We performed a comparison between Fortra Tripwire IP360, HCL AppScan, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Tenable, Wiz, Check Point Software Technologies and others in Vulnerability Management."It's become the pinnacle point for anything that enters the network or anything that's passing through to production to first be affected by IP360, hardened, and up to standard. For our integrity management, one was deployed in the bank about two years ago and that's still going to expand the usage and the product itself. That will go hand in hand with training and expanding the product as for where it's deployed."
"Tripwire IP360 is a very stable solution."
"We could manage our entire IP range with the solution."
"The security and the dashboard are the most valuable features."
"The most valuable feature of HCL AppScan is scanning QR codes."
"It is a stable solution...It is a scalable solution...The initial setup or installation of HCL AppScan is easy."
"IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability."
"It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code."
"There's extensive functionality with custom rules and a custom knowledge base."
"This is a stable solution."
"The solution offers services in a few specific development languages."
"Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion."
"The coverage of backdoors attacks on security that's the most valuable for my clients."
"The Static and Dynamic Analysis capabilities are very valuable to us. They've improved the speed of the inspection process."
"Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful."
"To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
"The analysis of the vulnerabilities and the results are the most valuable features."
"The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline."
"What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities."
"I am not very impressed by the technical support."
"We need to dedicate time and resources to keep it running."
"The reporting functions can use improvement. There is room for growth because reporting functions differ a lot depending on what you're going to output. It depends on whether it's for technical or senior management and how it's interpreted. There could be growth within the reporting functionality side."
"Sometimes it doesn't work so well."
"The solution's scalability can be a matter of concern because one license runs on one machine only."
"A desktop version should be added."
"One thing which I think can be improved is the CI/CD Integration"
"Many silly false positives are produced."
"We would like to see a check in the specific vulnerabilities in mobile applications or rooted devices, such as jailbreaking devices."
"The databases for HCL are small and have room for improvement."
"It has crashed at times."
"We connected with Veracode's support a couple of times, and we got a different answer each time."
"We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git"
"One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced."
"The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well."
"It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or may further loosen the market share."
"It needs more timely support for newer languages and framework versions."
"The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
"One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."
