2021-04-15T16:14:00Z
CR
Manager of Data Processing at New York State Insurance Fund

What is the best Application Security Testing platform?

I'm choosing an Application Security Testing platform.

My use cases are as follows:

  • SAST
  • DAST
  • Component Scanning
  • Vulnerability auditing 
  • Mitigation

What product/solution would you recommend and why? 

8 Answers
Thomas Ryan - PeerSpot reviewer
Founder at Asymmetric Response
User
Top 5
2021-04-26T03:52:56Z
26 April 21

The first thing you'd want to do is:

1. Look at your application inventory to determine the language and framework coverage.
2. The following would be what has the developer integrations with my current and future state CI/CD toolset and developer IDEs.
3. Do I have the security team to support it? Helps determine vendor and approach. I say Fortify as they are the only hybrid (cloud and on-premise) approach.
4. Does this need to be cloud or on-premise?


My most successful customers have used the following:

  • SAST - Hybrid of Fortify on-premise and Fortify on Demand; if support is needed for Perl or Groovy, buy some Checkmarx to cover that gap and correlate findings with Saltworks SaltMiner.
  • DAST - WebInspect/ScanCentral & Fortify on Demand
  • Component Scanning - The most successful deployments have been with Sonatype due to the Fortify integration. Black Duck, WhiteSource, and Snyk also manage plugins to Fortify SSC. If there is no budget, use OWASP Dependency-Track to build your use case for a more robust Composition Analysis tool.
  • Vulnerability auditing - Done within Fortify SSC or Fortify on Demand
  • Mitigation - Your team, but if consulting is needed I would recommend Saltworks Security, Deloitte, Accenture & Cigital, which have a reputation for managing Fortify programs.

Ping me if you need further guidance.

Real User
2021-05-17T08:35:50Z
17 May 21

The best application security testing platforms include GitHub, GitLab, HCL AppScan, Netsparker, Acunetix Vulnerability Scanner, Pentest-Tools.com, Detectify Deep Scan, Appknox, Checkmarx, and Micro Focus Fortify on Demand.

VD
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Real User
Top 5Leaderboard
2021-04-26T12:00:04Z
26 April 21

SAST - Veracode, goes well with integration

DAST - Either Micro Focus WebInspect or Burp Suite Professional or OWASP ZAP (open source)

Component Scanning - Black Duck or Sonatype Nexus Platform or WhiteSource Bolt

Vulnerability Auditing - Nessus & CIS-CAT (Assessor Pro) or Qualys

Mitigation - Team effort; for security orchestration, ThreadFix or ZeroNorth

Vishal-Goyal - PeerSpot reviewer
Chief Architect at Persistent Systems
Real User
Top 5Leaderboard
2021-12-21T07:59:12Z
21 December 21

Hello @Charles Race,

A lot of responses already on this one. Considerations will include on-premises vs SaaS, one tool vs a modular approach using different tools. I will share some additional details:

1. Snyk: It can do SAST, SCA, containers, IaC scripts - all 4. They have 4 products as part of their SaaS platform. It's commercial and has an open-source version with limited capabilities. Their on-premises scanner is in private beta.
2. Clouddefense.AI: It can do SAST, DAST, SCA, etc. Commercial SaaS platform. Uses ZAP rules behind the scenes for DAST.
3. Synopsys: Great product, the leader in Gartner MQ 2021. Can do IAST as well.
4. SonarQube Enterprise Licensed Deployment is an excellent product for SAST. It supports 27+ languages including SQL, with strong reporting capabilities and trend analysis.

If you need to do CSPM (Cloud Security Posture Management), you will need to look at others like Prisma Cloud.

Hope this helps.

Rogerio Goncalves - PeerSpot reviewer
Chief Executive Officer at Xmart Solutions
User
2021-04-22T19:05:49Z
22 April 21

Hi, my name is Rogerio from Xmart Solutions Brazil (we are an independent consultancy that represents several AST solutions). Some factors are important to evaluate, such as:

How many SAST applications (static analysis), and how often will you do the analysis? How many analyses (URLs) will you do dynamically?

What are your sprints? Do you have internal development or third parties?

Which languages from your legacy? How will you implement integrations? What tools?

Would you like to have everything automated?

These are just a few questions for your decision.

I hope I've contributed.

RR
Incident Manager at a tech services company with 1,001-5,000 employees
User
2021-04-22T14:46:43Z
22 April 21

I suggest going for a Secure SDLC approach by integrating security at each level of the development life cycle. If you are constrained to select just one from the above, then start with DAST, as it helps simulate real-time attacks on your production application and thus helps you address the most glaring issues.

WK
Security Architect at A4BEE Architects for Business
User
2021-04-26T07:32:48Z
26 April 21

Kiuwan - scan for 3rd-party libs

SonarQube - CI/CD integration with low price

Cuneyt KALPAKOGLU Phd. - PeerSpot reviewer
Founder & Chairman at Endpoint-labs Cyber Security R&D
Real User
Top 5Leaderboard
2021-04-26T07:03:11Z
26 April 21

I would like you to buy CHECKMARX as a SAST tool and have a look at KONDUKTO, which embeds security tests into DevOps pipelines in an automated fashion using both open source and commercial security tools.

Vulnerabilities coming from different sources, be it from penetration tests, bug bounty programs or automated tools, can be managed in a single platform to provide a unified view. With its unique process automation and CI/CD integration capabilities, Kondukto helps to scale AppSec effort and paves the way for DevSecOps.

My advice is to pay attention to visibility: visibility into vulnerabilities in native environments leads to improved security awareness among developers.

✔ Custom-tailored training programs based on the vulnerabilities created by each developer and team increase the ROI of training.

✔ Remediation database allows developers to benefit from the know-how accumulated in the company and fix vulnerabilities faster.
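Several answers above describe the same end goal for the asker's "vulnerability auditing" and "mitigation" use cases: correlating SAST, DAST and component-scanning (SCA) findings into one de-duplicated, prioritised view (Thomas Ryan's "correlate findings", Cuneyt's "unified view"). The script below is an added example of that step, not code from this thread or from any of the products named in it. The three export formats, the sample findings and the package/vulnerability identifiers are constructed placeholders, and the ranking rule (severity weight plus a bonus when the same CWE is reported by more than one tool class) is an assumption, not any vendor's algorithm.

```python
"""Merge SAST, DAST and SCA findings into one de-duplicated, ranked list.

Added example for the PeerSpot thread; the three input formats below are
constructed stand-ins for real tool exports, not any vendor's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Severity vocabulary shared by all three tool classes after normalisation.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    source: set        # tool classes that reported it, e.g. {"sast", "dast"}
    cwe: str           # weakness class, e.g. "CWE-89"
    severity: str      # one of SEVERITY_RANK's keys
    location: str      # file:line, URL?param, or package@version
    title: str
    corroborated: bool = False   # same CWE seen by more than one tool class
    score: int = 0               # ranking key computed by correlate()


# Constructed sample exports (shapes differ per tool class on purpose).
SAST_EXPORT = [
    {"rule": "sql-injection", "cwe": 89, "severity": "HIGH", "file": "app/db.py", "line": 42},
    {"rule": "hardcoded-secret", "cwe": 798, "severity": "MEDIUM", "file": "app/config.py", "line": 7},
    # Same finding exported twice (e.g. two pipeline runs) - must collapse to one.
    {"rule": "sql-injection", "cwe": 89, "severity": "HIGH", "file": "app/db.py", "line": 42},
]
DAST_EXPORT = [
    {"name": "SQL Injection", "cweid": "89", "risk": "High", "url": "https://app.example.test/search", "param": "q"},
    {"name": "Missing CSP header", "cweid": "693", "risk": "Low", "url": "https://app.example.test/", "param": ""},
]
SCA_EXPORT = [
    # PLACEHOLDER-VULN-1 is a constructed identifier, not a real advisory.
    {"package": "example-lib", "version": "1.2.3", "vuln_id": "PLACEHOLDER-VULN-1", "cwe": "CWE-502", "severity": "critical"},
]


def _sev(value: str) -> str:
    """Map a tool's severity label onto the shared vocabulary; reject unknowns."""
    s = value.lower()
    if s not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {value!r}")
    return s


def normalize_sast(rows):
    for r in rows:
        yield Finding({"sast"}, f"CWE-{r['cwe']}", _sev(r["severity"]), f"{r['file']}:{r['line']}", r["rule"])


def normalize_dast(rows):
    for r in rows:
        loc = r["url"] + (f"?{r['param']}" if r["param"] else "")
        yield Finding({"dast"}, f"CWE-{r['cweid']}", _sev(r["risk"]), loc, r["name"])


def normalize_sca(rows):
    for r in rows:
        yield Finding({"sca"}, r["cwe"], _sev(r["severity"]), f"{r['package']}@{r['version']}", r["vuln_id"])


def load_all():
    """Normalise all three constructed exports into one list of Finding objects."""
    return [*normalize_sast(SAST_EXPORT), *normalize_dast(DAST_EXPORT), *normalize_sca(SCA_EXPORT)]


def correlate(findings):
    """De-duplicate by (CWE, location), flag CWEs seen by multiple tool classes, rank."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location)
        if key in merged:                       # exact duplicate: union sources, keep worst severity
            m = merged[key]
            m.source |= f.source
            if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
                m.severity = f.severity
        else:
            merged[key] = Finding(set(f.source), f.cwe, f.severity, f.location, f.title)

    tools_per_cwe = defaultdict(set)            # which tool classes saw each weakness class
    for m in merged.values():
        tools_per_cwe[m.cwe] |= m.source
    for m in merged.values():
        m.corroborated = len(tools_per_cwe[m.cwe]) > 1
        # Assumed ranking rule: severity dominates, corroboration breaks ties upward.
        m.score = 2 * SEVERITY_RANK[m.severity] + (1 if m.corroborated else 0)
    return sorted(merged.values(), key=lambda m: m.score, reverse=True)


if __name__ == "__main__":
    for f in correlate(load_all()):
        flag = "corroborated" if f.corroborated else ""
        print(f"{f.score:>2} {f.severity:<8} {f.cwe:<8} {'+'.join(sorted(f.source)):<9} {f.location:<38} {f.title} {flag}")
```

Running the script prints the constructed findings as one table: the SCA finding ranks first on raw severity, the SQL-injection weakness reported by both the static and dynamic scanners ranks next and is flagged as corroborated, and the duplicated SAST export collapses to a single row. In a real programme the three `normalize_*` functions are the only parts that change per vendor; the correlation and ranking stay the same regardless of which SAST, DAST or SCA product feeds them.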
