Application Security Tools Azure Reviews

Showing reviews of the top ranking products in Application Security Tools, containing the term Azure
Veracode: Azure
Ajit Matthew - PeerSpot reviewer
Sr. Partner IT and Information Security at TheMathCompany

We use Veracode for static and dynamic code analysis, as well as software composition analysis (SCA). Using it ensures that our products are compliant, and it also provides an external method to assure our customers that our products are free from any flaws, or application security issues.

Our product resides on the Azure Cloud, and we have Veracode access it directly.

Daniel Krivda - PeerSpot reviewer
DevOps Engineer at an insurance company with 10,001+ employees

We use it for static scans. It is mandatory in our company for every sort of project.

Veracode provides the organization an understanding of security bugs and security holes in our software, finding out if the software is production-ready. It is used as gate management, so we can have a fast understanding if the software is suitable for deployment and production.

My job is to help projects by getting the data integrated in Veracode. I don't own the code or develop code. In this area, I am a little bit like an integration specialist.

We use Azure and AWS, though AWS is relatively fresh as we are now just starting to define guidelines and how the architecture will look. Eventually, within a half year to a year, we would like to have deployments there. I am not sure if dynamic scanning is possible in AWS Cloud. If so, that would be just great.

PortSwigger Burp Suite Professional: Azure
Mouli Siramdasu - PeerSpot reviewer
Associate Consultant at ATOS
Microsoft Azure
Micro Focus Fortify on Demand: Azure
Jayashree Acharyya - PeerSpot reviewer
Executive Manager at PepsiCo

Whenever we have a new application we scan it using Micro Focus Fortify on Demand. We then receive a service connection from Azure DevOps to Micro Focus Fortify on Demand and the information from the application tested.

We are using Micro Focus Fortify on Demand in two ways in most of our processes. We are either using it from our DevOps pipeline using Azure DevOps or the teams which are not yet onboarded in Azure DevOps, are running it manually by putting in the code then sending it to the security team where they will scan it.

We use two solutions for our application testing. We use SonarQube for next-level unit testing and code quality and Micro Focus Fortify on Demand mostly for vulnerabilities and security concerns.

SonarQube: Azure
Gustavo Lugo - PeerSpot reviewer
Chief Solutions Officer at CleverIT B.V.

I am now working in a consultancy company and I work with different clients in different industries. For this reason I implement, for example, a delivery pipeline with the process whereby we need to validate the quality gate of the quality code. Meaning, the developer creates the unit testing and the code coverage, but grants the code coverage for a specific person. In other cases, we used to see what the technical debt was to see if there are any bugs in the applications - the web application, mobile application and different languages, like, C-Sharp, JavaScript or Java, et cetera.

We deploy SonarQube on-premise on a Linux server and our pipelines were created with GitLab and Azure DevOps. Meaning that Azure DevOps and GitLab are the tools that do the build and release process.

We use Microsoft Azure and Google Cloud Platform a little.

AN
Project Manager at a manufacturing company with 1,001-5,000 employees

We found the solution to be scalable. We already integrated SonarQube with our CI/CD pipeline in Azure DevOps, and it works really well. We also integrated with the Jenkins CI/CD pipeline, and we also linked with the Visual Studio using SonarLint. That works really well.

We plan on expanding and need more licenses. 

PJ
Staff DevOps Specialist at a computer software company with 201-500 employees

It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis.

We have the enterprise version. In terms of deployment, on-premise is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.

IH
Head of IT Security Department at a tech services company with 501-1,000 employees
Mend: Azure
GM
Senior Lead Software Engineer at a tech services company with 10,001+ employees

The integration with Azure DevOps was good.

The results and the dashboard they provide are good.

It was pretty straightforward for me.

Ben Dyer - PeerSpot reviewer
Head of Software Engineering at a legal firm with 1,001-5,000 employees

There was a little hiccup with the Azure DevOps extension. Three or four months ago there was a release that caused a problem, and since then they fixed it. At the time, there was a week or so where we had some issues regarding not being able to scan properly, however, that was fixed reasonably swiftly.

Jeffrey Harker - PeerSpot reviewer
System Manager of Cloud Engineering at Common Spirit

Finding vulnerabilities is pretty easy. Mend (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Governance up until that time had been manual and when we tried to do manual governance of a large codebase, our chances of success were pretty minimal. Mend (formerly WhiteSource) does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.

We use Mend (formerly WhiteSource) Smart Fix. I’d say pretty much everything in Mend (formerly WhiteSource) is easy to use. We really don't have too much difficulty using the product at all. I've implemented other scanners and tools and had much more trouble with those products than we've ever had with Mend (formerly WhiteSource). That’s extremely important. It's hard to sell to some of these teams to put any level of overhead on top of their product development efforts and the fact that Mend (formerly WhiteSource) is as easy as it is to use is a critical aspect of adoption here. It scores very highly on that scale.

Mend (formerly WhiteSource) Smart Fix helps our developers fix vulnerable transitive dependencies. It's all very helpful to our development community. First of all, we're able to find that there are issues. Second of all, we're able to figure out very quickly what needs to be done to remediate the issues. 

Mend (formerly WhiteSource) helped reduce our mean time to resolution since adopting it. A lot of it is process improvement and technical aspects that can tell us how to go about remediating the issues. We get that out of Mend (formerly WhiteSource). Making the developers aware that these issues are there and insisting they be corrected and making the effort to do that visibly is very valuable to us.

Overall, Mend (formerly WhiteSource) helped dramatically reduce the number of open-source software vulnerabilities running in our production at any given point in time. I won't give metrics, however, it's fair to say that our state before and after Mend (formerly WhiteSource) is dramatically different and moved in a positive direction.

Mend's ability to integrate our developer's existing workflows, including their IDE repository and CI is good. Azure DevOps is really important. That's what the pipelines are. That's a very important piece of the entire puzzle. If this was just an external scanner where periodically we'd go through and scan our repos and give them a report, we’d do that with pen testing products, for example, for security testing. The problem is, by the time they get those reports, they've already shipped the code to multiple environments and it's too late to stop the train. With these features being baked into the pipelines like this, they know immediately. As a result, we're able to quickly take action to remediate findings.

Nils Hedström - PeerSpot reviewer
Architect/Developer at an insurance company with 5,001-10,000 employees

We use WhiteSource for scanning open source libraries, called SCA, for both vulnerabilities and open source licenses. We deployed WhiteSource with Azure DevOps.

HCL AppScan: Azure
EE
Innovation manager at a computer software company with 51-200 employees
Microsoft Azure
Sonatype Nexus Firewall: Azure
UJ
Senior Cyber Security Architect and Engineer at a computer software company with 10,001+ employees

For people who don't have a lot of Linux knowledge—including myself, I'm purely a Windows guy—it can be very tricky. It did take us a long time to stand up the environment.

The fact they don't have professional services to implement it for you is a big gap. I have a good relationship with everyone on the Sonatype team. I sent them an email and they made time to jump on a call and help us build it. That is what is expected from a large, enterprise-level company. We have Azure Sentinel and F5 and these companies have professional services. They help you from end-to-end, starting with the implementation. Sonatype does not have that at the moment. It does become challenging when you're not a Linux guy and you need to learn and implement it and to make sure that you're deploying it securely.

To be fully ready, it took us two months. I was involved, along with one of my engineers, and we had the help from Sonatype team.

In terms of an implementation strategy, we had the whole high-level architecture set up, which was not very hard. But to engineer it and do it was a little challenging for me, but it could be different for people who have Linux knowledge.

There are about 200 people using it across our organization. Most of them are developers and data scientists. I take care of the day-to-day maintenance. The upgrades are easy, the directions are easy. If you do need help, you can reach out to the support.

Sonatype Nexus Lifecycle: Azure
Chris Coetzee - PeerSpot reviewer
Managing Director at Digalance

Most software innovation happens in an open-source environment, and developers generate only a small amount of code. The customers we encounter generally perform static code analysis immediately before they move code into production. If the security guys detect issues, they will send the code back into development. 

Lifecycle integrates everything from IDE down to production. It's a unique solution that helps customers embrace open-source development because that's where the innovation is happening. At the same time, I know the code coming into my environment is clean. A lot of our customers have adopted Azure DevOps, especially on the banking side. Some parts of the solution are in the cloud, while others are on-prem.

Tenable.io Web Application Scanning: Azure
MC
Security Specialist at a tech services company with 51-200 employees

It collects the vulnerabilities on the hostnames and sends them to the Tenable.io cloud. Tenable has its own cloud where Tenable.io is running, but there are many connectors to other cloud solutions. Tenable can do vulnerability scanning for other cloud managers such as Azure, Amazon, and so on.

Snyk: Azure
Nawal Singh - PeerSpot reviewer
Senior DevSecOps/Cloud Engineer at Valeyo

We are using Snyk along with SonarQube, and we are currently more reliant on SonarQube.

With Snyk, we've been doing security and vulnerability assessments. Even though SonarQube does the same when we install the OWASP plugin, we are looking for a dedicated and kind of expert tool in this area that can handle all the security for the code, not one or two things.

We have the latest version, and we always upgrade it. Our code is deployed on the cloud, but we have attached it directly with the Azure DevOps pipeline.

GitGuardian Internal Monitoring: Azure
BK
DevSecOps Engineer at a computer software company with 1,001-5,000 employees

The most valuable thing about GitGuardian is the speed with which it works. If you accidentally commit a private key to a public repo, you need to know that instantly. GitGuardian has this thing called "Dev in the loop." The developer who committed the secret is notified, and they get a form to fill out so they can give us instant feedback, which is super helpful for us. Due to the nature of the software we write, sometimes we get false positives. When that happens, our developers can fill out a form and say, "Hey, this is a false positive. This is part of a test case. You can ignore this." What's more, the tool helps us with triage. As soon as the secret is committed, we receive Slack alerts and jump right on it.

GitGuardian's "Dev in the loop" feature has sped up our time to remediation quite a bit. Of course, not every developer is responding, but that's just the nature of the organization itself. It's not the fault of the product. It's just that some people are not as quick to act. So when developers do respond, I would say issues get resolved several times faster because we know from the jump if it's an issue or not.

It's hard to evaluate how accurate the tool is because of the type of software we write. We're a vulnerability company here, so we write a lot of test cases using test data that are looking for things like secrets, so we have false positives. Some of GitGuardian's detectors take that information into account. With things like a general high-entropy detector, we expect a potentially high false-positive rate. However, for something like an AWS key detector, GitGuardian's efficacy is near a hundred percent, if not 100%. I can't recall any instances off the top of my head where it inaccurately flagged an AWS key or an Azure key.

Abbas Haidar - PeerSpot reviewer
Head of InfoSec at a tech services company with 51-200 employees

There is room for improvement in GitGuardian on Azure DevOps. The implementation is a bit hard there. This is one of the things we requested help with. I would not say their support is not good, but they need to improve in helping customers on that side.

Andrei Predoiu - PeerSpot reviewer
DevOps Engineer at a wholesaler/distributor with 10,001+ employees

We played around with others. GitHub has a big advantage because they are GitHub. Their focus is on zero false positives, but we would rather have a few false positives and get everything.

We tried TruffleHog once. I don't remember why, but it didn't work quite right for us. We did see a lot more secrets being detected by GitGuardian than TruffleHog.

We ran GitGuardian and TruffleHog in parallel. We noticed that GitGuardian was finding a bunch of random secrets that TruffleHog did not. I think that GitGuardian is using machine learning, or something like that, to understand Azure, AWS, Google API keys, or standard secrets very commonly pushed into GitHub. They figure out even random API keys or secrets that developers made up by themselves and put them in their code. Other solutions do not detect these unless we put a specific rule for that, but how can we put a rule for something that a developer just thought up in their head?

GitGuardian's surveillance perimeter is better for removing blind spots than any of the other products that we tested.

With the Git solutions, we spent a lot of time doing research. Because we have a big contract with GitHub, we were leaning heavily towards them. GitHub relies on some very hard-coded rules that they build themselves about, "What do secrets look like? What does a password look like? What does a key look like?" If you want to catch new types of secrets, you need to make the rules yourself or wait until GitHub adds new rules. While GitGuardian is very flexible, it will show you, "Hey, we think this might be something that you should look at." Then, we just say, "No, it's not," or, "Oh my God. That is definitely something that we should look at." That is the main advantage of GitGuardian.

This is where they are at a disadvantage. One of our biggest issues is that GitGuardian doesn't just search the code as it is right now. It searches the whole history of your code change in every repository. So, if we ever push a secret, even if you deleted it, it is still in the history because that is how Git works. We can reset those keys, secrets, and even delete them from the history itself. We can rewrite the history so they were never there to begin with if you search for them now. What we cannot do is delete them from pull requests and such. Those pull requests are controlled by GitHub and only GitHub can do it. We actually have to call GitHub support to erase the secrets from our requests. So, it's not really GitGuardian's problem; it's GitHub's.

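The two reviews above describe two different kinds of secret detector: a precise, format-based one (the reviewer who says GitGuardian's AWS key detector is "near a hundred percent") and a generic high-entropy one that also catches developer-invented tokens but produces false positives on test data, which the developer then marks as such. The sketch below is an added example written for this page, not GitGuardian's code or either reviewer's own. The AWS access key ID pattern (AKIA plus 16 upper-case alphanumerics), the 20-character token regex, the 4.0 bits-per-character threshold, the allowlist mechanism and every sample line are assumptions chosen for illustration; the key ID used is the public placeholder from AWS's documentation and the other tokens were made up here.

```python
import math
import re

# Format detector (assumed pattern): an AWS access key ID is "AKIA" plus 16
# upper-case alphanumerics. Real products add further checks, for example
# looking for the paired secret key nearby; only the ID format is encoded here.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Generic detector (assumed settings): any token of 20+ "secret-looking"
# characters whose Shannon entropy is at least ENTROPY_THRESHOLD bits/char.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, allowlist=frozenset()):
    """Run both detectors over one line and return a list of (detector, token).

    Tokens in `allowlist` (for example, strings a developer has confirmed are
    test fixtures) are suppressed so the same false positive is not raised again.
    """
    findings = []
    for m in AWS_ACCESS_KEY_ID.finditer(line):
        if m.group(0) not in allowlist:
            findings.append(("aws_access_key_id", m.group(0)))
    for m in TOKEN.finditer(line):
        tok = m.group(0)
        if AWS_ACCESS_KEY_ID.fullmatch(tok):
            continue  # already reported by the precise detector above
        if tok not in allowlist and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy", tok))
    return findings


def scan(lines, allowlist=frozenset()):
    """Scan a sequence of source lines; return [(line_no, detector, token), ...]."""
    out = []
    for i, line in enumerate(lines, start=1):
        for detector, token in scan_line(line, allowlist):
            out.append((i, detector, token))
    return out


# Constructed sample input (no real credentials). The AWS key ID is the public
# placeholder from AWS's own documentation; the other tokens were invented here.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',                    # well-formed key ID
    'internal_api_token = "Hk3mZ8pQ1wT6yRb0Lf9Xc2Nj5Ud7Ve4Gs"',      # developer-invented secret
    'user_name = "alice"',                                            # nothing secret-looking
    'padding = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',                     # long but low-entropy
    'TEST_FIXTURE_BLOB = "Zq9xLm2vPk7RtWb4Yn8HsJe3Ga6Uc1Df5Vo0"',    # test data: false positive
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
    # After the developer marks the fixture as a false positive, it is no longer raised:
    for finding in scan(SAMPLE_LINES, allowlist={"Zq9xLm2vPk7RtWb4Yn8HsJe3Ga6Uc1Df5Vo0"}):
        print("with allowlist:", finding)
```

Running the block reports the AWS key ID on line 1 by format, the invented token on line 2 and the test fixture on line 5 by entropy, and nothing for the plain username or the repeated-character padding. Note that the documented AWS example key has an entropy of only about 3.7 bits per character, so the generic detector alone would have missed it: this is why a format rule for each well-known provider is kept alongside the entropy heuristic, and why the reviewers see near-perfect precision on provider keys but a higher false-positive rate on the general detector.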
Edvinas Urbasius - PeerSpot reviewer
IT Security Specialist – SOC analyst at a wholesaler/distributor with 10,001+ employees

We use the GitHub integration. In our company, we use a lot of different systems. I can see CircleCI, Azure, GitHub Actions, and other alert options. In the future, we will implement that. However, just knowing that there are options is already nice since some other security tools don't have many options. That is what I like about GitGuardian, there are a lot of choices. You can plan your strategy about how you will implement things and what you are going to do.

Check Point CloudGuard Application Security: Azure
alvarado - PeerSpot reviewer
Cloud Support Leader at a tech company with 51-200 employees

In our public cloud infrastructure, in this case, Microsoft Azure, we have carried out this implementation to be able to integrate CloudGuard Application Security through the Check Point Infinity Portal, since it was important to have a WAF of Check Point quality and its guarantee of zero false positives. It is something that helps to have total confidence in this tool, generating OWASP Top 10 protection, in addition to AI protection in our infrastructure. Everything is centralized under Check Point Infinity and is quite good. We are able to have a broad protection scheme from the same place.

DH
Support at a tech services company with 51-200 employees

We require the use of a solid security tool for our websites provisioned in Microsoft Azure App Service, which is used for internal use by the company and for external use by the client.

The key requirements that we needed to solve were to have automated protection, to have little administration, and to provide few false positives. All of this was successfully solved or provided through CloudGuard Application Security, and we were also able to centralize everything in the whole family.

GitHub: Azure
SK
CTO at Cantier Inc

It is currently only from the development perspective. It doesn't have features related to project management and testing. It is not like Azure DevOps. So, there is a lot of room for improvement.

It is a version control product, and it would be good if they can come up with a complete DevOps product.

Gustavo Lugo - PeerSpot reviewer
Chief Solutions Officer at CleverIT B.V.

We are an IT service company that specializes in DevOps, and we use many tools for application lifecycle management, such as GitHub, GitLab, SonarCloud, SonarQube, Docker, Kubernetes, and Azure DevOps. 

We mainly use this solution for storing the code of our applications and our scripts. We also use it for our automated functional testing and for building applications and releasing applications. It is also used to manage our team and our product, as well as to check the security of our product. 

We are a partner and reseller, and we use GitHub Cloud.

Daniel Piessens - PeerSpot reviewer
CEO at RevealRx LLC

We were using Azure DevOps previously, and we switched to GitHub primarily due to cost. The automated build platform is costly on the Azure DevOps side but significantly less expensive on the Azure side.

PE
Software Test Automation Engineer at a manufacturing company with 5,001-10,000 employees
Microsoft Azure
Subodh Ghuge - PeerSpot reviewer
UiPath developer at Tata Consultancy

I think Microsoft SVN is also a good solution compared to GitHub. Our organization is tied up with Azure, and many of the Microsoft tools like Office or 365 are provided. It's easy to have Microsoft for the code repository as well rather than getting GitHub.

Using the microsoft.net framework is easier than using UiPath on .NET.

Michael Barlow - PeerSpot reviewer
Chief Web Application Architect at Dbitpro, llc
Microsoft Azure
VivekSaini - PeerSpot reviewer
IT Consultant at Aon Corporation

GitHub can integrate with AWS, Azure, and Google Cloud. If you are using a VPN, the integration will be more difficult. I would rate this product an eight out of ten.

Athmabhuthi H - PeerSpot reviewer
Managing Consultant at Wipro Limited

We used open-source Git and later used GitLab, which is a flavor of Git. GitHub, GitLab, Bitbucket, and Azure Repos are all flavors of Git. The underlying version-control functionalities come from Git, but different vendors have their own flavors. I have experience in all four of these, which are Git.

CirveshDaga - PeerSpot reviewer
Enterprise Architect at Tech Mahindra

We are using GitHub as a repository for a couple of customers to be able to do Infra as Code in Microsoft Azure for them.

MA
Solutions Consultant at a computer software company with 11-50 employees

We use this solution for completing repository services code on Azure. We use it for different customers and to design and test environments. We also use it for some background testing.

DK
User at a pharma/biotech company with 51-200 employees

Using GitHub has been beneficial for us because it was an easy process for users and it has improved efficiency. In contrast to Bitbucket or Azure Repos, moving things over to GitHub was simple.

AS
CTO at a construction company with 1,001-5,000 employees
Microsoft Azure