5 out of 5.0, Reviewed Nov 30, 2016
The original onboarding process was handled very efficiently by WhiteHat and they explained in an appropriate level of detail how the service worked and how to use the portal. The service has been effective in identifying areas within our application where we have had issues we needed to address. Support has been good and on-boarding of subsequent extensions to our original scope has been handled well.
The tool is very powerful and may well provide a fair amount of insight into your application - you then need to make sure you are in a position to actually address the issues uncovered. This is the harder part in my experience.
It does exactly what I expected it to.
Can't think of anything.
Can't think of anything.
The findings produced by the service are only useful if acted on so I would ensure responsibilities around its use within my team were formalised from the start.
5 out of 5.0, Reviewed Nov 29, 2016
WhiteHat has been a good partner. They have always put resources when needed at our disposal, and continue to remain engaged in our code security efforts. Their static analysis tool has come very far from when I first reviewed it, and I consider it to be on par with other SaaS based static tools (to be fair, the very best results come from a fully tuned, on-premises tool). They do tend to push for more enhanced scanning levels, which of course comes with a cost increase, but they do not question a decision once made, and fully support the process. The technical resources they have put forth are always on point. They're good at what they do, or at a minimum, very well prepared. Integration is easy as they have a pretty well-featured API. We are able to automatically dump vulnerabilities to our tool of choice, which is important as we work in a very contractor-centric environment (on the development side). On the sales/renewal side, they work well with our processes, always putting needed resources at our disposal. We always work together at that time to ensure that our renewal is correctly sized to cover our existing needs and cover us for the future. We don't have much "waste" (unneeded scans) with our purchase, and much of this is due to the hard work WhiteHat puts into it along with our teams. I would like to collect better metrics. Their built-in reports are good, but I'd like to be able to dump everything into a single file and manipulate it myself which is sometimes cumbersome.
Check out their partners and integrations. WhiteHat's mobile offering is, in my opinion, not ideal, but what's great is that they recognize their weaknesses and solve with strategic partners.
More use of the API. Automation makes this much easier - particularly when you're trying to match code to a contractor on a real-time basis.
5 out of 5.0, Reviewed Nov 29, 2016
We have implemented a Web Application Vulnerability Management Program around the service WhiteHat provides. The program's scope is our Internet-facing, production web applications. WhiteHat's SaaS allows us to run continuous DAST assessments against hundreds of applications utilizing a single FTE. They provide a good service that scales extremely well. Their support organization is friendly and easy to work with. WhiteHat's API allows us to bring their vulnerability data into our aggregation tool, merge it with asset inventory data, and feed it into our downstream vulnerability management processes.
Finding security vulnerabilities is easy. Remediating them is hard, but is where you actually reduce the risk. Ensure you have cooperation from application owners and developers prior to engaging this type of service.
WhiteHat does their core competency well, and allows us to scale our assessments quickly and easily.
False positives/negatives in the vulnerability data. Initially, they advertised their service as false-positive free. As we scale, it becomes more and more important that their vulnerability analysis be accurate. Their false positive rate is low, but not zero.
WhiteHat could expand their service to offer asset discovery. They have a manual process they use when signing up a new client, but it falls apart trying to use it on an ongoing basis. Our application portfolio is dynamic, and we had to purchase a service through another company to make sure inventory didn't slip through the cracks.
We would spend more analysis time up front sizing the amount of licenses required, or try to enter into more of a pay-as-you-go contract. We oversized our need, and have ended up overpaying for our actual use. The vendor has been more difficult to work with around right-sizing in contract renewals than expected.
4 out of 5.0, Reviewed Nov 21, 2016
Ease of implementation and use. Solid dashboard reporting.
Ask for other customer references/testimonials, and look at Gartner trends.
Ability to turn on/off new applications.
A bit pricey.
Improvements to dashboard would be beneficial.
5 out of 5.0, Reviewed Nov 21, 2016
WhiteHat has proven to be committed to their customers' success. Their management team strives to ensure customer satisfaction, their on-boarding team is efficient and very helpful, and their Threat Research Center (TRC) is excellent in explaining scanning results/issues. They are helpful in ensuring that customers get the most benefit from their service.
When developing a SAST/DAST capability, you need to incorporate more than one product to ensure you are providing adequate depth and breadth of capabilities.
The fact they have a dedicated part of the organization that reviews and verifies results to minimize/eliminate false positives; and they are very knowledgeable (and responsive) with their answers to technical questions.
Since we renewed the service, I think it is safe to say we believe the service is a helpful addition to our AppSec program.
Although it is good, the interface needs a little more refining to adequately convey results/process of scans.
Identify and prioritize the scanning requirements, and ensure there is a clear understanding between your company and the vendor. Fortunately, WhiteHat is committed to being a partner in the application security process.
4 out of 5.0, Reviewed Nov 14, 2016
On-boarding team was strong and driven for us to succeed. Willing to help us learn while managing the implementation. Startup/entry was easy and straightforward and we were "up and running" with starting reports in just a few days.
Do your own risk analysis in addition to any single vendor. Don't implicitly trust any single vendor. Make sure they are really testing everything.
I have come to trust their testing services and I feel confident in the test results. We have found Whitehat to be one of the best at in-depth JavaScript-heavy page analysis. Compared to some of the competitors we evaluated, their "continuous scanning" technology set them apart from weekly or monthly scans.
Occasionally, Whitehat did not find vulnerabilities that other products found (but conversely, Whitehat found vulnerabilities that others missed). I don't fully trust any one vendor (similar to anti-virus today, one AV solution does not mean you will not get a virus).
Right at the beginning, we started receiving reports, but only after going through them did we find that several findings were missing and pages were not being scanned. We had to bring it to their attention that some were missed and then they fixed it, but I would have liked for them to tell us. One other item: the Executive Summary report is too detailed for my management. An exec report should be exec level and not include IPs and other details they don't care about. Handing my execs a 10+ page document with descriptions and details only ensured they did not fully read it.
Buy training hours and entry training prior to implementation. We received findings/reports of findings right after implementation, but understanding what to do with the findings was overwhelming to start. The learning curve was quick and they were there to help support us through ramp up. They were supporting from the beginning.
Integration is critical in our overall security posture. API integration with other ticketing vendors and solutions is limited.
5 out of 5.0, Reviewed Nov 14, 2016
WhiteHat always go above and beyond our expectations.
Make sure you use WhiteHat's expert advice.
The personal contact between application testers and our internal web dev team.
Price is a little high.
Can't think of anything.
4 out of 5.0, Reviewed Nov 11, 2016
WhiteHat does an amazing job once engaged. We found the testing criteria and the quality of the test on par with our high expectations for this company. The reporting and the customer outreach were very good. We were pleased with the overall result. There was some miscommunication and delay during early implementation. However, our account representatives were able to correct this in a reasonable amount of time.
Ensure that you manage your testing projects actively. The Whitehat team is dedicated and hard working, but unless there is a strong plan in place there is a chance for miscommunication.
Portability and Utility
We would have spent more time understanding the testing team initially assigned to our account.
5 out of 5.0, Reviewed Nov 10, 2016
Whitehat provides a state-of-the-art SaaS offering that facilitates our web application security and compliance strategy. It integrates with source code version control systems like SVN and Git. Moreover, it allows for integration with JIRA, which further simplifies vulnerability management and tracking. We compared this product against Veracode, HP WebInspect and IBM AppScan, and Whitehat performed better against the competition for every single metric of ours. Implementation was smooth and we were up and running in less than a week. The Whitehat support team responds quickly to any support tickets and/or issues and works diligently to resolve them. A definite recommendation for both Dynamic and Static Scans.
Start with the SaaS approach: easy to set up, and you're up and running.
Easy to set up and use.
5 out of 5.0, Reviewed Nov 7, 2016
Overall experience has been good. Tool works well as described. Customer service is attentive and helpful.
Zero false positives, and their engineers can back that up explaining why.
Involve our own internal "customers" earlier in the process. Allow them to build relationships with WhiteHat of their own.