Rapid7 InsightAppSec Reviews

We are using it for DAST, dynamic scanning.

I like the user interface and the friendly nature of the tool. It is very user-friendly for anyone to use it. The customization part for scanning is also good. 

You have various attack modules, and you also have the Attack Replay feature for the attack sequence. You can reproduce an attack and see it. That is a very good feature I noticed in this solution. It helps developers as well.

Scanning can be better. When you add new projects for the same product, it either duplicates or replaces the scan configuration. If I run a scan for the same product with a different scan configuration, it should keep the previous scan configuration and not replace it with the new scan configuration. It should just add the new scan configuration. That would be helpful. They do keep the results as it is, but the scan configuration keeps changing. For example, I have set a scan configuration to a full scan, and next week, I want to run a new scan for the same product with some changes or new functionalities. I want to run a partial scan. Currently, if I change the scan configuration to partial, it changes the old one also to partial. That should be improved.

They need to work on the user interface and management of all the projects. Their support can also be improved a little.

They should also focus on a wider integration scale and end-to-end scanning.

It has been almost one year.

It is stable. Like most products, there is some downtime here and there when they do some patches. Sometimes, it might be stuck as well. So, there are minor challenges, but there is nothing major. The support is helpful during those challenges. Whenever they have some patches or planned downtime, they inform us well before so that we can prepare ourselves. For the past year, I did not face any major challenges.

It is definitely scalable. We have been changing and upgrading its usage in phases.

At present, we have more than 150 users. It is being used on a weekly or a monthly basis. We are only using it for dynamic scanning. Once the environment is ready, we run the scan. We have not automated the scans as of now. We will be doing that in the next quarter, and we will schedule the scans on a monthly or quarterly basis, where once we set the configuration for a particular project, the scan will automatically trigger. Currently, our release cycle is not consistent. That's the reason we have not automated it, but eventually, we will be doing that.

When I joined, the agreement with Rapid7 was already in place. They have only email support, and if they have 24/7 phone support as well, that would be really helpful. Most of the technical support people are in the US time zone, whereas we span across different regions. We have a few folks in the UK and a few folks in India. We need to manage the time as well. So, we need a resolution as soon as possible. That is a little challenging for us at times. 

Neutral

I have used Fortify on Demand and other solutions. Each solution, whether it is Fortify, Qualys, or Veracode, has its own pros and cons. 

Qualys has a wider integration scale, and also from the cloud perspective, when you want to install the Qualys agents on any of your ECS or VMs, it is usually easy to integrate. Rapid7 is also easy, but it doesn't offer anything to scan everything from end to end. It is still improving. I recently attended one of their sessions, and I know they are coming up with new features, but they need to fasten up based on what the current market is and what other products offer. 

We have been using it only from the AppSec perspective, and it has been working well for us. If I go with Rapid7 for extensive use, including vulnerability management and infrastructure, it would become a little challenging for us because it doesn't offer so many features compared to Qualys or any other products.

It is straightforward. You don't need to have any complex solutions for it. They do provide all the documentation with all the steps. It is easy to follow the documentation.

It took a few hours to set it up. We did not immediately engage in it. We did the setup in phases. We modeled it that way. So, it was very quick for us because we had planned it that way. 

It was implemented in-house. In terms of maintenance, it doesn't require much maintenance. So far, I have not seen any major maintenance requirements. There are only regular updates.

They offer a good price, but I don't remember its cost. It is fair as compared to the competition. We have opted for project-based licensing, not user-based. We can add any number of users. That doesn't matter.

It is worth the money. I would rate it a four out of five in terms of pricing.

When you want to buy a tool, the main thing is whether it meets the requirements based on your business needs. In my previous company, I was in the financial sector, which has a lot of PCI transactions, et cetera. Now, I am in the media industry, and we don't have PCI transactions. It all depends on what kind of business you have, what are the requirements, and whether the product meets your requirements. For our needs, Rapid7 was the ideal go-to tool. Based on the budget, pricing, and features, we went for Rapid7.

I would rate it a nine out of ten.

We use Rapid7 for application security. We use it ourselves and we also provide services for our customers. The primary use is for checking security assessments of web applications. If you need code scanning or API integration, then AppSec provides these options.

This product is easy to use.

It uses a signature-based method to check for problems with your code and will provide an alert if anything is found. It will also give recommendations as to how to fix the issues.

The performance can be improved.

I would like a facility to monitor applications after they have been scanned. For example, when new programming is done, an application should be scanned again because sometimes they add a lot of pages and can affect it. The application should be monitored to protect you from future attacks or mistakes made by the developer team.

In the future, if they can have integration with a lot of ticketing systems then it would be amazing. This would mean that if you're using any ticketing system, then because the application is already integrated with it, and if there's an issue with the web application, it will automatically open a support ticket for the development team.

I have been working with Rapid7 InsightAppSec for two years.

I have not had any trouble with bugs or glitches.

The scalability is good.

The technical support is amazing. I have been in contact with the local office in Dubai, and they are very good.

It is a cloud-based solution so the initial setup is very simple.

You have an account, so you add the website to the application, and you should add your own website so that it has the authorization to scan your whole application.

The price of this product is very cheap. A trial version is available for 60 days, where the reports and problem fixes are available for free.

This is a product that I recommend and my advice for anybody who is interested in trying it, there is a free 60-day trial period where they will fix your problems without any payment. That will give you the opportunity to experiment with and gain experience scanning web applications.

I would rate this solution a ten out of ten.