Kiuwan Reviews

Kiuwan is useful because it provides functions related to secure code review, source code review, detection of security vulnerabilities, and development of proper input validations to get proper output and coding to see if all the systems in our environment are properly used. Some SQL queries are written at the back end or at the server-side code, and the tool helps to check how they have been written. The tool helps us find if there is an issue, like whether an SQL injection attack has occurred in some SQL queries or not, meaning it helps deal with OWASP Top 10 vulnerabilities and some other vulnerabilities that a user can find through source code review. The tool also helps protect sensitive data, including passwords or encryption keys.

The most valuable feature of the solution stems from the fact that it is quick when processing and giving an output or generating a report.

Kiuwan can improve its UI a little more. The user experience can be made better. Kiuwan offers a user interface that is similar to the one offered by Windows 7 or Windows 98, which I saw when I ran the tool and tried to scan the repository to find the security issues. The product's UI has certain shortcomings, where improvements are required.

I have experience with Kiuwan. I have used the solution in the last fifteen months, and before that, I used it for two to three years. I am a customer of the solution.

I found no issues with the product's stability. Once you run the tool to scan the repository and get the report, everything is good. I did not experience any glitches when using the solution.

I have less idea about the scalability feature of the solution since I was its sole user in my company. I used to use its scanning feature, and I don't even know if it has the features to add users who can check reports or use its scanning features.

A session from Kiuwan was made available to help me perform the steps required to take care of the setup phase and how to do the scanning with it. The setup phase was not much of a task to handle, considering how I have experience with Fortify and Checkmarx. In general, Kiuwan was not a tool that was very much known to me, but it was a bit different from the tools that I had experienced in the past.

The solution is deployed on an on-premises model.

The price of Kiuwan is lower than that of other tools on the market.

Personally, I would not suggest Kiuwan to others since I believe that there are better tools in the market, like Checkmarx, if you want a SAST tool to do SAST scans. People can choose Kiuwan over other SAST tools if they face budget-related issues in their company.

I rate the tool a six to seven out of ten.

We use it to modify and enhance code across various aspects of our projects, particularly focusing on key data. The extent of modification varies and is influenced by the specific application and repository requirements.

The significance varies, and it is usually linked to the code's length. I find it immensely helpful because it's not just about generating code; it's about ensuring efficiency in the execution. It offers comprehensive information, covering not only the basics but also delving into controllers, interfaces, and more.

It would be beneficial to streamline calls and transitions seamlessly for improved functionality. When dealing with connections, prioritizing a smooth flow can enhance overall performance.

I would rate its stability capabilities eight out of ten.

It provides good scalability and it can easily adapt to bigger volumes of data or different tolls.

Generally, our team is responsible for overseeing applications and maintaining comprehensive records. If a client chooses to update the Kiuwan version or make other changes, we can approach the designated person to assess whether there are any issues or seek assistance in understanding how to provide support.

The initial setup depends on one's familiarity, and for newcomers, it may initially appear complex. However, with persistent efforts to understand and use the tool, the process becomes more manageable. Continuous experimentation and exploration lead to a better grasp of configuring the tool for optimal results.

The deployment duration can range from three to four years, contingent on reviews and adjustments, especially when transitioning to different environments like developer versions or continuous integration. The tool provides information to Kiuwan, and decisions are made based on the information gathered. Timing is crucial, especially when there's a need to move an application into production, and there might be limited time for thorough checks. Despite the time constraints, the deployment process is generally beneficial for identifying and addressing issues within the code, particularly when there are unexpected problems that require solutions before redeployment. It's a matter of adapting the approach based on the project's version and organization.

Overall, I would rate it eight out of ten.

I am utilizing Kiuwan for quick and efficient scans, specifically static scanning for web applications. This includes checking the application's code base and dependencies, known as SaaS scans. In the first quarter, there is a "code-based security and insight" tab where we can review the application's code for any vulnerabilities arising from dependencies. We then analyze these vulnerabilities and provide solutions for mitigating them.

The feature that I have found the most valuable in Kiuwan is the speed of scanning. Compared to other SaaS tools I have used, Kiuwan is much quicker in performing scans. I have not yet used it on a large code base, but from what I have experienced, it is efficient and accurate. Additionally, I have used it both manually and in an automated pipeline, and both methods have been effective. The speed of scanning is what makes it valuable to me.

Kiuwan provides a detailed analysis and mitigation steps for any vulnerabilities reported, which is very helpful for teams in addressing the issues.

In Kiuwan there are sometimes duplicates found in the dependency scan under the "insights" tab. It's unclear to me why these duplicates are appearing, and it would be helpful if the application teams could investigate further. 

Another issue I've encountered is that Kiuwan only looks at the version of components and doesn't take into account any workaround fixes that have been implemented at the code level. This can result in false positives being reported. Additionally,  these issues are in the "insights" tab and not in the code base security aspect. Lastly, when muting findings that are false positives, there should be an option to see the only available at the code level rather than at the organization level because it can lead to missing vulnerabilities if they are muted at the org level.

An additional feature that would be helpful is the ability to easily download reports from Kiuwan. Specifically, in the "insights" tab, we have been encountering an error when trying to download the PDF report. We are able to download the code-based security report, but not the insights report. This has been an ongoing issue for the past couple of months and would be beneficial if it could be resolved.

My main recommendation would be to address the issues with downloading reports that we have been experiencing. Additionally, it would be helpful if Kiuwan could support a wider range of programming languages, as there are currently some that are not compatible with the tool. If the code of a particular application falls under the category which is not compatible with Kiuwan, then it will not be able to scan it.

I have been using Kiuwan for approximately 10 months.

Since using Kiuwan, I have not experienced any major issues with the tool crashing. There may have been occasional loading issues, but overall, Kiuwan has been reliable and up and running most of the time.  

Our teams have scanned multiple reports, some of which have been in the hundreds, and we have not encountered any issues with scalability. The code level for any application should not be excessively large, and if it were, it's likely that any tool would have limitations. In our case, we have not faced any scalability issues with Kiuwan.

We have approximately 20 teams that are working with 20 applications a month, and mostly all the applications are scanned with Kiuwan.

I have not used the support from Kiuwan.

Out of the solutions I have worked with which are Veracode, Kiuwan, Fortify, and Checkmarks, I would exclude Veracode because I did not have a good experience with it. If I had to choose between Kiuwan and Fortify, I prefer Kiuwan. It scans reports faster and provides more detailed analysis and mitigation steps for vulnerabilities. Additionally, Kiuwan takes into account the versions of components more effectively, which is an advantage over Fortify.

I am not the primary person responsible for that as it is handled by the application team. Our role is to perform the scans, identify any vulnerabilities, and provide guidance on how to mitigate them. Once the vulnerabilities have been resolved, a rescan is conducted until there are no longer any critical or high vulnerabilities present. At that point, the Kiuwan scan is completed for that particular application.

We did the integration of Kiuwan in-house.

Kiuwan is an open-source solution and free to use. 

The team responsible for maintenance makes sure to constantly monitor and ensure that Kiuwan is always running smoothly and not crashing. Overall, the maintenance and upkeep of the tool have been good in my experience.

I rate Kiuwan an eight out of ten.

We use Kiuwan to assess the code, resolve issues, and showcase technical indicators. These indicators reveal the number of errors over a timeline and offer guidance on addressing issues related to business servers. We haven't integrated Kiuwan with additional tools; it operates as a standalone application and isn't integrated into the development life cycle.

It provides opportunities for improvement by guiding us toward better coding practices. It's a valuable learning tool, teaching developers about security concepts and ways to rectify various issues across different programming languages. 

I appreciate Kiuwan for its simplicity in establishing programming rules, especially with the Kiuwan client development tool. It allows programming rules by loading the code into the tool and using the DXPath and AST functionalities.

It boasts several great features, such as modularity, allowing you to choose specific models. The method of creating new rules using Kiuwan is quite efficient, which I find better compared to other systems. It's also effective in generating reports, be it on the overall results across the year or quarter or for specific analyses. I find it quite impressive in this aspect.

Integration with development frameworks like IntelliJ, NetBeans, and Visual Studio Code can be improved as a part of Kiuwan's capabilities. There are plugins available for these systems, facilitating smoother integration and usage within these popular development environments.

In our scenario, with approximately fifty applications and ten users, conducting around five hundred analyses per day, we've noticed that updating Kiuwan rules is time-consuming. Analyzing new rules also takes a significant amount of time. It might be partly due to how we develop the rules; it seems that our approach to creating rules might contribute to this issue. This impacts the time it takes to conduct analyses using Kiuwan.

I've been using Kiuwan for about two years across various companies. It assists in establishing rules, maintaining static analysis of the code, and aiding developers in improving their code quality.

I believe the project is stable, and we've been in contact with technical support.

In my case, I feel we need technical support to develop new rules and to comprehend some of Kiuwan's internal functionalities.

Positive

I've experienced a migration from an analog system to Kiuwan, and we've remained with Kiuwan. In my previous company, a similar transition occurred, using Kiuwan to analyze all their applications. They had various tools but chose Kiuwan, possibly because the migration process was easier.

In my experience, companies prefer minimal installations of Kiuwan; they opt for the basic installation and don't want to invest in or pay for all the available models.The deployment takes longer than usual. 

We have deployed it using in-house experience.

I believe that many companies in Spain might not fully grasp that without using these kinds of tools, they encounter more problems, leading to increased investment. However, I consider these tools essential as they can prevent costly errors or bugs that might arise without their detection. In my view, it's a worthwhile investment.

I'm not entirely sure about the price and business aspects, but I assume Checkmarx might be less expensive. I think Checkmarx might offer more affordable options, especially in its smaller business version.

I've noticed that in Spain, Kiuwan is more familiar and widespread compared to other tools. When clients lack the knowledge to choose a tool, IT companies often step in to bridge the gap. In Spain, there's a strong focus on Kiuwan because it's easier to integrate and develop rules. Presently, I'm also working with Checkmarx, and it seems that these two tools are among the most commonly used in Spain.

As for Checkmarx, it offers two types of installation: Checkmarx on-premise and  Checkmarx. The on-premise version allows for customizable analyses based on the lines and workstation capabilities, catering to different business sizes. Kiuwan, on the other hand, appears to have a single version without variations, unlike Checkmarx's options.

I believe that for someone new to using these types of tools, Kiuwan is easier to start with compared to other tools. It seems less complex and more user-friendly for beginners.

I would rate it an eight because it's incredibly easy to comprehend and a powerful tool for code analysis. It's also a powerful tool for educating others on developing good code.

In my experience across various companies, I've noticed that the health aspects of the tools are not frequently updated. The documentation and other support resources, including the rules accessed through the help button, often redirect to web pages that are not regularly updated.

We use the solution for in-house development. In one of the cases, we use it for some applications that we need to create something from scratch. 

What we are considering more than anything else is maybe its quality of performance. We are looking for security vulnerabilities. I'm an Information Security Officer and that's why we are looking for vulnerabilities more than the quality of the code or the performance, however, it's great that it gives more detailed information about performance and the quality of the code. I'm actually looking to try another technology, to see if there's something we can do around static tests.

The solution is stable.

The solution is scalable.

I've tried many open source applications and the remediation or correction actions that were provided by Kiuwan were very good in comparison.

When you do the download test, there is some part that remains there from the static test. When it comes to the configuration of this library, I've not sure that Kiuwan gives a real vulnerability assessment for a configuration. 

The configuration hasn't been that good. From a security perspective, we are looking into something in the middle between the static and the dynamic. 

There are many open-source tools that can generate perfect results. It's not as good as the quality as the Kiuwan or maybe the SonarQube, however, I'm sure it's really close, and it's also free

We've had issues with technical support not being responsive enough. 

We also have had issues with the initial setup.

We've used the solution for around two years or so. It's been a while now. 

We have found the solution to be stable. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

The solution can scale if you need it to. 

We're dealing with three customers that have this solution right now. 

We're working on some issues with some delays from the support team.

We are also using Tenable. 

We faced a lot of problems with the initial setup and support gave us difficulties around the installation. That made us a little bit confused. When you lose your servers for the week, it's not a good thing.

With support, we had to troubleshoot the issues and that took about eight working days. It took us around 11 days to overcome the issues and to upgrade. 

As an information security team, we were providing some services and were trying to make a vulnerability assessment. The security testing let us note a lot of vulnerabilities. We contacted support and it took us three months to overcome those particular issues.  

In terms of maintenance, we have system admins that just look to see if the servers are running or not, however, for managing the servers, the servers implementation security team will handle that.

We can likely find free open-source solutions that give us close to the quality we get with this solution. We'd rather not pay if we don't have to.

Customers must pay a yearly licensing fee. 

We got it from a partner. The partner is already connected to Kiuwan from Spain.

We are providing the Kiuwan solution for a small group of customers.

I'd rate the solution at an eight out of ten.

I develop use cases to enhance code quality, and in the event of code vulnerabilities, I guide the team on how to address and rectify them.

It provides value by offering options to enhance both code quality and the security of the company.

There are limited alternatives from other libraries or dependencies to enhance the application which posed a challenge for me as it necessitated modifications across different cases. It's problematic since you might need to alter or replace everything for potential improvements.

I have been working with it for approximately two years and six months.

It offers good stability capabilities.

It could improve its scalability abilities.

We've worked with Checkmarx, Veracode and Fortify. I find Kiuwan to be more user-friendly, you can easily locate and download data. However, in certain processes, it might not be the most cost-effective option.

The initial setup was easy.

Overall, I would rate it eight out of ten.

Our company produces a financial application, and we use Kiuwan for vulnerability testing. Kiuwan scans our code to detect some security issues. 

Kiuwan has enabled us to give our customers peace of mind through early identification of code vulnerabilities and remediation before delivery to the customer.

I like that I can scan the code locally on my device. When the local analyzer finishes, the results display on the dashboard in the Cloud. Actually Kiuwan allows to scan code both locally and in the cloud, but It's essential for security purposes to be able to scan my code locally.

Kiuwan should charge based on usage

I've been using Kiuwan for two years.

Kiuwan is stable, but we have some issues when they perform system maintenance. We cannot access the platform for a couple of hours max. It's happened twice in one year, but it's not that bad because this tool isn't critical for our operation. 

It's easy to scale up Kiuwan.

Kiuwan's support has room for improvement. You can only open a ticket is through email, and the support team is outside of our country. They should have a support number or chat.

Neutral

Kiuwan was pretty easy to set up. We simply installed the local analyzer and configured the dashboard with some rules to apply to our code. It wasn't that hard. 

Kiuwan is not as expensive as the other solutions. We pay according to the number of lines of code that have been hired to scan, whether it scans or not. That's the downside.

I rate Kiuwan nine out of 10. I think it's an excellent platform, and I'd recommend Kiuwan.

I'm currently working at a FinTech company, and we normally use Kiuwan for code analysis. This helps us ensure that our product complies with proper codes.

I like that it provides a detailed report that lets you know the risk index and the vulnerability.

The integration process could be improved. It'll also help if it could generate reports automatically. But I'm not sure about the effectiveness of the reports. This is because, in our last project, we still found some key issues that weren't captured by the Kiuwan report.

I have been using Kiuwan since 2019.

I'm not sure if it's stable, but it's working fine.

I don't know if it's scalable, but we have about 30 to 60 users. It all depends on the scope of the project. If they have made the last point of implementation, then we can perform the code analysis.

It follows a subscription model. I think the price is somewhere in the middle. 

I would recommend this solution to new users.

On a scale from one to ten, I would give Kiuwan an eight.

We analyze all the portfolio of applications from the customer. The customer is within the government of Spain. We analyze all their applications. On the portfolio of publications, we run analyses from all the applications.

From the tool itself, the developer can run an analysis with the same quality. With this tool, every developer has the opportunity to do an unlimited analysis.

The solution can scale well.

The solution offers very good technical support.

It's quite a stable product.

I'm still working on learning all the specifics of the tool; it's quite new to me.

The solution seems to give us a lot of false positives. This could be improved quite a bit.

The rules could be more clear. They need to have more clarity in that respect. It would help make the solution easier to use.

I've been using the solution for about a year now.

The stability at this time is very good. It doesn't have bugs or glitches and it doesn't crash or freeze. It's very, very reliable.

You can definitely scale the solution. However, if you want to analyze more, of course, you have to pay more. This might be limiting if you are an organization that has a specific budget.

In our organization, we have 1,000 users approximately on the solution.

The technical support is very good. They are responsive and are very knowledgeable. We are satisfied with their level of service at this time.

In terms of setting up the solution, you only have to download a client to make the analysis. In the local environment, you also only need Java 1.8 and an internet connection to make an analysis. You have to worry about working in the configuration and administration of the users of the quality models. It's pretty easy.

I don't handle the payments or licensing aspects of the solution, therefore, I can't speak to the exact cost of the product. I only administer the tool.

That said, it's my understanding that, if you need to analyze more, you do need to pay more for the solution.

It was too difficult for us to evaluate different solutions. That said, I recall the other options being, for example, Veracode and SonarQube. There may have been more options that we considered evaluating as well, however, I don't recall the names of them.

We're just a customer.

We are using the latest version of the solution.

Overall, I would rate the solution eight out of ten. It's worked quite well for us so far.

Our primary use case is to focus on and discover the vulnerabilities in our code, to clean the code and to make it safer and more secure for our customers. We are a customer of Kiuwan and sell it to our customers. We employ an analyzer for our coding.

The most valuable feature of the solution is the continuous integration process. This enables us to make the best in terms of security of our solution and not introduce new mistakes. Problems are solved step by step. 

Improvement could be made with the integration of the programming tools. The solution provides some integration tools but for now we're not using these tools very much because it's expensive and we don't get much return. In the future we might be more interested. They could also improve repositories in the solution. I also think the coding could be improved technically and include some features that could be valuable for enterprise companies.

I've been using this solution for about one year. 

It's a stable solution 

I don't think there would be problems with scalability. 

I've used the technical support sometimes but we haven't had a lot of issues. There is also a call centre and they respond quickly. For the moment, support is good. 

The key for success of this solution in relation to other similar solutions is that it's a flexible solution.

The initial setup was very straightforward. It's a cloud solution so after you sign the contract you have the solution. You just need to create the users, do the tutorials, it's simple. There's no deployment because it's a cloud service, you might just need to download a local analyzer.  We have an external consultant who performed the dynamic analysis of our code. 

With this solution you only pay for the total amount of lines of code and it's a reasonable cost. 

The solution is easy to work with. It takes a day or two to get used to it but after that it's easy to use and there's enough documentation in the tool. We haven't had problems using it. 

I would rate this product an eight out of 10. It's not perfect but it's good for us.