We performed a comparison between Klocwork and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Klocwork's most valuable feature is the static code analysis feature. It detects the potential problem earlier to allow the developer to receive feedback quickly and then address it before it becomes a problem."
"It's integrated into our CI, continuous integration."
"I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not."
"The most valuable feature of Klocwork is finding defects while you're doing the coding. For example, if you have an IDE plug-in of Klocwork on Visual Studio or Eclipse, you can find the faults; similar to using spell check on Word, you can find out defects during the development phase, which means that you don't have to wait till the development is over to find the flaws and address the deficiencies. I also find language support in Klocwork good because it used to support only C, C++, C#, and Java, but now, it also supports Java scripts and Python."
"There's a feature in Klocwork called 'on-the-fly analysis', which helps developers to find and fix the defects at the time of development itself."
"The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time."
"The ability to create custom checkers is a plus."
"The most valuable feature is the Incremental analysis."
"It's comprehensive from a feature standpoint."
"Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode."
"The most valuable feature is the security and vulnerability parts of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development."
"The CI/CD integration is the most valuable feature of Veracode."
"The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws."
"I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
"You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs."
"The dashboards and the threat insights it provides are very good. The dashboards are intuitive and pretty straightforward, but also pretty detailed."
"What needs improvement in Klocwork, compared to other products in the market, is the dashboard or reporting mechanisms that need to be a bit more flexible. The Klocwork dashboard could be improved. Though it's good, it's not as good as some of the other products in the market, which is a problem. The reporting could be more detailed and easier to sort out because sorting in Klocwork could be a bit more time-consuming, mainly when sorting defects based on filters, compared to how it's done on other tools such as Coverity."
"Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report."
"The main problem is that since it only parses the code, the warnings or the problems that are given as a result of the report can sometimes require a lot of effort to analyze."
"Klocwork has to improve its features to stay ahead of other free solutions."
"The way to define the rules is too complex. The definition/rules for static analysis could be automated according to various SILs, so as to avoid confusion."
"Every update that we receive requires of us a lengthy and involved process."
"Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case."
"Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages."
"The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it."
"On-premise implementation is not available."
"The product has issues with scanning."
"It needs more timely support for newer languages and framework versions."
"All areas of the solution could use some improvement."
"Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code."
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
Klocwork is ranked 15th in Application Security Tools with 20 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Klocwork is rated 8.2, while Veracode is rated 8.2. The top reviewer of Klocwork writes "Their technical team helps us get the most out of the solution, but we've faced some stability problems in our environment". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Klocwork is most compared with SonarQube, Coverity, Polyspace Code Prover, Checkmarx One and Parasoft SOAtest, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and Fortify Static Code Analyzer. See our Klocwork vs. Veracode report.
See our list of best Application Security Tools vendors, best Static Application Security Testing (SAST) vendors, and best Static Code Analysis vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.