We performed a comparison between OWASP Zap, PortSwigger Burp Suite Professional, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Testing (AST)."It has evolved over the years and recently in the last year they have added, HUD (Heads Up Display)."
"The solution is scalable."
"It can be used effectively for internal auditing."
"You can run it against multiple targets."
"We use the solution for security testing."
"The stability of the solution is very good."
"The application scanning feature is the most valuable feature."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"The most valuable feature is the application security. It also has a reasonable price."
"The solution has a limited range of functions, which is good for small companies. This is because, in small companies, websites are less complex. They also have single services which makes the solution good enough for them. However, the most advantageous aspect of the solution is its affordable price."
"The solution has a great user interface."
"This solution has helped a lot in finding bugs and vulnerabilities, and the scanner is good enough for simple web apps."
"The Spider is the most useful feature. It helps to analyze the entire web application, and it finds all the passes and offers an automated identification of security issues."
"The feature that we have found most valuable is that it comes with pre-set configurations. They have a set of predefined options where you can pick one and start scanning. We also have the option of creating our own configurations, like how often do the applications need to be scanned."
"The most valuable feature is Burp Collaborator."
"You can download different plugins if you don't have them in the standard edition."
"Developer Sandboxes help move scanning earlier within the SDLC."
"In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better."
"Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process."
"Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode."
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
"Wide range of platforms and technology assessments."
"It is a good product for creating secure software. The static code analysis is pretty good and useful."
"The ability on static scans to be able to do sandbox scans which do not generate metrics."
"Too many false positives; test reports could be improved."
"It would be beneficial to enhance the algorithm to provide better summaries of automatic scanning results."
"The documentation is lacking and out-of-date, it really needs more love."
"The product reporting could be improved."
"The forced browse has been incorporated into the program and it is resource-intensive."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"The technical support team must be proactive."
"One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."
"The use of system memory is an area that can be improved because it uses a lot."
"As with most automated security tools, too many false positives."
"You can have many false positives in Burp Suite. It depends on the scale of the penetration testing."
"The solution is not easy to set it up. You need a lot of knowledge."
"Scanning needs to be improved in enterprise and professional versions."
"There were a lot of false positives there, and we used to spend a lot of time, like, for security reasons, reproducing those bugs for the development team to fix it."
"The solution doesn't offer very good scalability."
"To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources."
"One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."
"We use Ruby on Rails and we still don't have any support for that from Veracode."
"Veracode can be improved in terms of software composition analysis and related vulnerabilities."
"Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in."
"The security labs integration has room for improvement."
"It will be beneficial for developers if Veracode Greenlight includes Python."
"Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines."
More PortSwigger Burp Suite Professional Pricing and Cost Advice →
