We performed a comparison between Fortify Static Code Analyzer and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Veracode, OpenText, JetBrains and others in Static Code Analysis."I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released."
"The Software Security Center, which is often overlooked, stands out as the most effective feature."
"The reference provided for each issue is extremely helpful."
"I like Fortify Software Security Center or Fortify SSC. Basically, this tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
"The integration Subset core integration, using Jenkins is one of the good features."
"It's helped us free up staff time."
"You can really see what's happening after you've developed something."
"Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it is finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it."
"I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."
"The pricing is worth it."
"Provides the ability to understand the black zones in our system."
"I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues."
"One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities."
"It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
"The recommendations and frequent updates are the most valuable features of Veracode."
"It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well."
"Fortify's software security center needs a design refresh."
"Not all languages are supported in Fortify."
"Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good."
"The generation of false positives should be reduced."
"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
"The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit."
"The price can be improved."
"Their licensing is expensive."
"In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me."
"Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row."
"There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side."
"Security can always be improved."
"Static scanning takes a long time, so you need to patiently wait for the scan to achieve. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings."
"Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."
"There is room for improvement in documentation."
"I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
Fortify Static Code Analyzer is ranked 2nd in Static Code Analysis with 8 reviews while Veracode is ranked 1st in Static Code Analysis with 98 reviews. Fortify Static Code Analyzer is rated 9.0, while Veracode is rated 8.0. The top reviewer of Fortify Static Code Analyzer writes "Integrates easily with many IDEs, and enables development and security teams to work together". On the other hand, the top reviewer of Veracode writes "Great SAST, good DAST, and helps save a significant amount of time". Fortify Static Code Analyzer is most compared with Black Duck, Snyk, Sonatype Lifecycle, GitLab and Mend.io, whereas Veracode is most compared with SonarQube, Checkmarx, Snyk, Fortify on Demand and Mend.io.
See our list of best Static Code Analysis vendors.
We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.