2021-04-15T16:14:00Z
CR
Manager of Data Processing at New York State Insurance Fund

What is the best Application Security Testing platform?

I'm choosing an Application Security Testing platform.

My use cases are as follows:

  • SAST
  • DAST
  • Component Scanning
  • Vulnerability auditing 
  • Mitigation

What product/solution would you recommend and why? 

8 Answers
TR
Founder at Saltworks Security
Real User
2021-04-26T03:52:56Z

The first thing you'd want to do is:

1. Look at your application inventory to determine the language and framework coverage.
2. The next thing would be which one has the developer integrations with my current and future-state CI/CD toolset and developer IDEs.
3. Do I have the security team to support it? This helps determine vendor and approach. I say Fortify, as they are the only Hybrid (Cloud and On-Premise) approach.
4. Does this need to be Cloud or On-Premise?

My most successful customers have used the following:

  • SAST - Hybrid of Fortify on-premise and Fortify on Demand; if support is needed for Perl or Groovy, buy some Checkmarx to cover that gap and correlate findings with Saltworks SaltMiner.
  • DAST - WebInspect/ScanCentral & Fortify on Demand
  • Component Scanning - The most successful deployments have been with Sonatype due to the Fortify integration. Black Duck, WhiteSource, and Snyk also manage plugins to Fortify SSC. If there is no budget, use OWASP Dependency Track to build your use case for a more robust Composition Analysis tool.
  • Vulnerability auditing - Done within Fortify SSC or Fortify on Demand
  • Mitigation - Your Team, but if consulting is needed I would recommend Saltworks Security, Deloitte, Accenture & Cigital, which have a reputation for managing Fortify programs.

Ping me if you need further guidance.

Real User
2021-05-17T08:35:50Z

The best application security testing platforms include GitHub, GitLab, HCL AppScan, Netsparker, Acunetix Vulnerability Scanner, Pentest-Tools.com, Detectify Deep Scan, Appknox, Checkmarx, and Micro Focus Fortify On Demand. 

VD
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Real User
2021-04-26T12:00:04Z

  • SAST - Veracode, goes well with integration
  • DAST - Either Micro Focus WebInspect or Burp Suite Professional or OWASP ZAP (Open Source)
  • Component Scanning - Black Duck or Sonatype Nexus Platform or WhiteSource Bolt
  • Vulnerability Auditing - Nessus & CIS-CAT (Assessor Pro) or Qualys
  • Mitigation - Team effort; for Security Orchestration - ThreadFix or ZeroNorth

VG
Chief Architect at Persistent Systems
Real User
2021-12-21T07:59:12Z

Hello @Charles Race,

A lot of responses already on this one. Considerations will include on-premises vs SaaS, and one tool vs a modular approach using different tools. I will share some additional details.

1. Snyk: It can do SAST, SCA, Containers, and IaC scripts - all 4. They have 4 products as part of their SaaS platform. It's commercial and has an open-source version with limited capabilities. Their on-premises scanner is in private beta.
2. CloudDefense.AI: It can do SAST, DAST, SCA, etc. Commercial SaaS platform. Uses ZAP rules behind the scenes for DAST.
3. Synopsys: Great product, the leader in the Gartner MQ 2021. Can do IAST as well.
4. SonarQube Enterprise Licensed Deployment is an excellent product for SAST. It supports 27+ languages including SQL, and has strong reporting capabilities and trend analysis.

If you need to do CSPM (Cloud Security Posture Management), you will need to look at others like Prisma Cloud.

Hope this helps.

RG
Chief Executive Officer at Xmart Solutions
User
2021-04-22T19:05:49Z

Hi, my name is Rogerio from Xmart Solutions Brazil (we are an independent consultancy that represents several AST solutions). Some factors are important to evaluate, such as:

How many SAST applications (static analysis) and how often will you do the analysis? How many analyses (URLs) will you do dynamically?

What are your sprints? Do you have internal development or third parties?

Which languages from your legacy? How will you implement integrations? What tools?

Would you like to have everything automated?

These are just a few questions for your decision.

I hope I've contributed.

RR
Incident Manager at a tech services company with 1,001-5,000 employees
User
2021-04-22T14:46:43Z

I suggest going for a Secure SDLC approach by integrating security at each level of the development life cycle. If you are constrained to select just one from the above, then start with DAST, as it helps simulate real-time attacks on your production application and thus helps you address the most glaring issues.

WK
Security Architect at A4BEE Architects for Business
User
2021-04-26T07:32:48Z

Kiuwan - scan for 3rd-party libs

SonarQube - CI/CD integration with low price

CK
Founder & Chairman at Endpoint-labs Cyber Security R&D
Real User
2021-04-26T07:03:11Z

I would like you to buy Checkmarx as a SAST tool and have a look at Kondukto, which embeds security tests into DevOps pipelines in an automated fashion using both open source and commercial security tools. Vulnerabilities coming from different sources, be it from penetration tests, bug bounty programs or automated tools, can be managed in a single platform to provide a unified view. With its unique process automation and CI/CD integration capabilities, Kondukto helps to scale AppSec effort and paves the way for DevSecOps.

My advice is to pay attention to the following: visibility into vulnerabilities in native environments leads to improved security awareness among developers.

✔ Custom-tailored training programs based on the vulnerabilities created by each developer and team increase the ROI of training.

✔ Remediation database allows developers to benefit from the know-how accumulated in the company and fix vulnerabilities faster.
