CAST Highlight vs Sonatype Lifecycle comparison

 

Comparison Buyer's Guide

Executive Summary
 

Categories and Ranking

CAST Highlight
Ranking in Software Composition Analysis (SCA)
13th
Average Rating
7.8
Number of Reviews
5
Ranking in other categories
No ranking in other categories
Sonatype Lifecycle
Ranking in Software Composition Analysis (SCA)
5th
Average Rating
8.4
Number of Reviews
43
Ranking in other categories
Application Security Tools (5th), Software Supply Chain Security (2nd)
 

Mindshare comparison

As of July 2024, in the Software Composition Analysis (SCA) category, the mindshare of CAST Highlight is 1.4%, up from 0.9% compared to the previous year. The mindshare of Sonatype Lifecycle is 7.3%, down from 8.0% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Software Composition Analysis (SCA)
Unique Categories:
No other categories found
Application Security Tools
2.4%
Software Supply Chain Security
6.8%
 

Featured Reviews

AS
Oct 20, 2022
Easy to set up with optimized and automated insights
We get some code insights from CAST. We get insights as to if this or that function has way too many comments or things like that. We would like to backtrace, and understand how dependent that is as per the application. For example, when you are writing code in C Sharp versus writing code in C++, obviously, C++ has more complexities within that. What CAST does is CAST aggregates for different languages, and if they could provide us inputs for each of these languages separately, then that'd be great. When they classify code between their own code and third-party code, they classify it based on the number of files, and not really the number of lines. I'm not sure how extensive of a change this is on their end; however, it would be nice if they could tell us the number of lines of code that are not theirs. There's a bit of a learning curve at the outset. We have come across bugs occasionally. Technical support could be better.
NS
Dec 29, 2023
Seamless to integrate and identify vulnerabilities and frees up staff time
The Software Security Center, which is often overlooked, stands out as the most effective feature. This on-premises portal, included with their primary SaaS offering, streamlines the process of triaging our results. With thousands of daily active users, the Software Security Center serves as a centralized platform, consolidating results from various tools, including Sonatype, WebInspect's DAST results, and Pen Test findings from our internal team. This unified view eliminates the need for developers to log into multiple portals to access code vulnerabilities, open-source issues, web app scans, and Pen Test results. Instead, they can access everything they need from a single, convenient location. Secure Code Warrior is an invaluable integration and partnership for us. Fortify consistently collaborates with top-tier companies to deliver cutting-edge solutions. For instance, if a developer encounters a common code vulnerability, such as a path manipulation vulnerability in their Java website, and is unsure of how to resolve it, Fortify provides some guidance and standard response protocols. However, for more in-depth information and assistance, they direct us to Secure Code Warrior. Upon providing information on the vulnerability type and language, Secure Code Warrior offers tailored training courses, such as how to fix path manipulations in Java-based applications. This remediation technique, which is unmatched by any other provider, has proven to be incredibly effective.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most valuable features of the CAST Highlight are the interface and there are three notations that are very simple to understand and communicate with."
"The most valuable features of CAST Highlight are automation and speed."
"CAST Highlight is easy to use and has a good dashboard."
"It offers good performance."
"The way it tells you which codebase is more ready for the cloud and which codebase is less ready is very valuable. It works seamlessly with most languages."
"You can really see what's happening after you've developed something."
"The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it."
"When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages."
"We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities."
"It's online, which means if a change is made to the Nexus database today, or within the hour, my developers will benefit instantly. The security features are discovered continuously. So if Nexus finds out that a library is no longer safe, they just have to flag it and, automatically, my developers will know."
"The integration of Lifecycle is really good with Jenkins and GitHub; those work very well. We've been able to get it to work seamlessly with them so that it runs on every build that we have."
"Among its valuable features, it's easy to handle and easy configure, it's user-friendly, and it's easy to map and integrate."
"The dashboard is usable and gives us clear visibility into what is happening. It also has a very cool feature, which allows us to see the clean version available to be downloaded. Therefore, it is very easy to go and trace which version of the component does not have any issues. The dashboard can be practical, as well. It can wave a particular version of a Java file or component. It can even grandfather certain components, because in a real world scenarios we cannot always take the time to go and update something because it's not backward compatible. Having these features make it a lot easier to use and more practical. It allows us to apply the security, without having an all or nothing approach."
 

Cons

"There's a bit of a learning curve at the outset."
"CAST Highlight could improve to allow us to comment and do a deep analysis by ourselves."
"The reports that describe the issues of concern are rather abstract and the issues should be more clearly described to the user."
"Its price should be better. It is a pretty costly tool. They have two products: CAST Highlight and CAST AIP. I would expect CAST Highlight to have the Help dashboard and the Engineering dashboard. These dashboards are currently a part of CAST AIP, and if these are made available in CAST Highlight, customers won't have to use two different products all the time."
"The ease of configuration and customization could be improved in CAST Highlight."
"On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with."
"Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences."
"If you look at NPM-based applications, JavaScript, for example, these are only checkable via the build pipeline. You cannot upload the application itself and scan it, as is possible with Java, because a file could change significantly."
"The solution is not an SaaS product."
"We use Griddle a lot for integrating into our local builds with the IDE, which is another built system. There is not a lot of support for it nor published modules that can be readily used. So, we had to create our own. No Griddle plugins have been released."
"The reporting could be better."
"If there is something which is not in Maven Central, sometimes it is difficult to get the right information because it's not found."
"One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard."
 

Pricing and Cost Advice

"Basic support is included with the standard licensing feed but it can be upgraded for an additional cost."
"It is a pretty costly tool. A lot of customers are resistant to using it."
"CAST Highlight is an expensive solution. However, CAST Highlight is less expensive than the CAST AIP, but it remains too expensive and the professional services from CAST are also too expensive. The high price is part of the problem with the CAST solutions."
"CAST Highlight is an expensive solution."
"Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
"It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight."
"We're pretty happy with the price, for what it is delivering for us and the value we're getting from it."
"The price is good. We certainly get a lot more in return. However, it's also hard to get the funds to roll out such a product for the entire firm. Therefore, pricing has been a limiting factor for us. However, it's a fair price."
"In comparison with other tools, Sonatype Nexus Lifecycle could be more expensive. Still, at the same time, my company prioritizes security, so the pricing for Sonatype Nexus Lifecycle hasn't been an issue. If IT security weren't at the top of the list for my company, somebody would have raised the question about cost and how Sonatype Nexus Lifecycle is in terms of ROI. So far, there's been no question about the price. The cost of Sonatype Nexus Lifecycle hasn't been a problem so far. My company pays for the license yearly, plus technical support."
"In addition to the license fee for IQ Server, you have to factor in some running costs. We use AWS, so we spun up an additional VM to run this. If the database is RDS that adds a little bit extra too. Of course someone could run it on a pre-existing VM or physical server to reduce costs. I should add that compared to the license fee, the running costs are so minimal they had no effect on our decision to use IQ Server."
"Lifecycle, to the best of my recollection, had the best pricing compared with other solutions."
"Its pricing is competitive within the market. It's not very cheap, it's not very expensive."
report
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
792,905 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
20%
Computer Software Company
17%
Insurance Company
10%
Manufacturing Company
10%
Financial Services Firm
34%
Computer Software Company
12%
Government
9%
Manufacturing Company
7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What do you like most about CAST Highlight?
The most valuable features of CAST Highlight are automation and speed.
What is your experience regarding pricing and costs for CAST Highlight?
CAST Highlight is an expensive solution. On a scale from one to ten, where one is cheap, and ten is expensive, I rate the solution's pricing an eight or nine out of ten.
What needs improvement with CAST Highlight?
The ease of configuration and customization could be improved in CAST Highlight.
How does Sonatype Nexus Lifecycle compare with SonarQube?
We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding the issues a lot quicker. The policy engine allows you to set up different t...
What do you like most about Sonatype Nexus Lifecycle?
Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines.
What is your experience regarding pricing and costs for Sonatype Nexus Lifecycle?
I would rate the pricing a seven out of ten, with ten being expensive. The price is high. It depends on the number of licenses. The price increases based on the fact bundle you are collecting. The ...
 

Comparisons

 

Also Known As

No data available
Sonatype Nexus Lifecycle, Nexus Lifecycle
 

Learn More

 

Overview

 

Sample Customers

Wells Fargo, Bank of NY Mellon, Northern Trust, Microsoft, Amazon, IBM, BMW, AT&T, US Army, US Air Force, US Navy, John Hancock, Marsh & McLennan, Ernst & Young, PwC, Volkswagen, Boston Consulting Group, London Stock Exchange, Telefonica, Saur France, Total Energies France, SNCF
Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
Find out what your peers are saying about CAST Highlight vs. Sonatype Lifecycle and other solutions. Updated: July 2024.
792,905 professionals have used our research since 2012.