We performed a comparison between Fortify Application Defender, Kiuwan, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"The product saves us cost and time."
"We are able to provide our customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The solution helped us to improve the code quality of our organization."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"The most valuable feature is the ability to automatically feed it rules what it's coupled with the WebInspect dynamic application scanning technology."
"Fortify Application Defender's most valuable features are machine learning algorithms, real-time remediation, and automatic vulnerability notifications."
"Software analytics for a lot of different languages including ABAP."
"I have found the security and QA in the source code to be most valuable."
"We use Kiuwan to locate the source of application vulnerabilities."
"I find it immensely helpful because it's not just about generating code; it's about ensuring efficiency in the execution."
"The solution has a continuous integration process."
"I like that I can scan the code without sending it to the Kiuwan cloud. I can do it locally on my device. When the local analyzer finishes, the results display on the dashboard in the cloud. It's essential for security purposes to be able to scan my code locally."
"Lifecycle features, because they permit us to show non-technical people the risk and costs hidden in the code due to bad programming practices."
"I personally like the way it breaks down security vulnerabilities with LoC at first glance."
"Veracode is very easy to use."
"Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."
"Code scanning is the most valuable feature."
"Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode."
"It's comprehensive from a feature standpoint."
"The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up."
"Veracode offers various security features."
"The ability on static scans to be able to do sandbox scans which do not generate metrics."
"The solution could improve the time it takes to scan. When comparing it to SonarQube it does it in minutes while in Fortify Application Defender it can take hours."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
"The workbench is a little bit complex when you first start using it."
"Fortify Application Defender gives a lot of false positives."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"The false positive rate should be lower."
"I encountered many false positives for Python applications."
"The solution is quite expensive."
"The integration process could be improved. It'll also help if it could generate reports automatically. But I'm not sure about the effectiveness of the reports. This is because, in our last project, we still found some key issues that weren't captured by the Kiuwan report."
"I would like to see better integration with the Visual Studio and Eclipse IDEs."
"The QA developer and security could be improved."
"I would like to see additional languages supported."
"Different languages, such as Spanish, Portuguese, and so on."
"In Kiuwan there are sometimes duplicates found in the dependency scan under the "insights" tab. It's unclear to me why these duplicates are appearing, and it would be helpful if the application teams could investigate further."
"Kiuwan's support has room for improvement. You can only open a ticket through email, and the support team is outside of our country. They should have a support number or chat."
"The product's UI has certain shortcomings, where improvements are required."
"There are few languages that take time for scanning. It covers the majority of languages from C to Scala, but it doesn't support certain languages and the newer versions of certain languages. For example, it doesn't support SAP and new JavaScript frameworks such as Node.js and React JS. They can include support for these. If you go to their website, you can see the list of languages that are currently supported. The false-positive rates are also something they can work on."
"They could improve how they fix vulnerabilities. They could have more support in place to help the developers."
"The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."
"From what we have seen of Veracode's SCA offering, it is just average."
"Veracode does not support scans for .NET Blazor server applications."
"The documentation is poor and the technical support isn't helpful."
"Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data."
"If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."