Fortify Static Code Analyzer vs Veracode comparison

Comparison Buyer's Guide
Executive Summary

We performed a comparison between Fortify Static Code Analyzer and Veracode based on real PeerSpot user reviews.

Find out what your peers are saying about Veracode, OpenText, JetBrains and others in Static Code Analysis.
To learn more, read our detailed Static Code Analysis Report (Updated: November 2023).
746,635 professionals have used our research since 2012.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
  • "I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify releases updated rule packs quarterly, with accompanying documentation that lets us know what new features are being released."
  • "The Software Security Center, which is often overlooked, stands out as the most effective feature."
  • "The reference provided for each issue is extremely helpful."
  • "I like Fortify Software Security Center or Fortify SSC. Basically, this tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
  • "The integration, Subset core integration using Jenkins, is one of the good features."
  • "It's helped us free up staff time."
  • "You can really see what's happening after you've developed something."
  • "Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it."

More Fortify Static Code Analyzer Pros →

  • "I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."
  • "The pricing is worth it."
  • "Provides the ability to understand the black zones in our system."
  • "I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues."
  • "One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities."
  • "It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
  • "The recommendations and frequent updates are the most valuable features of Veracode."
  • "It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well."

More Veracode Pros →

Cons
  • "Fortify's software security center needs a design refresh."
  • "Not all languages are supported in Fortify."
  • "Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good."
  • "The generation of false positives should be reduced."
  • "It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
  • "The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit."
  • "The price can be improved."
  • "Their licensing is expensive."

More Fortify Static Code Analyzer Cons →

  • "In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me."
  • "Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row."
  • "There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side."
  • "Security can always be improved."
  • "Static scanning takes a long time, so you need to patiently wait for the scan to finish. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings."
  • "Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."
  • "There is room for improvement in documentation."
  • "I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."

More Veracode Cons →

Pricing and Cost Advice
  • "The price of Fortify Static Code Analyzer could be reduced."
  • "The licensing is expensive and is in the 50K range."
  • "There is a licensing fee, and if you bring them to the company and you want them to do the installation and the implementation in the beginning, there is a separate cost. Similarly, if you want consultation or training, there is a separate cost. I see it as suitable only for enterprises. I do not see it suitable for a small business or individual use."
  • "From our standpoint, we are significantly better off with Fortify due to the favorable pricing we secured five years ago."
  • "Although I am not responsible for the budget, Fortify SAST is expensive."
  • More Fortify Static Code Analyzer Pricing and Cost Advice →

  • "Users in some forums mentioned that pricing for this solution can be quite high."
  • "The price of Veracode Static Analysis is on the higher side."
  • "It has good, fair licensing. If the price could depend on the scope of its scanning or the languages supported, then that would be better."
  • "Compared to the typical software composition analysis solutions, Veracode is not so costly, although the static analysis part of it is a little costlier."
  • "The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."
  • "For our company, the price is reasonable for the benefits that we get."
  • "It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as compared to the other competitors, and any small, medium, or big company can easily adopt Veracode. Its cost includes deployment, training, and support for one year."
  • "The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees."
  • More Veracode Pricing and Cost Advice →

    Questions from the Community
    Top Answer: I like Fortify Software Security Center or Fortify SSC. Basically, this tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as…
    Top Answer: There is a licensing fee, and if you bring them to the company and you want them to do the installation and the implementation in the beginning, there is a separate cost. Similarly, if you want…
    Top Answer: One downside to it is that it is costly. I can see it only for enterprises. I cannot see it for small businesses or for individual use. The configuration part is a little bit tricky. There is a…
    Top Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use…
    Top Answer: The SAST and DAST modules are great.
    Top Answer: The product's price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
    Ranking
    Fortify Static Code Analyzer: ranked 2nd; Views 1,372; Comparisons 893; Reviews 5; Average Words per Review 1,014; Rating 8.6
    Veracode: ranked 1st; Views 1,559; Comparisons 964; Reviews 93; Average Words per Review 975; Rating 8.0
    Also Known As
    Fortify Static Code Analyzer: Fortify Static Code Analysis SAST
    Veracode: Crashtest Security, Veracode Detect
    Overview

    Fortify Static Code Analyzer (SCA) combines multiple analysis algorithms with a regularly updated rule base of secure coding knowledge to examine an application's source code for exploitable weaknesses. It prioritizes the most critical issues and gives guidance on how to fix them. The analysis follows every potential control-flow and data-flow path through the application to find the vulnerabilities reachable along those paths. Fortify SCA lets users build secure software quickly: precise results surface potential security gaps sooner, so they can be fixed immediately.

    Fortify Static Code Analyzer Benefits

    • CI/CD pipeline security: Fortify SCA integrates with third-party tools such as ALM Octane, Atlassian Bamboo, Azure DevOps, Eclipse, Jenkins, and Jira. It offers real-time scan results, immediate recommendations, and collaborative auditing, and it discovers and prioritizes weaknesses so that risk is reduced earlier in the pipeline.

    • Cost-effective: Trains developers as they work, so they learn what static application security testing (SAST) flags and why. The vendor states that Fortify SCA finds more vulnerabilities than other solutions and delivers significantly fewer false positives.

    • Quick and reliable scanning: Fortify SCA discovers weaknesses in source code, bytecode, or binaries, so SAST can stop the bulk of code issues at the start of development. The solution recognizes 815 categories of weakness across 27 programming languages and more than one million APIs, and reports a 100% true positive rate on the OWASP Benchmark v1.2 (a figure that says nothing about the false positive rate, which that benchmark also measures).

    Fortify Static Code Analyzer Features

    • Flexible deployment: With Fortify on Demand, users work in a fully SaaS environment. Fortify Hosted combines on-premises and SaaS elements in a dedicated virtual environment under the user's control. Fortify On-Prem gives users full control of the Fortify SCA installation.

    • Security Assistant: An interactive guide that analyzes code as users write it and reports the risk and its likely consequences. It is an immediate-feedback tool that returns results instantly, with significantly fewer false positives.

    • Audit Assistant: Uses machine learning to reduce manual audit time by prioritizing the issues that matter most to the organization. It delivers automated audits in minutes, cuts manual review, ranks issues according to organizational needs, and applies audit results consistently across all projects.
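
The overview above describes what a SAST engine does at its core: follow data from the point where it enters the program to the point where it is consumed, report the paths that reach a dangerous operation without passing through a sanitizer, and gate the pipeline on what is found. The following is an added example, not Fortify, Veracode or PeerSpot code: a deliberately small taint analysis over Python's `ast` module with hypothetical source, sanitizer and sink tables, a constructed sample program, and a pipeline gate that fails the build unless every finding has been audited as a false positive, mirroring the review workflow the quotes on this page describe.

```python
"""Toy source-to-sink taint analysis, the core technique behind SAST engines.
Constructed, hypothetical example: the analyzer, its source/sanitizer/sink
tables and the sample program are invented here, not Fortify or Veracode code."""
import ast
from dataclasses import dataclass

# Where untrusted data enters, what makes it safe, and where it must not go.
SOURCES = {"request.args.get", "input"}
SANITIZERS = {"int", "shlex.quote"}
SINKS = {"cursor.execute": "SQL Injection", "os.system": "Command Injection"}
COMPOUND = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.If,
            ast.For, ast.While, ast.With, ast.Try)

@dataclass(frozen=True)
class Finding:
    category: str  # weakness category, as a SAST taxonomy would name it
    line: int      # line of the sink call that received tainted data
    sink: str      # dotted name of that sink

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    """True if untrusted data can flow into this expression."""
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SANITIZERS:   # sanitizer output is clean whatever it wraps
            return False
        if name in SOURCES:      # data straight from an untrusted source
            return True
        return (is_tainted(expr.func, tainted)   # method on a tainted receiver
                or any(is_tainted(a, tainted) for a in expr.args)
                or any(is_tainted(k.value, tainted) for k in expr.keywords))
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # Operators, f-strings, subscripts, ...: tainted if any operand is.
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def _scan_body(body, tainted, findings):
    """Walk statements in source order, propagating taint through assignments."""
    for stmt in body:
        if isinstance(stmt, COMPOUND):
            # Nested blocks are scanned in place so statement order is kept.
            for field in ("body", "orelse", "finalbody"):
                _scan_body(getattr(stmt, field, []), tainted, findings)
            for handler in getattr(stmt, "handlers", []):
                _scan_body(handler.body, tainted, findings)
            continue
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    # A tainted right-hand side spreads taint; a clean one
                    # (e.g. a sanitizer result or a constant) clears it.
                    if is_tainted(stmt.value, tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)
        # Any sink call in this statement fed by tainted data is a finding.
        for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
            category = SINKS.get(dotted_name(call.func))
            if category and any(is_tainted(a, tainted) for a in call.args):
                findings.append(Finding(category, call.lineno, dotted_name(call.func)))

def analyze(source):
    """Return the findings for a program, in source order."""
    findings = []
    _scan_body(ast.parse(source).body, set(), findings)
    return findings

def pipeline_gate(findings, accepted_false_positives=frozenset()):
    """CI exit code: 0 only once every finding has been audited away.
    accepted_false_positives holds (category, line) pairs reviewers marked as not real."""
    open_issues = [f for f in findings
                   if (f.category, f.line) not in accepted_false_positives]
    return 1 if open_issues else 0

# Constructed sample program under analysis (not real application code).
SAMPLE = '''
import os, shlex
from flask import request

def lookup(cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %d" % uid)
    os.system("ls " + shlex.quote(user))
    os.system("ping " + user)
'''

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
    raise SystemExit(pipeline_gate(analyze(SAMPLE)))
```

Running the file reports two findings for the sample, tainted request data reaching cursor.execute on line 7 and os.system on line 11, and exits non-zero; the two calls that pass through int() and shlex.quote() produce nothing. Passing the two (category, line) pairs to pipeline_gate as accepted false positives turns the exit code to 0, which is the mechanism an audit console provides at scale. A production engine differs in degree rather than kind: interprocedural flow, framework-aware sources and sinks, thousands of rules, and audit decisions that persist across scans.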

    Results from Real Users

    “Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it.” - Arun D., Senior Architect at a healthcare company.

    “Its flexibility is most valuable. It is such a flexible tool. It can be implemented in a number of ways. It can do anything you want it to do. It can be fully automated within a DevOps pipeline. It can also be used in an ad hoc, special test case scenario and anywhere in between.” - Tom H., Director of Security at Merito

    Veracode is a leading application security platform that helps organizations develop and deliver secure software. Its solution provides static analysis, dynamic analysis, software composition analysis, and manual penetration testing.

    Veracode's static analysis scans source code for security vulnerabilities, including common web application attack vectors such as injection flaws, cross-site scripting, and insecure direct object references. Its dynamic analysis simulates real-world attacks to find vulnerabilities that static analysis alone may not detect. Its software composition analysis scans open-source and third-party components for known vulnerabilities. Its manual penetration testing service is performed by experienced security professionals who use a variety of techniques to identify vulnerabilities in software applications.

    Many organizations, including Fortune 500 companies, government agencies, and startups, use Veracode. Its customers rely on it to improve the security of their software applications and to reduce the risk of data breaches and other security incidents.

    Here are some of the benefits of using Veracode:

    • Veracode provides static analysis, dynamic analysis, software composition analysis, and manual penetration testing so organizations can identify and fix security vulnerabilities early in the development process.
    • Veracode helps organizations reduce the risk of data breaches and other security incidents by finding and fixing security vulnerabilities in their software applications.
    • Veracode helps organizations comply with industry regulations. Many industries require security measures that protect customer data, and Veracode supplies the tools and resources needed to identify and fix the vulnerabilities those requirements address.

    Sample Customers
    Fortify Static Code Analyzer: Information Not Available
    Veracode: Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
    Top Industries
    Fortify Static Code Analyzer
      Reviewers: Financial Services Firm 40%, Computer Software Company 20%, Healthcare Company 10%, Government 10%
      Visitors reading reviews: Financial Services Firm 28%, Computer Software Company 14%, Manufacturing Company 10%, Government 7%
    Veracode
      Reviewers: Financial Services Firm 23%, Computer Software Company 23%, Insurance Company 9%, Comms Service Provider 6%
      Visitors reading reviews: Financial Services Firm 18%, Computer Software Company 15%, Manufacturing Company 8%, Government 7%
    Company Size
    Fortify Static Code Analyzer
      Reviewers: Small Business 45%, Large Enterprise 55%
      Visitors reading reviews: Small Business 16%, Midsize Enterprise 9%, Large Enterprise 75%
    Veracode
      Reviewers: Small Business 29%, Midsize Enterprise 20%, Large Enterprise 51%
      Visitors reading reviews: Small Business 17%, Midsize Enterprise 12%, Large Enterprise 71%

    Fortify Static Code Analyzer is ranked 2nd in Static Code Analysis with 8 reviews while Veracode is ranked 1st in Static Code Analysis with 98 reviews. Fortify Static Code Analyzer is rated 9.0, while Veracode is rated 8.0. The top reviewer of Fortify Static Code Analyzer writes "Integrates easily with many IDEs, and enables development and security teams to work together". On the other hand, the top reviewer of Veracode writes "Great SAST, good DAST, and helps save a significant amount of time". Fortify Static Code Analyzer is most compared with Black Duck, Snyk, Sonatype Lifecycle, GitLab and Mend.io, whereas Veracode is most compared with SonarQube, Checkmarx, Snyk, Fortify on Demand and Mend.io.


    We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.