Users weigh in on favorite features, room for improvement

Application security is arguably the biggest cyber threat, responsible for 90 percent of security incidents, according to the Department of Homeland Security. Yet it suffers from not-my-job syndrome, or, as SANS put it in its 2015 State of Application Security report, "Many information security engineers don't understand software development, and most software developers don't understand security."

Stepping into that gap are application security testing tools. Scads of them, in fact. (Gartner's 2015 Magic Quadrant for application security testing showed a handful of leaders, followed by a pack of challengers and niche players.)

For this profile, we chose the top 5 vendors and tools as measured by the number of product reviews, ratings, and comparisons from the IT Central Station community.

Ready to find out what enterprise users really think about HP Fortify on Demand, QualysGuard Web Application Scanning, Checkmarx, WhiteHat Sentinel, and SonarQube? Buckle up. Here, in their own words, is what users say are the standout features (and greatest shortcomings) of each of these products.

HP Fortify on Demand

Valuable Features:

It's on-demand and cloud-based, which is well suited to occasional and price-conscious use. Fast turn-around allows for easy integration into the development process without any major impact on development efforts.
– Thomas B., Solution Security Architect at a healthcare company with 1000+ employees

I've used Fortify since 2007, and I think the most valuable feature is its ability to address the source code scanning and dynamic scanning in a known, correlated way. I think the best way to address application security is to have multiple types of scanning and a unified view for the customer.
– SnrManager055, Senior Manager at a consultancy with 1000+ employees

I don't know of any other On-Demand enterprise solution like this one where we can load the details and, within a few days, receive the results of intrusion attacks, and work with HP Security Experts when needed for clarification.
– Jason L., Executive Director at a tech consulting company with 1-100 employees

Room for Improvement:

It needs to support more languages.
– Thomas B.

It could use better integration with the incident management processor. This would allow us to understand the vulnerabilities that arise in the software and how they're linked to the incident management center.
– SnrManager055

I would like it to be easier to understand, and have better packaged reporting capabilities. For most of the reporting I needed, I exported to Excel and then had to produce more visually accepted reports for Executive Clients. With Rapid7 I utilized its reporting capabilities to deliver Client Reports within just a few minutes of checking the data. I believe that HP's FoD Clients could sell more services to clients if HP put more effort into delivering visually pleasing reporting capabilities.
– Jason L.

Read more user reviews of HP Fortify on Demand on IT Central Station.

QualysGuard Web Application Scanning

Valuable Features:

Web Application Security (WAS) and being able to integrate Selenium IDE to automate the login process was most helpful.
– Aniruddha M., Security Analyst at a tech services company with 1000+ employees

OWASP Top 10 scanning
PCI-ASV scanning
– InfoSecMgr112, Information Security Manager at a comms service provider with 1000+ employees

Room for Improvement:

Enhancing the capability to find XSS.
– Aniruddha M.

It's missing some zero-day patches.
– InfoSecConsultant103, Info-Security Consultant at a financial services firm with 1000+ employees

Read more user reviews of QualysGuard Web Application Scanning on IT Central Station.

Checkmarx

Valuable Features:

It provides a graphical view of any vulnerabilities.
– Consultant397, Cyber-Ark Consultant at a tech services company with 1-100 employees

It provides us with code analysis.
– FullStackDev096, Full Stack Developer at a tech services company with 1-100 employees

Room for Improvement:

It could be improved with more reporting of false positives and the understanding of file references.
– Consultant397

It needs better role management.
– Nadav A., Co-Founder, CTO at a tech services company with 1-100 employees

Read more user reviews of Checkmarx on IT Central Station.

WhiteHat Sentinel

Valuable Features:

The continuous online scanning capabilities and reporting features. The SaaS product features accessible from a browser make managing our online systems easy. The ability to review security items quickly, along with being able to retest vulnerabilities on our schedule, makes the Sentinel product an invaluable tool for our company's product security requirements.
– EVPOps412, Executive Vice President, Operations at a software R&D company with 1-100 employees

Room for Improvement:

I would like to see more research and code examples for the vulnerabilities identified to better assist us with our remediation process.
– EVPOps412

Read more user reviews of WhiteHat Sentinel on IT Central Station.

SonarQube

Valuable Features:

Moving to a largely evidence-based assessment is hugely beneficial, especially if you are managing out-sourced resources. It provides a clear definition of what acceptable quality actually means, and supports the decision of when you can stop, as well as what is not, as there are no arguments based on an opinion. That said, metrics only take you so far; you still need smart people who can interpret and see beyond the base facts provided.

The ability to integrate analysis of software engineering metrics directly into the Development Lifecycle (DLC) in much the same way as any other practice such as Unit Testing. Specifically, developers run SonarQube analysis frequently and don't commit changes to SCM when build breaker issues remain.

Early warning via the CI build pipeline, and especially setting up 'Build Breakers' based on a team- or code-base-specific quality gate: a set of rules/thresholds that determine the most important measures for a particular code base.

Targeted improvement allows a team to identify specific areas of threat (e.g. TD) and then set purposeful goals to improve in those areas (rather than trying to improve everything).

The SonarQube community is very active, which often means that finding solutions is a blog post away from other like-minded organizations. Community plugins are a staple for this product and have tremendous breadth and depth.
– Fraser G., Technical Authority Digital at an insurance company with 1000+ employees

Quick access to issues in the code
The ability to define your own analysis profiles
Easy integration with Jenkins
– JavaDev595, Java Developer at a tech consulting company with 1-100 employees

Its dashboards, quality profile, quality gates and CI integration features (like the build breaker plugin) are the most valuable features for me. Personally, I have used SonarQube for educational purposes. SonarQube is helpful for giving motivation to a small development team (10 members or a little above) on code quality improvements with small efforts.
– SoftwareEng526, Software Engineer, Agile/Lean Evangelist, Scrum Master at a tech services company with 1-100 employees

Room for Improvement:

More granular security
Simpler integration with JIRA
It would be nice for a dashboard server to be able to address more than one database (this limitation tends to encourage either lots of small (team/project) servers or one uber server if you want to report across projects).
– Fraser G.

I'd like to see more API documentation, including, but not limited to, more extensive documentation of provided examples.
– JavaDev595

The only thing I don't like is that they removed the design libraries and dependencies-checking features from v5.2. I hope they reintroduce these features in the future.
– SoftwareEng526

Read more user reviews of SonarQube on IT Central Station.

* These reviews of select application security products come from the IT Central Station community. They are the opinions of the users and are based on their own experiences.
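The build-breaker practice the SonarQube reviewers describe (analysis run inside the CI pipeline, with a quality gate deciding whether the build passes) looks like this in a declarative Jenkinsfile. This is an added example, not from the article or any reviewer; it uses the SonarQube Scanner for Jenkins plugin steps, and the server name 'sonar-prod', the Maven build and the project key 'payments-api' are assumptions. The gate's own thresholds (for instance, zero new vulnerabilities) are defined on the SonarQube server, not here.

```groovy
// Added example: Jenkins pipeline that runs SonarQube analysis and fails the
// build when the project's quality gate is not met. 'sonar-prod' and
// 'payments-api' are assumed names; replace them with your own.
pipeline {
    agent any
    stages {
        stage('Build and test') {
            steps {
                // Build and run unit tests first so coverage and test results
                // are available to the analysis that follows.
                sh 'mvn -B clean verify'
            }
        }
        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and token configured
                // under Manage Jenkins for the named SonarQube installation.
                withSonarQubeEnv('sonar-prod') {
                    sh 'mvn -B sonar:sonar -Dsonar.projectKey=payments-api'
                }
            }
        }
        stage('Quality gate') {
            steps {
                // Wait for the server-side analysis task to finish and read the
                // quality gate status; abort the pipeline on anything but OK.
                // The timeout stops the build hanging if the result never arrives.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

waitForQualityGate is notified by a webhook configured on the SonarQube server that points back at Jenkins; without that webhook the stage waits until the timeout expires.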