Based on the user reviews, Veracode is the preferred product over SonarQube. Veracode has received mixed reviews for its customer service and support, but some customers praise its responsiveness and knowledge. In contrast, SonarQube's customer service and support experiences vary. Additionally, Veracode's pricing is considered reasonable and affordable by some, while SonarQube's pricing opinions vary. Overall, Veracode's comprehensive security testing capabilities and ease of use make it the preferred choice.
Checkmarx is a highly accurate and flexible static code analysis product that allows organizations to automatically scan uncompiled code and identify hundreds of security vulnerabilities in all major coding languages and software frameworks. Checkmarx is available as a standalone product and can be effectively integrated into the software development lifecycle (SDLC) to streamline vulnerability detection and remediation. Checkmarx is trusted by leading organizations such as SAP, Samsung, and Salesforce.com.
The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.
I believe pricing is better compared to other commercial tools.
The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security.
I believe pricing is better compared to other commercial tools.
Snyk is a user-friendly security solution that enables users to safely develop and use open source code. Users can create automatic scans that allow them to keep a close eye on their code and prevent bad actors from exploiting vulnerabilities. This enables users to find and remove vulnerabilities soon after they appear.
We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon
You can get a good deal with Snyk for pricing. It's a little expensive, but it is worth it.
We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon
You can get a good deal with Snyk for pricing. It's a little expensive, but it is worth it.
GitLab is a complete DevOps platform that enables teams to collaborate and deliver software faster.
I think that we pay approximately $100 USD per month.
The price is okay.
I think that we pay approximately $100 USD per month.
The price is okay.
Tricentis Tosca is a continuous testing platform that uses the industry’s most innovative functional testing technologies. Unlike traditional testing technologies, which are siloed and can allow for integration risks that are likely to derail end-to-end processes, Tricentis Tosca accelerates testing across the enterprise to keep pace with Agile and DevOps and helps enterprise teams to achieve 90%+ test automation rates, thereby enabling them to deliver fast and continuous feedback.
It is an expensive tool compared to other test automation tools. It has a lot of advantages over other tools.
Expensive, but for long-term projects, it is paying back.
It is an expensive tool compared to other test automation tools. It has a lot of advantages over other tools.
Expensive, but for long-term projects, it is paying back.
Coverity gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts.
The price of this solution is negotiable, depending on the size of the organization.
Coverity is quite expensive.
The price of this solution is negotiable, depending on the size of the organization.
Coverity is quite expensive.
OWASP Zap is a free and open-source web application security scanner.
It is highly recommended as it is an open source tool.
It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy.
It is highly recommended as it is an open source tool.
It's free and open, currently under the Apache 2 license. If ZAP does what you need it to do, selling a free solution is a very easy.
Sonatype Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.
Its pricing is competitive within the market. It's not very cheap, it's not very expensive.
We're pretty happy with the price, for what it is delivering for us and the value we're getting from it.
Its pricing is competitive within the market. It's not very cheap, it's not very expensive.
We're pretty happy with the price, for what it is delivering for us and the value we're getting from it.
It's an expensive solution.
It took about five years to break even. UFT is costly.
It's an expensive solution.
It took about five years to break even. UFT is costly.
Fortify on Demand is a web application security testing tool that enables continuous monitoring. The solution is designed to help you with security testing, vulnerability management and tailored expertise, and is able to provide the support needed to easily create, supplement, and expand a software security assurance program without the need for additional infrastructure or resources.
We used the one-time application, Security Scan Dynamic. I believe the original fee was $8,000.
Buying a license would be feasible for regular use. For intermittent use, the cloud-based option can be used (Fortify on Demand).
We used the one-time application, Security Scan Dynamic. I believe the original fee was $8,000.
Buying a license would be feasible for regular use. For intermittent use, the cloud-based option can be used (Fortify on Demand).
Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.
We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price.
The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps.
We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price.
The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps.
Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.
This is a value for money product.
The cost is approximately $500 for a single license, and there are no additional costs beyond the standard licensing fees.
This is a value for money product.
The cost is approximately $500 for a single license, and there are no additional costs beyond the standard licensing fees.
Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.
Acunetix was around the same price as all the other vendors we looked at, nothing special.
The costs aren't very expensive. It costs around $3000 or $4000.
Acunetix was around the same price as all the other vendors we looked at, nothing special.
The costs aren't very expensive. It costs around $3000 or $4000.
SonarCloud is the leading online service to catch Bugs and Security Vulnerabilities in your Pull Requests and throughout your code repositories. Totally free for open-source projects (paid plan for private projects), SonarCloud pairs with existing cloud-based CI/CD workflows, and provides clear resolution guidance for any Code Quality or Code Security issue it detects. With more than 1 billion lines of code analyzed every week, SonarCloud empowers development teams of all sizes to write cleaner and safer code, across 24 programming languages.
The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable.
I am using the free version of the solution.
The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable.
I am using the free version of the solution.
IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.
AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost.
With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level.
AppScan is a little bit expensive. IBM needs to work a little bit on the pricing model, decreasing the license cost.
With the features, that they offer, and the support, they offer, AppScan pricing is on a higher level.
Qualys Web Application Scanning (WAS) is a fully cloud-based web application security scanner. The scanner will automatically crawl periodically and test web applications to discover potential vulnerabilities, including cross-site scripting (XSS) and SQL injection. The consistent testing equips the automated service to generate consistent results, lessen false positives, and offer the ability to scale to protect thousands of websites effortlessly.
It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.
Try the free trial of the product to understand the basic working mechanisms.
It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.
Try the free trial of the product to understand the basic working mechanisms.
Sauce Labs is a functional testing tool that ensures your apps and websites work flawlessly on every browser, OS, and device. The solution allows you to automate functional testing on multiple operating systems and browsers, emulating the way that a user would use the website. With Sauce Labs, you can also run tests on various operating system and browser combinations in parallel, reducing the amount of time to get results. The Sauce Labs solution provides enterprise-grade security, scalability, and reliability.
We have an enterprise account; it has worked great for our needs.
Try the free trial and work with a Sauce Labs representative to see what package works best for your application(s).
We have an enterprise account; it has worked great for our needs.
Try the free trial and work with a Sauce Labs representative to see what package works best for your application(s).
Tenable.io Web Application Scanning safely, accurately and automatically scans your web applications, providing deep visibility into vulnerabilities and valuable context to prioritize remediation.
The pricing is okay.
It follows the same licensing scheme as Tenable.io and Tenable. sc.
The pricing is okay.
It follows the same licensing scheme as Tenable.io and Tenable. sc.
Klocwork detects security, safety, and reliability issues in real-time by using this static code analysis toolkit that works alongside developers, finding issues as early as possible, and integrates with teams, supporting continuous integration and actionable reporting.
Klocwork should not to be quite so heavy handed on the licensing for very specific programs.
Licensing fees are paid annually, but they also have a perpetual license.
Klocwork should not to be quite so heavy handed on the licensing for very specific programs.
Licensing fees are paid annually, but they also have a perpetual license.
Invicti helps DevSecOps teams automate security tasks and save hundreds of hours each month by identifying web vulnerabilities that matter. Combining dynamic with interactive testing (DAST + IAST) and software composition analysis (SCA), Invicti scans every corner of an app to find what other tools miss with 99.98% accuracy, delivering on the promise of Zero Noise AppSec. Invicti helps discover all web assets — even ones that are lost, forgotten, or created by rogue departments. With an array of out-of-the-box integrations, DevSecOps teams can get ahead of their workloads to hit critical deadlines, improve processes, and communicate more effectively while reducing risk and hitting the ROI goals.
We never had any issues with the licensing; the price was within our assigned limits.
It is competitive in the security market.
We never had any issues with the licensing; the price was within our assigned limits.
It is competitive in the security market.
The private repositories are free, which is very good.
It is open-source. There is no license for GitHub.
The private repositories are free, which is very good.
It is open-source. There is no license for GitHub.
Micro Focus Security Fortify Application Defender is a runtime application self-protection (RASP) solution that helps you manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time.
The base licensing costs for the SaaS platform is about $900 USD per application, per year.
The price of this solution could be less expensive.
The base licensing costs for the SaaS platform is about $900 USD per application, per year.
The price of this solution could be less expensive.
Parasoft SOAtest is widely recognized as the leading enterprise-grade solution for API functional and nonfunctional testing and API integrity. Thoroughly test composite applications with robust support for REST and web services, plus over 120 supported protocols and message types.
From what I understand, Parasoft SOAtest isn't the cheapest option. But it has a lot to offer.
I think it would be a great step to decrease the price of the licenses.
From what I understand, Parasoft SOAtest isn't the cheapest option. But it has a lot to offer.
I think it would be a great step to decrease the price of the licenses.
Software analytics technology with a breadth of third party integrations that takes into account the wealth of applications your teams are currently using.
Check with your account manager.
Nothing special. It's a very fair model.
Check with your account manager.
Nothing special. It's a very fair model.
CAST Highlight is a SaaS software intelligence product for performing rapid application portfolio analysis. It automatically analyzes source code of hundreds of applications in a week for Cloud Readiness, Software Composition Analysis (Open Source risks), Resiliency, and Technical Debt. Objective software insights from automated source code analysis combined with built-in qualitative surveys for business context enable more informed decision-making about application portfolios.
Basic support is included with the standard licensing feed but it can be upgraded for an additional cost.
It is a pretty costly tool. A lot of customers are resistant to using it.
Basic support is included with the standard licensing feed but it can be upgraded for an additional cost.
It is a pretty costly tool. A lot of customers are resistant to using it.
SPAs, APIs, mobile—the evolution of application technology is measured in months, not years. Is your web application security testing tool designed to keep up? AppSpider lets you collect all the information needed to test all the apps so that you aren’t left with gaping application risks.
It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once.
The price is pretty fair.
It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once.
The price is pretty fair.
GrammaTech enables organizations to develop software applications more efficiently, on-budget, and on-schedule by helping to eliminate harmful defects that can cause system failures, enable data breaches, and ultimately increase corporate liabilities in today’s connected world. GrammaTech is the developer of CodeSonar, the most powerful source and binary code analysis solution available today. Extraordinarily precise, CodeSonar finds, on average, 2 times more serious defects in software than other static analysis solutions. Designed for organizations with zero tolerance for defects and vulnerabilities in their applications, CodeSonar provides static analysis for applications where reliability and security are paramount - widely used by software developers in avionics, medical, automotive, industrial control, and other mission-critical applications. Some of GrammaTech's customers include Toyota, GE, Hyundai, Kawasaki, LG, Lockheed Martin, NASA, Northrop Grumman, Panasonic, and Samsung.
Pricing is a bit costly.
The solution's price depends on the number of licenses needed and the source code for the project.
Pricing is a bit costly.
The solution's price depends on the number of licenses needed and the source code for the project.
Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.
The solution is expensive.
The product's pricing is low. I would rate it a two out of ten.
The solution is expensive.
The product's pricing is low. I would rate it a two out of ten.
Polyspace Code Prover is a sound static analysis tool that proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in C and C++ source code. It produces results without requiring program execution, code instrumentation, or test cases. Polyspace Code Prover uses semantic analysis and abstract interpretation based on formal methods to verify software interprocedural, control, and data flow behavior. You can use it on handwritten code, generated code, or a combination of the two. Each operation is color-coded to indicate whether it is free of run-time errors, proven to fail, unreachable, or unproven.
GitGuardian helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across their VCS, DevOps tools, and infrastructure-as-code configurations.
It's a little bit expensive.
The pricing and licensing are fair. It isn't very expensive and it's good value.
It's a little bit expensive.
The pricing and licensing are fair. It isn't very expensive and it's good value.
Sonatype Repository Firewall is a cloud-based security solution designed to safeguard your software supply chain against malicious components. It operates by meticulously scanning and evaluating each new component against customized governance policies, thereby effectively identifying and blocking potential threats before they infiltrate your development pipeline. What sets Sonatype Repository Firewall apart is its user-friendly setup, seamless integration with existing workflows, and remarkable scalability, making it suitable for software development environments of any size. Key features include blocking malicious components through behavioral analysis, malware scanning, and vulnerability assessment, as well as the ability to enforce custom governance policies. By utilizing this tool, organizations can enhance their software supply chain security, mitigate risks related to supply chain attacks, bolster compliance with industry standards, and ultimately reduce costs associated with security incidents.
The pricing is reasonable if you're a large enterprise developing code. It's not super-expensive.
The pricing is reasonable if you're a large enterprise developing code. It's not super-expensive.
CAST Application Intelligence Platform (AIP), a result of over $130M in R&D investment over two decades, is an enterprise-grade software measurement and quality analysis solution designed to analyze multi-tiered, multi-technology applications for technical vulnerabilities and adherence to architectural and coding standards and then provide business relevant information to the IT organization through various dashboards and products built with end users in mind.
Defensics® fuzz testing is a comprehensive, powerful, and automated black box solution that enables organizations to effectively and efficiently discover and remediate security weaknesses in software. By taking a systematic and intelligent approach to negative testing, Defensics allows organizations to ensure software security without compromising on product innovation, increasing time to market, or inflating operational costs.
Licensing is a bit expensive.
Licensing is a bit expensive.
Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.
GitHub makes extra security features available to customers under an Advanced Security license. These features are also enabled for public repositories on GitHub.com.
The current licensing model, which relies on active commitments, poses challenges, particularly in predicting and managing growth.
The current licensing model, which relies on active commitments, poses challenges, particularly in predicting and managing growth.
Nucleus is a Risk Based Vulnerability Management (RBVM) solution that automates vulnerability management processes and workflows, enabling organizations to mitigate vulnerabilities 10 times faster, using a fraction of the resources that it takes to perform these tasks today.
WhiteHat Dynamic™ enables organizations to test applications at DevSecOps speed and enterprise-scale to build trust into their entire software portfolio. WhiteHat Dynamic combines artificial intelligence with expert security analysis, producing verified, actionable findings with near-zero false positives and yielding the most accurate results enabling organizations the need to understand, prioritize, and mitigate or remediate vulnerabilities in the shortest timeframe.
Tripwire IP360 delivers risk-based vulnerability assessment and asset discovery capabilities. With IP360, you get:
I believe the price compares well within the market.
The product was expensive for us.
I believe the price compares well within the market.
The product was expensive for us.
BlueOptima's analytics platform empowers software developers and their companies to create better software in the most time- and cost-efficient way.
The licensing for Seeker is user-based and for 50 users I believe it costs about $70,000 per year.
The licensing for Seeker is user-based and for 50 users I believe it costs about $70,000 per year.
Cycode is the industry’s first source code control, detection, and response platform. Its Source Path Intelligence engine seamlessly delivers comprehensive visibility into all of your code and automatically detects and responds to anomalies in its access, movement, and usage.
Polaris Software Integrity Platform® is an integrated, cloud-based application security testing solution optimized for the needs of development and DevSecOps teams.
Polaris brings our market-leading security analysis engines together in a unified platform, giving you the flexibility to run different tests at different times based on application, project, schedule, or SDLC events.
Code Dx by Synopsys works with Intelligent Orchestration to give organizations the ability to: Execute tests and automatically run AppSec tools. Correlate results from multiple tools, combining security issues found by 75+ tools. Prioritize security issues, filtering out noise using machine learning.
It is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's not for everybody.
It is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's not for everybody.
Through continuous monitoring, the Onapsis Security Platform (OSP) delivers a near real-time preventative, detective and corrective approach for securing SAP systems and applications whether deployed on-premise, or in a private, public or hybrid cloud environment.
Our mission is to help everyone involved in software engineering create secure and trustworthy code without slowing down.
Apiiro is the leader in application security posture management (ASPM), unifying risk visibility, prioritization, and remediation with deep code analysis and runtime context.
Shipping secure code is painful and time-consuming – slowing down development teams and AppSec teams alike. ShiftLeft is on a mission to make vulnerabilities history. Our revolutionary Code Property Graph (CPG) enables us to seamlessly insert 10x faster code analysis, prioritized OSS vulnerability findings and real-time security education in one single SaaS platform integrated directly into modern development workflows. Combining our OWASP-benchmark dominating NG-SAST, Intelligent SCA, instant secrets detection, and contextual security education, ShiftLeft CORE code security platform turns every developer into an AppSec expert.
Data Theorem is a leading provider of modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere. The Data Theorem Analyzer Engine continuously scans APIs and mobile applications in search of security flaws and data privacy gaps. Data Theorem products help organizations build safer applications that maximize data security and brand protection.
Our proprietary protection capabilities shield apps from reverse engineering, tampering, API exploits, and other attacks that can put your business, your customers, and your bottom line at risk.
DeepCode is blazingly fast - even on codebases with millions of lines of code!
