"Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"The time savings has been tremendous. We saw ROI in the first six months."
"My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous."
"One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable."
"The Veracode technical support is very good. They are responsive and very knowledgeable."
"Overall, it's a very good tool and a very good engine."
"Acunetix has an awesome crawler. It gives a referral site map of near targets and also goes really deep to find all the inputs without issues. This was valuable because it helped me find some files or directories, like web admin panels without authentication, which were hidden."
"Acunetix is the best service in the world. It is easy to manage. It gives a lot of information to the users to see and identify problems in their site or applications. It works very well."
"I haven't seen reporting of that level in any other tool."
"The most valuable feature of Acunetix is the UI and the scan results are simple."
"It's very user-friendly for the testing teams. It's very easy for them to understand things and to fix vulnerabilities."
"There is a lot of documentation on their website which makes setting it up and using it quite simple."
"Picks up weaknesses in our app setups."
"The solution is easy to use."
"Reporting, centralized dashboard, and bird's eye view of all vulnerabilities are the most valuable features."
"Fortify WebInspect is a scalable solution, it is good for a lot of applications."
"When we are integrating it with SSC, we're able to scan and trace and see all of the vulnerabilities. Comparison is easy in SSC."
"The solution is able to detect a wide range of vulnerabilities. It's better at it than other products."
"The most valuable feature of this solution is the ability to make our customers more secure."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."
"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"The pricing for qualified startups such as Neo4j could be improved."
"The vulnerability identification speed should be improved."
"The only problem that they have is the price. It is a bit expensive, and you cannot change the number of applications for the whole year."
"There is room for improvement in website authentication because I've seen other products that can do it much better."
"Currently only supports web scanning."
"While we do have it integrated with other solutions, it could still offer more integrations."
"There are some versions of the solution that are not as stable as others."
"The jargon used makes it difficult for project managers to understand the issues, and the technical explanations used make it difficult for developers to understand issues. These things should be simplified much more. That would be very helpful for us when explaining to them what needs to be fixed. The report output needs to be simplified."
"The pricing is a bit on the higher side."
"Fortify WebInspect could improve user-friendliness. Additionally, it is very bulky to use."
"A localized version, for example, in Korean would be a big improvement to this solution."
"Lately, we've seen more false negatives."
"It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application."
"The scanner could be better."
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
Acunetix is ranked 11th in Application Security Tools with 9 reviews while Fortify WebInspect is ranked 1st in Dynamic Application Security Testing (DAST) with 6 reviews. Acunetix is rated 7.6, while Fortify WebInspect is rated 7.0. The top reviewer of Acunetix writes "We are getting notably fewer false positives than previously, but reporting output needs to be simplified". On the other hand, the top reviewer of Fortify WebInspect writes "Good reporting and vulnerability management, but needs better performance and resource utilization". Acunetix is most compared with OWASP Zap, PortSwigger Burp Suite Professional, Invicti, Tenable.io Web Application Scanning and HCL AppScan, whereas Fortify WebInspect is most compared with Micro Focus Fortify on Demand, PortSwigger Burp Suite Professional, OWASP Zap, HCL AppScan and Qualys Web Application Scanning. See our Acunetix vs. Fortify WebInspect report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
