"The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up."
"Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
"The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
"We use the solution for vulnerability assessment in respect of the application and the sites."
"The active scanner, which does an automated search of any web vulnerabilities."
"The most valuable feature of PortSwigger Burp Suite Professional is the advanced features, user-friendly interface, and integration with other tools."
"PortSwigger Burp Suite does not hamper the node of the server, and it does not shut down the server if it is running."
"I have found the best features to be the performance and there are a lot of additional plugins available."
"There is no other tool like it. I like the intuitiveness and the plugins that are available."
"You can scan any number of applications and it updates its database."
"In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
"I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."
"Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile)."
"It is easy to use."
"The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."
"It works with many different products."
"It is a very stable solution."
"Qualys' process of updating signatures is something we really appreciate, and it's way ahead of its industry peers."
"The solution could improve the Dynamic Analysis Security Testing(DAST)."
"When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."
"We'd like to have more integration potential across all versions of the product."
"Currently, the scanning is only available in the full version of Burp, and not in the Community version."
"The pricing of the solution is quite high."
"The reporting needs to be improved; it is very bad."
"I am from Brazil. The currency exchange rate from a dollar to a Brazilian Real is quite steep. It is almost six to one. It would be good if it can be sold in the local currency, and its price is cheaper for us."
"There is not much automation in the tool."
"The price could be better. The rest is fine."
"As with most automated security tools, too many false positives."
"Sometimes the response time is low because the handshake fails, and then you have to re-login and start again."
"Deployment can be complicated."
"We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans."
"The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs."
"The reporting contains too many false positives."
"When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem."
"There could be better management and faster scanning."
"The virus code updates are not frequent enough."
More PortSwigger Burp Suite Professional Pricing and Cost Advice →
More Qualys Web Application Scanning Pricing and Cost Advice →
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
PortSwigger Burp Suite Professional is ranked 5th in Application Security Tools with 21 reviews while Qualys Web Application Scanning is ranked 12th in Application Security Tools with 6 reviews. PortSwigger Burp Suite Professional is rated 8.6, while Qualys Web Application Scanning is rated 7.6. The top reviewer of PortSwigger Burp Suite Professional writes "Best for manual penetration testing, a great user interface, and offers good scanning capabilities". On the other hand, the top reviewer of Qualys Web Application Scanning writes "Has a good progressive scan feature but the data server needs improvement". PortSwigger Burp Suite Professional is most compared with OWASP Zap, Fortify WebInspect, Acunetix, Invicti and HCL AppScan, whereas Qualys Web Application Scanning is most compared with Tenable.io Web Application Scanning, OWASP Zap, SonarQube, Fortify WebInspect and Acunetix. See our PortSwigger Burp Suite Professional vs. Qualys Web Application Scanning report.
See our list of best Application Security Tools vendors and best Application Security Testing (AST) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
