We performed a comparison between Mend.io, Polyspace Code Prover, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools."The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
"For us, the most valuable tool was open-source licensing analysis."
"The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."
"Enables scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed."
"The overall support that we receive is pretty good. "
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."
"Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production."
"We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds."
"Polyspace Code Prover has made me realize it differs from other static code analysis tools because it runs the code. So it's quite distinct in that aspect."
"Polyspace Code Prover is a very user-friendly tool."
"The outputs are very reliable."
"The product detects memory corruptions."
"When we work on safety modules, it is mandatory to fulfill ISO 26262 compliance. Using Prover helps fulfill the standard on top of many other quality checks, like division by zero, data type casts, and null pointer dereferences."
"The solution can scan old databases and old code written 20 years back."
"Being able to scan our applications and identify all codes and defects is an extremely valuable feature."
"The deployment mode is very useful."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"The recommendations and frequent updates are the most valuable features of Veracode."
"I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far."
"I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code."
"What we found most valuable in Veracode is the ability to do automatic scans of our software. We've incorporated the solution into our SDLC process, so we take our builds before they get released and put them through scans to ensure any new vulnerabilities haven't occurred."
"Needs better ACL and more role definitions. This product could be used by large organisations and it definitely needs a better role/action model."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"The only thing that I don't find support for on Mend Prioritize is C++."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
"We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap."
"It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding."
"If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"Automation could be a challenge."
"Using Code Prover on large applications crashes sometimes."
"One of the main disadvantages is the time it takes to initiate the first run."
"I'd like the data to be taken from any format."
"The tool has some stability issues."
"It could be improved with support for more programming languages, like SQL."
"The technical support service has room for improvement."
"Veracode's ease of use could be improved. I would also like to see more online videos and tutorials that could help us understand the product better. It would also be helpful if Veracode created a certification program for DevSecOps staff to learn about their product and get certified. This kind of training would raise the company's profile within the industry."
"Veracode can be improved in terms of software composition analysis and related vulnerabilities."
"I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."
"The solution could improve the Dynamic Analysis Security Testing(DAST)."
"When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code."
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
