We performed a comparison between Fortify WebInspect, OWASP Zap, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about HCLTech, OpenText, Rapid7 and others in Dynamic Application Security Testing (DAST).
"It's a well-known platform for doing dynamic application scanning."
"The solution is able to detect a wide range of vulnerabilities. It's better at it than other products."
"I've found the centralized dashboard the most valuable. For the management, it helps a lot to have abilities at the central level."
"The user interface is ok and it is very simple to use."
"It is scalable and very easy to use."
"The most valuable feature of this solution is the ability to make our customers more secure."
"Guided Scan option allows us to easily scan and share reports."
"Technical support has been good."
"Simple to use, good user interface."
"Automatic updates and pull request analysis."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"We use the solution for security testing."
"They offer free access to some other tools."
"It updates repositories and libraries quickly."
"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
"The ZAP scan and code crawler are valuable features."
"The most valuable features of Veracode Static Analysis are its ability to work with GitLab and GitHub so that you can do the reviews and force the code."
"It gives feedback to developers on the effectiveness of their secure coding practices."
"Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us."
"The coding standards in our development group have improved. From scanning our code we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications."
"Stable and scalable, with good reporting features. Helps in detecting and managing vulnerabilities and risks."
"Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they can push it to the production environment when the results are acceptable."
"Veracode's policy reporting for ensuring compliance with industry standards and regulations is great. I"
"The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process."
"The installation could be a bit easier. Usually it's simple to use, but the installation is painful and a bit laborious and complex."
"It requires improvement in terms of scanning. The application scan heavily utilizes the resources of an on-premise server. 32 GB RAM is very high for an enterprise web application."
"Lately, we've seen more false negatives."
"Creating reports is very slow and it is something that should be improved."
"A localized version, for example, in Korean would be a big improvement to this solution."
"We have had a problem with authentication."
"We have often encountered scanning errors."
"Fortify WebInspect could improve user-friendliness. Additionally, it is very bulky to use."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"The forced browse has been incorporated into the program and it is resource-intensive."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"The work that it does in the limited scope is good, but the scope is very limited in terms of the scanning features. The number of things it tests or finds is limited. They need to make it more of a mainstream tool that people can use, and they can even think about having it on a proprietary basis. They need to increase the coverage of the scan and the results that it finds. That has always been Zap's limitation. Zap is a very good tool for a beginner, but once you start moving up the ladder where you want further details and you want your scan to show more in-depth results, Zap falls short because its coverage falls short. It does not have the capacity to do more."
"There are too many false positives."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"It would be ideal if I could try some pre-built deployment scenarios so that I don't have to worry about whether the configuration sector team is doing it right or wrong. That would be very helpful."
"There isn't too much information about it online."
"The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there."
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
"The current version of the application does not support testing for API."
"The solution does take a bit more time when we use it for multiple processes."
"I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."
"The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
"The product has issues with scanning."
"I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline."