PeerSpot takes a user-centered approach to creating product comparisons that help IT decision-makers arrive at informed decisions. Instead of relying on the word of the companies that create the technological solutions, they go to the users themselves. Real users offer true feedback without any of the partiality that the solutions’ vendors may have. This is a place where peers in the tech world unite to help each other choose the products that are most appropriate for their needs.
PeerSpot’s users have made it easy for decision-makers to choose the Application Security Solutions that most fit their business objectives. They have created a ranked list of solutions according to how potentially valuable they feel these products may be to other users. What follows are the top six ranked products for 2022:
1. SonarQube
SonarQube has been PeerSpot’s top ranked application security solution for almost two years. It is also ranked as the number 1 software development analytics solution. SonarQube is an open-source solution that allows users to inspect their programs for defects or bugs in their code. Users can check for issues in code written in 27 different programming languages. It provides guides that can help programmers resolve many different types of problems. SonarQube makes finding coding issues easy by highlighting the lines of code that require fixing.
The lead engineer at a healthcare company writes, “I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.”
Raja R., a manager at Kellton, writes, “SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
2. Veracode
Veracode is PeerSpot users’ second favorite application security solution. It is a flexible solution that gives users a number of options to choose from when they are trying to decide how to diagnose their applications. Users can accurately test thousands of programs at one time. Additionally, all of the scan results are gathered in a single location. This gives users a complete picture of any and all potential risks that their systems face. Veracode also offers users the ability to test the strength of their infrastructure security.
The senior vice president of engineering at a technology vendor writes, “One thing I would strongly encourage Veracode to do, early on in the process—in the first 30 days—is to provide a strong professional services-type of engagement where they come to the table with the front solution engineers, and work with their customer's team and their code base to show how the product can be integrated into GitHub or their own repository. They should guide them on best practices for getting the most out of Veracode, and demonstrate it with live scanning on the customer's code. It should be done in a regimented way with, say, a 30-minute call on a Tuesday, and a 30-minute call on a Friday.”
Karen M., the information assurance manager at xMatters, writes, “Its policy reporting for ensuring compliance with industry standards and regulations is very helpful. We can create our own policy, based on our internal risk management guidelines, and run the scans against our own customized policy. That way we can set expectations to fix flaws based on our internal timeline, and we can issue reports based on that. We usually share those reports with clients. That's very useful.”
3. Sonatype Nexus Lifecycle
Sonatype Nexus Lifecycle is PeerSpot’s third highest ranked application security solution. It is an open-source security solution that can automatically address security threats that are defined by the policies that users put in place. Sonatype Nexus Lifecycle generates reports that can show users every component of their applications as well as all of the potential risks they face. This report can also give users an idea of how long it might take to resolve the issues it describes.
Michael E., the senior enterprise engineer at the MIB Group, writes, “Some of the APIs are just REST APIs and I would like to see more of the functionality in the plugin side of the world. For example, with the RESTful API I can actually delete or move an artifact from one Nexus repository to another. I can't do that with the pipeline API, as of yet. I'd like to see a bit more functionality on that side.”
Shubbham S., the engineering tools and platform manager at British Telecom, writes, “Its default policies and the policy engine are quite good. So far, we haven't found anything that went through IQ but wasn't caught. We are quite happy with it. The policy engine pretty much provides the flexibility that we need. I haven't seen a case where any of my customers came in and said that they don't have a certain policy in place for IQ, or they wanted to change or remove any policies. At times, they wanted to suppress warnings or altogether skip them if possible, but it doesn't happen or is required very often.”
4. Snyk
Snyk is PeerSpot’s fourth highest ranked application security solution. It is an open-source security solution for application developers. Snyk gives users access to a massive vulnerability database compiled from a number of different sources. This database is coupled with a machine learning algorithm that notifies users of emerging threats faster than other similar solutions.
Cameron G., a security software engineer at a tech company, writes, “The solution's ability to help developers find and fix vulnerabilities is pretty fast. The scanning for all of our various code bases could probably be done in under five minutes. It gives pretty clear information to developers, right away, about what we are vulnerable to and what we will be vulnerable to. Even if a fix or a patch is not out yet for a certain vulnerability, it will still give us that information. It also tells us what versioning, specifically, we need to upgrade to, which helps us determine the best upgrade path for ourselves, because sometimes our projects are a little bit restricted as far as versioning goes.”
The vice president of engineering at a tech vendor writes, "There is always more work to do around managing the volume of information when you've got thousands of vulnerabilities. Trying to get those down to zero is virtually impossible, either through ignoring them all or through fixing them. That filtering or information management is always going to be something that can be improved."
5. Checkmarx
Checkmarx is PeerSpot’s fifth highest ranked application security solution. It is a flexible and accurate tool that enables users to scan their applications for hundreds of potential threats. Checkmarx can analyze code written in every major programming language and run on every major software framework platform. It can be managed from a single central dashboard. Threats can be detected with only a few clicks.
The CEO of a technological services company writes, “The most valuable features are the easy to understand interface, and it's very user-friendly. We spend some time tuning to start scanning a new project, which is only a few clicks. A few simple tunes for custom rules and we can start our scan.”
Deepak K., the vice president at Arisglobal Software Pvt Ltd, writes, “In terms of dashboarding, the solution could provide a little more flexibility in terms of creating more dashboards. It has some of its own dashboards that come out of the box. However, if I have to implement my own dashboards that are aligned to my organization's requirements, that dashboarding feature has limited capability right now."
6. PortSwigger Burp Suite Professional
PortSwigger Burp Suite Professional is PeerSpot’s sixth highest ranked application security solution. It is a solution that functions as a toolbox of features enabling users to ensure that their applications are secure. PortSwigger Burp Suite Professional can automate and customize attacks against incoming threats. Scans for threats can also be automated. Users gain the ability to maximize their protection and ROI.
Vishal D., the lead security architect at SITA, writes, “The most valuable feature of Burp Suite is probably how we can intercept the request and response. We can manipulate a request and send it back to the server. Intercepting is one of the best features for sure.”
Vinoth K., the senior technical architect at Hexaware Technologies Limited, writes, "There could be an improvement in the API security testing. There is another tool called Postman and if we had a built-in portal similar to Postman which captures the API, we would be able to generate the API traffic. Right now we need a Postman tool and the Burp Suite for performing API tests. It would be a huge benefit to be able to do it in a single UI."