We performed a comparison between Fortify Application Defender, Trustwave App Scanner [EOL], and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"We are able to provide our customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"The solution helped us to improve the code quality of our organization."
"The product saves us cost and time."
"The most valuable feature is that it analyzes data in real-time."
"I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy."
"The most valuable feature is the ability to automatically feed it rules when it's coupled with the WebInspect dynamic application scanning technology."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"The stability is great. We haven't had any issues at all with it."
"All the features provided by Veracode are valuable, including static scan, dynamic scan, and MPT (Manual Penetration Testing)."
"Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production."
"The coverage of the last vulnerabilities reported."
"Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes."
"Static analysis scanning engine is a key feature."
"The static analysis gives you deep insights into problems."
"The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline."
"The user interface is quick, familiar, and user-friendly and makes navigation to other software very easy."
"The solution is quite expensive."
"The workbench is a little bit complex when you first start using it."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"The licensing can be a little complex."
"Fortify Application Defender gives a lot of false positives."
"I encountered many false positives for Python applications."
"The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time."
"Support for older compilers/IDEs is lacking."
"I would like to see a little more flexibility with regards to setting up profiles for vulnerabilities."
"Some important languages are not supported."
"Scanning large amounts of code can be a time-consuming process and there is scope for improvement."
"It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, 'If you want to achieve this particular thing, you have to do steps 1, 2, and 3.' Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture."
"Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories."
"The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives."
"If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."
"Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."