
Reviews from AWS customer

1 AWS reviews
  • 5 star: 0
  • 4 star: 0
  • 3 star: 1
  • 2 star: 0
  • 1 star: 0

External reviews

4 reviews

External reviews are not included in the AWS star rating for the product.


3-star reviews

    Kunal M

Comprehensive risk analysis helps identify key performance trends but report access needs improvement

  • July 01, 2025
  • Review provided by PeerSpot

What is our primary use case?

My only use case is the reporting, which is correct. My role is limited because this is an additional role that I do on top of my day job, so it is only limited to pulling out reports and working with the respective engineering or support teams.

How has it helped my organization?

The positive impact I have seen from working with Apiiro for my company includes the metrics that we get from Apiiro, which have been extremely helpful. I get the overall report which captures the closed risks, open risks, and how the Mean Time To Remediate (MTTR) is doing. It definitely tells a lot about how the particular portfolio is doing, so we know who the best actors are and who the bad actors are. We try to call out these bad actors who are struggling, and we are clear about which portfolios need help, while we try to celebrate the top ones.

The metrics look great, but I would love to explore more on Apiiro and see how we can improve our vulnerability management piece, where we want to help our portfolios improve, remediate, and bring down all critical vulnerabilities to zero. That's the ambition.

What is most valuable?

The features and capabilities of Apiiro that I have found the most valuable so far are its reporting capabilities, which basically tell me how these applications are doing in terms of each month. I can see January, February, March, how these are performing, giving me a view on their consistency and any early measures I need to take to help these projects or portfolios. I can decide on constant offenders, those which are consistently not performing well, and I can reach out to them.

It tells me the risks when they were reported and how old they have been, and also tells me the due date by when these need to be remediated. Since I cannot go through each vulnerability or risk one by one, I can just do a filter in Excel and understand which ones have breached, making it clear to me which ones I need to chase. It also collects information from various sources such as Wiz, SonarQube, SonarLint, and Dependabot, so it gives us a holistic view of how these applications are performing.

What needs improvement?

My first feedback for Apiiro is that it is very slow, extremely slow. The moment I select from the entire list of repositories in my vertical, which is almost more than 400 repositories, it takes a lot of time for me to load the report. Sometimes it fails. I do not have Role-Based Access Control (RBAC). It's only given to the application security team, and Apiiro as a vendor does not have the rollback access control enabled for the clients, so that would have given me access to the reports tab, which would have made my life easier. Currently, I have to go to the risks tab to pull out all this information.

I started exploring dashboards with Copilot. I need to reach out to the Apiiro teams to see if I can get an access token so that I can pull out a Power BI dashboard. I think Apiiro definitely has its own capabilities, but if there are access tokens that teams can use to build a custom dashboard, that would be great. This might already exist, but that is something which will ease the vulnerability management day-to-day activities.

For how long have I used the solution?

I have been working with Apiiro since mid-last year, mid-2024 when I got my access, and I've been pulling out a list of all risks ever since.

What was my experience with deployment of the solution?

I did not evaluate other options or other vendors before choosing Apiiro. It was provided to us by the application security team, stating that these are the tools that we can use, so it was prescribed to us, and I did not have an option to choose.

What do I think about the stability of the solution?

Apiiro is stable on weekends because nobody is using it, but during weekdays, it is too slow. If you are accessing your own project or repository, it's not slow, but for somebody in a central or horizontal role, it's painful to get to the reports on a weekday.

What do I think about the scalability of the solution?

I think Apiiro is scalable. It was not the same last year when we looked at it. Apiiro has definitely stepped up this year and is open to customizations. That's why I rate it eight out of ten, although I'm very limited in my exposure.

How are customer service and support?

I have not had to reach out to the technical support of Apiiro often. I have had some internal teams, and the last time I reached out to them for my access, they helped me with access to the superset of repositories. The team informed me that RBAC is yet to be implemented; beyond this, I haven't interacted with the support team.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Apiiro provides similar functionality, but I think the interpretation and intelligence is something I would expect more from Apiiro. Last year, we were using Invicti, which used to give us some good recommendations.

What other advice do I have?

I haven't explored Apiiro's advanced risk analysis features. I have not used the compliance monitoring feature of Apiiro so far. I am learning about Apiiro's AI-driven analytics for real-time feedback and risk scoring for reporting. I haven't used the automation capabilities of Apiiro.

I have not yet integrated Apiiro with other technical solutions. I started looking into the possibility of integrating inputs from Apiiro or other sources into a custom dashboard. Since I don't have a developer laptop, I'm trying to raise that. Last year, some teams indicated it was not very integration-friendly, but things have changed now. It is quite user-friendly in my view now.

Before Apiiro, we used to have an internal dashboard developed using Power BI, which pulled data from various sources, including Wiz, SonarQube, SonarLint, and Mend. We used to monitor secrets in code and critical vulnerabilities. They are upgrading, and we were referring to Apiiro recently. We still use an internal custom dashboard and some use Wiz. We also have Rapid7, and when I pull the reports from ServiceNow, it tells us what the top critical vulnerabilities reported by Rapid7 are, but I have no exposure to Rapid7 yet.

My overall rating for Apiiro is 7 out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other


    reviewer2286390

Reduces manual work and has good workflow automation but needs better user management

  • September 29, 2023
  • Review from a verified AWS customer

What is our primary use case?

I use the solution for source code analysis and to find vulnerabilities in source code to see where they might be exposed in the actual infrastructure.

How has it helped my organization?

Developers will now notice that one of their pull requests for their code has a vulnerability before it makes it into the main branch, and they'll be able to fix it themselves and realize that this is happening. It's provided us with a safeguard against having issues go into code.

What is most valuable?

The benefits of adding the solution early on in our AppSec strategy are great. That's what gives me the opportunity to automate a lot of the ticket-making and vulnerability finding and push it up towards the development teams. It's great for finding these vulnerabilities, however, due to the fact that we are not a fully mature program, we don't have many people onboard to focus on this. 

The automation is useful. It lets me bubble it up to the application teams while they're making changes and pull requests so that they'll see it. They'll realize that this code has vulnerabilities, and then they'll have to fix it for the pull request without me ever really looking at it myself - even though, technically, I could. Since I don't have much time, the automation lets me push a lot towards the developing team.

The workflow automation is likely the best aspect of the solution.

The solution's ability to provide visibility into our application components and risks is very good. It's helpful for finding all the components and risks that are available in the source code.

Apiiro has helped to reduce manual work associated with triaging alerts. It has saved at least ten hours per month.

It's helped me free up my time and gives me more time to work on other items that need to be worked on. I'm the only person on the IT team. 

The product is helping us prevent business-critical risks.

It's helped to reduce our mean time to remediate. This is very important to our organization. 

What needs improvement?

I've been pretty close to all of their new releases. We are on the beta program for a lot of their new features. We do a good job of testing and we learn whatever we can at the time. Since we're testing some of the new features for them, and walking through the product, we'll work with their chief product officer to see what's on the road map and what's coming down the line. It's been really nice and a good, two-way conversation.

That said, user management is a little bit clunky. It relies on contributors to source code. It's a little bit clunky, especially during the renewal process for our contract. Trying to figure out how many "seats" we had was very, very difficult due to the fact that it pulled those numbers dynamically from whoever was contributing to our GitHub repo. Therefore, having that be a little bit less clunky and not having to pull logs for who was actually contributing to the GitHub repo to find who is using licenses would be ideal. There's probably a much easier way to handle the users on the platform.

For how long have I used the solution?

I've used the solution for a bit more than six months. 

What do I think about the stability of the solution?

The stability has gotten a lot better. We're in the AWS Marketplace and fully on the cloud. Their past self-posted solution lagged. Some things were not working, however, once we switched to AWS Marketplace, it's been very smooth. We've gotten a ton of beta updates and it's improved a lot compared to six months ago. 

What do I think about the scalability of the solution?

I don't see any issues with scalability whatsoever. I'm not sure how they would do with a company that had five times our repositories to analyze.

How are customer service and support?

Technical support is fantastic. Before we had a new account manager and a technical support person on Slack who was awesome. They helped a lot when we were re-establishing everything. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I haven't used any other tools previously.

How was the initial setup?

The solution was already in place when I arrived at the company. Nobody was really paying attention to it, however, so I revived it when I got to the company. I resynced and redeployed items. The whole process is very straightforward. 

The solution only requires some standard maintenance for SSO whenever that changes.

What about the implementation team?

I did not use an integrator or consultant when I was re-setting up the solution. 

What's my experience with pricing, setup cost, and licensing?

My understanding is the pricing is pretty competitive. 

What other advice do I have?

I wasn't the one that implemented the solution. I inherited it. 

Our AppSec program is not yet mature in terms of people, processes, and tools.

I'd rate the solution seven out of ten. There are other tools that do similar things to the solution and yet do a lot more than Apiiro. They are not as specialized in source code analysis, however. 

I'd advise potential users that the solution definitely requires attention. While there is automation, it's not a silver bullet. You have to make sure you have the people in place to automate things, work the alerts, and set everything up correctly.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)

