"Good static analysis and dynamic analysis."
"The source composition analysis component is great because it gives our developers some comfort in using new libraries."
"The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic."
"The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
"My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous."
"Veracode is a valuable tool in our secure SDLC process."
"The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."
"When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages."
"The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster."
"The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it."
"For us, it's seeing not only the licensing and security vulnerabilities but also seeing the age of the open-sources included within our software. That allows us to take proactive steps to make sure we're updating the software to versions that are regularly maintained and that don't have any vulnerabilities."
"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good."
"The scanning capability is its most valuable feature, discovering vulnerable open source libraries."
"The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass onto them for review."
"The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you can look at what versions are bad, what versions are clean, and what versions haven't been reported on yet. You can make decisions based off of that, in terms of where you want to go. I like that it puts all that information right there in a window for you."
"Tenable.io Web Application Scanning is very easy to use."
"The most valuable feature is the reporting, which provides a good level of detail with respect to vulnerabilities."
"Our customers adopt this solution because of the replication testing and the vulnerability assessment it can do. It is a multi-faceted product."
"I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
"It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
"If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"Overall it's good, but it would be good for our JavaScript front-end developers to have that IDE integration for their libraries. Right now, they don't, and I'm told by my Sonatype support rep that I need to submit an idea, from which they will submit a feature request. I was told it was already in the pipeline, so that was one strike against sales."
"It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."
"One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that."
"The user interface needs to be improved. It is slow for us. We use Nexus IQ mostly via APIs. We don't use the interface that much, but when we use it, certain areas are just unresponsive or very slow to load. So, performance-wise, the UI is not fast enough for us, but we don't use it that much anyway."
"They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for."
"One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard."
"We do not use it for more because it is still too immature, not quite "finished." It is missing important features for making it a daily tool. It's not complete, from my point of view..."
"We had some issues, and I think we might still have some issues, where the Sonatype Nexus Repository has integrations with IQ and SonarQube. We're getting some errors on the UI, so we've had Sonatype look into that a little bit."
"The reporting has a very limited customization capability."
"I would like for them to add proxy filtering, where you can transfer and alter the package. It is fully automated. Other web application testers programs are actually proxy software, and the proxy software gives you the flexibility of modifying the outgoing package, which will actually help you in exploiting any vulnerability in detail."
"It would be great if there were a dashboard that is more user-friendly."
More Tenable.io Web Application Scanning Pricing and Cost Advice →
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
Sonatype Nexus Lifecycle is ranked 3rd in Application Security with 17 reviews while Tenable.io Web Application Scanning is ranked 20th in Application Security with 3 reviews. Sonatype Nexus Lifecycle is rated 8.6, while Tenable.io Web Application Scanning is rated 7.6. The top reviewer of Sonatype Nexus Lifecycle writes "Checks our libraries for security and licensing issues". On the other hand, the top reviewer of Tenable.io Web Application Scanning writes "Good reporting and integration, but it needs a user-friendly dashboard". Sonatype Nexus Lifecycle is most compared with SonarQube, WhiteSource, Black Duck, JFrog Xray and Contrast Security Protect, whereas Tenable.io Web Application Scanning is most compared with PortSwigger Burp Suite Professional, Qualys Web Application Scanning, Acunetix by Invicti, Micro Focus Fortify on Demand and HCL AppScan. See our Sonatype Nexus Lifecycle vs. Tenable.io Web Application Scanning report.
See our list of best Application Security vendors.
We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
