Share your experience using Continuous Dynamic (formerly WhiteHat Dynamic)

My main use case for StackHawk is to analyze our application live in our EKS cluster.

A specific example of how we use StackHawk in our EKS cluster is that we deployed an agent authenticated to the StackHawk platform and it is in charge of analyzing our different repositories, letting us know if we have any open vulnerabilities within our base code. Every scenario of analysis is completely published into the StackHawk platform so we can see if we have open vulnerabilities to solve and how much time it takes to perform the analysis.

The best feature StackHawk offers is called Attack Surface, which is a way of letting us know what repositories that we have hosted in any repository system have a surface attack, and in that case, we integrate the platform into StackHawk, then they let us know the application code base and how we have to integrate it and easily set up the application.

The Attack Surface feature has helped our team by having an inventory of our repositories and which of them have a surface attack.

StackHawk has positively impacted my organization by giving us a new vision of how vulnerabilities were seen, as we now have more visibility in that matter. We now take care of not just the static analysis and the composition analysis, but the dynamic analysis. When our microservices are running, we do have a vision of how it performs, and it also lets us know if we have any open vulnerabilities so we can close them.

Since we started using StackHawk, we've seen reports on different vulnerabilities that we have in our current microservices within the cluster, so now we have a wide vision and a wide perspective, and also we have new ideas about what we need to do. We also have similar microservices, so most of them are common errors and now we are closing up that gap of vulnerabilities.

StackHawk can be improved in the way that it is integrated, as at the very beginning, the idea was to, within the pipeline, mount the different resources that our microservices needed to start to run. For example, if we have a service that needed Redis, maybe Kafka, or a database to initialize, we did need to have a Docker Compose file, get up those services, and after that, do the analysis. It didn't have that; it wasn't reachable at the very beginning and it wasn't that good as we expected. But at some point, we decided to mount it as an agent in the Docker file, and it was waiting for new jobs. It was even better, and when we figured out how to integrate it within our EKS cluster, suddenly we started reaching to the services, knowing what was going on, and everything related to security. As long as we have a P2T to our QA site or cluster, we do not have garbage in our databases, but StackHawk does put a little information, a garbage information, doing their job.

That's the main area I'm focusing on right now regarding needed improvements.

I've been using StackHawk for almost a year.

StackHawk is stable.

Regarding StackHawk's scalability, I don't have a clear vision about how scalable it is, but we can use it in every microservice that we have, and we have almost 300 microservices and all of them can be analyzed within the cluster with our agent.

The customer support was amazing; every time they could, they brought a Spanish translator, so the communication was really smooth. I would rate the customer support ten out of ten.

I didn't previously use a different solution for dynamic analysis.

Regarding my experience with pricing, setup cost, and licensing, I'm not sure about pricing since I wasn't part of the team that got the application. The setup cost was actually really cheap; I hosted a self-runner with an image based on the StackHawk one, so it was really cheap and easy. I want to emphasize that I was not part of the pricing details and I'm also not sure about what kind of license we have.

I was just in charge of implementing StackHawk, and I'm actually not part of the security team, so I cannot measure its accuracy and reliability.

Since we started using StackHawk, we've seen reports on different vulnerabilities that we have in our current microservices within the cluster, so now we have a wide vision and a wide perspective, and also we have new ideas about what we need to do. We also have similar microservices, so most of them are common errors and now we are closing up that gap of vulnerabilities.

Actually, I cannot say that we have seen a return on investment, as we've been using it recently and the company hasn't adopted it with all the services, so there isn't any measurement about that. Also, at the very beginning, we were just working with two engineers, and now we have maybe just one, but I don't know, it's complicated.

Actually, I cannot say that we have seen a return on investment, as we've been using it recently and the company hasn't adopted it with all the services, so there isn't any measurement about that. Also, at the very beginning, we were just working with two engineers, and now we have maybe just one, but I don't know, it's complicated.

The setup cost was actually really cheap; I hosted a self-runner with an image based on the StackHawk one, so it was really cheap and easy.

We did not evaluate other options before choosing StackHawk; we went straightforward to it.

I don't actually have a clear perspective on StackHawk's AI capabilities regarding its governance and security.

My advice to others looking into using StackHawk is to stay prepared. Document how your architecture works, whether you have decoupled services or not. Based on that, it will be easier or not to use the application. In our case, we had to deploy an agent within our cluster and that was the only way we could analyze our microservices. So be prepared, especially technically, because they can help a lot in different areas, but you're the owner of your own infrastructure, so it relies on you how you're going to implement the solution.

My overall rating for this review is seven out of ten.

Public Cloud

Amazon Web Services (AWS)

My main use case for Aikido Security is to perform SAST, security code review of codes provided by developers, and SCA determination or dependency checks.

I used Aikido Security during an engagement where I performed SAST on a code to review what flags or vulnerabilities are part of the codebase. I identified many critical and high-level vulnerabilities, which helped to further mitigate those so that in production, there are no such issues.

Additionally, I perform SCA determination with Aikido Security to check that dependencies are not vulnerable in nature, ensuring all are safe and no vulnerabilities are present in the dependencies.

Aikido Security offers the best features including being very easy to use, allowing even a normal tech person with some hands-on experience to use this tool and clearly get the results they want. If we go for DAST also, it is very good.

The ease of use of Aikido Security helps my daily workflow since I can upload my whole codebase, and it will identify at each line where the vulnerabilities are present and provide recommendations to fix and related vulnerabilities, detailing what those vulnerabilities are and how they will impact the whole code or the infrastructure.

Aikido Security has positively impacted my organization by reducing a lot of work to manually check each line of code; the process goes on and on. Iterations have increased due to manual work, but the iterations which earlier took around seven to eight are now only taking two to three. Using that, a lot of our time gets saved.

For a secure code review or SAST, usually we are taking around seven to ten days, but using Aikido Security, we complete the activity within two to three days.

I think Aikido Security could improve by reducing some pricing model. I checked the pricing, but it is a little high for a normal person if a single person wants to use it for themselves. Pricing is quite high for a normal user, and if they can make it a little less, it will be much better.

I started with a free tier, which could include some features of DAST so that users can understand how it will work when a person purchases a license for Aikido Security. This way, new users will be much more aware of the good features of this product, demonstrating that this tool will definitely help them.

Aikido Security's pricing model is a little bit high for a normal person, around $250 per month. If you have a small team, you can definitely go for that and work within their designated period of time. However, if you are a normal person just wanting to perform DAST for entry-level and understand its workings, you can choose the free tier, which also provides a lot of information.

I have been using Aikido Security for the last four to five months,

Aikido Security is very stable.

Aikido Security is quite scalable in nature; you can deploy it on your team, and if you have a large team, it works very well.

Customer support is good; if you raise a query, hardly within a day, your issues get resolved, and designated teams contact you instantly, with tickets getting created and all the tracking happening very smoothly.

I haven't used a different solution, but I have listened about Checkmarx and other tools; however, they don't seem to perform well. I definitely used Aikido Security, and after that, I don't want to switch to any other. It is very good.

You can say we have seen a return on investment in time saved. Regarding pricing, I don't know how much ROI we have saved, but you can say the task, which usually took around seven to eight days, now takes two to three days, hardly three days. Within that, we just complete the task using Aikido Security, so we save around three to four days.

Before choosing Aikido Security, I evaluated other options such as Checkmarx, Semgrep, and SonarLint. These are in the market, but Aikido definitely performs better than all of them, and its customer support is very good. That's why I chose Aikido Security. I compared online reviews, and Aikido seems to be very promising in that nature, so I chose Aikido Security from my point of view.

Regarding Aikido Security's accuracy and reliability of output, I can say its reliability is 80 to 90%. It definitely works and delivers very good results, easily identifying if you need clarification with the type of vulnerability it has identified and providing a more detailed review of each of them.

If a person is looking for a SAST, DAST, and a complete combination of a pack of security tools, then Aikido Security is best. It helps to perform SAST, DAST, which is dynamic application testing, and most tools don't combine all of them in one. You can also scan your cloud and your infrastructure as code things, covering all the wide areas of your project, so that type of person can definitely choose Aikido Security.

I would rate my overall experience with Aikido Security as an 8 out of 10.

On-premises

Other