GoCD vs. Vulcan Cyber (discontinued)

Previously, our team used Jenkins. However, since it's a shared deployment resource we don't have admin access. We tried GoCD as it's open source and we really like. We set up our deployment pipeline to run whenever codes are merged to master, run the unit test and revert back if it doesn't pass. Once it's deployed to the staging environment, we can simply do 1-click to deploy the appropriate version to production. We use this to deploy to an on-prem server and also AWS. Some deployment pipelines use custom Powershell script for.Net application, some others use Bash script to execute the docker push and cloud formation template to build elastic beanstalk.

Incentivized

It's really challenging at times to contend with multiple vulnerabilities on a daily basis, and having a way to make sense of what actually needs to be prioritized and what can be shifted further down the task list is extremely helpful. Because the solution suggests what your next step should be in mitigating a specific vulnerability, it helps us save time and research by enabling us to immediately take action after being informed about an issue.

Incentivized

• Pipeline-as-Code works really well. All our pipelines are defined in yml files, which are checked into SCM.
• The ability to link multiple pipelines together is really cool. Later pipelines can declare a dependency to pick up the build artifacts of earlier ones.
• Agents definition is really great. We can define multiple different kinds of environments to best suit our diverse build systems.

Incentivized

• Identifies vulnerabilities and they are easily understood.
• Easy to identify remedies in an instant.
• Campaign feature is a true time saver
• Our CSM, Nino, is the best I have ever worked with!

Incentivized

• UI can be improved
• Location for settings can be re-arranged
• API for setting up pipeline

Incentivized

• Deduping of assets could be better.
• The weighting of vulnerabilities is hard to describe to non technical executives.
• The Business Groups and Tagging needs improvement. Or at least allow tags to be removed if not needed. Now they are static from the API feed.

Incentivized

GoCD is easier to setup, but harder to customize at runtime. There's no way to trigger a pipeline with custom parameters.

Jenkins is more flexible at runtime. You can define multiple user-provided parameters so when user needs to trigger a build, there's a form for him/her to input the parameters.

Incentivized

I wasn't here at the time when the company compared different vulnerability management platforms so I'm not sure on the reasoning and difference between the 2. It could be that the team went through different choices and found Vulcan to be the best fit. It's hard for me to say why Vulcan was specifically chosen

Incentivized

• ROI has been good since it's open source
• Settings.xml need to be backed up periodically. It contains all the settings for your pipelines! We accidentally deleted before and we have to restore and re-create several missing pipelines
• More straight forward use of API and allows filtering e.g., pull all pipelines triggered after this date

Incentivized

• Allows much better prioritizing of which assets are most vulnerable
• Allow a better understanding of what assets are actually under real threat vs. what is assumed to be vulnerable, but the real world fact is the system would be hard to reach internally, so it's not as vulnerable.

Incentivized