Sken vs SonarQube
Sken adds capabilities above and beyond what SonarQube provides.
SonarQube and Sken offer different capabilities for application security testing.
SonarQube relies on rules-based source code analysis to check for programming errors written into the web application by developers/software engineers. This accounts for only 20% of static code analysis today as the other 80% typically consists of integrated third-party software components, and does not even factor in run-time security gaps as seen from the hacker’s outside in vantage point.
Sken.ai uses a combination of known vulnerability data, source code scanning for dependencies, code scanning for bugs and run-time web application scanning for a comprehensive view of application security.
Sken also correlates across these different application security testing methods to weed out false positives and identify real issues that have an impact on the security posture of the application.
SonarQube Provides:
- Finding vulnerabilities introduced by your dev team with SAST
- Understanding of known vulnerabilities based on a set of rules
SonarQube does not (while Sken does) provide:
- Dynamic scanning of deployed/production applications with DAST
- Understanding of unknown security issues, including OSS, application code and third-party interfaces.
- Lower false positives via correlation of source code scanning and run-time application security testing
Sken Vs. SonarQube
| Sken | SonarQube | |
|---|---|---|
|
DAST |
|
|
|
SAST |
|
|
|
SCA |
|
|
|
Secrets |
|
|
|
Ease of maintenance (rules vs AI)
|
|
|
|
Comprehensive security |
|
|
|
AI based source code scanning |
|
|
|
AI based Correlation across scans |
|
|
|
Affordable |
|
|
