What are the best application security testing tools?
IT Central Station’s crowdsourced platform helps technology professionals make informed decisions, by providing user reviews without vendor bias.
Our users have ranked the top five application security testing solutions according to their valuable features, while also discussing where they see room for improvement.
According to our user community, the top solutions of Q2 2017 are:
According to user reviews, HPE Fortify on Demand is the #1 security testing tool on the market.
What added value has this tool given users, and how does it compare to others they have used? In addition to the added value, how could these solutions be improved later on?
“The solution simply identifies any security flaws that any of our applications might have”, writes a Development and Database Manager at a financial services firm with 501-1,000 employees.
He explains further that “This identification provides us an advantage in that the service itself works to stay abreast and knowledgeable about emerging threats. Rather than have a security team dedicated to that effort, we don’t have to deal with that in a time consuming, direct manner. We don't need to have these skills in-house.”
Bablu Dutt Kumaran, Senior Lead at a software R&D company with 1,001-5,000 employees, points out that as far as future improvements, “The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there. Also, the comments added on each issue were getting lost on multiple iterations of scans, which could be fixed.”
Checkmarx ranks as the #2 application security testing solution among IT Central Station users. For Gustavo-Gonzalez, Product Marketing Engineer at a manufacturing company with 1,001-5,000 employees, the manual code testing feature is of noted value;
“For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon.
Checkmarx acts as the first checkpoint during our consulting for apps that are looking for a security assessment or Penetration Testing.”
For Abhishek Pratap Singh, a Security Test Engineer at a tech vendor with 1,001-5,000 employees, beneficial improvements would be addressing that “the resolutions should also be provided.
For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered.”
Ranked by IT Central Station users as the number three application security testing solution, Veracode is described by this security consultant at a tech company with 501-1,000 employees as having:
“Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.”
Gustavo Gonzalez, Product-marketing engineer at a manufacturing company with 1,001-5,000 employees also suggests potential features that would improve Veracode’s software, such as:
“To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources.”
IBM Security AppScan ranks among IT Central Station users as the number four application security testing solution.
“The most valuable feature of this product is its capability to detect XSS and SQL injection”, writes a security consultant at a tech vendor with 501-1,000 employees.
In parallel, this security consultant would also hope to see “Better detection of DOM-based XSS and Better remediation guidance using code examples and contexts.”
Ranked as the number five application security testing tool, QualysGuard Web Application Scanning is discussed by several IT Central Station users:
A senior security systems engineer at a software R&D company with 501-1,000 employees writes:
“WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for. We didn't need any knowledge of these vulnerabilities or how they worked to scan for them and to gain the visibility.”
Later on in his review, this same user adds that “The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.”
Learn more about application security testing tools from real users at IT Central Station.
Not listing any IAST/RASP solutions, such as Contrast Security, seems very wrong. The tools listed here generate tons of false alarms, don't work on APIs, and aren't compatible with modern software development (Agile/DevOps).