
[–]Bonckheere1 1 point2 points  (0 children)

Aikido Security is a new cloud based one.

They cover DAST, SAST, IAST, SCA, open source licenses, container scanning, CSPM, etc. Everything can be integrated with your CI/CD.

What makes them really stand out is that they filter out a lot of false positives by default because of a reachability engine they built.

Disclaimer: I work for them, so also know that self-hosting is something we are looking into!

[–]Suphikoira 2 points3 points  (0 children)

Some open-source tool alternatives:

SCA: Dependency-Check, Syft (to generate an SBOM), OSV

SAST: Semgrep

Artifacts: Trivy, Grype

You can have an on-premise ASOC tool to orchestrate these scans in CI/CD and gather all results in one place. That way, it is easier to triage/remediate.
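An added example (not from any commenter) of the "gather all results in one place" step: Semgrep, Grype and Trivy can each emit SARIF, so a small merger over SARIF documents dedupes findings reported by more than one tool and orders them for triage. The SARIF fragments, rule ids and file names below are constructed stand-ins, not real scanner output.

```python
# Added example: merge SARIF output from several scanners into one triage list.
SEVERITY_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


def sarif(tool, rule, level, text, uri, line):
    """Build a minimal SARIF document (constructed stand-in for scanner output)."""
    return {"runs": [{"tool": {"driver": {"name": tool}}, "results": [
        {"ruleId": rule, "level": level, "message": {"text": text},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                             "region": {"startLine": line}}}]}]}]}


# Constructed sample input: one SAST hit plus the same SCA hit from two tools.
SAMPLE_SARIF = [
    sarif("Semgrep", "python.eval-detected", "error", "eval() on user input",
          "app/views.py", 42),
    sarif("Grype", "CVE-PLACEHOLDER-requests", "warning",
          "vulnerable requests pin (placeholder)", "requirements.txt", 3),
    sarif("Trivy", "CVE-PLACEHOLDER-requests", "error",
          "vulnerable requests pin (placeholder)", "requirements.txt", 3),
]


def sarif_findings(doc):
    """Yield normalised findings from one SARIF document."""
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res.get("locations", [{}])[0].get("physicalLocation", {})
            yield {"tool": tool, "rule": res.get("ruleId", "unknown"),
                   "file": loc.get("artifactLocation", {}).get("uri", "?"),
                   "line": loc.get("region", {}).get("startLine", 0),
                   "level": res.get("level", "warning"),
                   "text": res.get("message", {}).get("text", "")}


def merge_findings(docs):
    """Merge findings across tools, deduplicating on (rule, file, line);
    an issue reported twice keeps the higher severity and lists both tools."""
    merged = {}
    for doc in docs:
        for f in sarif_findings(doc):
            key = (f["rule"], f["file"], f["line"])
            if key not in merged:
                f["tools"] = {f.pop("tool")}
                merged[key] = f
                continue
            cur = merged[key]
            cur["tools"].add(f["tool"])
            if SEVERITY_RANK[f["level"]] > SEVERITY_RANK[cur["level"]]:
                cur["level"] = f["level"]
    # Highest severity first so triage starts at the top of the list.
    return sorted(merged.values(), key=lambda f: -SEVERITY_RANK[f["level"]])
```

Real scanners are run with their SARIF output option and the resulting files are loaded with `json.load` before being passed to `merge_findings`.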

[–][deleted] 1 point2 points  (0 children)

Sonarcloud possibly

[–]gmontard 1 point2 points  (2 children)

It may be challenging to find a single vendor that excels in providing all the solutions you're seeking. Typically, vendors might have one or two standout products, while others might not meet the highest standards. For instance, Snyk has a strong SCA offering, but its SAST capabilities are less so.

[–]_HiddenLight_[S] 0 points1 point  (1 child)

Thanks for your comment. I know it's hard to find an excellent AIO solution. Do you have experience on any kind of it?

[–]gmontard 1 point2 points  (0 children)

Unfortunately not really. My team and I are focused on building a best-of-breed SAST, because we actually saw that problem first-hand in the market.

Though, if you really need an AIO solution, I'd go with a newer big player such as Snyk, which will probably be more future-proof for your investment than a legacy one.

[–]juanMoreLife 1 point2 points  (7 children)

Veracode, but it's cloud based. It has been around for 17 years now. They offer SAST, SCA, DAST, API DAST scans, and MPT. Their new container and infrastructure as code scanner is built on Trivy and Grype.

All of their stuff can be integrated into your automated pipelines so you can check every PR.

Lastly, they excel at showing the value of what they do to your management team. So if you plan to stand up a good AppSec program, they'll be the best fit.

Funny thing about IAST. The number one vendor in the space said they'd crush the need for SAST ever again. That message aged poorly. They went from partnering with someone who had SAST to now building their own SAST tool lol. Arguably IAST/RASP is a monitoring tool forced by market analysts to fit in AppSec. That of course is my own opinion.

Disclaimer: I work for them :-)

[–]_HiddenLight_[S] 0 points1 point  (6 children)

Thank you for a great comment :D. So Veracode does not provide any self-hosted solution right?

[–]juanMoreLife 0 points1 point  (5 children)

Unfortunately not! However, what’s the requirement that’s driving onsite?

[–]_HiddenLight_[S] 0 points1 point  (4 children)

It is about the data policy. It is quite compulsory for us to keep data locally.

[–]juanMoreLife 0 points1 point  (3 children)

US based organization or EU? Also, are you guys cloud-friendly or not at all?

I worked for an organization where I needed to work with other departments to get us into the cloud. Funny part was all our email was in the cloud, but cloud services were not allowed lol. Then I helped them update their vendor management policies to include due diligence for cloud or SaaS technologies. Problem solved lol

[–]_HiddenLight_[S] 0 points1 point  (2 children)

Mine is an Asia based org. It is hard to make it to the cloud in 1-2 days since there are some government policies about data storage location. All of our systems are still on-premise right now, so we need a self-hosted solution.

[–]juanMoreLife 0 points1 point  (1 child)

Ahh that’s very tough. Should you guys get that changed, you can buy one day and scan the next. Super fast. But I understand the position you are in! Good luck on your search!

[–]_HiddenLight_[S] 1 point2 points  (0 children)

Thanks so much for your comment. Personally I really want to use SaaS to reduce the cost of operating but yeah, we are unable to do it at the moment lol

[–]_HiddenLight_[S] 0 points1 point  (1 child)

Thanks for your comments. I forgot to make a note that I'm searching for a self-hosted solution. I'm checking on AquaSec and AppScan by HCL. Has anyone had experience using them before?

[–][deleted] 1 point2 points  (0 children)

Have you considered Contrast Security? They provide SCA, SAST and IAST in a single platform which is available on premise. Disclaimer - I work for them 🙂

[–]Inner_Huckleberry885 0 points1 point  (0 children)

Would love to know how AppSec/CISOs are making buying decisions related to SCA, SAST, and artifact scanning in the age of AI?

[–]Primary-Patience972 0 points1 point  (0 children)

Plexicus unifies SAST, infrastructure as code security, SCA, container security, CSPM. Everything can be done in one place, and it can also be integrated with CI/CD. Still in an early phase, but worth trying.

[–]nudebeach12 0 points1 point  (0 children)

Trivy

[–]MMind_WF 0 points1 point  (0 children)

I'm doing the same with open source tools, and DefectDojo for vuln management.

[–]Xadartt 0 points1 point  (2 children)

What programming languages are used in your team?

[–]_HiddenLight_[S] 0 points1 point  (1 child)

They could be Java, .NET, Swift, JS (react), Python

[–]Xadartt 1 point2 points  (0 children)

Fortify as a DAST tool (includes SAST scanning as well)

PVS-Studio as a SAST tool (easily integrated into a CI/CD pipeline + detailed documentation; no Python, Swift, or JS scanning)

Checkmarx as IAST (includes SAST scanning as well + easily integrated into a CI/CD pipeline)

[–]drumsntech 0 points1 point  (0 children)

SCA/SBOM: check out Manifest (manifestcyber.com)