto Uibo, Senior Software Developer at a tech vendor, describes how SonarQube has established a better live process for his company:
“[There is] more automated quality control in the lifecycle of development / testing / deployment / production. This includes the prevention of potential bugs due to ineffective code, as well as keeping a more unified style of solutions. This is thanks to standard solutions offered by the issue tips. It raises code maintainability as well as flexibility, to some extent.”
Idan Adar, DevOps at a tech services company with 10,001+ employees, describes what SonarQube’s initial setup process involves:
“The initial setup required unzipping it and having MySQL install. We then set up a couple of configuration files. There was no need for IT for this.”
Rann Lifshitz, SW Automation Team Leader at a tech services company with 201-500 employees, points out the need for additional languages to be supported by SonarQube:
“There is need for support for the additional languages and ease of use in adding new rules for detecting issues. Some issues that were detected after committing to the CSM by SonarQube were not displayed in SonarLint scans (hopefully this was fixed in later versions).”
Efe Oral, Software Developer/Architect at an insurance company with 201-500 employees, shares how Veracode helped his company fix several security flaws:
“We used the application for the web. Static, dynamic, and manual scan features were all very useful for us. All of them helped us fix many security flaws. It made us change our approach to coding. We tried to make sure our application stayed secure and safe.”
Efe Oral also lends advice to those who are using Veracode for the first time:
“If it's the first time you are using a security application, be ready for some new tools which you will require you to revitalize the flaws reported.
Reports are very well documented. Once you understand what it means and you get used to it, you will see that it is detailed and clearly explained.”
Gustavo Gonzalez, Product Marketing Engineering at a manufacturing company with 1,001-5,000 employees, suggests more options be made available for uploading source codes:
“To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources.
Compiled code means that the code written is stored in binaries for machine reading only. Veracode reads only those binaries (compiled code).”
Golnaz Elahi, Information Systems Security Officer at a financial services firm with 1,001-5,000 employees, describes the benefits of PortSwigger Burp for application security:
“Burp Suite is a versatile tool for manual web application penetration testing; mainly used by skilled ethical hackers to test security of web-based applications. It helps capturing and modifying HTTP packets and variables, and observing the application’s response. It allows fuzzing the variable in an intuitive way, repeating the same method, crawling a web application, and similar functionalities.”
Razvan Gabriel Coman, Penetration Testing Advisor at a tech services company with 1,001-5,000 employees, hopes to see some extra features made available “in the core product”;
“Some extra features are not available in the core product (WSDL parsing, SOAP calls, Error checks, Authorization bypass), but additional modules created by the community can be easily installed from the BApp store through Extender, or you can write your own in Java, Python or Ruby.”
Uğur Tanık Güdekli, IT Engineer at an aerospace/defense firm with 1,001-5,000 employees, describes how Netsparker has contributed to his organization’s security testing needs:
“Before Netsparker, we were opening internal web pages to the outside for manual tests. Health tests were limited by a system admin’s capabilities.
After Netsparker, a lot of the security tests became automated. We added a step in our policy document to scan pages with Netsparker before opening a site to the outside.”
Lav Thaiba, Software Test Engineer at ITONICS GmbH, points out that Netsparker tends to slow down other applications when they are operating in parallel:
“Sometimes, it is slow; when we are running this application and browsing other applications concurrently, it makes other applications work slow. Besides that, it seems fine.
When I use Netsparker along with other applications such as testing web apps on browsers like Chrome or Firefox for a little longer than normal, there are issues that might be due to the CPU high usage. I'm unable to work on other applications (mainly browsers such as Chrome/Firefox) and ultimately, it hangs and takes time to browse on browsers.”
Read more 2017 application security reviews from IT Central Station users.
