
Reviews from AWS customer

2 AWS reviews

    Biswajit Jena

Centralized security testing has improved vulnerability remediation and compliance reporting

  • March 16, 2026
  • Review from a verified AWS customer

What is our primary use case?

My main use case for Nucleus Security is for both SAST and DAST mechanisms to test the code and dynamic code and static code together because I get a single dashboard for both, and that is really a centralizing finding that helps and also helps to remove duplicate vulnerabilities, fixing critical issues, and faster remediation. So, it's not just starting from a centralized dashboard to dev tool integration and risk, but also gives a better reporting where you can see improved compliance and metrics together.

One way the developer uses the code is that as soon as they incorporate the code, they use purely on Jira webhook, GitHub, GitLab, CI/CD model. They have their own codebase configured into their Integrated Development Environment. Then we start testing with different kinds of scanners including Fortify, Checkmarx, Veracode, and so on. In this case, you see the code vulnerabilities and also it fits the Open Web, OWASP jab and so on. Once you check these different tools, you can identify the vulnerabilities of one application in one place. In a similar way, as you run all these tools and the codebase at the same time, that is part of the application level, database level, front-end level, and back-end level. So all together, we can test from the codebase to application front. That is self-sufficient.

I could add more to my main use case for Nucleus Security, especially because there is a mobile application. The mobile application tests more on different TestNG and various behavior testing, where you can do front-end, back-end, and some code test, which will be easier to do. In the case of the Rich Client Platform, such as RCP, Eclipse RCP, and NetBeans RCP kind of environments, what happens is that the code is written in different ways and across different systems, resulting in occasional link failures. I would like to know whether the on-premises tool, specifically Nucleus Security, has a mechanism for that. In another way, there is a mechanism of Eclipse RCP or NetBeans RCP kind of Rich Client Platform where users can install on-premises, remotely, or locally. In this case, sometimes we feel we only manually pull the code and test it independently, and everything is done. Then, once it is installed and the installer is ready, it becomes challenging to test everything together compared to the web front and other local or remote deployments of the web application compared to the RCP.

What is most valuable?

I think the best features that Nucleus Security offers are purely the faster remediation to dev tools, which is crucial for managing, prioritizing, and fixing vulnerabilities while helping operational pipelines run these vulnerability management tools. It stands out as one of the best compared with others.

Regarding faster remediation and managing, prioritizing, and fixing vulnerabilities across the pipeline, we use multiple tools—not only is Nucleus Security one of them, but we also perform multiple testing tools, manual tests, and regression tests including various unit tests, system tests, integration tests, and so on. We employ different tools for performance loading, capacity, and API testing. However, in this case, the tool is limited. As I mentioned, there are substantial benefits to using this tool. The unique aspect is that some of the other tools do not facilitate duplicate vulnerability removal. Here, we have a de-duplication mechanism, and if some tools provide easier remediation, that is also a significant advantage compared to the other tools.

The way Nucleus Security positively impacts my organization is that the team feels very focused, and they trust the reports generated from the tools compared to others. I often recommend the tool to a few of our customers based on my experience, and when I receive any positive feedback from any tool, I also suggest Nucleus Security to the team.

What needs improvement?

I recommend more enhancements focusing on penetration testing for both SSL over HTTP and non-SSL over HTTP, specifically targeting the RCP Rich Client Platform and Equinox frameworks that allow on-premises desktop applications to be tested simultaneously. I believe those would significantly improve the tool in the future.

I choose eight as my rating primarily because of the installer app; it becomes challenging to identify the actual vulnerabilities. Once we build this installer—rather than just working on the codebase—sometimes, we face gaps considering the build parameters and conversions to the installer. Identifying those gaps is an area that could use improvement after the installer or desktop application testing, which would be beneficial. That is the only reason; otherwise, I could easily rate it a ten out of ten given its smooth operational process.

For how long have I used the solution?

I have been using Nucleus Security for the last seven to eight years.

What do I think about the stability of the solution?

Nucleus Security is indeed stable.

What do I think about the scalability of the solution?

Its scalability in application is substantial. It supports larger applications and can easily scale, accelerating both application performance and business growth since it efficiently manages multiple user bases and applications running concurrently.

How are customer service and support?

The customer support is very nice.

Which solution did I use previously and why did I switch?

In the past, we have utilized different solutions. Previous tools involved a partnership with an Ireland-based company, which we utilized over a couple of years. Although they were somewhat costly, we relied on these for various compliance checks and reports on several platforms, including both medical applications and clinical trial platforms. However, we recognized certain limitations in visibility with those tools, prompting us to train developers better and avoid duplication during reporting, ultimately leading us to switch to tools that provide enhanced visibility and reporting.

What was our ROI?

I can assert that there is a tangible return on investment (ROI). While discussing with customers, they follow the investment ROI guidelines. Quality, vulnerability management, and security hold significant value for us as a solution provider. However, we do not specifically count ROI for these tools; I justify using the tool whenever I recommend it to customers, and they tend to agree based on that justification.

What's my experience with pricing, setup cost, and licensing?

I do not believe that the cost for Nucleus Security setup is excessively high. The pricing appears reasonable; it varies based on workload but still embodies value-driven services that justify the investment.

Which other solutions did I evaluate?

Before choosing Nucleus Security, we did evaluate other options, such as Parasoft. We had not used it extensively, only trialed it on one or two projects, before ultimately deciding to move forward with Nucleus Security. We also explored some open-source tools and other licensed penetration testing solutions, but with limited usage, thus examining multiple options.

What other advice do I have?

I think there are many features, but due to time constraints, I feel my inputs would be valuable. We would be actively using these tools, and I would suggest that people utilize them. For instance, if you cannot compare with Parasoft Jtest and others, including SonarQube, there are indeed many tools. However, this is one tool where you can process workflows smoothly, step-by-step. You have all the dashboards in one place with easy usability and clear reporting and metrics in view also. I would recommend that developers utilize all this visibility in one setup—not just at the application level, but also by linking to your repository directly where you implement the CI/CD model, pipelines, repository APIs, and comprehensive visibility. Right now, if there is a scripting or API layer vulnerability, it could be critical in failure. Therefore, you need to manage it adequately and also comply with different frameworks. Automated compliance reporting and security metrics are significant advantages of this dashboard.

Most customers look for the abstraction layer that I provide. Whatever you do from the beginning of writing code, the abstraction and code abstraction are very important. It defines everything. You see the outcome, which is often sufficient for the customer. Code abstraction, along with detailed drill-down of all elements highlighting key areas to work on, provides better visibility.

The advice I would give to those considering using Nucleus Security is that it really depends on the type of users they are. They need to evaluate based on their industry domain. Most individuals look into whether they adhere to different compliance standards. If they follow compliance regulations such as SOC 2, SOX, PCI, ISO 27001, they can better control risk, reporting, application behavior, and metrics. There are various compliance standards such as GDPR and CCPA as well. Tools that provide improved visibility will undoubtedly meet customer expectations and queries. I rated Nucleus Security an eight out of ten in this review.


    reviewer2808414

Improved radiation safety and compliance has supported patient care but daily workflows still need refinement

  • March 11, 2026
  • Review from a verified AWS customer

What is our primary use case?

I have been using Nucleus Security for the past few years in my company, particularly in the healthcare field.

I use Nucleus Security especially for understanding radiation safety, nuclear medicine, and risk management in clinical settings. For healthcare, I use it most often to support safe handling practices including patient and staff protection, regulatory awareness, and broader health-related preparedness planning.

A specific example is reviewing work related to nuclear medicine exams. I use it to identify procedures such as PET scans or bone scans to ensure that radiation safety protocols, patient identification, documentation, and handling procedures are being followed correctly. On a day-to-day basis, I use that knowledge to support safe care, reduce risks, and help ensure compliance with healthcare standards.

What is most valuable?

The best features are strong risk prevention with clear safety protocols and incident preparedness. For us, the good regulatory support is very important.

These features help strengthen safety culture, improve protocol adherence, and reduce operational risks, especially in healthcare settings involving radiation and nuclear medicine use. They also support better staff awareness regarding clear handling procedures. Strong compliance practice is something we worry about considerably, and this really helps us a great deal. We also feel more confident that patient teams and all actors involved are protected.

We have seen clear compliance and risk control outcomes more than other operational metrics. A specific positive result is fewer process gaps during documentation and safety checks, as well as strong consistency in following protocols for handling, traceability, and staff awareness. In practice, this means better audit readiness, a lower chance of procedure errors, and faster escalation when something appears out of standard, which is very important for us in the healthcare sector. The main improvements I have noticed are related to better compliance with safety procedures, more consistent documentation, and quick identification of potential risks.

What needs improvement?

I think it can be improved by making it more practical, integrated, and easier for teams to apply in real-world workflow from a healthcare perspective. The main improvements I can see right now are better user training with real-case scenarios rather than only theory, and clear and simple protocols for day-to-day operations. Strong integration between safety compliance and documentation systems would help significantly in practice for the healthcare field, which is a niche field. The biggest gain would come from making security processes easier to follow consistently, especially in busy environments where teams need to be aware of clarity and really need to rely on the documentation they are using.

I chose a rating of seven because it offers strong value in safety, risk reduction, and compliance, especially in healthcare. However, there is still room for improvement in usability and day-to-day integration. Protocols can be too complex in practice sometimes, and some processes can feel heavy and disconnected from our daily workflow.

For how long have I used the solution?

I have used the solution for the past few years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

It has good potential for scalability.

How are customer service and support?

The support is very good. I have addressed a few questions, and I have no problem receiving answers in a good way.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I think we used a different solution, but I was not aware of it when we used it. I am not quite sure which it was and why it was changed.

What was our ROI?

I have been seeing some returns on investment related to time saved and fewer employee needs. However, I don't have these numbers formally tracked. It is more of a feeling I have, along with the improvements in workflows.

What's my experience with pricing, setup cost, and licensing?

I have a good experience with that, so we don't have much problem dealing with pricing, setup, and licensing.

Which other solutions did I evaluate?

I evaluated four other solutions.

What other advice do I have?

My advice would be to focus first on a practical fit, not only on technical capability. Make sure it supports your real operational workflows, compliance needs, and incident response processes. In healthcare, which is such a high-risk environment, the best approach is to choose a solution that is clear for teams to use in daily life and easy to integrate. I would recommend involving both operational and safety teams early, because adoption works much better when the system is not seen as separate from the daily work. I gave this solution a rating of seven out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

