We performed a comparison between Invicti and Sonatype Lifecycle based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Its ability to crawl a web application is quite different than another similar scanner."
"When we try to manually exploit the vulnerabilities, it often takes time to realize what's going on and what needs to be done."
"The most attractive feature was the reporting review tool. The reporting review was very impressive and produced very fruitful reports."
"Crawling feature: Netsparker has very detail crawling steps and mechanisms. This feature expands the attack surface."
"The solution generates reports automatically and quickly."
"It has a comprehensive resulting mechanism. It is a one-stop solution for all your security testing mechanisms."
"The scanner and the result generator are valuable features for us."
"Attacking feature: Actually, attacking is not a solo feature. It contains many attack engines, Hawk, and many properties. But Netsparker's attacking mechanism is very flexible. This increases the vulnerability detection rate. Also, Netsparker made the Hawk for real-time interactive command-line-based exploit testing. It's very valuable for a vulnerability scanner."
"The reference provided for each issue is extremely helpful."
"The most valuable feature is that I get a quick overview of the libraries that are included in the application, and the issues that are connected with them. I can quickly understand which problems there are from a security point of view or from a licensing point of view. It's quick and very exact."
"For us, it's seeing not only the licensing and security vulnerabilities but also seeing the age of the open-sources included within our software. That allows us to take proactive steps to make sure we're updating the software to versions that are regularly maintained and that don't have any vulnerabilities."
"The most valuable function of Sonatype Lifecycle is its code analysis capability, especially within the specific sub-product focusing on static analysis."
"The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass onto them for review."
"The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository."
"It was very easy to integrate into our build pipeline, with Jenkins and Nexus Repository as the central product."
"The most valuable features of the Sonatype Nexus Lifecycle are the evaluation of the unit test coverage, vulnerability scanning, duplicate code lines, code smells, and unnecessary loops."
"Netsparker doesn't provide the source code of the static application security testing."
"They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."
"Right now, they are missing the static application security part, especially web application security."
"Maybe the ability to make a good reporting format is needed."
"The solution needs to make a more specific report."
"The scanner itself should be improved because it is a little bit slow."
"The scanning time, complexity, and authentication features of Invicti could be improved."
"The proxy review, the use report views, the current use tool and the subset requests need some improvement. It was hard to understand how to use them."
"It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."
"Some of the APIs are just REST APIs and I would like to see more of the functionality in the plugin side of the world. For example, with the RESTful API I can actually delete or move an artifact from one Nexus repository to another. I can't do that with the pipeline API, as of yet. I'd like to see a bit more functionality on that side."
"Their licensing is expensive."
"The price can be improved."
"The solution is not an SaaS product."
"We do not use it for more because it is still too immature, not quite "finished." It is missing important features for making it a daily tool. It's not complete, from my point of view..."
"One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard."
"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
Invicti is ranked 20th in Application Security Tools with 25 reviews while Sonatype Lifecycle is ranked 6th in Application Security Tools with 42 reviews. Invicti is rated 8.2, while Sonatype Lifecycle is rated 8.4. The top reviewer of Invicti writes "A customizable security testing solution with good tech support, but the price could be better". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". Invicti is most compared with OWASP Zap, Acunetix, PortSwigger Burp Suite Professional, Tenable.io Web Application Scanning and Fortify WebInspect, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitLab and Checkmarx One. See our Invicti vs. Sonatype Lifecycle report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.