We changed our name from IT Central Station: Here's why

Application Security Java Reviews

Showing reviews of the top ranking products in Application Security, containing the term Java
Veracode: Java
DevSecOps Consultant at a comms service provider with 10,001+ employees

We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD. 

We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly run the internal application source code and ensure the code's security hygiene.

View full review »
Software Architect at Alfresco Software

The feature that we use the most is the static analysis, by uploading the artifacts. We have two types of applications. They are either Java Server applications using Spring Boot or JavaScript frontend applications. We scan both using the static analysis. Before, we used to do the software composition on one side and the static analysis. For about a year now, we have had a proper security architect who's in charge of organizing the way that we scan for security. He suggested that we only use the static analysis because the software composition has been integrated. So in the reports, we can also see the version of the libraries that have vulnerabilities and that need to be upgraded.

It is good in terms of the efficiency of creating secure software.

My team only does cloud-native applications. Ultimately, the part that we are interested in, in testing, works fine.

There are some false positives, like any products that we have tried in this area, but slightly less. I would trust Veracode more than the others. For example, we had quite a few issues with Snyk which was much worse in terms of false positives, when we tested it for open source.

Also, the solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful.

View full review »
IT Cybersecurity Analyst at a educational organization with 11-50 employees

If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing.

They have a pretty unique process to get guidance. It's not like you send them an email. You could do that, but if you want to set up a consultation call, you have to go to the website and give them a certain amount of detail so that they can study the problem and the detail and be ready to meet with you. It's not as simple as doing an email. You have to go to their website and you have to click on the "consultation" button and pick a time to talk with an engineer. Sometimes an engineer is not available for quite a while. You have to wait at least a couple of days before you can meet. Having to wait for two days is not that efficient. You should be able to set it up within 24 hours.

And regarding announcements from Veracode, I've tried to get them to let my developers know directly, and I'm not sure if that's happening. I want to tell Veracode to make sure that happens. I don't want them to send an announcement to me and then I have to disseminate that information to my developers. I want it to go directly to them. They've got the developers' names and emails in their database so those announcements should go directly to them.

View full review »
Principal for the Application Security Program and Access Control at a engineering company with 10,001+ employees

When we go from the dynamic scan to static scan to SCA, there is a huge change in the UI. This was not relayed to us when we were buying the product nor during the demo. They mentioned, "Yeah, this was an acquisition. The third-party library scanner was an acquisition from SourceClear."

You can see there is a huge difference in the user experience in terms of both the display as well as the usability of the product. That is one of our pet peeves: They are not normalizing the UI across the three product segments. We had numerous calls with them early on because we were new to the platform. The sales team is not aligned with the support team. The support team keeps telling us to use a different UI versus the one that the sales team showcased during the sales cycle.

There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed. It is ironic that they claim themselves as agile AppSec tool, but their UI doesn't reflect that.

We had a couple of consulting calls, and perhaps it may be the engineers that we got, they were not really up to speed with our frameworks. They were very focused on .NET and Java, which are legacy frameworks for us. We don't use these at all in our code base. We are using the newer, modern web frameworks, like Django. They have very little coverage or knowledge base on these, especially on the mobile side.

There are a lot of faults with the Static Analysis Pipeline Scan tool. Their tool seems to be very good with legacy products, which are developed in .NET and Java frameworks, but there are false positives when it comes to using modern web frameworks, like Python and Django. The C++ code doesn't even scan. We have spent at least three weeks worth of time going back and forth because it won't support the use cases that we have.

View full review »
Product Owner - DevOps at Digite

At the time that we set it up, it was quite complex. Now, they have made it pretty simple to use and a brief process. However, we felt the process was quite complicated when we did it. For example, when we initiated the static scan for the JavaScript, we needed a lot of instrumentation. That specific instrumentation that needs to be done at the JavaScript layer. Now, they can accept the bundle as it is and still identify the issue at the line number level. So, that is an enhancement.

They have done some improvements on the triage screen where you can look at all the issues. You can perform various actions over there, like mitigations or adding comments. They have simplified that interface a bit and made it a little faster. Earlier, we used to take quite a time for the check-in and check-out operations. However, now, it is quite fast. If we had to redeploy it from scratch, it would take around 30 minutes.

To start a static code scanning, do an upload, and start a scan, it hardly takes 10 minutes.

View full review »
Cybersecurity Expert at PSYND

The most valuable feature is actually the support provided by Veracode. Once you start to use the platform, you can mount the IDE plugin for your script. The advantage is that you can run the scan and check what the problem is and you can fix it yourself. Support could be used to address something that could go beyond your skills. If you use Veracode Greenlight, you have a small pop-up that you can use to interact directly with the team and you can ask a consultant to advise how an issue can be fixed. One of the good things about the Greenlight plugin is that it is very simple. There are several guides that tell you how to install it. It's a matter of one or two minutes and you are ready to go.

Once you check something, they provide links, not manually, it's all automated. When you want to check into a vulnerability you click and open the website where there is a description. If this is not enough of an answer, you can ask directly by scheduling an appointment with a Veracode guy.

Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced. They don't teach you how to develop in Java, Python, PHP or C#, but they instruct you about the best practices that should be adopted for secure code developing and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool. And as far as I know, there are no other competitors that offer it.

The best stuff is the training: this enables your team to adopt the same programming approach, although these people have a different background or joined the projects in a different phase. Doing that, they can take the training and be aligned so that they all write code in a good way.

We also use the Static Analysis Pipeline Scan and it's quite good. They provide several of the most common templates for pipelines. You see the process, while you program, right up until you package an application, and that the platform is able to detect things that are a blocking point. Before deploying to the production, you already know what is doing. And the speed of the Pipeline Scan is quite good.

Another good feature is the policy reporting for ensuring compliance with industry standards and regulations. We test compliance for medical devices, for GDPR, and for payment methods. These are all good. If you are not correctly prepared on one of these sets of regulations, you know that Veracode is going to take care of it using pre-prepared templates. But we can also customize our own policy if we are facing a unique use case. Even if it's not really common, we can take a regulation and build it the way we want it to look.

In addition, you can check everything from the dashboard. Veracode provides a web portal that is connected with your account and through that you can check the status of all the deployments that were run. And suppose you also have an application that is quite complex. You can deploy and upload it through the portal. When it is ready, you receive a notification from the portal that the job has been done and that you can check the results. When you go to the dashboard, you have the OWASP vulnerabilities. There is a really simple graphic with the colors showing how many vulnerabilities have been found and how much these vulnerabilities are repeated in your code. It also tells you the potential effect, if it is a backdoor data breach, for example, etc. It also suggests what you can do to remediate. It might suggest modifying code or changing the status of some part of the development, or updating a third-party.

And if you have people on different projects, there is also a role management feature, so you can select, for example, that people who are working on a given project can only see that project. If you are running something with different levels of classifications, for example, if you have an external consultant, it does not affect the confidentiality of the system. When people are collaborating, not all people are at the same level of an NDA. It is good that each person can see only their part implementing Need-To-Know.

It also integrates with developer tools. We use IntelliJ and Eclipse, among others.

View full review »
Manager, Information Technology at Broadcom Corporation

When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications.

For C++ based languages, or languages where there is a platform dependency—for example, if I write C language code it is dependent on whether I'm executing that on Windows, or on Linux, or another platform—and with some of these platforms-specific languages, Veracode makes something called debug symbols that are introduced into the code. That gets cumbersome. They could improve that or possibly automate. If Veracode could quickly analyze the code and make file-line flags, that would be great. It is easy to do for Java, Python, and Pearl, but not so easy for C++. So when it comes to the debug symbols, guidance or automation could be improved.

Also, scan completion, as well scanning progress, is not reported accurately. Sometimes the scan says it will complete in two to three hours but it will take four or five hours. That is one of the areas where they can give a more accurate estimate.

View full review »
Software Engineer at a tech services company with 1,001-5,000 employees

The most valuable features are the application analyses: 

  • Static Analysis
  • Dynamic Analysis
  • SCA, the software composition analysis, to scan all the models together. 

These are the three features we've mostly been using.

It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail. 

You can detect which line is causing the issue and it gives you some insights about, for example, if you have a dependency problem in your inputs or some known vulnerabilities. It even gives you an article so that you can read about it and know how to mitigate it in some cases. Sometimes there are well-known flaws in third-parties and you should upgrade to another version to resolve your issues. Veracode guides you.

I haven't tried any other platforms, but from what I have seen, it is really fast. You just upload the files, which is easy to do, and you can follow the scanning progress on the platform. Once it's done you get an email and you just access the platform. I don't know what other tools are like, but for me, Veracode is user-friendly.

View full review »
Acunetix by Invicti: Java
Senior Test Engineer II at a financial services firm with 201-500 employees

The scanning speed could be faster. It digs really deep, so that could be one of the reasons why it takes a while. If I want to scan an application, it's going to take over three to four hours. That's something I think they could improve.

Instead of posting hundreds of requests to find the vulnerability, if it simply had the capability to find that particular vulnerability in the payload itself, that would make a big impact.

The vulnerability identification speed should be improved. It takes more time compared to other tools I have used. 

Simply put, Acunetix passes too many payloads in order to identify one part of the ratio. That's probably why it can take a while to identify a particular issue. Other tools are able to identify vulnerabilities with just a few requests. Acunetix takes more time to make certain if a vulnerability exists. That's one of the areas which they can improve on.

The scan configuration could be improved. The first thing that we need to do is set up a site policy and a scan policy. By site policy, I mean we have to choose what kind of technology our site is developed with so that it will only pass payloads related to that technology.

For example, if I'm using MySQL or Python as my backend database, it will only check payloads related to MySQL or Python; it won't check Java or other programming languages.

We have to define the scanning configuration as well as the site configuration each and every time. This has to be done whenever we are adding a new set of sites or domains.

Other tools provide a list of predefined scan policies, but with Acunetix, we have to create our own every time. We have to spend a lot of time setting up these configurations, rather than just picking them from a vast variety of predefined sets of configurations, which is much easier.

View full review »
PortSwigger Burp Suite Professional: Java
Lead Security Architect at SITA

The initial setup isn't too difficult. It's JAR based. I would say it's an analog file. It just requires minimum requirements like Java and a license. After that, you are good to go.

View full review »
Micro Focus Fortify on Demand: Java
Project Analyst at a financial services firm with 1,001-5,000 employees

We use it for statistical analysis for Java applications that are used in the collection process of a bank. It is also used for an internal web page. The tellers use this web page in the branches to make money transactions, such as withdrawals, deposits, etc.

View full review »
Senior System Analyst at Azurian

We create technology solutions for clients and on one project we were requested to use Fortify on Demand after the client had read a good report about it. They sent us the report and recommended its use.

In this case, we were using Java to program the client's solution and so we used Fortify on Demand alongside our Java development operations, for the purpose of improving the application's security.

The work we were doing for the client involved creating a billing system that they would use to manage payments and taxes for other companies in Chile. We've only used Fortify on Demand for this one client so far. 

Because Fortify on Demand was so new to us, we decided to go with the trial version first and figure out the costing at a later stage.

View full review »
SonarQube: Java
Security consultant at a tech services company with 1,001-5,000 employees

It has been just three days since I deployed this solution. I have just configured the Community edition of SonarQube, and now I am searching for some Java products to test the solution. 

View full review »
Information Technology Technical Architect at a insurance company with 51-200 employees

The product has a friendly UI that is easy to use and understand. Especially, the admin's control panel is very good and It's not really difficult to get through the settings.

With minimal coding experience, we can build many rules that apply for each programming language, for example, CSS, and Java. You can easily set up rules. We are luckily able to do this with the community version.

With other community versions, you are not always allowed to customize the profile for example. With the SonarQube Community Edition, it's authorized.

View full review »
Information Technology Technical Architect at a insurance company with 51-200 employees

The product itself has a friendly UI. It's easy to use and we understand how to manage the admin control panel, it's really quick. It's really easy to perform admin jobs using the control panel. 

The tools are really easy to use. With the coding, we can build a bunch of rules that apply for each programming language, for example, CSS, Java, and more. Even with the community version, we can still set up rules. We accommodate them and they give us the best quality. It's been a great experience so far.

View full review »
Backend Architect at Sngular

We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues. We also review the license and the web issues and try to solve them, and then pass again through SonarQube.

We usually deploy it in the cloud, but sometimes we also have on-premises solutions.

View full review »
Chief Solutions Officer at CleverIT B.V.

I am now working in a consultancy company and I work with different clients in different industries. For this reason I implement, for example, a delivery pipeline with the process whereby we need to validate the quality gate of the quality code. Meaning, the developer creates the unit testing and the code coverage, but grants the code coverage for a specific person. In other cases, we used to see what the technical depth was to see if if there are any bugs in the applications - the web application, mobile application and different languages, like, C-Sharp, JavaScript or Java, et cetera.

We deploy SonarQube on-premise on a Linux server and our pipelines were created with GitLab and Azure DevOps. Meaning that Azure DevOps and GitLab are the tools that do the build and release process.

We use Microsoft Azure and Google Cloud Platform a little.

View full review »
Senior System Analyst at a non-profit with 10,001+ employees

I believe that it is scalable, but this is an area that we have not yet explored.

I know that there is an option to add a new rule. For example, if we are creating an application using Java, there is a list of predefined rules to check the quality against.

It's expandable at least in terms of code quality checks.

For now, I am the only user of this solution.

View full review »
Technology Manager at Publicis Sapient

The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language. The quality profile rules that it provides based on the architect are set across the board, this provides continuity. Being able to fix all the application vulnerabilities before it reaches production is a huge benefit.

View full review »
Test Expert at Saudi Telecom Company

SonarQube does not cover BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of your applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.

The BPM language is important and should be considered in SonarQube.

It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approx 20% of the CPU utilization.

Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.

There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.

I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.

View full review »
Executive Manager at PepsiCo

We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release.

What we are seeing is for some of the Javascript projects SonarQube is not reading all the files. We had to manually configure it to accomplish what we wanted. However, we probably needed some documentation that we did not have that explained this process.

In an upcoming release, it would be beneficial to have the ability to use multiple applications under one project, and if we want to scan one of the applications we can just switch to that application, this would be really helpful.

View full review »
Development Team Lead at a financial services firm with 1,001-5,000 employees

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

View full review »
Manager at kellton

Our primary use case of SonarQube is getting feedback on code. We are using Spring Boot and Java 8. We are also using SonarLint, which is an Eclipse IDE plugin, to detect vulnerabilities during development. Once the developer finishes the code and commits the code into the Bitbucket code repository, the continuous integration pipeline will automatically run using Jenkins. As part of this pipeline, there is a build unit test and a SonarQube scan. All the parameters are configured as per project requirements, and the SonarQube scan will run immediately once the developer commits the code to the repository. The advantage of this is that we can see immediate feedback: how many vulnerabilities there are, what the code quality is, the code quality metrics, and if there are any issues with the changes that we made. Since the feedback is immediate, the developer can rectify it immediately and can further communicate changes. This helps us with product quality and having less vulnerabilities in the early stages of development. 

This solution is deployed on-premise. 

View full review »
Klocwork: Java
VP Delivery & Customer Success at a computer software company with 11-50 employees

I believe it should support more languages, such as Python and JavaScript.

I would like to see dynamic analysis as well.

View full review »
Kiuwan: Java
Test Engineer at a tech company with 501-1,000 employees

In terms of setting up the solution, you only have to download a client to make the analysis. In the local environment, you also only need Java 1.8 and an internet connection to make an analysis. You have to worry about working in the configuration and administration of the users of the quality models. It's pretty easy.

View full review »
Contrast Security Protect: Java
Senior Customer Success Manager at a tech company with 201-500 employees

This typical use case was a situation where there are mature Java applications that will be replaced by a new system. However, the new apps will not be available for some time and the existing apps need to be secured until then.

The customer deployed Protect with their current apps and Protect was able to detect attempted exploits and report the vulnerabilities and details of the attacks in real-time.

View full review »
Coverity: Java
Security Consultant at a tech services company with 11-50 employees

It should be easier to specify your own validation routines and sanitation routines.

For example, if you have data coming into the application, perhaps something really simple like it's getting a parameter from a web page that is your username when you go to a website to login, and then ultimately that's being consumed by something, the data goes through some business logic and then, let's say, it enters that username into a database. 

Well, what if I say my username is JavaScript calling alert hello. Now I've just entered JavaScript code as my username and you should be able to sanitize that pretty easily with a number of different techniques to remove the actual executable code from what they entered on the login page. However, once you do that, you want the program to understand that you are doing it and then remove what looks like a true positive at first glance because, in fact, the data being consumed in the SQL exec statement is not unsanitized. It's not just coming from the web.

Likewise, let's say you log in, and then it says, "Hello" Such and such. You can inject JavaScript code there and have it be executed when it says hello. So basically the ability to say that this validates and then also above and beyond that, this validates data coming from any GET parameter on the web. You should be able to specify a particular routine validates all of that, or this particular routine validates anytime we read data from a database, maybe an untrusted database.

So, if I reach for that data eight times and I say, "Hey," this validates it once, I also get the option to say it validates it the other seven times, or I could just say it's a universal validator. Obviously, a God validator so to speak is not a good practice because you're sure to miss some edge cases, but to have one routine validate three or four different occurrences is not rare and is often not a bad practice.

Another thing that Coverity needs to implement or improve is a graphical way to display the data. If you can see an actual graphical view of the data coming in, then it would be very useful. Let's say, the first node would be GET parameter from a webpage, and then it would be an arrow to another method like validate user ID, and then another method of GET data about the user. Next, that goes into the database, and so forth. When that's graphically displayed, then it is helpful for developers because they can better grab onto it.

The speed of Coverity can be improved, although that is true for any similar product.

View full review »
Senior Solutions Architect at a computer software company with 11-50 employees

I used CodeSonar a few years back. Both tools have their advantages. In any static analysis tool, the first stage is the instrumentation of the source code. It'll try to capture the skeleton of your source code. So when I compare them based on the first phase alone, Coverity is far better than CodeSonar. 

They both use a similar technique, but CodeSonar uses up way more storage resources. For example, to scan a 1GB code base, CodeSonar generates more than 5GB of instrumented files for every 1GB of code base. In total, that is 6GB. Coverity generates 500MB extra on top of 1GB, so that equals 1.5GB all in. That's a huge difference. CodeStar would eat up my disc space and hardware resources when I used it, whereas Coverity is minimal. 

In terms of checkers, both CodeSonar and Coverity cover a good length and breadth, especially for C and C++ programming languages. But CodeSonar focuses only on four languages—C, C++, Java, and C#—only four programming languages, whereas Coverity supports more than 20-plus programming languages.

Also, the two are comparable with respect to their plugin offerings, but there are crucial differences. For example, CodeSonar only focuses on well-known integrations, like Jenkins and JIRA, but you cannot expect all customers to use the same tools. Coverity supports almost all CI/CD tools, including Jenkins and Bamboo. It also integrates with service providers like Azure DevOps Pipelines, AWS CodePipelines that CodeSonar hasn't added yet. The plugins are available in the marketplace, and you don't have to pay extra. You just have to download it from the marketplace, hook the plugin in your pipeline, and ready to use kind of approach. So these are some of the major use cases, three major use cases I would say when you compare apples to apples with CodeSonar and Coverity.

View full review »
Fortify Application Defender: Java
Director of Security at Merito

The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java. They need better support for applications written in Python or more advanced web service-type implementations. Better support for other architectures is critical.

Technical support needs to be improved.

It would be helpful to include agent deployment as part of the Azure DevOps marketplace. This would make it really easy for customers to get this plugin and install it within their application centers.

View full review »
Sonatype Nexus Lifecycle: Java
Software Architect at a tech vendor with 11-50 employees

We use the Nexus IQ Server. That is the only product that we use, though there are other affiliated products Sonatype offers which integrates with it. We use it to categorize and index all libraries used in our software. Every time that a new build is created in our CI server, Nexus IQ server will check exactly what libraries that we're using. It does this for our Java libraries, JavaScript, and other things that it finds. Then, it checks a number of things for each of those libraries. E.g., it checks the license that is being used in it. Sometimes with open source software, the license is a bit more restrictive than might be convenient for what you are doing. Maybe it doesn't allow you to make changes to the library. Or, it's free to use for nonprofits, but if you're using a product which does make a profit, then you might have to purchase a license. Therefore, it protects us from accidentally misusing open source software and is protection against legal issues.

A bigger, ongoing use case is security. Sonatype checks security vulnerabilities that come up for all these libraries. Oftentimes, as a developer, you add a library that you want to use, and then you might check for security issues. Sometimes a problem comes up after your product is already live. IQ Server checks all libraries that we're using for security issues, reporting these, and allowing us to go through and see them to determine, "Is this something that we can waive?" It might be a very specific use case which doesn't actually affect us or we might have to mitigate it. Also, if a vulnerability or security issue is found in libraries later, it will send out alerts and notifications if a library is being used in our production environment, letting us know there is an issue. This allows us to address it right away, then we can make the decision, "Do we want to do a hotfix to mitigate this? Or is it something that isn't an issue in our case because we're not using it in a way that exposes the vulnerability?" This gives us peace of mind that we will be notified when these types of things occur, so we can then respond to them. 

View full review »
DevOps Engineer at a tech vendor with 51-200 employees

We have many use cases. Our main use case is focused on Nexus Repository and a little bit on Nexus IQ, including Lifecycle. The basic use case is storing Maven, Java, JavaScript, and other kinds of artifacts. For some years now we have implemented more complex solutions to manage releases and staging. Since Nexus Repository introduced that feature for free and natively, we moved to the feature provided for managing release staging.

View full review »
Senior Architect at a insurance company with 1,001-5,000 employees

We use Nexus as a local repository of both JavaScript and Java components, and we're starting to look at Python. We also connected up to the Nexus Firewall, so that new components that are proxied are looked at to see if they have malicious components or if they are components without vulnerabilities. We're able to establish policies about whether we want to allow those or quarantine them. 

Our main use case for IQ Server is to scan software builds for components with existing vulnerabilities and malicious components. We're working to drive down our technical debt due to components with known issues, and it's been helpful. We're still expanding the program to different software languages. We started with Java and then extended the JavaScript. We want to extend to Python, but we're not quite there yet. We don't have too many Python users, so that's less of a priority.

View full review »
Software Engineer at a manufacturing company with 10,001+ employees

We use it for checking our open source libraries for Java and .NET. I think they also have Python and R that some of my colleagues are using. And on the other side, of course, we also have the proxy to only download the open source libraries for our internet software development that are free of vulnerabilities and security issues.

It's deployed on-prem. We have internal servers.

View full review »
Snyk: Java
Senior Director, Engineering at Zillow Group

There were some feature requests that we have sent their way in the context of specific needs on containers, like container support and scanning support. 

There are some more language-specific behaviors on their toolchains that we'd like to see some improvements on. The support is more established on some than others. There are some parts that could be fixed around the auto-fix and automitigation tool. They don't always work based on the language used.

I would like them to mature the tech. I am involved with Java and Gradle, and in this context, there are some opportunities to make the tools more robust.

The reporting could be more responsive when working with the tools. I would like to see reports sliced and diced into different dimensions. The reporting also doesn't always fully report.

Scanning on their site, to some extent, is less reliable than running a quick CLI.

View full review »
Information Security Officer at a tech services company with 51-200 employees

The dependency checks of the libraries are very valuable, but the licensing part is also very important because, with open source components, licensing can be all over the place. Our project is not an open source project, but we do use quite a lot of open source components and we want to make sure that we don't have surprises in there. That's something that we pay attention to.

The ease of use for developers is quite straightforward. They've got good documentation. It depends on the language that you use for development, but for what we have — Java, JavaScript, Python — it seems to be pretty straightforward.

It also has good integration with CI/CD pipelines. In the past we had it integrated with Concourse and now it's running on Jenkins, so it seems to be quite versatile.

View full review »
Security Software Engineer at a tech company with 10,001+ employees

We use it as a pretty wide ranging tool to scan vulnerabilities, from our Docker images to Ruby, JavaScript, iOS, Android, and eventually even Kubernetes. We use those findings with the various integrations to integrate with our teams' workflows to better remediate the discoveries from Snyk.

View full review »

Our enterprise success manager from Snyk has open discussions with us. We have been with Snyk at meetings and webinars with our engineers. Documentation for scanning on the developer side is clear and good. We don't have any concerns from our development team that it is difficult or unclear. Everything is good on this point.

It has poor support sometimes for the Scala language when running scans of the official Docker images from Snyk. Scala is a part of the Java framework. We need to customize it and built our own Snyk images. The platform provide the images, but the execution is too long.

Their customer success management is an eight out of 10, because every enterprise ticket should go to general support initially.

I would rate the first line of support as a six out of 10, but their technical site engineers who help us are an eight out of 10.

View full review »
VP of Engineering at a tech vendor with 11-50 employees

The core offering of reporting across multiple projects and being able to build that into our build-pipelines, so that we know very early on if we've got any issues with dependencies, is really useful.

We're loving some of the Kubernetes integration as well. That's really quite cool. It's still in the early days of our use of it, but it looks really exciting. In the Kubernetes world, it's very good at reporting on the areas around the configuration of your platform, rather than the things that you've pulled in. There's some good advice there that allows you to prioritize whether something is important or just worrying. That's very helpful.

In terms of actionable items, we've found that when you're taking a container that has been built from a standard operating system, it tends to be riddled with vulnerabilities. It's more akin to trying to persuade you to go for something simpler, whether that's a scratch or an Alpine container, which has less in it. It's more a nudge philosophy, rather than a specific, actionable item.

We have integrated Snyk into our software development environment. The way Snyk works is that, as you build the software in your pipelines, you can have a Snyk test run at that point, and it will tell you if there are newly-discovered vulnerabilities or if you've introduced vulnerabilities into your software. And you can have it block builds if you want it to. Our integrations were mostly a language-based decision. We have Snyk integrated with Python, JavaScript Node, and TouchScript code, among others, as well as Kubernetes. It's very powerful and gives us very good coverage on all of those languages. That's very positive indeed.

We've got 320-something projects — those are the different packages that use Snyk. It could generate 1,000 or 2,000 vulnerabilities, or possibly even more than that, most of which we can't do anything about, and most of which aren't in areas that are particularly sensitive to us. One of our focuses in using Snyk — and we've done this recently with some of the new services that they have offered — is to partition things. We have product code and we have support tools and test tools. By focusing on the product code as the most important, that allows us to scope down and look at the rest of the information less frequently, because it's less important, less vulnerable.

From a fixing-of-vulnerabilities perspective, often Snyk will recommend just upgrading a library version, and that's clearly very easy. Some of the patching tools are a little more complicated to use. We're a little bit more sensitive about letting SaaS tools poke around in our code base. We want a little bit more sensitivity there, but it works. It's really good to be able to focus our attention in the right way. That's the key thing.

Where something is fixable, it's really easy. The reduction in the amount of time it takes to fix something is in orders of magnitude. Where there isn't a patch already available, then it doesn't make a huge amount of difference because it's just alerting us to something. So where it wins, it's hugely dramatic. And where it doesn't allow us to take action easily, then to a certain extent, it's just telling you that there are "burglaries" in your area. What do you do then? Do you lock the windows or make sure the doors are locked? It doesn't make a huge difference there.

View full review »
CISO at a tech vendor with 51-200 employees

Snyk's ability to help developers find and fix vulnerabilities quickly is pretty good. From a one to 10, it is probably a six or seven. The reason is because they make it very clear how to take the steps, but it's not necessarily in front of the developers. For instance, my role here is security, so I go and look at it all the time to see what is happening. The developer is checking code, then their analysis runs in the pipeline and they have moved on. Therefore, the developers don't necessarily get real-time feedback and take action until someone else reviews it, like me, to know if there is a problem that they need to go address.

Snyk does a good job finding applications, but that is not in front of the developers. We are still spending time to make it a priority for them. So, it's not really saving time, e.g., the developers are catching something before it goes into Snyk's pipeline.

A criticism I would have of the product is it's very hierarchical. I would rate the container security feature as a seven or eight (out of 10). It lists projects. So, if you have a number of microservices in an enterprise, then you could have pages of findings. Developers will then spend zero time going through the pages of reports to figure out, "Is there something I need to fix?" While it may make sense to list all the projects and issues in these very long lists for completeness, Snyk could do a better job of bubbling up and grouping items, e.g., a higher level dashboard that draws attention to things that are new, the highest priority things, or things trending in the wrong direction. That would make it a lot easier. They don't quite have that yet in container security.

One area that I would love to see more coverage of is .NET. We primarily use JavaScript and TypeScript, and Snyk does a great job with those. One of the things that we are doing as a microservices developer is we want to be able to develop in any language that our developers want, which is a unique problem for a tool like this because they specialize. As we grow, we see interest in Python, and while Snyk has some Python coverage that is pretty good, it is not as mature. For other languages, while it's present, it is also not very mature yet. This is an area for improvement because there was a very straightforward way that they integrated everything for Node.js. However, as other languages like Rust and .NET gain popularity, we may just have one very critical service in 200 that uses something else, and I would like to see this same level of attestation across them.

View full review »
Contrast Security Assess: Java
Director of Innovation at a tech services company with 1-10 employees

The effectiveness of the solution’s automation via its instrumentation methodology is good, although it still has a lot of room for growth. The documentation, for example, is not quite up to snuff. There are still a lot of plugins and integrations that are coming out from Contrast to help it along the way. It's really geared more for smaller companies, whereas I'm contracting for a very large organization. Any application's ability to be turnkey is probably the one thing that will set it apart, and Contrast isn't quite to the point where it's turnkey.

Also, Contrast's ability to support upgrades on the actual agents that get deployed is limited. Our environment is pretty much entirely Java. There are no updates associated with that. You have to actually download a new version of the .jar file and push that out to the servers where your app is hosted. That can be quite cumbersome from a change-management perspective.

View full review »
Senior Security Architect at a tech services company with 5,001-10,000 employees

Contrast Security Assess covers a wide range of applications like .NET Framework, Java, PSP, Node.js, etc. But there are some like Ubuntu and the .NET Core which are not covered. They have it in their roadmap to have these agents. If they have that, we will have complete coverage. 

Let's say you have .NET Core in an Ubuntu setup. You probably don't have an agent that you could install, at all. If Contrast gets those built up, and provides wide coverage, that will make it a masterpiece. So they should explore more of technologies that they don't support. It should also include some of the newer ones and future technologies. For example, Google is coming up with its own OS. If they can support agent-based or sensor-based technology there, that would really help a lot.

View full review »
Manager at a consultancy with 10,001+ employees

Regarding the solution's OSS feature, the one drawback that we do have is that it does not have client-side support. We'll be missing identification of libraries like jQuery or JavaScript, and such, that are client-side.

The same thing is true on the custom code side: the client-side technology support. Although client-side technologies are inherently less risky than server-side technologies, which is where Contrast focuses testing, it would definitely help for this tool to identify both the server-side and client-side findings in libraries, as well as custom code. This would help us move away from using multiple tools. For example, if we have Contrast for our server-side testing, we still need to use some sort of static scanning sensor for the client-side. In a perfect world, it would just be Contrast Assess doing both of those.

View full review »
Senior Customer Success Manager at a tech company with 201-500 employees

A good use case is a development team with an established DevOps process. The Assess product natively integrates into developer workflows to deliver immediate results. Highly accurate vulnerability findings are available at the same time as functional /regression testing results. There is no wait for time-consuming static scans.

Assess works with several languages, including Java and .NET, which are common in enterprise environments, as well as Node.JS, Ruby and Python. 

View full review »