What is our primary use case?
The use case is that any deployable container we have in our infrastructure should get scanned for vulnerabilities.
It is on a public cloud, and as soon as the containers get deployed to ECR, it automatically scans for vulnerabilities. It scans every hour on the hour.
It is the version that comes out of the box with Amazon.
How has it helped my organization?
It is scanning the whole repository for any sort of vulnerabilities. So, it allows us to be more confident in our DevSecOps and not put a lot of folks or attention to it. We can trust the solution.
Before anything gets out to deployment, we have to be SOC 2 compliant. It gives us the ability to pretty much approach and implement a solution before anything gets out to our staging or production environment. We check in our code very frequently, and we're able to discover and get rid of any vulnerabilities before they make it to our cloud platform.
What is most valuable?
The vulnerability discovery is valuable, and they also rank those vulnerabilities for you. So, you could rapidly attack some of the higher, severe vulnerabilities as they pop up, if they do pop up.
What needs improvement?
There isn't too much to improve right now. Scanning on demand or as a part of the pipeline versus a post-pipeline solution would be good, but it is not a deal breaker by any means.
Other than that, it is really about them just keeping up the pace with all the vulnerabilities out there. The vulnerability databases are growing on a daily basis. So, just making sure that they are on top of that is the key thing that I'm looking for.
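The two things mentioned above, an on-demand scan inside the pipeline and the severity ranking, can be combined into a build gate. The script below is an added example for this page, not the reviewer's code and not a tool supplied by AWS. It assumes the AWS CLI is installed and credentialed on the build runner, that the repository name and image tag are passed as arguments, and it uses only the `aws ecr start-image-scan`, `aws ecr wait image-scan-complete` and `aws ecr describe-image-scan-findings` commands. The function names (`gate`, `blocking_findings`), the `SAMPLE_BASIC`/`SAMPLE_ENHANCED` data and the `CVE-0000-*` identifiers are made up for illustration.

```python
"""Pipeline gate on Amazon ECR image scan findings (added example, not
code from this review or from AWS). Assumes the AWS CLI is installed and
credentialed on the runner and that the build should fail on any finding
at or above a chosen severity."""
import json
import subprocess
import sys

# ECR severity labels, lowest to highest. Basic scanning reports UNDEFINED and
# enhanced (Amazon Inspector) scanning reports UNTRIAGED when no score exists;
# both are ranked between LOW and MEDIUM so they are never silently dropped.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "UNDEFINED", "UNTRIAGED",
                  "MEDIUM", "HIGH", "CRITICAL"]


def rank(severity: str) -> int:
    """Numeric rank of a severity label; unknown labels count as UNTRIAGED."""
    try:
        return SEVERITY_ORDER.index(severity.upper())
    except ValueError:
        return SEVERITY_ORDER.index("UNTRIAGED")


def extract_findings(scan_output: dict) -> list:
    """Flatten describe-image-scan-findings JSON to [{name, severity}].
    Basic scanning lists results under imageScanFindings.findings; enhanced
    scanning under imageScanFindings.enhancedFindings, with the CVE id in
    packageVulnerabilityDetails.vulnerabilityId."""
    body = scan_output.get("imageScanFindings", {})
    found = []
    for f in body.get("findings", []):
        found.append({"name": f.get("name", "?"),
                      "severity": f.get("severity", "UNDEFINED")})
    for f in body.get("enhancedFindings", []):
        vuln = f.get("packageVulnerabilityDetails", {})
        found.append({"name": vuln.get("vulnerabilityId", f.get("title", "?")),
                      "severity": f.get("severity", "UNTRIAGED")})
    return found


def blocking_findings(scan_output: dict, threshold: str = "HIGH") -> list:
    """Findings at or above `threshold`, most severe first (the ranking the
    reviewer uses to attack the worst ones first)."""
    floor = rank(threshold)
    hits = [f for f in extract_findings(scan_output) if rank(f["severity"]) >= floor]
    return sorted(hits, key=lambda f: rank(f["severity"]), reverse=True)


def gate(scan_output: dict, threshold: str = "HIGH") -> bool:
    """True only if the scan finished AND nothing at/above threshold was found.
    A scan that is not COMPLETE fails the gate: "no findings yet" must never
    be read as "no vulnerabilities"."""
    status = scan_output.get("imageScanStatus", {}).get("status", "UNKNOWN")
    return status == "COMPLETE" and not blocking_findings(scan_output, threshold)


def aws(*args):
    """Run one AWS CLI command; return parsed JSON, or None if it printed nothing."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def scan_and_gate(repository: str, tag: str, threshold: str = "HIGH") -> bool:
    """Trigger an on-demand scan, wait for it, print blockers, apply the gate."""
    image = f"imageTag={tag}"
    # ECR rate-limits re-scans of the same image; if the image was just pushed
    # into a repository with scanOnPush enabled, drop start-image-scan and only wait.
    aws("ecr", "start-image-scan", "--repository-name", repository, "--image-id", image)
    aws("ecr", "wait", "image-scan-complete", "--repository-name", repository, "--image-id", image)
    result = aws("ecr", "describe-image-scan-findings", "--repository-name", repository, "--image-id", image)
    for f in blocking_findings(result, threshold):
        print(f"{f['severity']:<13} {f['name']}")
    return gate(result, threshold)


# Constructed samples shaped like describe-image-scan-findings output for
# basic and enhanced scanning; not real scan data.
SAMPLE_BASIC = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findings": [
        {"name": "CVE-0000-0001", "severity": "MEDIUM"},
        {"name": "CVE-0000-0002", "severity": "CRITICAL"},
        {"name": "CVE-0000-0003", "severity": "HIGH"},
    ]},
}
SAMPLE_ENHANCED = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"enhancedFindings": [
        {"severity": "HIGH", "title": "CVE-0000-0004 - openssl",
         "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0004"}},
    ]},
}

if __name__ == "__main__":
    if len(sys.argv) >= 3:   # usage: gate.py <repository> <tag> [threshold]
        ok = scan_and_gate(sys.argv[1], sys.argv[2], *sys.argv[3:4])
    else:                    # offline dry run against the constructed sample
        for f in blocking_findings(SAMPLE_BASIC):
            print(f"{f['severity']:<13} {f['name']}")
        ok = gate(SAMPLE_BASIC)
    sys.exit(0 if ok else 1)
```

Run with no arguments it evaluates the constructed sample and exits non-zero because a CRITICAL finding is present; placed after the `docker push` step as `python gate.py my-repo "$GIT_SHA" HIGH` it blocks promotion to staging on the same findings the ECR console ranks. The CLI equivalent of enabling scanning on an existing repository in the console is `aws ecr put-image-scanning-configuration --repository-name my-repo --image-scanning-configuration scanOnPush=true` (repository name is a placeholder).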
For how long have I used the solution?
I have been using this solution for about a year and a half.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
It is solid in terms of scalability. We have a microservice shop where we're deploying dozens and dozens of solutions a day, and it scans them every hour on the hour and provides us continuous feedback.
Everybody on the engineering development team is using it. There are 10 to 12 folks. We have a DevOps mindset, and we continuously monitor this. We're all responsible for any vulnerabilities that come up. Obviously, there are subject matter experts, but we try to continuously learn and cross-pollinate to address these things as they come up.
It is used for all our Amazon ECR pipelines. It'll be used more because we are pivoting from using JFrog to Amazon more regularly. So, it would be a standard part of our practice going forward.
How are customer service and support?
It is decent. If you pay for it, it is great. They'll get back to you with common questions and based on your tier of support level, but you can jack it up if you want instantaneous support.
Which solution did I use previously and why did I switch?
We used JFrog and JFrog Xray as part of our solution. We switched for data locality. We're pretty much an Amazon shop now. We're trying to limit all the third-party solutions that we're utilizing.
How was the initial setup?
It involves a couple of clicks. Amazon really helps out with it. We just have to use ECR and enable it.
We have continuous deployment for staging and push-button deployment for our production clusters.
What about the implementation team?
It was all done in-house. It requires minimal staff for deployment and maintenance purposes. Some of the setup to automate your pipelines and provide you with continuous monitoring and continuous feedback takes a little bit of effort, but once you have everything set up, the effort is very minimal.
What was our ROI?
I don't have anything available on that at this time. We do know the time we spent, and it is just minimal time. We don't have to dedicate full security folks to this. It is just a part of our pipeline. So, it is very hard to get that chunk out of day-to-day activities.
What's my experience with pricing, setup cost, and licensing?
It is scaled as you go. There are probably a certain number of scans per month, and there are tiers. If you're under a certain tier, it is free. The second level is pennies, and then all the way up to like a million. So, it has a tiered pricing program. They're pretty good with your initial scanning, and there is room to scale based on being affordable, but it is fairly cheap.
There are no additional costs. They pretty much think about it as a pay-per-scan type model.
Which other solutions did I evaluate?
We didn’t really evaluate other options. We just needed to make sure that we had a handle on vulnerabilities.
What other advice do I have?
Security is very critical to maintain. If you don't have a dedicated security team, it allows you to be more productive and confident in your solutions at scale, without having a dedicated team scanning and focusing on security.
I would rate it an eight out of ten. It does its job in what we're looking for. Any software or any product always has room to improve. That's the only reason why I'm not giving it a ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.