My main use case for Bitsight when I was at Virtusa was to monitor the external security posture for Virtusa, as Bitsight rates your company based on findings on external assets.
I was part of the internal security team, and Bitsight used to report findings such as open ports on specific IP addresses or web applications owned by Virtusa. Based on that, it gave a severity rating that reflected how severe the vulnerability was or how likely a vulnerability was. I used to take that information and then fix the problem internally. That is how we used to use Bitsight. Our main aim was to use Bitsight to enhance the security of the company so that our score on Bitsight is good, which really matters.
The best features Bitsight offers, in my experience, are the ratings that it gives to vulnerabilities and how frequently it conducts scans for a particular company. Bitsight also used to monitor our third-party providers' security, so it is easier for us to manage the vendors and third parties we are currently engaged with and be aware of their security posture as well, instead of monitoring their security ourselves. That is the most useful use case for Bitsight.
Bitsight gives me a holistic view of my entire security posture, which is something any organization would want to have after getting a tool such as Bitsight. It was sufficient in that way, serving the purpose that we took Bitsight for, and that is why we continued our relationship. We had annual contracts and then renewed them every year based on the performance of Bitsight.
We had internal KPIs based on the number of findings from Bitsight that we closed, and we tracked them internally to work on them. The more vulnerabilities we closed, the more the rating would subsequently reflect it on Bitsight, because they work independently; they do not work as we do inside the company. As long as we were fixing the vulnerabilities, we used to see the score improving, and that is something the board of directors and the internal community were looking for.
Bitsight's scan could be more rigorous and more accurate.
I think it would be good to try to see everything in the company in a more accurate way.
Their scan scheduling could be improved, and they could take more input from the companies they are working with. If they can speed up that process, they would obviously increase that score. We found that some of the findings are clear false positives, but they still report them, and based on that, the rating goes down until we rectify them. So that is something they need to work towards: reducing the number of false positives they rate and focusing on producing more accurate results so that companies get a higher rating.
Bitsight had a professional support service. Whenever there were any ratings that we knew to be based on a false positive or a wrong finding, we used to get on a call with Bitsight support to submit our review of what we found and the evidence for it being a false positive. They used to consider that, revise it internally, and adjust the rating accordingly.
Bitsight is a useful tool to monitor your external posture, and it is backed by a good professional support service. The other teams, such as pre-sales, the support service, and the customer success team, are very good in terms of dealing with customers, which is something to look for in such products.
There is nothing particularly unique about Bitsight, because we were also using another product along with Bitsight. We used to compare the results of Bitsight with that tool and then try to see what the unique proposition or the unique findings were that we could evaluate and then work on internally.
If the ratings were very poor, low, or below the benchmark that we expected for Virtusa, we used to have a meeting with them and then try to negotiate whether they could improve their security, or else we would discontinue business with them. So to that extent, we took actions based on the findings that we got from Bitsight. I give Bitsight a six out of ten for this review.