I believe we need to cover the SDLC from start to end as much as possible while ensuring that this does not mean too many dashboards and also keeping the cost of development in mind.
1. IDE Checks: This is the 1st step in shift left approach. Many open source tools integrate easily with IDE (VSC, Eclipse) etc and allow developers to do a check even before they commit code on local branch. We have leveraged SonarLint (https://www.sonarlint.org/) which covers a vast spectrum of programming languages and IDEs.
2. SAST: Many open source tools available in this space which do a check around security vulnerability, security hotpots etc. We use SonarQube.
3. SCA: Check against open source security vulnerabilities and license compliance is very important. WhiteSource is what we use here.
4. IaaC scan: We need tools to manage and analyze infrastructure as code (IaC) scan results across platforms and be able to resolve the issues.
5. Monitoring: Once application is deployed into production, we need tools to monitor it live and be able to check for vulnerabilities and other issues which happen when 100's of users are using the application from across the globe.
There are other areas like DAST, IAST which become important depending on size, complexity and business needs.
Search for a product comparison in Static Application Security Testing (SAST)
Transformation Leader at TEKsystems (ex Aston Carter)
Real User
May 31, 2021
It depends on the budget, business and technology portfolio of the enterprise.
If you predominantly web-based and service architecture-oriented technology portfolio, Veracode set of tools (Green-light, Veracode SAST, Veracode DAST) is a good option. Veracode is good if you have enterprise-level DevSecOps transformation. But Veracode may not work well for legacy systems.
I have also used Microfocus Fortify effectively. Just on SCA, universally used Sonarqube with standard plugins is I prefer as it is easy to use. All these tools are very used to integrate into DevSecOps Application Pipeline.
Everything in technology focuses on People, Process & Technology. What binds these together is business requirements and understanding the needs of each Line Of Business. Often each Line of Business requires completely different requirements, but what tools help you meet that unified vision and executive dashboard reporting to measure your KPIs.
Why so much Fortify? It has been around 17 years, while it is old it is constantly evolving. It is the only Hybrid (Cloud & On-Premise Solution), it provides the flexibility needed for most customers. There is a reason why over 50% of Cigital (Synopsys) business is managing Fortify and not Synopsys tool suite. Deloitte, Accenture, IBM & Saltworks makes a lot of money managing Fortify. One thing you won’t hear from Gartner, Fortify SAST & DAST surpasses their competitors’ revenue by over 70%.
CEO & Co-Founder at a computer software company with 11-50 employees
User
Aug 24, 2020
Depends on budget and the larger approach to security, compliance, and risk. There are many solutions and approaches out there but many limit the ability to scale DevSecOps beyond an experiment and justify to business leaders. Standard response: SCA, SAST, DAST, IAST. Many of these tools are disconnected and some slow down performance quit a bit, especially your traditional household names. What are your goals and what are your constraints to developing a program?
Director, Digital Architecture at a pharma/biotech company with 10,001+ employees
Real User
Jun 1, 2021
The detailed answers below are a good summary. How are teams pulling all these tools together and orchestrating in terms of agile stories and feedback loops? Azure DevOps, JIRA, ServiceNow, Other?
Find out what your peers are saying about SonarSource Sàrl, Veracode, Checkmarx and others in Static Application Security Testing (SAST). Updated: March 2026.
SAST is a method designed to detect security vulnerabilities within an application's source code. By analyzing the code structure, SAST identifies potential flaws early in the development cycle, promoting secure coding practices and reducing the risk of security issues in production.
Unlike dynamic testing that examines an application during runtime, SAST operates on static code analysis. This early detection capability is crucial as it enables developers to address vulnerabilities before...
I believe we need to cover the SDLC from start to end as much as possible while ensuring that this does not mean too many dashboards and also keeping the cost of development in mind.
1. IDE Checks: This is the 1st step in shift left approach. Many open source tools integrate easily with IDE (VSC, Eclipse) etc and allow developers to do a check even before they commit code on local branch. We have leveraged SonarLint (https://www.sonarlint.org/) which covers a vast spectrum of programming languages and IDEs.
2. SAST: Many open source tools available in this space which do a check around security vulnerability, security hotpots etc. We use SonarQube.
3. SCA: Check against open source security vulnerabilities and license compliance is very important. WhiteSource is what we use here.
4. IaaC scan: We need tools to manage and analyze infrastructure as code (IaC) scan results across platforms and be able to resolve the issues.
5. Monitoring: Once application is deployed into production, we need tools to monitor it live and be able to check for vulnerabilities and other issues which happen when 100's of users are using the application from across the globe.
There are other areas like DAST, IAST which become important depending on size, complexity and business needs.
It depends on the budget, business and technology portfolio of the enterprise.
If you predominantly web-based and service architecture-oriented technology portfolio, Veracode set of tools (Green-light, Veracode SAST, Veracode DAST) is a good option. Veracode is good if you have enterprise-level DevSecOps transformation. But Veracode may not work well for legacy systems.
I have also used Microfocus Fortify effectively. Just on SCA, universally used Sonarqube with standard plugins is I prefer as it is easy to use. All these tools are very used to integrate into DevSecOps Application Pipeline.
Everything in technology focuses on People, Process & Technology. What binds these together is business requirements and understanding the needs of each Line Of Business. Often each Line of Business requires completely different requirements, but what tools help you meet that unified vision and executive dashboard reporting to measure your KPIs.
Why so much Fortify? It has been around 17 years, while it is old it is constantly evolving. It is the only Hybrid (Cloud & On-Premise Solution), it provides the flexibility needed for most customers. There is a reason why over 50% of Cigital (Synopsys) business is managing Fortify and not Synopsys tool suite. Deloitte, Accenture, IBM & Saltworks makes a lot of money managing Fortify. One thing you won’t hear from Gartner, Fortify SAST & DAST surpasses their competitors’ revenue by over 70%.
Depends on budget and the larger approach to security, compliance, and risk. There are many solutions and approaches out there but many limit the ability to scale DevSecOps beyond an experiment and justify to business leaders. Standard response: SCA, SAST, DAST, IAST. Many of these tools are disconnected and some slow down performance quit a bit, especially your traditional household names. What are your goals and what are your constraints to developing a program?
The detailed answers below are a good summary. How are teams pulling all these tools together and orchestrating in terms of agile stories and feedback loops? Azure DevOps, JIRA, ServiceNow, Other?
Hi we think that is essential a tool for applying static analysis technologies for Code Quality and Security