We performed a comparison between OWASP Zap, PortSwigger Burp Suite Professional, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Testing (AST).
"Simple and easy to learn and master."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"It can be used effectively for internal auditing."
"It's great that we can use it with Portswigger Burp."
"The solution is good at reporting the vulnerabilities of the application."
"This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
"ZAP is easy to use. The automated scan is a powerful feature. You can simulate attacks with various parameters. ZAP integrates well with SonarQube."
"It updates repositories and libraries quickly."
"BurpSuite helps us to identify and fix silly mistakes that are sometimes introduced by our developers in their coding."
"The solution is quite helpful for session management and configuration."
"You can download different plugins if you don't have them in the standard edition."
"This solution has helped a lot in finding bugs and vulnerabilities, and the scanner is good enough for simple web apps."
"In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
"It's good testing software."
"It offers very good accuracy. You can trust the results."
"The most valuable feature is Burp Collaborator."
"My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous."
"It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code."
"It has almost completely eliminated the presence of SQLi vulnerabilities."
"One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable."
"We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle."
"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
"The most valuable feature is the SAST capability and its integration into the Veracode pipelines."
"Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
"The solution is unable to customize reports."
"The reporting feature could be more descriptive."
"I prefer Burp Suite to OWASP Zap because of the extensive coverage it offers."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"They stopped their support for a short period. They've recently started to come back again. In the early days, support was much better."
"It needs more robust reporting tools."
"The documentation needs to be improved because I had to learn everything from watching YouTube videos."
"The port scanner is a little too slow."
"I would like to see the return of the spider mechanism instead of the crawling feature. Burp Suite's earlier version 1.7 had an excellent spider option, and it would be beneficial if Burp incorporated those features into the current version. The crawling techniques used in the current version are not as efficient as those used in earlier versions."
"The Iran market does not have after-sales support. PortSwigger Burp Suite Professional needs to provide after-sales support."
"The solution lacks sufficient stability."
"As with most automated security tools, too many false positives."
"The initial setup is a bit complex."
"The price could be better. The rest is fine."
"It should provide a better way to integrate with Jenkins so that DAST (dynamic application security testing) can be automated."
"The Burp Collaborator needs improvement. There also needs to be improved integration."
"All areas of the solution could use some improvement."
"The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes."
"Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it."
"The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Veracode could add Docker image scanning."
"We connected with Veracode's support a couple of times, and we got a different answer each time."
"They need to have a plug-in, a better integration with the development environment."
"I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."
"It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo."