We performed a comparison between Kiuwan and Sonatype Lifecycle based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."We use Kiuwan to locate the source of application vulnerabilities."
"It provides value by offering options to enhance both code quality and the security of the company."
"I find it immensely helpful because it's not just about generating code; it's about ensuring efficiency in the execution."
"We are using this solution to increase the quality of our software and to test the vulnerabilities in our tools before the customers find them."
"I personally like the way it breaks down security vulnerabilities with LoC at first glance."
"I have found the security and QA in the source code to be most valuable."
"I like that I can scan the code without sending it to the Kiuwan cloud. I can do it locally on my device. When the local analyzer finishes, the results display on the dashboard in the cloud. It's essential for security purposes to be able to scan my code locally."
"I've tried many open source applications and the remediation or correction actions that were provided by Kiuwan were very good in comparison."
"When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages."
"The most valuable features of the Sonatype Nexus Lifecycle are the evaluation of the unit test coverage, vulnerability scanning, duplicate code lines, code smells, and unnecessary loops."
"The integrations into developer tooling are quite nice. I have the integration for Eclipse and for Visual Studio. Colleagues are using the Javascript IDE from JetBrains called WebStorm and there is an integration for that from Nexus Lifecycle. I have not heard about anything that is not working. It's also quite easy to integrate it. You just need to set up a project or an app and then you just make the connection in all the tools you're using."
"Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines."
"The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it."
"We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities."
"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good."
"The grandfathering mode allows us to add legacy applications which we know we're not going to change or refactor for some time. New developments can be scanned separately and we can obviously resolve those vulnerabilities where there are new applications developed. The grandfathering is a good way to separate what can be factored now, versus long-term technical debt."
"The solution seems to give us a lot of false positives. This could be improved quite a bit."
"I would like to see additional languages supported."
"The product's UI has certain shortcomings, where improvements are required."
"The next release should include more flexibility in the reporting."
"I would like to see better integration with the Visual Studio and Eclipse IDEs."
"I would like to see better integration with Azure DevOps in the next release of this solution."
"The configuration hasn't been that good."
"The QA developer and security could be improved."
"Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central... But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be."
"The price can be improved."
"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
"The solution is not an SaaS product."
"In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate."
"We got a lot of annotations for certain libraries when it comes to Java, but my feeling, and the feeling of a colleague as well, is that we don't get as many for critical libraries when it comes to .NET, as if most of them are really fine... It would be good if Sonatype would check the status of annotations for .NET packages."
"We use Griddle a lot for integrating into our local builds with the IDE, which is another built system. There is not a lot of support for it nor published modules that can be readily used. So, we had to create our own. No Griddle plugins have been released."
"It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
Kiuwan is ranked 21st in Application Security Tools with 23 reviews while Sonatype Lifecycle is ranked 6th in Application Security Tools with 42 reviews. Kiuwan is rated 8.6, while Sonatype Lifecycle is rated 8.4. The top reviewer of Kiuwan writes "Though a stable tool, the UI needs improvement". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". Kiuwan is most compared with SonarQube, Checkmarx One, Veracode, Snyk and Fortify on Demand, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitLab and Checkmarx One. See our Kiuwan vs. Sonatype Lifecycle report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.