"In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs."
"The time savings have been tremendous. We saw ROI in the first six months."
"The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly."
"Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
"Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, saying, 'This function/method has security vulnerabilities,' and then suggesting alternatives to fix it. Then we adopt the tool's suggestions. By implementing them in the right way, we can fix the issue. For example, the tool might find a method in the code that copies one piece of memory into another piece of memory. The tool points to the problematic methods with the vulnerability and provides ways to code them more securely. By adopting their suggestions, we are fixing this vulnerability."
"I've tried many open source applications and the remediation or correction actions that were provided by Kiuwan were very good in comparison."
"The solution offers very good technical support."
"I like that I can scan the code without sending it to the Kiuwan cloud. I can do it locally on my device. When the local analyzer finishes, the results display on the dashboard in the cloud. It's essential for security purposes to be able to scan my code locally."
"I like that it provides a detailed report that lets you know the risk index and the vulnerability."
"Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
"It has very good scalability and stability."
"The product itself has a friendly UI."
"I like the default policies that are there, as they seem to cover most of what I need."
"This solution has the capability to analyze source code in almost all the languages in the market."
"The code coverage feature is very good."
"I like that it covers most programming languages for source code review."
"SonarQube is a fantastic tool which saves us precious time."
"The reports on offer are too verbose."
"I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"The training lab is not very user-friendly and takes a long time to set up."
"The product has issues with scanning."
"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."
"Sometimes, I get feedback from a developer saying, 'They are scanning Python code, but getting feedback around Java code.' While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of high-level insight."
"I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."
"The configuration hasn't been that good."
"The integration process could be improved. It'll also help if it could generate reports automatically. But I'm not sure about the effectiveness of the reports. This is because, in our last project, we still found some key issues that weren't captured by the Kiuwan report."
"The solution seems to give us a lot of false positives. This could be improved quite a bit."
"Kiuwan's support has room for improvement. You can only open a ticket through email, and the support team is outside of our country. They should have a support number or chat."
"For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"The interface could be a little better and should be enhanced."
"Our developers have complained about the Quality Gates and the number of false positives that this product reports."
"There are times when the database crashes. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"There could be better integration with other products."
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"I have found this solution creates more noise than competitors."
Kiuwan is ranked 20th in Application Security with 4 reviews while SonarQube is ranked 1st in Application Security with 63 reviews. Kiuwan is rated 8.2, while SonarQube is rated 8.0. The top reviewer of Kiuwan writes "Scalable with good remediation capabilities and good stability". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". Kiuwan is most compared with Micro Focus Fortify on Demand, Checkmarx, Snyk, Mend and Invicti, whereas SonarQube is most compared with Checkmarx, Coverity, Sonatype Nexus Lifecycle, Snyk and CAST Highlight. See our Kiuwan vs. SonarQube report.
It depends on your role and what you're trying to accomplish. If you're trying to harden your own code, then a tool that does SAST or static code analysis, like SonarQube, is a great idea. For example, Parasoft C/C++test is the only tool that has full support for every rule in the CERT-C standard. If you're trying to secure applications that aren't yours, systems, etc., then SAST tools aren't for you. You have to have the code for them to be useful.
I’m sorry, I don’t know Kiuwan – so it’s hard for me to tell.
What I can say is that SonarQube is fairly common here in Brazil, many organizations are using it. So I suspect it must be a good AST tool.
Depending on the application that you are developing and its complexity, you need to be able to ensure that the application is secure, along with its APIs, its libraries, and its operating system and kernel interactions. Therefore it is eminently sensible to ensure you have taken all steps to remove any security risk or known threat in the deployed application. Any toolsets that address this and enable metrics, rules, and customisation to meet QA and corporate governance requirements should be deployed within the SDLC.