Apiiro Application Security Posture Management (ASPM) Platform

My only use case is the reporting, which is correct. My role is limited because this is an additional role that I do on top of my day job, so it is only limited to pulling out reports and working with the respective engineering or support teams.

The positive impact I have seen from working with Apiiro for my company includes the metrics that we get from Apiiro, which have been extremely helpful. I get the overall report which captures the closed risks, open risks, and how the Mean Time To Remediate (MTTR) is doing. It definitely tells a lot about how the particular portfolio is doing, so we know who the best actors are and who the bad actors are. We try to call out these bad actors who are struggling, and we are clear about which portfolios need help, while we try to celebrate the top ones.

The metrics look great, but I would love to explore more on Apiiro and see how we can improve our vulnerability management piece, where we want to help our portfolios improve, remediate, and bring down all critical vulnerabilities to zero. That's the ambition.

The features and capabilities of Apiiro that I have found the most valuable so far are its reporting capabilities, which basically tell me how these applications are doing in terms of each month. I can see January, February, March, how these are performing, giving me a view on their consistency and any early measures I need to take to help these projects or portfolios. I can decide on constant offenders, those which are consistently not performing well, and I can reach out to them.

It tells me the risks when they were reported and how old they have been, and also tells me the due date by when these need to be remediated. Since I cannot go through each vulnerability or risk one by one, I can just do a filter in Excel and understand which ones have breached, making it clear to me which ones I need to chase. It also collects information from various sources such as Wiz, SonarQube, SonarLint, and Dependabot, so it gives us a holistic view of how these applications are performing.

My first feedback for Apiiro is that it is very slow, extremely slow. The moment I select from the entire list of repositories in my vertical, which is almost more than 400 repositories, it takes a lot of time for me to load the report. Sometimes it fails. I do not have Role-Based Access Control (RBAC). It's only given to the application security team, and Apiiro as a vendor does not have the rollback access control enabled for the clients, so that would have given me access to the reports tab, which would have made my life easier. Currently, I have to go to the risks tab to pull out all this information.

I started exploring dashboards with Copilot. I need to reach out to the Apiiro teams to see if I can get an access token so that I can pull out a Power BI dashboard. I think Apiiro definitely has its own capabilities, but if there are access tokens that teams can use to build a custom dashboard, that would be great. This might already exist, but that is something which will ease the vulnerability management day-to-day activities.

I have been working with Apiiro since mid-last year, mid-2024 when I got my access, and I've been pulling out a list of all risks ever since.

I did not evaluate other options or other vendors before choosing Apiiro. It was provided to us by the application security team, stating that these are the tools that we can use, so it was prescribed to us, and I did not have an option to choose.

Apiiro is stable on weekends because nobody is using it, but during weekdays, it is too slow. If you are accessing your own project or repository, it's not slow, but for somebody in a central or horizontal role, it's painful to get to the reports on a weekday.

I think Apiiro is scalable. It was not the same last year when we looked at it. Apiiro has definitely stepped up this year and is open to customizations. That's why I rate it eight out of ten, although I'm very limited in my exposure.

I have not had to reach out to the technical support of Apiiro often. I have had some internal teams, and the last time I reached out to them for my access, they helped me with access to the superset of repositories. The team informed me that RBAC is yet to be implemented; beyond this, I haven't interacted with the support team.

Apiiro provides similar functionality, but I think the interpretation and intelligence is something I would expect more from Apiiro. Last year, we were using Invicti, which used to give us some good recommendations.

I haven't explored Apiiro's advanced risk analysis features. I have not used the compliance monitoring feature of Apiiro so far. I am learning about Apiiro's AI-driven analytics for real-time feedback and risk scoring for reporting. I haven't used the automation capabilities of Apiiro.

I have not yet integrated Apiiro with other technical solutions. I started looking into the possibility of integrating inputs from Apiiro or other sources into a custom dashboard. Since I don't have a developer laptop, I'm trying to raise that. Last year, some teams indicated it was not very integration-friendly, but things have changed now. It is quite user-friendly in my view now.

Before Apiiro, we used to have an internal dashboard developed using Power BI, which pulled data from various sources, including Wiz, SonarQube, SonarLint, and Mend. We used to monitor secrets in code and critical vulnerabilities. They are upgrading, and we were referring to Apiiro recently. We still use an internal custom dashboard and some use Wiz. We also have Rapid7, and when I pull the reports from ServiceNow, it tells us what the top critical vulnerabilities reported by Rapid7 are, but I have no exposure to Rapid7 yet.

My overall rating for Apiiro is 7 out of 10.

We use Apiiro to detect secrets in our code, including SCA and SBOM generation. We recently used it to identify unused and public GitHub repositories, which we were able to clean up and remove code that should have been private.

We deployed Apiiro as SaaS.

The biggest benefit of Apiiro for us was the visibility it gave us into our GitHub organization, which we didn't have much of before.

The benefit of adding Apiiro early is that it would be integrated into our pipeline from the start. Since we have had some of our software products for many years, we would have to do a lot of cleaning up before integrating Apiiro into our developer workflow. Integrating Apiiro early allows us to stay ahead of the curve on security issues and address them as they arise, rather than having a huge backlog for developers to fix.

Apiiro's ability to provide visibility into the risk of our application components is great. This was a selling feature for us. Apiiro was a less mature product a little over a year ago when they were still early on in their development. However, they have made fantastic advancements over the last year, which has given us much more visibility into that sort of thing.

Apiiro has helped prevent business-critical risks by making recommendations based on what it thinks is a high or critical issue. I think it does a pretty good job at that, but those recommendations still need a manual review from us. In general, if Apiiro flags a critical issue, it is usually pretty close to identifying whether it is business-critical or not. It is something we should review, even if we end up downgrading it. Apiiro raises valid concerns, and I am happy that it does.

Apiiro's secrets detection feature has saved us several times, which we appreciate greatly. We also like the visibility aspect because it goes beyond visibility into code to include visibility into our developers' work and who needs more security training. Apiiro allows us to identify repeat offenders who introduce security issues, so we can provide them with additional training and support.

Apiiro recently integrated SaaS, and we would love to see them expand on that. They provide many integrations to different products, including SaaS products such as Snyk. Ideally, Apiiro would include SaaS from the get-go.

I would like support for our self-hosted Git server, other than GitHub, just regular Git. I understand that it's a legacy system and most people aren't using on-premises Git servers. We're probably gonna move away from it soon, and Apiiro is trying to accommodate us there.

I have been using Apiiro for over one year.

The stability has been very good. Early on, there was one instance when it was down for an hour or so, but it was not a big deal.

Apiiro is scalable, even for large customers. It's hard to say for certain, but we haven't had any issues with it. We probably have around a hundred or two hundred GitHub repositories, and we haven't had any performance issues or anything like that.

We have biweekly or monthly meetings with them, and we raise any questions or concerns we have at that time. I have never needed to contact Apiiro's technical support independently.

We are also in a Slack channel with Apiiro, where we can ping them if we have any questions, and they usually respond quickly.

We previously used Black Duck Hub to identify risky licenses, but that was essentially the only thing we used it for.

When we first started using Apiiro, it was not as mature as it is today. However, when we evaluate software vendors, we are not only evaluating the product but also the team behind it. We try to envision what the future might look like for the product and whether it has the potential to become great. If we can get in early on a product that shows promise, it can be beneficial for us both in terms of usability. We won't have to change tools in two years and pricing because we can get in at a good price early on.

The entire proof-of-concept process, sales process, and working with the Apiiro engineers were all very positive. I would like to emphasize that the team at Apiiro has been fantastic.

The deployment was straightforward. One person was required for the deployment.

The implementation was completed in-house with the help of an Apiiro tech.

We evaluated Snyk, Endor, and primarily GuardRails. We chose Apiiro because of its team. GuardRails was significantly more expensive then, and it was one of those situations where the price difference didn't make sense to me. Apiiro was already clearly on its way to providing everything that GuardRails had pitched us, it was better priced, and the team was outstanding. So, from a value perspective, Apiiro was a great choice at the beginning.

I would rate Apiiro ten out of ten. There are certain features we're asking for That Apiiro is working with us on. Generally, these are not super major things.

Apiiro is a mature solution.

Apiiro has added a lot of work because there were many things we didn't know about that we had to address. So, theoretically, it has increased our workload because our entire AppSec program was virtually nonexistent for a while. We weren't doing anything, but after implementing Apiiro, there is a lot more work. Therefore, I wouldn't say that it has reduced our manual workload.

We hired at least one person specifically to work with Apiiro. In that sense, it is additional work, but it is a good thing, and we somewhat anticipated it.

In the past year, we have requested features from Apiiro. One of them has been a bit of a back-and-forth process, but we have met with both of their founders, who have taken the time to meet with us and discuss how we can achieve our goals, even if it means getting what we need from Apiiro in a different way than we originally intended. They have been very engaged with us, and we feel that they treat us like any other customer, even though we are smaller.

No maintenance is required except for setting up our configurations.

My advice is to use Apiiro strategically. This means that we should not simply bring Apiiro into our environment, take all of its findings at once, and expect the development teams to fix them all within a couple of months. Instead, use Apiiro as a supporting tool for our AppSec strategy. I have seen many organizations bring on Apiiro or similar tools and then simply take all of the findings, create tickets for them, and assign them to developers. However, I believe that we need to be more strategic in how we integrate Apiiro into our culture and workflows.