Examples of the 96,000+ reviews on PeerSpot:

Shritam Bhowmick - PeerSpot reviewer
Vulnerability Management Lead at garrett
Real User
Top 20
Provides reliable application security but needs better integration options
Pros and Cons
  • "The reporting functionality is excellent."
  • "In terms of behavioral and pattern recognition, identifying complex attacks such as SQL, blind SQL, JSON, and LDAP injections often results in 94% false positives."

What is our primary use case?

Our main use case for Rapid7 InsightAppSec is to perform internal assessment of applications and external facing applications. We have a cloud engine plus on-premises engine, and we have been leveraging both to conduct our internal app sec and external web application security scanning.

There are some areas for improvement regarding false positives. The integration capabilities are limited, as options for integrations with other tools such as SNOW, Jira, or other integration tools have been lacking in Rapid7 InsightAppSec. Rapid7 has InsightConnect for automation, but it has not been readily available to us. We would appreciate the ability to integrate with other tools, which is currently lacking in the Rapid7 InsightAppSec platform.

We heavily rely on this platform to do our security work. We also use Security Scorecard, which is another vendor providing external security intelligence and external web application monitoring. We would appreciate if Rapid7 InsightAppSec could leverage its inbuilt functionalities and possibly integrate our own written tools.

From the strong points, it provides very good scan coverage and has excellent cloud-based engine scanning capabilities. It has a user-friendly interface, though it can be glitchy sometimes. The platform currently does not support AI-driven capabilities. They have recently released AI integrations to detect LLM-based attacks, but it is not leveraging LLMs; it's merely detecting LLM attack scenarios.

What is most valuable?

The centralized dashboard feature is very important in Rapid7 InsightAppSec. As part of the red teaming, while vulnerability management is not the only thing I do, it's crucial to see the statistics. If one engine is failing, I would mobilize my internal team to address it properly. It's super important to analyze critical issues, running scans, their effectiveness, and accessible metrics; these details are easily available in the centralized dashboard.

The flexibility in deployment options, including cloud native and on-prem, is very helpful for our infrastructure. We have Rapid7 AppSec installers, and when we attempt to leverage this platform for internal application scanning, the cloud engine cannot interact with our internal applications. This is why we need to depend on our own servers to install those installers from Rapid7 and use the on-premises feature.

We are leveraging the reporting feature of Rapid7 InsightAppSec, and the reporting functionality is excellent. The only issue occurs when using the user interface and exporting files, as it sometimes doesn't work. The issue stems from browser settings where cookies interfere with the user interface. A support technician confirmed they are working on improving this aspect, as browsers' built-in capabilities interfere with their ability to import or export files. The reports themselves are accurate and very good, except where many entries may be false positives.

What needs improvement?

There are areas for improvement regarding false positives. Integration capabilities are lacking, as options for integrations with other tools such as SNOW, Jira, or other integration tools are not sufficient in Rapid7 InsightAppSec.

The user interface sometimes has glitches, which may prevent appropriate results during navigation, and even when we get appropriate results, it can be impossible to export them to CSV records or download files.

Regarding scalability, Rapid7 InsightAppSec is not a scalable solution for our industry due to limited integration capabilities. Rapid7 relies on another tool called InsightConnect, which requires additional investment, detracting from scalability.

Another area that needs improvement is the integration of AI capabilities into the platform. Both Rapid7 InsightAppSec and InsightVM need to advance in that area.

In terms of behavioral and pattern recognition, identifying complex attacks such as SQL, blind SQL, JSON, and LDAP injections often results in 94% false positives. This necessitates improvement in their behavioral-based analytics feature.

What do I think about the stability of the solution?

Regarding stability, there are no complaints as it works as it should, but the issue of false positives is significant. Stability is fine, but we have to question the false positives. If those false positives were eliminated, it would be good; however, stability in general is not a concern for us.

What do I think about the scalability of the solution?

Rapid7 InsightAppSec is not a scalable solution for our industry. Scalability will always factor in terms of integration possibilities. To scale something, you will always need the ability to integrate with other tools. At the moment, the integration capabilities are not very good, which is disappointing. Rapid7 tends to rely on another tool called InsightConnect for which you must spend more money, which detracts from scalability. If I had to rate scalability on a scale of one to ten, I would give it a four or five.

How are customer service and support?

I have a very good impression of Rapid7's technical support. They have provided excellent technical support, and they are responsive. However, they seem to struggle with their own methods of handling tickets. We have support both on call and for any issues that arise, and it is always timely. What I would suggest is that while the technicians understand the problems and accept them, they do not adequately integrate feedback into their products. Hundreds of feedback items have been submitted over the past three years without notable improvements being integrated or implemented, which is disappointing. Otherwise, the technical support itself is satisfactory.

How would you rate customer service and support?

How was the initial setup?

The initial setup for Rapid7 InsightAppSec is very straightforward, and the installations have been seamless. That is why I have been recommending it; there were no errors or technical difficulties in the process. Anyone can easily set it up, provided they have appropriate and powerful servers. It truly boils down to your own infrastructure if you can deploy it correctly.

For us, it took approximately 40 minutes to deploy. We did not use an integrator, reseller, or consultant for deployment because the documentation was so apt that we managed to set it up ourselves. Although we had various kinds of consultants available, we didn't need to leverage them since we had the knowledge to install it, and it was super easy.

What other advice do I have?

The behavior-based analytics feature in Rapid7 InsightAppSec has not been leveraged. From what I believe, it does not come out of the box within Rapid7 InsightAppSec. The behavioral aspect appeared to focus on scanning, where blind SQL injections were mostly false positives that required manual tests to confirm.

The pricing for Rapid7 is very expensive. We are paying $14 per asset for Rapid7 InsightVM and have 6,000 assets, which amounts to approximately $29,000. We've compared this with other tools such as Burp Suite's DAS platform, QualysGuard, and HP Fortify. Despite having E5 and E3 licenses that offer free access to Microsoft's Vulnerability Management dashboard, our significant investments in Rapid7 prevent us from switching.

I would recommend Rapid7 InsightAppSec if you have a stable industry, not a hybrid one that relies on too many technologies. If you use different stacks in your technology, Rapid7 might not be the tool for you. It can be very efficient if you have a similar stack, such as a Linux environment or Windows environment, which is very specific to this profiling.

On a scale of one to ten, I rate this solution a seven.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Manager in Quality and Processes at a transportation company with 1,001-5,000 employees
Real User
Top 20
Action words streamline test case management and boost integration with project tools
Pros and Cons
  • "The most valuable feature of CucumberStudio is its use of action words, which allows me to avoid writing test cases from scratch for the most common scenarios."
  • "CucumberStudio's API integration could be improved both in terms of reliability and design."

What is our primary use case?

I use CucumberStudio as a test case repository. All of our test cases are stored there. It is also part of our test planning process. For every sprint, we plan the test cases in CucumberStudio and integrate it with project management tools such as Jira. This enables us to link user stories in Jira with CucumberStudio and track our test cases.

What is most valuable?

The most valuable feature of CucumberStudio is its use of action words, which allows me to avoid writing test cases from scratch for the most common scenarios. Moreover, CucumberStudio's support for code integrations and API calls is excellent. The platform provides the benefit of unlimited read-only accounts, enabling various roles like engineers and product managers to review test cases and results. The structure of CucumberStudio is also commendable, as it supports BDD style Gherkin syntax, which is useful for our test management processes.

What needs improvement?

CucumberStudio's API integration could be improved both in terms of reliability and design. The API requires data to be sent in a specific format, which takes time to build. Additionally, the reporting features could be made more intuitive.

For how long have I used the solution?

I have been working with CucumberStudio for about five years.

What do I think about the stability of the solution?

CucumberStudio is stable for the most part, although there have been a few outages, both planned and unplanned. However, these outages were infrequent. Overall, it worked well most of the time.

What do I think about the scalability of the solution?

CucumberStudio is a scalable cloud-based solution. The scalability depends on the number of user accounts, allowing us to scale according to our needs.

How are customer service and support?

I contacted SmartBear support a couple of times for feature requests and during downtimes. They were quite responsive.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have used other test management tools in the past, but I'm not using any currently.

How was the initial setup?

The initial setup was easy. Since it is a cloud-based solution, we only needed to create our accounts.

What was our ROI?

Testing efficiency improved, but it is difficult to quantify the benefits in terms of money.

What's my experience with pricing, setup cost, and licensing?

CucumberStudio was affordable for us. We negotiated good deals with SmartBear, and affordability can vary based on individual perspectives.

What other advice do I have?

For teams following a BDD style software development approach, CucumberStudio is a great collaborative tool that covers all the basic requirements of a test management tool. I would rate CucumberStudio an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other

Disclosure: My company does not have a business relationship with this vendor other than being a customer.