We performed a comparison between Fortify Application Defender, SonarQube, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"Its ability to find security defects is valuable."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"The most valuable feature is that it analyzes data in real-time."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."
"The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology."
"We are able to provide our customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The customizable dashboard and the ability to include results and coverage from unit tests and other static code analysis tools."
"The product itself has a friendly UI."
"SonarQube is admin friendly."
"If code coverage is a low number then that's of great value to me."
"It is a very good tool for analysis and security vulnerability checking."
"The product has a friendly UI that is easy to use and understand."
"It's enabled us to improve software quality and help us to disseminate best practices."
"Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards."
"It has the ability to scale, and the fact that it doesn't produce a lot of false positives."
"The most valuable feature is the static scan that checks for security issues."
"Our development team use this solution for static code analysis and pen testing."
"We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it."
"Wide range of platforms and technology assessments."
"Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"Veracode's policy reporting for ensuring compliance with industry standards and regulations is great. I"
"The workbench is a little bit complex when you first start using it."
"The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
"Fortify Application Defender gives a lot of false positives."
"The solution is quite expensive."
"I encountered many false positives for Python applications."
"Support for older compilers/IDEs is lacking."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"There isn't a very good enterprise report."
"We could use some team support, but since we are using the community version, it's not available."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"I would like to see dynamic code analysis in the next version of the software."
"The product provides false reports sometimes."
"It should be user-friendly."
"The product needs to integrate other security tools for security scanning."
"I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."
"It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo."
"Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of false positives, it would be highly desirable if a false positive didn't show up again on the UI, instead of still showing up in every subsequent scan as a false positive. There is a little bit of clutter that could be avoided."
"The negative that I found is that it has a subscription-based model."
"The interface is too complex."
"I'd like to see more development tools and platforms integrated together with Veracode to amplify the solution's effectiveness."
"The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users."
"Veracode scans provide a higher number of false positives."