Veracode alternatives and competitors

We use Mend especially for code analysis. I work in the application security part of my company. Developers will build and push the code to the GitHub repository. We have a build server that pulls in the code, and we are using Jenkins to automate that to do the DevOps stuff.

Once the code is built, we create a product for that particular version on Mend. We are currently working with three different versions for our particular product. We have the products created on Mend via White Source, which has a configuration file and a back file that runs. The configuration files basically tell what parameters to use, which server URL to use, which files to ignore, and which files to use.

For example, if I just have to do Python, I can make changes in the configuration files in Excel to include just .py files and exclude all of the files. If I have to do Python and C++, I can make changes in the configuration file itself to make .py, .C++ and exclude all of those. Once that configuration file is ready, then we run a White Source back file that just connects to the server, contacts the configuration file as well, does the scan on all the files that are there in the project, the project being for, and then pushes it to Mend, our Mend page.

On our Mend page, once we go into the product page of it, we can see what libraries have been used by us and what have some vulnerabilities. We also can set policies on Mend. We set some policies for our organization to accept and reject. For each product, we also get the policy violations that the libraries go through and any new versions for any new libraries that are available on that library's parent page - the parent page being the official developers of the library. We can get the new versions as well. We get the licenses we use with the library, and most importantly, we get vulnerability alerts regarding every library we use in our code.

Once the code is pulled, scanned, and pushed, we get the UI. We go to the library alerts. Once we go to the library alerts, we can see the different severities and the different libraries with vulnerabilities. We normally just sort according to higher severity first and go down to lower severity. We check what can be ignored or what is acceptable and what cannot be ignored, and what is of high priority. Ones that are a high priority, we flag and create a ticket on JIRA. That's our platform for collaboration.

Once we create a ticket for JIRA, the developers can see it, the QA team can see it, and they will go through that as well. They can tell if the update or the upgrade of the library is possible or not. They'll check its compatibility and see if it's actually doable or not. If it's not doable, they'll just tell us it's not doable, and probably our next version of the application will have the changes - not this one. We term that as acceptable or within our domains of acceptance. However, daily, if a JIRA ticket is created, the developers get back to us saying yes or no. Mostly they can say yes to changing the library to upgrade the library. If it's upgraded, they upgrade it to the next version. We scan it again. We do a weekly scan. We'll just check the next week if that particular liability is upgraded and the vulnerability has been remediated.

The vulnerability analysis is the best aspect of the solution. It’s my main go-to.

We can't do static code analysis ourselves; it's manual. That's a lot of manual tasks to handle. It's close to impossible to do that. That was a lot for static code analysis of our projects, alerting on vulnerabilities whenever it's possible. Whenever there's a vulnerability available, Mend does that. It vulnerability analyst is a report as well with how many high vulnerabilities, how many medium, how many lows we got, and how many accepted or how many are without any vulnerabilities basically.

I see a lot of it is pretty good and has a high level of trust.

It’s stable and easy to set up.

All applications in the world that are created have room for improvement.

Within Mend itself, there’s Mend Prioritize, which prioritizes the vulnerability automatically by itself with relevance to our application. Mend Prioritize has support for five or six languages right now, including JavaScript, C, and C#. The only thing that I don't find support for on Mend Prioritize is C++, which they'll be working on since the product is under development. Once that's done, we can also add it into Mend Prioritize for our weekly scans, which will help us with our analysis and efforts for remediation.

It's everything we need right now. There's nothing as such that’s out of the world that they should do. We use it just for one thing and focus on that. Therefore, they should not do anything else. We're fine with it as it is.

I've been using Mend for six months now.

It’s quite stable. There are no bugs or glitches. It doesn’t crash or freeze. A lot of infrastructure is dependent on Mend right now, and it's not disappointing.

It is a pretty scalable product.

The application security team uses it. That’s four people using it regularly.

We are using everything that it does. Mend does a lot of things. It does SAST, SCA, it does DAST as well. We are using just the SCA module of it, which we need, and we are using the SCA model to its fullest. I hope we're doing the most efficient deployment of it.

We’ve used technical support in the past. We had some issues with One RPM last month. That was sorted quickly.

Positive

We did not previously use any different solution prior to Mend.

We did look at other solutions. There was Veracode that we tried and Tenable. There was Qualys as well. However, we chose Mend, and we have had a license for three years right now.

The initial setup was pretty easy.

The deployment didn’t take long. Within a day or two, it was done.

There's no maintenance and deployment of Mend as such.

We have a license, so once the license was set up, once the server was set up, after that, we rolled it out by ourselves.

We’ve seen a terrific ROI. I’d rate the solution a 4.5 out of five in terms of delivering us ROI.

I don’t have any information in regards to pricing.

I would advise potential users to go through the documentation extensively. The documentation is pretty extensive. It's easy to miss some points in the initial setup itself. If the initial setup's gone wrong, it is difficult to debug it once the infrastructure is up. Therefore, start slow. If the deployment is done correctly, it's only a matter of two files after that for each project that you scan.

I’d rate the solution a nine out of ten.

It is for SCA, and we have just been doing the PoC. We are currently using the open-source version for some of the development teams. 

The main functionality that we found useful is scanning. A main feature of Snyk is that when you go with SCA, you do get properly done security composition, also from the licensing and open-source parameters perspective. A lot of companies often use open-source libraries or frameworks in their code, which is a big security concern. Snyk deals with all the things and provides you with a proper report about whether any open-source code or framework that you are using is vulnerable. In that way, Snyk is very good as compared to other tools.

I had a list of what they can improve, and I did share that with them. They are coming up with a beta version. 

It can be improved from the reporting perspective and scanning perspective. They can also improve it on the UI front. When we started the PoC five months ago, we encountered all these things. So, I asked them to improve on them. They have come up with a lot of new features, but they are still lacking on the UI front and the reporting side of things.

If you go to the UI front of Snyk, you won't find it so friendly. Another one is that you can't see the projects clearly. It gets all the sources from the repository. It pulls all the projects from the repository and creates a new project altogether for every new addition. So, you can't group them clearly. For example, if I have one product with different repositories, it creates a number of projects underneath in the Snyk UI. 

When it comes to reporting, if I run a scan on a particular project, I want the report only for that particular project in a PDF format that I can share with others. Currently, you get the notification over an email with all the projects but not in detail. You have to go to Snyk to find the details of a particular project. You only get a generic view, and you don't get a detailed view of a project. You need to go to the tool, export it as a CSV, and then find it, which is ridiculous. With other tools, once the scan is complete, we can just share the report with the development team that is working on that project, but Snyk doesn't let us do that. They still need to work a lot on the reporting structure.

It also needs to be improved in terms of interdependencies. When you run a code scan, the code can have interdependencies. If you have found a vulnerable line somewhere, it might lead to other interdependencies. Currently, Snyk doesn't provide you with interdependencies. For example, it doesn't provide you with the best location to do the fix. Checkmarx does that, and after you fix a particular line of code, all the other dependencies are automatically fixed. Snyk doesn't offer that. So, you have to do the fix one by one, which is a tedious task for the development team. It takes a lot of effort. I shared this feedback with them, and they might be working on it. They told me that they'll consider that.

We have been using Snyk for the past five months.

They are very proactive, sometimes more than what we want them to be. They reach out to us very often, and they are very good with technical support. They reach out to us and just ask us if there are any challenges where they can improve. They're quite open on that front. They don't have any local support as of now, but they are planning for 24/7 support. Currently, they are based only in the US, but they are still very active. Whenever we send out an email, they respond immediately. I would rate them a four out of five.

Positive

I have worked with other solutions. From the open-source composition and the licensing perspective, they are doing well as compared to competitors such as Black Duck, Veracode, and others. They do well on that front.

Checkmarx is the top one. They need to work very hard to match Checkmarx. Checkmarx is really good as compared to Snyk, but Checkmarx is too expensive. That's the reason we went with Snyk. Checkmarx has a very good scanning engine and technical support. It is also user-friendly. It is quite friendly for developers who are beginners. Anyone can use and learn Checkmarx easily, whereas with Snyk, you need some knowledge before you begin with it.

I had an on-prem Checkmarx. They still do on-prem, and now, they're also coming up with the cloud version. Even if you use the on-prem version, it is quite easy to access the database. You can customize everything based on your needs. From the scanning perspective, if I want to change any policies or rules, it is quite easy with Checkmarx. You just need to change the query inside the database, and you can easily set the rules.

We have only done a PoC. We are yet to finalize the pricing and then deploy the product as a whole. When it comes to PoC, it was quite simple. It was not complex at all. The integrations with GenCAN, or even with GitHub, were quite easy for us. There was no complex structure there. It was straightforward. Once we set up the environment, it took us a few hours to do all the integrations with different repositories or CI/CD. I would rate it a four out of five in terms of ease of the setup.

Currently, we have done it on CI/CD. It is kind of automated. Whenever there is a new build, it automatically triggers the scan.

There are about 30 developers who have been working with it for the PoC. They have been using it on a daily basis for the past four months. Last month, we stopped using it because we have finalized it. Going forward, we will be having 500 developers to begin with. 

We did the integration using their documentation. Their documentation was very simple. It was very easy to use.

We are using the open-source version for the scans. We will be going with the full source, license-based version as soon as possible.

I would rate it a seven out of ten.

I am utilizing Kiuwan for quick and efficient scans, specifically static scanning for web applications. This includes checking the application's code base and dependencies, known as SaaS scans. In the first quarter, there is a "code-based security and insight" tab where we can review the application's code for any vulnerabilities arising from dependencies. We then analyze these vulnerabilities and provide solutions for mitigating them.

The feature that I have found the most valuable in Kiuwan is the speed of scanning. Compared to other SaaS tools I have used, Kiuwan is much quicker in performing scans. I have not yet used it on a large code base, but from what I have experienced, it is efficient and accurate. Additionally, I have used it both manually and in an automated pipeline, and both methods have been effective. The speed of scanning is what makes it valuable to me.

Kiuwan provides a detailed analysis and mitigation steps for any vulnerabilities reported, which is very helpful for teams in addressing the issues.

In Kiuwan there are sometimes duplicates found in the dependency scan under the "insights" tab. It's unclear to me why these duplicates are appearing, and it would be helpful if the application teams could investigate further. 

Another issue I've encountered is that Kiuwan only looks at the version of components and doesn't take into account any workaround fixes that have been implemented at the code level. This can result in false positives being reported. Additionally,  these issues are in the "insights" tab and not in the code base security aspect. Lastly, when muting findings that are false positives, there should be an option to see the only available at the code level rather than at the organization level because it can lead to missing vulnerabilities if they are muted at the org level.

An additional feature that would be helpful is the ability to easily download reports from Kiuwan. Specifically, in the "insights" tab, we have been encountering an error when trying to download the PDF report. We are able to download the code-based security report, but not the insights report. This has been an ongoing issue for the past couple of months and would be beneficial if it could be resolved.

My main recommendation would be to address the issues with downloading reports that we have been experiencing. Additionally, it would be helpful if Kiuwan could support a wider range of programming languages, as there are currently some that are not compatible with the tool. If the code of a particular application falls under the category which is not compatible with Kiuwan, then it will not be able to scan it.

I have been using Kiuwan for approximately 10 months.

Since using Kiuwan, I have not experienced any major issues with the tool crashing. There may have been occasional loading issues, but overall, Kiuwan has been reliable and up and running most of the time.  

Our teams have scanned multiple reports, some of which have been in the hundreds, and we have not encountered any issues with scalability. The code level for any application should not be excessively large, and if it were, it's likely that any tool would have limitations. In our case, we have not faced any scalability issues with Kiuwan.

We have approximately 20 teams that are working with 20 applications a month, and mostly all the applications are scanned with Kiuwan.

I have not used the support from Kiuwan.

Out of the solutions I have worked with which are Veracode, Kiuwan, Fortify, and Checkmarks, I would exclude Veracode because I did not have a good experience with it. If I had to choose between Kiuwan and Fortify, I prefer Kiuwan. It scans reports faster and provides more detailed analysis and mitigation steps for vulnerabilities. Additionally, Kiuwan takes into account the versions of components more effectively, which is an advantage over Fortify.

I am not the primary person responsible for that as it is handled by the application team. Our role is to perform the scans, identify any vulnerabilities, and provide guidance on how to mitigate them. Once the vulnerabilities have been resolved, a rescan is conducted until there are no longer any critical or high vulnerabilities present. At that point, the Kiuwan scan is completed for that particular application.

We did the integration of Kiuwan in-house.

Kiuwan is an open-source solution and free to use. 

The team responsible for maintenance makes sure to constantly monitor and ensure that Kiuwan is always running smoothly and not crashing. Overall, the maintenance and upkeep of the tool have been good in my experience.

I rate Kiuwan an eight out of ten.

Our company uses the solution to manage code, Wiki, and repository management for multiple projects on Truck It In. The solution helps us manage our experience with projects. We currently have twenty-two developers using the solution.  

We are in the process of executing the pipelines to use the solution for CI/CD. 

The interface is much more user friendly than competitor products. 

The merge request tool is very valuable. 

It is easy to perform code and peer reviews. 

Key features allow creation of well-presented Wiki that includes ideas, development, and domains. 

The solution should expand features to match other tools such as Coverity, Veracode, or SonarQube with its static code analysis tool so third-party integrations are not required.

There can be a lapse of fifteen minutes to a day when updates are pushed. We do receive email notification of upcoming lapses and push progress, so that helps.

I have been using the solution for eight months. 

The solution is stable with no failures or issues in the version controlling or epic creation processes. 

The solution is scalable. We can manage issues or epics, make Kanban with proper backlog, and move any processes with no problems. It is scalable in terms of managing our experience and using it as a project management tool. 

We have not needed technical support. 

The setup is straightforward with good user interface. Third-party integrations can be a bit of a hassle. 

We implemented the solution in-house. 

We use Spring Boot at the back end with IntelliJ for IDs. IntelliJ is a good tool that integrates our projects with the solution through a well-managed synchronization process. 

The solution has a better user interface than GitHub and Bitbucket. 

We also use ClickUp which is a great tool for managing tickets and stream planning. We follow Agile methodologies so ClickUp is quite helpful to us. 

SonarQube has a new integration with the solution so we use its static code analysis tool.

The solution is valuable for developers because it includes version controlling, pipelines, CI/CD, and integrations. When moving from the development side to the production side it is important to ensure that code is bug-free with no errors. We have less issues on the production side because we take full advantage of the solution. 

The solution currently requires third-party integrations for CI/CD so I rate it a seven out of ten. 

Our company uses the solution to check the vulnerabilities in our products at the build level. We capture, identify potential issues and fixes, and publish reports on a weekly basis. 

We work in the banking industry and have a license for 100 users.

The report function is the solution's greatest asset. We can configure reports in our build pipeline. We set them to publish scores and consolidate all the pod answers. We go through reports to understand issues and next steps. We get availability of code by clicking on that particular section. 

We are able to speed up services because the semi-application is done in the report.

The solution is very easy to navigate. 

The solution sometimes reports a false auditable code or false positive. This is not a bug but something within the software's operation that should be addressed. 

I have been using the solution for four years. 

The stability is rated an eight out of ten. 

The solution is scalable and we can use the VCM feature for multiple projects or incidents. Scalability is rated an eight out of ten. 

Technical support is very helpful so is rated a seven out of ten. 

Neutral

We did not previously use a different solution. 

Our finance team handled the setup so I don't have details. 

Our finance team implemented the solution. 

I rate the solution a seven out of ten.