Legit Security Reviews

Legit Security helps us secure our product's code pipeline. As a company developing cybersecurity products for other companies defense, it's crucial for our products to be free of security defects. A nightmare scenario would be if a product we sold was used by malicious actors to harm the very company we intended to help. To achieve this balance between security and agility, we utilize two products: Legit Security and Snyk. Snyk focuses on securing the application code itself, while Legit Security secures the entire pipeline, encompassing the code building, shipping, and delivery processes.

At the time, Legit Security was the only product we could find that specifically focused on the security of the software delivery pipeline itself. The SolarWinds breach highlighted this critical need, as Russian actors tampered with the actual pipeline that delivered SolarWinds software. This allowed them to inject their malicious code into the final product. Consequently, we were highly motivated to find a solution that could help us secure our pipeline.

Legit Security provides strong visibility into our software development environment.

The unified application security control plane is key to using a lot of the functionality.

It is extremely important that Legit's unified application security control plane helps us prioritize security issues effectively. It forms the cornerstone of our approach to product security. I am unaware of any other product that offers the same level of functionality and enables us to achieve similar results. Ultimately, resources, whether it be my security team or the product engineering teams, are always finite. Therefore, prioritization is crucial to our efforts. We want to focus on resolving the issues that will have the most significant impact on the security of the products we deliver to our customers.

I believe the unified application security control plane's risk-scoring comparisons of teams and pipelines are valuable. While we don't solely rely on them, they effectively bring together a broad spectrum of information about the underlying state of the code and pipelines. This enables my security teams to prioritize their partnerships with the product engineering teams.

We have integrated Legit Security with Snyk. The integration was straightforward.

Legit Security has helped to improve collaboration between the security and software development teams. Legit has become the foundation of enabling a deeper partnership there.

Legit Security has been instrumental in helping our organization adopt a shift-left approach to security. This approach is the core of our security strategy and represents a fundamental shift from the traditional toll gate model to a more proactive guardrail approach. I believe this is the essence of shifting left. Addressing security issues in a way that software development teams can easily understand, prioritize, and integrate into their workflow. This minimizes disruption to their process, allowing us to identify and fix vulnerabilities faster, ultimately resulting in quicker code releases.

It has helped reduce the risk of attacks.

Working with Legit Security has significantly improved our security posture. As a result, we have successfully shipped all of our applications with no critical security defects for the past three years.

Legit Security is a product that hyper-focuses on the various aspects of the software development pipeline. For example, if an engineer spins off a new project and stands up a new Git project, Legit automatically detects it, connects Snyk and other tools, and ensures the engineering team doesn't have to think about it. This way, we stay on top of security from the beginning.

On the other hand, Legit provides a clear view of the controls around repositories. We have standards requiring code reviews and similar practices, and Legit shows us whether these are being followed. Additionally, Legit helps us identify unmaintained repositories, which often arise when engineering teams try something and leave it behind. This knowledge allows us to determine the appropriate action for these neglected projects.

One area where Legit falls short is secret detection. While it functions well overall, the feature has a 10-20 percent false positive rate, requiring some manual intervention. Almost everything else works flawlessly.

The true value proposition of Legit lies not in its features but in its ability to support our product security program's focus on creating guardrails instead of toll gates. Unlike traditional programs that require security reviews at specific stages, hindering development flow, we strive to partner with the product engineering team to ship secure code seamlessly within their existing workflows. Legit plays a crucial role in this by automatically notifying us of new projects, eliminating the need for manual communication. This partnership approach, enabled by Legit, allows us to work much closer with our engineering teams than ever before.

Legit Security's secret detection works. However, there are some limitations to its effectiveness. One issue is that engineering teams don't always embed secrets in the same way, making it difficult for the tool to consistently identify them. While I don't know of any other application that performs better, this inconsistency does lead to some false positives and occasional missed secrets.

I have been using Legit Security for three years.

Legit Security has been flawless for us.

Legit Security has scaled to our needs with no issues.

I have tried many other solutions in the past, but none of them have focused specifically on the security of the pipeline itself as Legit does. I've used countless application security products throughout my 40-year career, including 30 years in cybersecurity. I've tried most of the major tools available, but Snyk, for example, focuses primarily on the code itself, identifying security vulnerabilities within the actual code. Thus far, Legit is the only tool I've found that truly addresses the entire pipeline surrounding the code.

My team was able to deploy Legit in about two weeks. It was extremely simple and straightforward. We had two people working on the deployment.

The implementation was completed in-house.

I wouldn't characterize it as a clear return on investment, as I can't pinpoint specific cost savings or tangible returns. Cybersecurity is inherently challenging in that regard; its success lies in preventing negative outcomes. From that perspective, we have achieved our goal: we haven't encountered any pipeline disruptions or malicious activity. Were such an incident to occur, the cost to our organization would be substantial. Therefore, in my view, Legit Security has fulfilled its purpose, making our investment worthwhile.

The pricing is reasonable.

After evaluating numerous solutions, Legit ultimately emerged as the only platform dedicated to securing the pipeline itself. Unlike the majority of competitors in this space, such as Snyk, which focuses on code security, Legit recognized the critical need for secure delivery pipelines, a lesson underscored by the SolarWinds attack orchestrated by Russia. Legit's targeted approach to pipeline security has proven immensely valuable to our organization.

I would rate Legit Security ten out of ten.

In my opinion, the team does not require significant maintenance for Legit Security. They log in and review reports on an ongoing basis, and I receive a weekly summary via email. While they utilize the tool constantly, its operation is mostly automated. Once deployed, Legit integrates with GitHub and other code repositories, automatically interacting with any new projects.

Organizations researching AppSec programs should consider Legit Security. Two key things about Legit Security are highly valuable to us. Firstly, securing the pipeline is critically important. Secondly, and perhaps even more compelling, Legit's platform has enabled us to shift from a toll gate approach to a guardrail approach. This, in turn, has fostered a deeper partnership between my team and the product engineering team. This improved collaboration allows both teams to work more efficiently and effectively.

What started as code supply chain security rapidly expanded into application security posture management. Our use case is verifying and using it to ensure our developers are coding in a secure manner. We have about 300 different developers. I have 15 members of my security team, five of whom are on the ASM team and use Legit Security on a daily basis. Legit is deployed on the AWS cloud presence. 

Legit has increased my security posture to a level I couldn't achieve before. I don't need to worry as much about what's happening within my developer environments. I can rest assured that my vulnerabilities are being detected. It's increased my security posture by a good margin. It strengthened my security and my AppSec development cycle to be able to have more confidence in the code that I release. 

There's definitely a better understanding between software development teams on security now. There's greater coordination about what we're trying to accomplish, especially with their prioritization methodologies. Legit Security is a massive help to our shift-left strategy because it puts security in the developer's hands. 

Legit Security has helped to reduce the risk of attacks, but it's hard to quantify. The less code with vulnerabilities I put out there, the greater our security posture. 

Legit Security enables me to verify things like request checks and the installation of my SaaS. I can also verify that we're not publicly exposing our keys. Those are crucial features. Legit Security's visibility into our software development environment is excellent. The solution correlates information based on the integrations I have, which is extremely helpful.

The unified security control panel is top-notch. It has helped us gain insight as the company has grown over the past couple of years. We used to have two different programs that did some of this, but now we're going to discontinue the other application and only use Legit. Centralization is one thing I always preach, and Legit helps us do that. The risk-scoring features are excellent, and their scoring methodology is aligned with mine. 

It's integrated with Snyk, GitHub, Jenkins, and Wizz. The integration with AppSec applications and tools is excellent. The performance is super-fast, and I haven't had any problems.

Legit Security could do a little better with detecting publicly exposed keys. It's not bad. The detections that they are running get to everything eventually, but it would be great if they could increase some of that awareness.

We have used Legit Security for nearly three years.

Legit Security is stable. I can't recall ever having an outage. 

Legit Security has scaled well with my environment. Since we implemented Legit, my environment has doubled in size. We've doubled the number of developers, and our infrastructure is twice as large. 

I rate Legit Security support 10 out of 10. We've had very few issues, but they're always responsive. They have quarterly meetings where they tell us about new features that are coming out. 

Positive

We're using another solution alongside Legit and both are installed at the same time, but we will get rid of the other and keep Legit instead.

I managed the deployment at a high level, and I didn't do the integration myself. It's straightforward. The implementation strategy was to get it up and running within our development. We actually used Veracode, not even Snyk. 

The deployment team is about four people, including ASM engineers and a senior person on the engineering side to spin it up. The solution requires very little maintenance unless we're trying to expand the use case.

We've used Legit Security in ways that helped us offset the cost of engineering or hiring a vulnerability expert because we can now do it automatically.

The price is what I would expect to pay for a tool like this. It isn't too high but not too low either. They're definitely in the sweet spot where I would expect them to be.

I rate Legit Security 10 out of 10. 

We use Legit Security to support our application security program, which provides roll-up reporting for our program and controls, including secret management, infrastructure code, and use cases. We can also break down our development teams and see which programs or tools they actually employ.

We implemented Legit Security to gain visibility into all development teams and ensure that consistent controls are in place and accounted for on every route. We wanted an easy way to obtain this visibility with metrics and data, rather than simply relying on the opinions of engineers who claimed to have completed their security releases.

Legit Security has been responsive to all feedback, ideas, and guidance I have provided. Our relationship has been excellent.

The unified application security control plane has been effective. It allows me to stop attacks at the codebase or port infrastructure level, even before developers write and deploy the code. Additionally, the roll-up reporting feature helps me ensure that all security controls are in place and that the AppSec analysis is complete throughout the software development lifecycle before deployment.

Prioritizing issues is probably one of the most difficult challenges in application security. Many programs don't focus on application security, but we have built it into our program and invested heavily in it. This has given us a lot of visibility, which also means a lot of telemetry and data. This data creates more visibility and noise, so the challenge is how to take all of that information and break it down to focus on the areas we need to. Our team allows me to allocate my resources to ensure the integrity of our pipeline, focus on the controls that are in place, research-based risks and threats, and major control gaps in areas that are being applied to a certain project.

Our overall impression of the Unified Application Security Control Plane's risk-scoring comparisons of teams and pipelines is very positive. Since onboarding and starting to use and operationalize the solution, the teams have not had any pushback from the application security team, other teams, developer teams, or engineering teams. In fact, many of them have not expressed any need to slow down, stop, or do anything different. From this perspective, the process has been very smooth. We have not had any real hiccups or issues, either. Our only real issue is our own ability to move faster and continue to either dive into the items we see or continue to roll out and broaden the program. This is always a challenge when working on our own projects, first working on operations, and being responsive to the business. But the Unified Application Security Control Plane has been able to keep up with us, no matter how fast we go.

Our primary integration is with GitHub, but we also have integrations with Jenkins and other pipeline tooling to ensure the integrity of our overall release pipeline. Those integrations were easy for us to adopt.

Legit Security's ability to integrate with AppSec applications and tools works well for us, allowing us to integrate with ease. We haven't encountered any issues. If a solution or tool doesn't exist, the engineering and Legit teams will collaborate with us to understand our needs and requirements, and then determine if they can build a new integration, leverage an existing integration, or build out capabilities within an existing integration. However, most of the core solutions that we use have out-of-the-box integrations that Legit has built.

The biggest benefit of using Legit Security for me has been the ability to prioritize and roll up data. Before Legit Security, I had to dig through a lot of detailed data and information to understand if a control was actually in place. Now, I can simply log in and click a few buttons to see if all of the controls for a certain development team have been implemented and completed. This has been a huge time-saver for me and our team. Realizing the benefits in some cases was instantaneous once we implemented the integrations. For some of the more tactical items, it took within a couple of weeks. For the strategic initiative that we were running, such as pipeline security, we had to do some additional integrations and visibility work, and we partnered with a consulting firm to help us. Legit built out the initiative with GuidePoint and we leveraged their expertise. We were able to develop a project plan, and it took a couple of months for us to complete the integrations, create the policies, and get the project off the ground. So, the time to realize benefits varied from a couple of weeks for tactical items to a couple of months for strategic projects, but we were able to get everything done efficiently.

Software developers are now more responsive and open to feedback because they know we are watching them now that the telemetry data is rolling up into a system. They know that this is live data and information coming from their systems, and they are supporting it. This has been a great scenario for us, and we have worked with the engineering teams to build this part out. We are getting a subjective or mean-based view of the data that is being pulled right out of their systems.

Legit Security has definitely helped us shift our security left. We've been able to adopt self-service security, which has allowed developers to have the same visibility as security engineers. This has enabled our security champions within the engineering team to be responsible for their own security pipelines and controls, without having to rely on the security team to do it for them. This has been a major improvement for both our security posture and our governance processes. As we have incorporated more layers into our security program, self-service security has made it much easier to manage.

Legit Security has helped our organization reduce the risk of attacks by providing application security solutions. Many programs and security teams are not well-equipped to handle application security, so Legit Security's solutions are essential to our security program. Legit Security gives us visibility and control over our applications, which protects our services and customers. What this has done for us is to provide us with easier, simplified visibility in minutes instead of hours or days. This means that we can now report on engineering team compliance with our outlined critical controls quickly and efficiently. The reduction in time and effort required to generate these roll-up reports and communicate them to stakeholders has been one of the biggest gains for us. I no longer have to stress or worry about gathering this information, as I can now do it in minutes because the data is always live and up-to-date. One of our next goals is to make this information available to application development leaders within minutes, as well as to engineering teams.

Our overall security posture has improved. The ability to articulate and demonstrate our security controls has become much easier. This, in turn, has raised awareness and focus, which allows us to prioritize and implement the security controls that we need. This has improved our security posture, especially within the application security program, as well as increased visibility and awareness.

The ability to roll up recordings, build dynamic teams, and then map observed controls to those things, has been very helpful. We also use Legit Security for secret management and validation to ensure that secrets are still getting into our codebase, as well as for infrastructure and code scans. These are the three main use cases for which I have been using Legit Security. There are a number of other areas in which it has also helped us, such as pipeline security, which involves the actual infrastructure and pipelines that we use to build and deploy our software. I wanted to make sure that these were secure, and Legit Security helped me with that as well.

The team has been responsive to all the enhancements we've requested. The one we're working on right now is the ability to dynamically rerun development teams and groups. That's been our primary focus. Our teams have been able to build out development teams and groups manually, so it's not holding us back. But I think Legit Security's observations would be something we could easily adopt and use. We could provide observations about different teams working with a project or codebase, and we could then dynamically assemble those teams. That's the feature we're working on together right now.

I have been using Legit Security for three years.

Legit Security is stable.

Legit Security is scalable.

The technical support is great. Nothing has held up our deployment or delayed us in any way. Any hold-ups, delays, or other issues we've encountered have all been on our end.

Positive

We did not use any solutions for our pipeline security before Legit Security. They were the first movers to tackle this problem in the software supply chain. They were essentially uncontested.

The deployment was straightforward, using methods that were understood by everyone and received no pushback.

The first step was to integrate with core solutions to help the legitimate security solution gain visibility. Then, we would start to understand the data and information coming back, prioritize events, and adjust policy based on the findings. Finally, we would start to disseminate and share the information with others.

Over the past few years, we have been using the solution and rolling it out to more users. We have only needed to dedicate a small portion of our resources to it, and we have not needed to assign someone specifically to manage, build, or support the solution.

GuidePoint Security helped us with the implementation.

I would say that instead of an ROI, we have definitely seen a reduction in cost and an improvement in security posture with many security programs. These programs typically define and test the controls that they put in place, and from that perspective, we have definitely seen a return on investment.

I would rate Legit Security a ten out of ten. We have not had any issues with Legit Security, and I am very impressed with their scalability, performance, and overall value. They are one of my best partners and one of the best solutions I have in place. Every time I have the team use, work with, or leverage their solutions for either a tactical report or engagement, it is always easy to use. We never have to go back to Legit Security and ask them questions.

Currently, we have about eighteen users. We are now rolling out the solution to our engineering teams, with deeper integration planned. As we progress, we will roll out the solution to about 180 users. Legit Security is deployed to multiple departments and multiple teams at multiple locations globally.

No maintenance is required.

Generally, the reason why organizations have unstructured asset management programs is that they have not been able to invest the necessary focus and resources into them. This is where leveraging a solution like Legit Security can be helpful. It can help us to identify and address the needs of engineers and developers, and to build momentum and support for our program. I would recommend this approach to others. Often, the reason why organizations do not have visibility into their asset management programs or the support of their stakeholders is that they are not communicating the risks and issues associated with these programs effectively. It is important to be able to provide tangible information that can be shared and used to communicate and share feedback consistently. One of the core metrics that our program is measured on is MTTR. On the application security side, one of our key goals is to identify and fix issues as quickly as possible. By leveraging solutions like Legit Security, we can identify and fix issues earlier in the development cycle, which benefits both us and our customers.

We're leaning into Legit to be the management plan across our SDLC. We use it for the enforcement of policies, ingestion of results from other scanning tools, and creating our SBOM. It's the central point of visibility, prioritization, and orchestration for our software development.

Legit has helped to improve collaboration between our organization’s security and software development teams. We can talk through findings that have been correlated or validated from multiple sources. We can talk about procedural violations. We can talk about hardening the repos. It's a much more credible discussion with the development team, and that's very valuable since it raises the bar of the quality of the discussion. We’re not talking about noisy findings that are false positives.

We're a start-up. We only had about 40 or 50 developers at the time we started with Legit - and essentially, we didn't have a well-defined SDLC. We performed scanning and penetration testing, however, we didn't really have a process from start to finish to ensure the integrity of the software and to track the remediation of findings and those kinds of tasks. Legit was a green field for us in terms of selecting a technology and then to some degree designing our policy and process around it.

The most important feature is the surfacing out of the noise of other scanning technologies. We’re getting out of the noisy platforms and focusing our developers on the remediation of the actual most high-risk findings. It's really focused on our efficiency in those areas.

It also serves as identification of those individual instances where a developer made a mistake, where they might include hard-coded credentials or what appears to be production data used in a test script. Those are the breadcrumbs to a breach. Legit is paying for itself time and time again by finding those, and allowing us to remediate those quickly.

We have it connected to over 100+ repos. The visibility is excellent. It is the primary and the only visibility that we need into the development. The reports at the end of the pipeline are great. It's complete in that sense.

It's the only tool that I've seen that can put all the pieces together in terms of visibility, policy enforcement, and vulnerability identification under one pane of glass.

It’s important for our organization to have this unified application security control. We are a software company, so this is the primary crown jewel of security control. Our primary risk factor to consider is the security of the software. That is the centerpiece of our attention.

The unified application security control plans and risk-scoring comparisons of teams and pipelines are useful. It gives us a certain direction and, in the macro sense, I value it. Personally, I don't put a lot of weight behind the scores except for their directionality. We get a sense over time of direction, and that's very useful. For example, when a 67 goes up to a 90, I know that's a good thing, and we're making progress, or vice versa.

We integrate Legit with other application tools. It's integrated with a handful of tools. We use it with our single sign-on through Okta, and then also with our code repositories, CI/CD pipelines, and ticketing systems. The incidents all go to our SEIM. 

Legit's ability to integrate with AppSec implications and tools somewhere else is easy. Once we've established those API connections, there is little maintenance.

It’s helped our organization shift the security left. It just makes shift left executable, enabling us to shift the security controls left as far as possible is absolutely necessary.

Legit helped our organization reduce the risk of attacks. Particularly, when we see things like a developer mistake or major coding error. Those are the breachable moments that Legit picks up on, and we can remediate very quickly.

Legit has had a positive effect on our overall security posture. We have a very healthy posture, which importantly starts just by having completeness of visibility, knowing exactly what we have - and knowing exactly what our vulnerabilities are, and having trust in the process. On any given day there are always going to be vulnerabilities. To have that procedural integrity of the software development process, that's huge.

I would like them to have their own static code scanner, and I'd like them to have their own open-source software scanners. I'm using it as a management plan; I still have to have licenses for other tools that do active scanning, and I would just prefer to consolidate that under one roof.

I've been using the solution for 18 months. 

I'm not aware of any outage times.

We have over 100+ repos. I'm sure there are larger customers. There is no indication that we are bumping up against any capacity restraint. It's been fast and easy. 

We have live Slack with their product team. In the beginning, we had daily contact with Customer Success. We could easily correspond back and forth for troubleshooting or tips and tricks. 

We aren't in a situation where we need to open a ticket, we just discuss it in Slack.

Overall support has been really strong. 

Positive

Legit did not displace anything. We're still using other solutions. We're still using our screen scanning technologies, however, I'm hoping that we can displace some of those with Legit.

I was not involved in the deployment. I'm more of an end-user.

There is no maintenance from the system, however, it does require the AppSec team to periodically go into the GitHub repos to make sure that we're connected to everything. For example, a developer could set up a new GitHub account. Legit wouldn't discover that we'd have to enroll it. We have to continually make sure that we have enrolled in Legit all of the assets that we need.

We implemented the solution with an in-house team. 

We were a very early customer of Legit. We have a relationship with the product team and our feature requests are acted upon swiftly. 

There were other options we looked at. However, there were credentials that were undiscovered previously that Leit picked up on right away. We avoided a potentially fatal disaster on literally the first day, and we did not endeavor to look at other technologies after that. 

I'm a customer and from time to time we'll partner with Legit with case studies and things like that. I've done customer reference calls, however, we haven't developed a direct partnership.

Legit comes out of the box with the ability to sort of design secure SDLC practices - that's the policies, the procedures. It's not just a technology. It's a process management tool that kind of comes preloaded with best practices. It gets a company from zero to reasonably sophisticated maturity pretty quickly since you can adopt and pull in the policies and the control points that are available in the platform already without having to start with a blank sheet of paper to write a policy.

I'd rate the solution ten out of ten.