We just raised a $30M Series A: Read our story

Application Security Eclipse Reviews

Showing reviews of the top ranking products in Application Security, containing the term Eclipse
Veracode: Eclipse
RL
Security Architect at a financial services firm with 1,001-5,000 employees

Among the most valuable features are the ability to 

  • submit the software and get automated scan results from it
  • collaborate with developers through the portal while looking at the code
  • create compliance reports.

Otherwise, we would have to do working sessions with developers and pull together all the different findings and then probably manage it in a separate mechanism like Excel. And to have to go through source code manually would be quite time intensive and tedious.

The solution also provides you with some guidance as well as best practices around how vulnerabilities should be fixed. It points you in that direction and gives the developers educational cues.

In addition, the policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards.

The solution also integrates with developer tools such as Visual Studio and Eclipse.

View full review »
Product Owner - DevOps at Digite

The static code analysis, which is integrated into the CI/CD environment, is a valuable feature. We get quick results of what has gone into the environment in terms of any vulnerability in the code and for the Eclipse plugins of Veracode. This is one of the more valuable features because a developer can get a sense at the line level if there are any issues. 

View full review »
Cybersecurity Expert at PSYND

The most valuable feature is actually the support provided by Veracode. Once you start to use the platform, you can mount the IDE plugin for your script. The advantage is that you can run the scan and check what the problem is and you can fix it yourself. Support could be used to address something that could go beyond your skills. If you use Veracode Greenlight, you have a small pop-up that you can use to interact directly with the team and you can ask a consultant to advise how an issue can be fixed. One of the good things about the Greenlight plugin is that it is very simple. There are several guides that tell you how to install it. It's a matter of one or two minutes and you are ready to go.

Once you check something, they provide links, not manually, it's all automated. When you want to check into a vulnerability you click and open the website where there is a description. If this is not enough of an answer, you can ask directly by scheduling an appointment with a Veracode guy.

Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced. They don't teach you how to develop in Java, Python, PHP or C#, but they instruct you about the best practices that should be adopted for secure code developing and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool. And as far as I know, there are no other competitors that offer it.

The best stuff is the training: this enables your team to adopt the same programming approach, although these people have a different background or joined the projects in a different phase. Doing that, they can take the training and be aligned so that they all write code in a good way.

We also use the Static Analysis Pipeline Scan and it's quite good. They provide several of the most common templates for pipelines. You see the process, while you program, right up until you package an application, and that the platform is able to detect things that are a blocking point. Before deploying to the production, you already know what is doing. And the speed of the Pipeline Scan is quite good.

Another good feature is the policy reporting for ensuring compliance with industry standards and regulations. We test compliance for medical devices, for GDPR, and for payment methods. These are all good. If you are not correctly prepared on one of these sets of regulations, you know that Veracode is going to take care of it using pre-prepared templates. But we can also customize our own policy if we are facing a unique use case. Even if it's not really common, we can take a regulation and build it the way we want it to look.

In addition, you can check everything from the dashboard. Veracode provides a web portal that is connected with your account and through that you can check the status of all the deployments that were run. And suppose you also have an application that is quite complex. You can deploy and upload it through the portal. When it is ready, you receive a notification from the portal that the job has been done and that you can check the results. When you go to the dashboard, you have the OWASP vulnerabilities. There is a really simple graphic with the colors showing how many vulnerabilities have been found and how much these vulnerabilities are repeated in your code. It also tells you the potential effect, if it is a backdoor data breach, for example, etc. It also suggests what you can do to remediate. It might suggest modifying code or changing the status of some part of the development, or updating a third-party.

And if you have people on different projects, there is also a role management feature, so you can select, for example, that people who are working on a given project can only see that project. If you are running something with different levels of classifications, for example, if you have an external consultant, it does not affect the confidentiality of the system. When people are collaborating, not all people are at the same level of an NDA. It is good that each person can see only their part implementing Need-To-Know.

It also integrates with developer tools. We use IntelliJ and Eclipse, among others.

View full review »
Manager, Information Technology at Broadcom Corporation

The most valuable feature, from a central tools team perspective, which is the team I am part of, being a DevSecOps person, is that it is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage. 

Also, because it's SaaS and hosted, we didn't have any infrastructure headache. We didn't have to think about capacity, the load, the scan times, the distribution of teams across various instances. All of this, the elasticity of it, is a major advantage.

There are two aspects to it. One is the infrastructure. The other one is the configuration. There are a lot of SaaS solutions where the infrastructure is taken care of, but the configuration of the application to start scanning takes some time to gain knowledge about it through research and study. That is not the case with Veracode. You don't have any extensive security profiles to consider. It's a two-pronged advantage.

Veracode also reports far fewer false positives with the static scanning. The scanner just goes through the code and analyzes all the security vulnerabilities. A lot of scanning tools in the market give you a lot of false positives. The false positive rate in Veracode is notably less. That was very helpful to the product teams as they could spend most of their time fixing real issues.

Veracode provides guidance for fixing vulnerabilities and that is one of their USPs—unique selling propositions. They provide security consultations, and scheduling a consultation is very easy. Once a scan is completed, anybody who has a Veracode login can just click a button and have a security consultation with Veracode. That is very unique to Veracode. I have not seen this offered in other products. Even if it is offered, it is not as seamless and it takes some time to get security advice. But with Veracode, it's very seamless and easy to make happen.

Along those lines, this guidance enables developers to write secure code from the start. One of the advantages with Veracode is its ability to integrate the scanning with the DevOps pipeline as well as into the IDEs of the developers, like Eclipse or IntelliJ or Visual Studio. This type of guidance helps developers left-shift their secure-coding practices, which really helps in writing far better secured product.

Another unique selling point of Veracode is their eLearning platform, which is available with the cloud-hosted solution. It's integrated into the same URL. Developers log into the Veracode tenant, go through the eLearning Portal, and all the courses are there. The eLearning platform is really good and has helped developers improve their application security knowledge and incorporate it in their coding practices.

One of the things that Veracode follows very clearly is the assignment of a vulnerability to the CWE standard or the OWASP standard. Every vulnerability reported is tied to an open standard. It's not something proprietary to Veracode. But it makes it easy for the engineers and developers to find more information on the particular bug. The adherence to standards helps developers learn more about issues and how to fix them.

We use the Static Analysis Pipeline Scan as part of the CI pipeline in Jenkins or TeamCity or any of the code orchestrators that use scanning as part of the pipeline. There's nothing special about the pipeline scan. It's like our regular Veracode Static Analysis Scan. It's just that if it is part of the pipeline, you are scanning more frequently and finding flaws at an earlier point in time. The time to identify vulnerabilities is quicker.

Veracode with the integrated development environments that the developers use to write code, including Microsoft Visual Studio, Eclipse, IntelliJ IDEA, etc. It also integrates with project and portfolio management tools like JIRA and Rally. That way, once vulnerabilities are reported you can actually track them by exporting them to your project management tools, your Agile tools, or your Kanban boards. The more integrations a scanning tool has, the better it is because everything has to fit into the DevOps or DevSecOps pipeline. The more integrations it has with the continuous integration tools, the IDEs, and the product management tools, the better it is. It affects the adoption. If it is a standalone system the adoption won't be great. The integration helps with adoption because you don't need to scan manually. You set it up in the pipeline once and it just keeps scanning.

View full review »
Micro Focus Fortify on Demand: Eclipse
Project Manager at Everis

There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes.

The initial setup is a bit complex.

We could have more detailed documentation. They could offer some quick start or some extra guidance regarding the implementation.

I'd like to see more interactive application security And more IDE integration and integration with VS Code and Eclipse. I would like to see more features of this kind.

View full review »
SonarQube: Eclipse
LM
Systems Analyst at a manufacturing company with 5,001-10,000 employees

SonarQube is a fantastic tool which saves us precious time. Prior to using the solution, all our code analysis was manual and this was very time consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis of their computers. This affords delivery of a much more reliable code, something which allows us to focus our work on more aggregated value operations.

View full review »
Program Manager at a computer software company with 1,001-5,000 employees

I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review I have found the SonarQube most efficient.

View full review »
Coverity: Eclipse
Automation Practice Leader at a financial services firm with 10,001+ employees

I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin then developers could use it to find security issues while they are coding because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.

View full review »
Sonatype Nexus Lifecycle: Eclipse
Sr. DevOps Engineer at Primerica

The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository.

The default policies are good, they're a good start. They're a great place to start when you are looking to build your own policies. We mostly use the default policies, perhaps with changes here and there. It's deceptively easy to understand. It definitely provides the flexibility we need. There's a lot more stuff that you can get into. It definitely requires training to properly use the policies.

We like the integrations into developer tooling. We use the Lifecycle piece for some of our developers and it integrates easily into Eclipse and into Visual Studio code. It's a good product for that.

View full review »
BS
Application Security at a comms service provider with 1,001-5,000 employees

It's handling a lot of code but if we wanted to roll out more servers and do more build outs, I wouldn't think that it would involve much more than just adding a few servers. So the scalability should be good.

It is being fully utilized in our build process — where our applications are built and deployed. Where we're lacking use is getting the developers to get it plugged into their Eclipse environments and actually using it on a more regular basis. That's where the struggle has been. That's not the tool, that's more an issue with our developer management side. The adoption is just not happening at the pace it should, because of a whole multitude of other things that are going on right now in our company.

The only other thing we might eventually want to do is get it hooked into a ticketing system where it could create tickets if there are libraries that are bad. Outside of that, it's pretty much integrated into our pipeline as far as we're going to integrate it.

View full review »