Aqua Cloud Native Security Platform vs. Azure DevOps vs. Sonatype Platform

Excellent tool for identifying Cloud security issues such as vulnerabilities or misconfigurations. The complaince scanning ability is perfect for enterprise organization to maintain complaince based off various complaince programs.

Incentivized

Azure DevOps works well when you’ve got larger delivery efforts with multiple teams and a lot of moving parts, and you need one place to plan work, track it properly, and see how everything links together. It’s especially useful when delivery and development are closely tied and you want backlog items, code and releases connected rather than spread across tools. Where it’s less of a fit is for small teams or simple pieces of work, as it can feel like more setup and process than you really need, and non-technical users often struggle with the interface. It also isn’t great if you want instant, easy programme-level views or a very visual planning experience without putting time into configuration.

Incentivized

- Guidance on remediation is very good - Vulnerability detection is very good - Support is very good - Ability to ask PMs/POs open questions at Office Hours every month is very good - Support for languages is lacking (TIOBE Index Top20) - Some features are un-neededly hidden and make the usage more complex then it needs to be

• seamless integration with GitHub, Jfrog, etc
• Easy configuration of security policy
• detailed instructions regarding finding of Vulnerabilities

Incentivized

• Utilize Git as a repository to share work between multiple users
• Ability to configure Pipelines to build containers to run virtual deployments and testing scripts.
• Split individual tasks and relate to master documents for quick navigation and ability to see overall picture of project.
• Track status of each task
• Integrate with Git to utilize branches, merging, approvals, history, etc.

Incentivized

• Nexus firewall is a great feature enabled for all our proxy repositories which are used to download the third-party opensource packages.
• Nexus IQ is integrated with build stage to analyze the component against evaluation policy. This helps to figure out the application security standards.
• Nexus IQ is also having a feature to scan container images before it uploads to our private repository. This is great feature for container platforms.

• The UI/UX of the Aqua platform has several issues, especially with the sign up/in flow, authentication, alerts and display of results
• Missing a few prominent notification channels for alerts such as Datadog, Webhooks
• Lacks complete granularity in RBAC with the ability to set permissions based on the cloud
• Some parts of the cocumentation for connecting an Oracle Cloud account is not up to update or clear

Incentivized

• I did mention it has good visibility in terms of linking, but sometimes items do get lost, so if there was a better way to manage that, that would be great.
• The wiki is not the prettiest thing to look at, so it could have refinements there.
• It could improve the search slightly better.

• Support on the end of life lifecycle of known open source components that are going end of life, or already went end of life
• Support for emerging infrastructure as code frameworks
• Support for native/ default retention, archiving and clean up policies for hosted repositories

I don't think our organization will stray from using VSTS/TFS as we are now looking to upgrade to the 2012 version. Since our business is software development and we want to meet the requirements of CMMI to deliver consistent and high quality software, this SDLC management tool is here to stay. In addition, our company uses a lot of Microsoft products, such as Office 365, Asp.net, etc, and since VSTS/TFS has proved itself invaluable to our own processes and is within the Microsoft family of products, we will continue to use VSTS/TFS for a long, long time.

Incentivized

Sonatype supports more than 200 dev(s). It proves with the repository to store the artifacts. Allows for governance of open source software used by the different teams. It is used by security teams to scan for vulnerabilities in software(s) and in the deployed containers. It helps ensure code quality.

Incentivized

The UI and UX of the platform requires some work since the platform is not for all screen sizes and the experience with certain features such as authentication and creating alerts is not great. The session times out while performing an action and having to repeat the entire action once again, which is not a great experience. Adding notification channels while creating the alerts is not seamless. But the platform has good UX with some great documentation for integrations along with the ability to customise dashboards.

Incentivized

It's a great help to get more information about new feature release and stay updated on what the dev team is working on. I like how easy it is to just login and read through the work items. Each work item has basic details: Title, Description, Assigned to, State, Area (what it belongs to), and iteration (when it’s worked on). See image above.They move through different states (New → Discovery → Ready for Prod → etc.).

Incentivized

Overall experience is great with the Platform; however, I see some opportunity with upgrading the platform as it is missing with data of historical scans to allow reviewer to get view of trend how the application/product development team is considering fixing the issues.

Incentivized

Extremely good

Sonatype products are great value as I said but a few areas like how products use underlying resources in order to make it further lightweight, is something I would like them to consider.

When we've had issues, both Microsoft support and the user community have been very responsive. DevOps has an active developer community and frankly, you can find most of your questions already asked and answered there. Microsoft also does a better job than most software vendors I've worked with creating detailed and frequently updated documentation.

Incentivized

Monthly touchpoints with Sinisa has been very valuable.

Incentivized

Was not part of the process.

Incentivized

easy to implement and performing the scans via automations as well

Incentivized

Aqua Cloud Native Security Platform is easy to implement and manage compare the Dome9.

Incentivized

Microsoft Planner is used by project managers and IT service managers across our organization for task tracking and running their team meetings. Azure DevOps works better than Planner for software development teams but might possibly be too complex for non-software teams or more business-focused projects. We also use ServiceNow for IT service management and this tool provides better analysis and tracking of IT incidents, as Azure DevOps is more suited to development and project work for dev teams.

Incentivized

Out of other products we evaluated before choosing Sonatype, the later looked far more user friendly, easy to understand and work with. This was key for us, as the tool needs to be used by many engineers that don't have security as their main focus. Having a tool that is easy to understand and work with, makes the process of evaluating open source dependencies much easier and appealing for developers.

Incentivized

Great value for money

Everything is very good except a little concern regarding large scale docker usage.

Very good

• ROI is high with our Aqua project.

Incentivized

• We have saved a ton of time not calculating metrics by hand.
• We no longer spend time writing out cards during planning, it goes straight to the board.
• We no longer track separate documents to track overall department goals. We were able to create customized icons at the department level that lets us track each team's progress against our dept goals.

Incentivized

• Sonatype's centralized management of artifacts have made it very easy for developers to share code in an efficient manner.
• Sonatype's low false positive rate has made it easier to convince developers to remediate vulnerabilities
• Sonatype's archaic architecture has made it more expensive to manage than it could be.