We changed our name from IT Central Station: Here's why

Sonatype Nexus Lifecycle vs Veracode comparison

Cancel
You must select at least 2 products to compare!
Sonatype Nexus Lifecycle Logo
23,885 views|13,468 comparisons
Veracode Logo
60,232 views|33,073 comparisons
Featured Review
Find out what your peers are saying about Sonatype Nexus Lifecycle vs. Veracode and other solutions. Updated: January 2022.
564,643 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable.""The integrations into developer tooling are quite nice. I have the integration for Eclipse and for Visual Studio. Colleagues are using the Javascript IDE from JetBrains called WebStorm and there is an integration for that from Nexus Lifecycle. I have not heard about anything that is not working. It's also quite easy to integrate it. You just need to set up a project or an app and then you just make the connection in all the tools you're using.""Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well.""With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily. Which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications.""The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass onto them for review.""The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository.""When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages.""We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities."

More Sonatype Nexus Lifecycle Pros →

"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards.""The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up.""The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful.""The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools.""Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers.""It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail.""Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.""Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."

More Veracode Pros →

Cons
"They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for.""It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level.""We use Azure DevOps as our application lifecycle management tool. It doesn't integrate with that as well as it does with other tools at the moment, but I think there's work being done to address that. In terms of IDEs, it integrates well. We would like to integrate it into our Azure cloud deployment but the integration with Azure Active Directory isn't quite as slick as we would like it to be. We have to do some workarounds for that at the moment.""As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good.""The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet.""It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good.""The user interface needs to be improved. It is slow for us. We use Nexus IQ mostly via APIs. We don't use the interface that much, but when we use it, certain areas are just unresponsive or very slow to load. So, performance-wise, the UI is not fast enough for us, but we don't use it that much anyway.""One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that."

More Sonatype Nexus Lifecycle Cons →

"The pricing for qualified startups such as Neo4j could be improved.""The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most.""Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly.""Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights.""One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive.""The solution could improve the Dynamic Analysis Security Testing(DAST).""The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.""It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."

More Veracode Cons →

Pricing and Cost Advice
  • "The license fee may be a bit harder for startups to justify. But it will save you a headache later as well as peace of mind. Additionally, it shows your own customers that you value security stuff and will protect yourselves from any licensing issues, which is good marketing too."
  • "In addition to the license fee for IQ Server, you have to factor in some running costs. We use AWS, so we spun up an additional VM to run this. If the database is RDS that adds a little bit extra too. Of course someone could run it on a pre-existing VM or physical server to reduce costs. I should add that compared to the license fee, the running costs are so minimal they had no effect on our decision to use IQ Server."
  • "Pricing is decent. It's not horrible. It's middle-of-the-road, as far as our ranking goes. They're a little bit more but that's also because they provide more."
  • "Lifecycle, to the best of my recollection, had the best pricing compared with other solutions."
  • "Cost is a drawback. It's somewhat costly."
  • "It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight."
  • "Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
  • "There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."
  • More Sonatype Nexus Lifecycle Pricing and Cost Advice →

  • "For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
  • "I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
  • "Veracode's price is high. I would like them to better optimize their pricing."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
  • More Veracode Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security solutions are best for your needs.
    564,643 professionals have used our research since 2012.
    Questions from the Community
    Top Answer: 
    We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding the issues a lot quicker. The policy engine allows you to set up different… more »
    Top Answer: 
    The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable.
    Top Answer: 
    There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses.
    Top Answer: 
    SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Top Answer: 
    There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of… more »
    Top Answer: 
    I was impressed with the pricing we got from Veracode. I was able to make it work very well within our budget.
    Ranking
    3rd
    Views
    23,885
    Comparisons
    13,468
    Reviews
    17
    Average Words per Review
    1,910
    Rating
    8.6
    2nd
    Views
    60,232
    Comparisons
    33,073
    Reviews
    24
    Average Words per Review
    1,372
    Rating
    8.1
    Comparisons
    Also Known As
    Nexus Lifecycle
    Learn More
    Overview

    Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

    Offer
    Learn more about Sonatype Nexus Lifecycle
    Keep your software secure

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Sample Customers
    Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
    State of Missouri, Rekner
    Top Industries
    REVIEWERS
    Financial Services Firm33%
    Insurance Company17%
    Manufacturing Company13%
    Computer Software Company8%
    VISITORS READING REVIEWS
    Computer Software Company26%
    Financial Services Firm18%
    Comms Service Provider13%
    Government6%
    REVIEWERS
    Financial Services Firm30%
    Computer Software Company12%
    Insurance Company9%
    Healthcare Company7%
    VISITORS READING REVIEWS
    Computer Software Company29%
    Comms Service Provider17%
    Financial Services Firm10%
    Manufacturing Company6%
    Company Size
    REVIEWERS
    Small Business27%
    Midsize Enterprise17%
    Large Enterprise57%
    VISITORS READING REVIEWS
    Small Business30%
    Midsize Enterprise18%
    Large Enterprise51%
    REVIEWERS
    Small Business24%
    Midsize Enterprise25%
    Large Enterprise51%
    VISITORS READING REVIEWS
    Small Business26%
    Midsize Enterprise31%
    Large Enterprise43%
    Find out what your peers are saying about Sonatype Nexus Lifecycle vs. Veracode and other solutions. Updated: January 2022.
    564,643 professionals have used our research since 2012.

    Sonatype Nexus Lifecycle is ranked 3rd in Application Security with 17 reviews while Veracode is ranked 2nd in Application Security with 24 reviews. Sonatype Nexus Lifecycle is rated 8.6, while Veracode is rated 8.2. The top reviewer of Sonatype Nexus Lifecycle writes "Checks our libraries for security and licensing issues". On the other hand, the top reviewer of Veracode writes "Good reporting, comprehensive interface, and integrates well into our build pipeline". Sonatype Nexus Lifecycle is most compared with SonarQube, Black Duck, WhiteSource, JFrog Xray and GitLab, whereas Veracode is most compared with SonarQube, Checkmarx, Micro Focus Fortify on Demand, Coverity and Qualys Web Application Scanning. See our Sonatype Nexus Lifecycle vs. Veracode report.

    See our list of best Application Security vendors.

    We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.