We performed a comparison between Fortify Static Code Analyzer and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Static Code Analysis solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"We've found the documentation to be very good."
"Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between."
"You can really see what's happening after you've developed something."
"I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
"The integration Subset core integration, using Jenkins is one of the good features."
"Automating the Jenkins plugins and the build title is a big plus."
"The reference provided for each issue is extremely helpful."
"The Software Security Center, which is often overlooked, stands out as the most effective feature."
"I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes."
"Static Scanning is the most valuable feature of Veracode."
"With the pipeline scanner, it's easier for developers to scan their products, as they don't have to export anything from their computers. They can do everything with the command line on their computer."
"It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."
"We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVSS score, and that makes things much easier."
"The static scan is the most valuable feature."
"When those scans kick off, Veracode integrates back into our JIRA and actually opens tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened and closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products."
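The two reviewers above describe a common triage workflow: read the scanner's JSON results, rank open findings by CVSS score so the team fixes the most severe first, and count findings opened and closed per release as a security metric. The script below is an added example of that workflow written for this page; it is not Veracode's or Fortify's code, and the result document it parses is a constructed sample in a simplified, assumed shape (the field names `findings`, `cvss`, `status` and `release` are hypothetical and not either vendor's real schema). Adapt the field names to the actual export you receive.

```python
import json

# Constructed sample results document. The structure is assumed for this
# example only; it is NOT the real JSON schema of Veracode or Fortify.
SAMPLE_RESULTS = json.dumps({
    "findings": [
        {"id": "F-1", "title": "SQL injection in OrderDao", "cvss": 9.1, "status": "open", "release": "2.3.0"},
        {"id": "F-2", "title": "Hard-coded credential", "cvss": 7.5, "status": "closed", "release": "2.2.0"},
        {"id": "F-3", "title": "Verbose error page", "cvss": 3.1, "status": "open", "release": "2.3.0"},
        {"id": "F-4", "title": "Reflected XSS in search form", "cvss": 6.1, "status": "closed", "release": "2.3.0"},
        {"id": "F-5", "title": "Session cookie without HttpOnly", "cvss": 2.0, "status": "open", "release": "2.2.0"},
    ]
})


def severity_band(cvss):
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss == 0.0:
        return "none"
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    if cvss < 9.0:
        return "high"
    return "critical"


def prioritize(results_json, min_cvss=0.0):
    """Return open findings ordered highest CVSS first, dropping any below min_cvss.

    Ties are broken by finding id so the ordering is stable across runs.
    """
    data = json.loads(results_json)
    open_findings = [
        f for f in data["findings"]
        if f["status"] == "open" and f["cvss"] >= min_cvss
    ]
    return sorted(open_findings, key=lambda f: (-f["cvss"], f["id"]))


def release_metrics(results_json):
    """Count open and closed findings per release, the per-release measurement
    the reviewer derives from Jira tickets."""
    data = json.loads(results_json)
    metrics = {}
    for f in data["findings"]:
        bucket = metrics.setdefault(f["release"], {"open": 0, "closed": 0})
        # Tolerate statuses other than open/closed instead of crashing on them.
        bucket[f["status"]] = bucket.get(f["status"], 0) + 1
    return metrics


if __name__ == "__main__":
    # Triage view: what to fix first, only findings at or above CVSS 4.0.
    for f in prioritize(SAMPLE_RESULTS, min_cvss=4.0):
        print(f"{f['id']}  {f['cvss']:>4}  {severity_band(f['cvss']):<8}  {f['title']}")
    # Metrics view: open/closed counts tied to each release.
    for release, counts in sorted(release_metrics(SAMPLE_RESULTS).items()):
        print(f"release {release}: {counts['open']} open, {counts['closed']} closed")
```

The `min_cvss` threshold is where an organisation's fix-by policy plugs in (for example, block a release on anything ranked high or critical while scheduling medium findings into the backlog); the per-release counts are the numbers you would feed to a dashboard or a Jira filter.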
"Ours is a Java-based application and Veracode can detect vulnerabilities in both Angular, which is used for the UI, and also in the backend code, which includes APIs and microservices."
"Not all languages are supported in Fortify."
"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
"The generation of false positives should be reduced."
"The price can be improved."
"Fortify's software security center needs a design refresh."
"The pricing is a bit high."
"Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good."
"Their licensing is expensive."
"The interface is basic and has room for improvement."
"It needs more timely support for newer languages and framework versions."
"Security can always be improved."
"A high number of false positives are reported and this should be reduced."
"I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline."
"The user interface could be more sleek. Some scanning requirements aren't flexible. Some features take some time for new users to understand (like what exactly 'modules' are)."
"Another problem we have is that, while it is integrated with single sign-on (we are using Okta), the user interface is not great. That's especially true for a permanent link of a report or a page. If you access it, it goes to the normal login page that has nothing that says 'Log in with single sign-on', unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"I would like Veracode to also have the ability to fix these flaws in a future release."
Fortify Static Code Analyzer is ranked 2nd in Static Code Analysis with 13 reviews while Veracode is ranked 1st in Static Code Analysis with 194 reviews. Fortify Static Code Analyzer is rated 8.4, while Veracode is rated 8.2. The top reviewer of Fortify Static Code Analyzer writes "Seamless to integrate and identify vulnerabilities and frees up staff time". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning". Fortify Static Code Analyzer is most compared with Black Duck, Snyk, Sonatype Lifecycle, GitLab and Mend.io, whereas Veracode is most compared with SonarQube, Checkmarx One, Snyk, Fortify on Demand and SonarCloud. See our Fortify Static Code Analyzer vs. Veracode report.
We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.