Veracode and OpenText Static Application Security Testing (SAST) compete in the static code analysis market. Veracode appears to hold an advantage due to its dynamic scanning capabilities and superior integration with the SDLC.
Features:Veracode is known for offering dynamic analysis, manual scanning capabilities, and vulnerability management, which help in reducing false positives. It seamlessly integrates into the software development life cycle, handling large-scale scans effectively. Meanwhile, OpenText SAST stands out with comprehensive language support and flexible integration options, although it lacks in dynamic analysis features.
Room for Improvement:Veracode users highlight the need for better API integrations, improved scanning speeds for large applications, and more intuitive reporting tools. OpenText users suggest enhancements in UI functionality, a reduction in false positives, and streamlined integration with other tools. OpenText also needs to address the absence of dynamic scanning features.
Ease of Deployment and Customer Service:Veracode excels with its cloud-based offerings, making deployment flexible across various environments and providing highly praised customer service with fast response times. OpenText SAST, generally deployed on-premises or in hybrid settings, offers strong customer support but needs improvements in responsiveness and consistency.
Pricing and ROI:Veracode is recognized as a high-cost solution but offers a flexible pricing structure, which can become costly for large implementations. Its comprehensive security capabilities often justify the investment. OpenText SAST, on the other hand, provides a competitive price point appealing to enterprises seeking on-premises solutions. However, additional features and training can increase costs, with ROI observed in improved security compliance and vulnerability detection.
The scanners of Veracode bring status of the weaknesses in the current infrastructure. It scans and provides reports regarding the servers, the network, and the applications running on those servers.
Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.
The customer service and support for Fortify Static Code Analyzer are better than those for LoadRunner.
The technical support has been good because we always received answers to our questions.
Access to the engineering team is crucial for faster feedback on the product fix process.
They are very responsive and quick to help with queries within our scope.
They respond very quickly since security is something critical.
Fortify Static Code Analyzer integrates well and is scalable.
Cloud solutions are easier to scale than on-premise solutions.
It has a good capacity to scale effectively.
The stability of Fortify Static Code Analyzer is generally good.
I would rate the product stability as an eight.
If the Veracode server is down, we experience many issues during the scan.
It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.
We would appreciate if the AI could give us more information about improvements and reduce the number of false positives, but this solution doesn't have this function yet.
It should be easier to install, perhaps through a container-based approach where everything is combined into one image or pack of containers.
It would be really helpful to include trending vulnerabilities and how to manage them.
If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.
We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments.
A nice addition would be if it could be extended for scenarios with custom cleansers.
The pricing of Fortify Static Code Analyzer is good, with a flexible model that allows customers to choose a setup that suits their needs.
My experience with the pricing, setup costs, and licensing has been good.
It's not the most expensive solution.
If there's a security gap, you'll never know the cost or effect.
Pricing-wise, I find it a bit expensive because it's based on the number of users requesting access to Veracode.
Fortify Static Code Analyzer has the capability of giving fewer false positives compared to other tools.
The most valuable feature of Fortify Static Code Analyzer is its extensive language support, covering many languages from legacy ones to the newest.
The most impactful feature of Fortify Static Code Analyzer in identifying vulnerabilities is the ratio of total number of vulnerabilities to false positives.
It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.
The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.
It fixes issues directly in the IDE while you're doing it.
OpenText Static Application Security Testing empowers teams with efficient vulnerability detection and streamlined secure coding practices, offering comprehensive language support and seamless integration with development tools.
OpenText Static Application Security Testing enhances software security during development by accurately identifying vulnerabilities with minimal false positives. It integrates seamlessly with IDEs and CI/CD pipelines, making it highly efficient for early detection of security issues. Users benefit from its easy setup, clear documentation, and centralized portal for managing security findings. Despite facing challenges like high costs and complex configurations for certain languages, its role in facilitating compliance and streamlining secure coding processes is indispensable. Improvements are needed in areas such as outdated design, language support, and integration capabilities to meet evolving user expectations.
What features does OpenText Static Application Security Testing offer?Organizations across diverse sectors implement OpenText Static Application Security Testing primarily to secure applications during development phases. Its integration with tools like GitLab, Jenkins, and Azure DevOps ensures a robust security pipeline. By combining with Sonatype Nexus, secure code, and library management is achieved effectively.
Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.
Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.
What are the key features of Veracode?
What benefits should users consider in Veracode reviews?
Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.
Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.
We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
