"The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable."
"The integrations into developer tooling are quite nice. I have the integration for Eclipse and for Visual Studio. Colleagues are using the Javascript IDE from JetBrains called WebStorm and there is an integration for that from Nexus Lifecycle. I have not heard about anything that is not working. It's also quite easy to integrate it. You just need to set up a project or an app and then you just make the connection in all the tools you're using."
"Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well."
"With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily. Which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications."
"The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass onto them for review."
"The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository."
"When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages."
"We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up."
"The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."
"The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
"Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
"Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."
"They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for."
"It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
"We use Azure DevOps as our application lifecycle management tool. It doesn't integrate with that as well as it does with other tools at the moment, but I think there's work being done to address that. In terms of IDEs, it integrates well. We would like to integrate it into our Azure cloud deployment but the integration with Azure Active Directory isn't quite as slick as we would like it to be. We have to do some workarounds for that at the moment."
"As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good."
"The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet."
"It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."
"The user interface needs to be improved. It is slow for us. We use Nexus IQ mostly via APIs. We don't use the interface that much, but when we use it, certain areas are just unresponsive or very slow to load. So, performance-wise, the UI is not fast enough for us, but we don't use it that much anyway."
"One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that."
"The pricing for qualified startups such as Neo4j could be improved."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
"Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
"The solution could improve the Dynamic Analysis Security Testing(DAST)."
"The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there."
"It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
Sonatype Nexus Lifecycle is ranked 3rd in Application Security with 17 reviews while Veracode is ranked 2nd in Application Security with 24 reviews. Sonatype Nexus Lifecycle is rated 8.6, while Veracode is rated 8.2. The top reviewer of Sonatype Nexus Lifecycle writes "Checks our libraries for security and licensing issues". On the other hand, the top reviewer of Veracode writes "Good reporting, comprehensive interface, and integrates well into our build pipeline". Sonatype Nexus Lifecycle is most compared with SonarQube, Black Duck, WhiteSource, JFrog Xray and GitLab, whereas Veracode is most compared with SonarQube, Checkmarx, Micro Focus Fortify on Demand, Coverity and Qualys Web Application Scanning. See our Sonatype Nexus Lifecycle vs. Veracode report.
See our list of best Application Security vendors.
We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
