Based on the user reviews, Veracode is the preferred product over SonarQube. Veracode receives mixed reviews for its customer service and support, but some customers praise its responsiveness and knowledge. In contrast, SonarQube's customer service and support experiences vary. Veracode's deployment process is generally straightforward, while SonarQube's setup can be complex and time-consuming for some users. Veracode's pricing is considered reasonable by some, while SonarQube's licensing process could be improved. Veracode's ROI is difficult to quantify but offers several benefits, while SonarQube's ROI is likened to insurance. Veracode's comprehensive security testing capabilities and ease of use make it the preferred choice.
Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.
The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.
I believe pricing is better compared to other commercial tools.
The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.
I believe pricing is better compared to other commercial tools.
Snyk is a user-friendly security solution that enables users to safely develop and use open source code. Users can create automatic scans that allow them to keep a close eye on their code and prevent bad actors from exploiting vulnerabilities. This enables users to find and remove vulnerabilities soon after they appear.
We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon
You can get a good deal with Snyk for pricing. It's a little expensive, but it is worth it.
We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon
You can get a good deal with Snyk for pricing. It's a little expensive, but it is worth it.
Users have expressed satisfaction with various aspects, highlighting its quality, functionality, and value for money. They appreciate its user-friendly interface and the convenience it offers.
Additionally, users have praised the prompt and helpful customer support provided. Some users have also mentioned the product's durability and reliability.
I think that we pay approximately $100 USD per month.
The price is okay.
I think that we pay approximately $100 USD per month.
The price is okay.
Tricentis Tosca is a continuous testing platform that uses the industry’s most innovative functional testing technologies. Unlike traditional testing technologies, which are siloed and can allow for integration risks that are likely to derail end-to-end processes, Tricentis Tosca accelerates testing across the enterprise to keep pace with Agile and DevOps and helps enterprise teams to achieve 90%+ test automation rates, thereby enabling them to deliver fast and continuous feedback.
It is an expensive tool compared to other test automation tools. It has a lot of advantages over other tools.
Expensive, but for long-term projects, it is paying back.
It is an expensive tool compared to other test automation tools. It has a lot of advantages over other tools.
Expensive, but for long-term projects, it is paying back.
Coverity gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts.
The price of this solution is negotiable, depending on the size of the organization.
Coverity is quite expensive.
The price of this solution is negotiable, depending on the size of the organization.
Coverity is quite expensive.
OWASP Zap is a powerful tool used for security and vulnerability testing of applications. Its primary use case includes scanning pipelines, dynamic testing, penetration testing, and vulnerability scanning. OWASP Zap's most valuable functionality is its ability to scan and fix vulnerabilities, provide clear explanations in reports, and discover more vulnerabilities compared to other tools. It helps organizations by improving application security, reducing the need for external testers, and strengthening overall security.
It is highly recommended as it is an open source tool.
It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy.
It is highly recommended as it is an open source tool.
It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy.
It's an expensive solution.
It took about five years to break even. UFT is costly.
It's an expensive solution.
It took about five years to break even. UFT is costly.
Fortify on Demand is a web application security testing tool that enables continuous monitoring. The solution is designed to help you with security testing, vulnerability management and tailored expertise, and is able to provide the support needed to easily create, supplement, and expand a software security assurance program without the need for additional infrastructure or resources.
We used the one-time application, Security Scan Dynamic. I believe the original fee was $8,000.
Buying a license would be feasible for regular use. For intermittent use, the cloud-based option can be used (Fortify on Demand).
We used the one-time application, Security Scan Dynamic. I believe the original fee was $8,000.
Buying a license would be feasible for regular use. For intermittent use, the cloud-based option can be used (Fortify on Demand).
Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.
We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price.
The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps.
We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price.
The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps.
Sonatype Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.
Its pricing is competitive within the market. It's not very cheap, it's not very expensive.
We're pretty happy with the price, for what it is delivering for us and the value we're getting from it.
Its pricing is competitive within the market. It's not very cheap, it's not very expensive.
We're pretty happy with the price, for what it is delivering for us and the value we're getting from it.
Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.
This is a value for money product.
The cost is approximately $500 for a single license, and there are no additional costs beyond the standard licensing fees.
This is a value for money product.
The cost is approximately $500 for a single license, and there are no additional costs beyond the standard licensing fees.
SonarCloud is a cloud-based alternative of the SonarQube platform, offering continuous code quality and security analysis as a service. SonarCloud integrates seamlessly with popular version control and CI/CD platforms such as GitHub, Bitbucket, and Azure DevOps. It provides static code analysis to identify and help remediate issues such as bugs and security vulnerabilities. SonarCloud enables developers to receive immediate feedback on their code within their development environment, facilitating the maintenance of high-quality code standards, and promoting a culture of continuous improvement in software development projects. It helps produce software that is secure, reliable, and maintainable. SonarCloud is free for open-source projects and is offered as a paid subscription for private projects, priced per lines of code.
The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable.
I am using the free version of the solution.
The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable.
I am using the free version of the solution.
Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.
Acunetix was around the same price as all the other vendors we looked at, nothing special.
The costs aren't very expensive. It costs around $3000 or $4000.
Acunetix was around the same price as all the other vendors we looked at, nothing special.
The costs aren't very expensive. It costs around $3000 or $4000.
Sauce Labs is a functional testing tool that ensures your apps and websites work flawlessly on every browser, OS, and device. The solution allows you to automate functional testing on multiple operating systems and browsers, emulating the way that a user would use the website. With Sauce Labs, you can also run tests on various operating system and browser combinations in parallel, reducing the amount of time to get results. The Sauce Labs solution provides enterprise-grade security, scalability, and reliability.
We have an enterprise account; it has worked great for our needs.
Try the free trial and work with a Sauce Labs representative to see what package works best for your application(s).
We have an enterprise account; it has worked great for our needs.
Try the free trial and work with a Sauce Labs representative to see what package works best for your application(s).
IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.
AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost.
With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level.
AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost.
With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level.
Qualys Web Application Scanning (WAS) is a fully cloud-based web application security scanner. The scanner will automatically crawl periodically and test web applications to discover potential vulnerabilities, including cross-site scripting (XSS) and SQL injection. The consistent testing equips the automated service to generate consistent results, lessen false positives, and offer the ability to scale to protect thousands of websites effortlessly.
It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.
Try the free trial of the product to understand the basic working mechanisms.
It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.
Try the free trial of the product to understand the basic working mechanisms.
Tenable.io Web Application Scanning safely, accurately and automatically scans your web applications, providing deep visibility into vulnerabilities and valuable context to prioritize remediation.
The pricing is okay.
It follows the same licensing scheme as Tenable.io and Tenable. sc.
The pricing is okay.
It follows the same licensing scheme as Tenable.io and Tenable. sc.
Klocwork detects security, safety, and reliability issues in real-time by using this static code analysis toolkit that works alongside developers, finding issues as early as possible, and integrates with teams, supporting continuous integration and actionable reporting.
Klocwork should not to be quite so heavy handed on the licensing for very specific programs.
Licensing fees are paid annually, but they also have a perpetual license.
Klocwork should not to be quite so heavy handed on the licensing for very specific programs.
Licensing fees are paid annually, but they also have a perpetual license.
The private repositories are free, which is very good.
It is open-source. There is no license for GitHub.
The private repositories are free, which is very good.
It is open-source. There is no license for GitHub.
Invicti helps DevSecOps teams automate security tasks and save hundreds of hours each month by identifying web vulnerabilities that matter. Combining dynamic with interactive testing (DAST + IAST) and software composition analysis (SCA), Invicti scans every corner of an app to find what other tools miss with 99.98% accuracy, delivering on the promise of Zero Noise AppSec. Invicti helps discover all web assets — even ones that are lost, forgotten, or created by rogue departments. With an array of out-of-the-box integrations, DevSecOps teams can get ahead of their workloads to hit critical deadlines, improve processes, and communicate more effectively while reducing risk and hitting the ROI goals.
We never had any issues with the licensing; the price was within our assigned limits.
It is competitive in the security market.
We never had any issues with the licensing; the price was within our assigned limits.
It is competitive in the security market.
GitHub makes extra security features available to customers under an Advanced Security license. These features are also enabled for public repositories on GitHub.com.
The current licensing model, which relies on active commitments, poses challenges, particularly in predicting and managing growth.
The solution is expensive.
The current licensing model, which relies on active commitments, poses challenges, particularly in predicting and managing growth.
The solution is expensive.
Micro Focus Security Fortify Application Defender is a runtime application self-protection (RASP) solution that helps you manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time.
The base licensing costs for the SaaS platform is about $900 USD per application, per year.
The price of this solution could be less expensive.
The base licensing costs for the SaaS platform is about $900 USD per application, per year.
The price of this solution could be less expensive.
Parasoft SOAtest delivers fully integrated API and web service testing capabilities that automate end-to-end functional API testing. Streamline automated testing with advanced codeless test creation for applications with multiple interfaces (REST & SOAP APIs, microservices, databases, and more).
SOAtest reduces the risk of security breaches and performance outages by transforming functional testing artifacts into security and load equivalents. Such reuse, along with continuous monitoring of APIs for change, allows faster and more efficient testing.
From what I understand, Parasoft SOAtest isn't the cheapest option. But it has a lot to offer.
I think it would be a great step to decrease the price of the licenses.
From what I understand, Parasoft SOAtest isn't the cheapest option. But it has a lot to offer.
I think it would be a great step to decrease the price of the licenses.
CAST Highlight is a SaaS software intelligence product for performing rapid application portfolio analysis. It automatically analyzes source code of hundreds of applications in a week for Cloud Readiness, Software Composition Analysis (Open Source risks), Resiliency, and Technical Debt. Objective software insights from automated source code analysis combined with built-in qualitative surveys for business context enable more informed decision-making about application portfolios.
Basic support is included with the standard licensing feed but it can be upgraded for an additional cost.
It is a pretty costly tool. A lot of customers are resistant to using it.
Basic support is included with the standard licensing feed but it can be upgraded for an additional cost.
It is a pretty costly tool. A lot of customers are resistant to using it.
GrammaTech enables organizations to develop software applications more efficiently, on-budget, and on-schedule by helping to eliminate harmful defects that can cause system failures, enable data breaches, and ultimately increase corporate liabilities in today’s connected world. GrammaTech is the developer of CodeSonar, the most powerful source and binary code analysis solution available today. Extraordinarily precise, CodeSonar finds, on average, 2 times more serious defects in software than other static analysis solutions. Designed for organizations with zero tolerance for defects and vulnerabilities in their applications, CodeSonar provides static analysis for applications where reliability and security are paramount - widely used by software developers in avionics, medical, automotive, industrial control, and other mission-critical applications. Some of GrammaTech's customers include Toyota, GE, Hyundai, Kawasaki, LG, Lockheed Martin, NASA, Northrop Grumman, Panasonic, and Samsung.
Pricing is a bit costly.
The solution's price depends on the number of licenses needed and the source code for the project.
Pricing is a bit costly.
The solution's price depends on the number of licenses needed and the source code for the project.
SPAs, APIs, mobile—the evolution of application technology is measured in months, not years. Is your web application security testing tool designed to keep up? AppSpider lets you collect all the information needed to test all the apps so that you aren’t left with gaping application risks.
It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once.
The price is pretty fair.
It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once.
The price is pretty fair.
Software analytics technology with a breadth of third party integrations that takes into account the wealth of applications your teams are currently using.
Check with your account manager.
Nothing special. It's a very fair model.
Check with your account manager.
Nothing special. It's a very fair model.
Polyspace Code Prover is a sound static analysis tool that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code. It produces results without requiring program execution, code instrumentation, or test cases. Polyspace Code Prover uses semantic analysis and abstract interpretation based on formal methods to verify software interprocedural, control, and data flow behavior. You can use it on handwritten code, generated code, or a combination of the two. Each operation is color-coded to indicate whether it is free of run-time errors, proven to fail, unreachable, or unproven.
We use the paid version.
We use the paid version.
Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.
The solution is expensive.
The product's pricing is low. I would rate it a two out of ten.
The solution is expensive.
The product's pricing is low. I would rate it a two out of ten.
GitGuardian helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across their VCS, DevOps tools, and infrastructure-as-code configurations.
It's a little bit expensive.
The pricing and licensing are fair. It isn't very expensive and it's good value.
It's a little bit expensive.
The pricing and licensing are fair. It isn't very expensive and it's good value.
CAST Application Intelligence Platform (AIP), a result of over $130M in R&D investment over two decades, is an enterprise-grade software measurement and quality analysis solution designed to analyze multi-tiered, multi-technology applications for technical vulnerabilities and adherence to architectural and coding standards and then provide business relevant information to the IT organization through various dashboards and products built with end users in mind.
Defensics® fuzz testing is a comprehensive, powerful, and automated black box solution that enables organizations to effectively and efficiently discover and remediate security weaknesses in software. By taking a systematic and intelligent approach to negative testing, Defensics allows organizations to ensure software security without compromising on product innovation, increasing time to market, or inflating operational costs.
Licensing is a bit expensive.
Licensing is a bit expensive.
Sonatype Repository Firewall is a cloud-based security solution designed to safeguard your software supply chain against malicious components. It operates by meticulously scanning and evaluating each new component against customized governance policies, thereby effectively identifying and blocking potential threats before they infiltrate your development pipeline. What sets Sonatype Repository Firewall apart is its user-friendly setup, seamless integration with existing workflows, and remarkable scalability, making it suitable for software development environments of any size. Key features include blocking malicious components through behavioral analysis, malware scanning, and vulnerability assessment, as well as the ability to enforce custom governance policies. By utilizing this tool, organizations can enhance their software supply chain security, mitigate risks related to supply chain attacks, bolster compliance with industry standards, and ultimately reduce costs associated with security incidents.
The pricing is reasonable if you're a large enterprise developing code. It's not super-expensive.
The pricing is reasonable if you're a large enterprise developing code. It's not super-expensive.
Nucleus is a Risk Based Vulnerability Management (RBVM) solution that automates vulnerability management processes and workflows, enabling organizations to mitigate vulnerabilities 10 times faster, using a fraction of the resources that it takes to perform these tasks today.
ReversingLabs is the trusted authority in software and file security. We provide the modern cybersecurity platform to verify and deliver safe binaries. Trusted by the Fortune 500 and leading cybersecurity vendors, the ReversingLabs Titanium Platform® powers the software supply chain and file security insights, tracking over 35 billion files daily with the ability to deconstruct full software binaries in seconds to minutes. Only ReversingLabs provides that final exam to determine whether a single file or full software binary presents a risk to your organization and your customers.
We have a yearly contract based on the number of queries and malicious programs which can be processed.
We have a yearly contract based on the number of queries and malicious programs which can be processed.
Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.
WhiteHat Dynamic™ enables organizations to test applications at DevSecOps speed and enterprise-scale to build trust into their entire software portfolio. WhiteHat Dynamic combines artificial intelligence with expert security analysis, producing verified, actionable findings with near-zero false positives and yielding the most accurate results enabling organizations the need to understand, prioritize, and mitigate or remediate vulnerabilities in the shortest timeframe.
Polaris Software Integrity Platform® is an integrated, cloud-based application security testing solution optimized for the needs of development and DevSecOps teams.
Polaris brings our market-leading security analysis engines together in a unified platform, giving you the flexibility to run different tests at different times based on application, project, schedule, or SDLC events.
The licensing for Seeker is user-based and for 50 users I believe it costs about $70,000 per year.
The licensing for Seeker is user-based and for 50 users I believe it costs about $70,000 per year.
BlueOptima's analytics platform empowers software developers and their companies to create better software in the most time- and cost-efficient way.
Cycode is the industry’s first source code control, detection, and response platform. Its Source Path Intelligence engine seamlessly delivers comprehensive visibility into all of your code and automatically detects and responds to anomalies in its access, movement, and usage.
Apiiro is the leader in application security posture management (ASPM), unifying risk visibility, prioritization, and remediation with deep code analysis and runtime context.
Code Dx by Synopsys works with Intelligent Orchestration to give organizations the ability to: Execute tests and automatically run AppSec tools. Correlate results from multiple tools, combining security issues found by 75+ tools. Prioritize security issues, filtering out noise using machine learning.
It is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's not for everybody.
It is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's not for everybody.
Shipping secure code is painful and time-consuming – slowing down development teams and AppSec teams alike. ShiftLeft is on a mission to make vulnerabilities history. Our revolutionary Code Property Graph (CPG) enables us to seamlessly insert 10x faster code analysis, prioritized OSS vulnerability findings and real-time security education in one single SaaS platform integrated directly into modern development workflows. Combining our OWASP-benchmark dominating NG-SAST, Intelligent SCA, instant secrets detection, and contextual security education, ShiftLeft CORE code security platform turns every developer into an AppSec expert.
Through continuous monitoring, the Onapsis Security Platform (OSP) delivers a near real-time preventative, detective and corrective approach for securing SAP systems and applications whether deployed on-premise, or in a private, public or hybrid cloud environment.
Our mission is to help everyone involved in software engineering create secure and trustworthy code without slowing down.
Data Theorem is a leading provider of modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere. The Data Theorem Analyzer Engine continuously scans APIs and mobile applications in search of security flaws and data privacy gaps. Data Theorem products help organizations build safer applications that maximize data security and brand protection.
Our proprietary protection capabilities shield apps from reverse engineering, tampering, API exploits, and other attacks that can put your business, your customers, and your bottom line at risk.
Stop Attacks Across Your Software Supply Chain.
Automatically block risks introduced into the pipeline and ensure the integrity of each workload, all from a single location.
