We performed a comparison between CAST Application Intelligence Platform, SonarQube, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Snyk, CAST and others in Software Development Analytics.

"CAST's risk and security flow detection capabilities are highly effective, particularly in identifying security vulnerabilities. It is one of the most important and valuable features of the platform."
"The most valuable feature of the CAST Application Intelligence Platform is its security dashboard which is a dedicated dashboard that's pretty helpful because it gives compliance checks based on some of the leading frameworks in the industry, such as ISO 5055, OWASP, CWE Top 25, and NIST security guidelines. I find the security dashboard of the solution and the information it provides pretty useful. The security dashboard of the CAST Application Intelligence Platform is a feature that stands out."
"Our clients use CAST Highlight for cloud migration. This allows them to remove or remediate the blockers which are highlighted. This part of the solution shows improvement in quality and captures feedback for our clients."
"It supports most programming languages."
"Used for controlling the technical debt and code quality."
"It is working fine. It provides a good value for money."
"It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition."
"There's plenty of documentation available to users."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"Improves the code coverage and evaluates the technical steps and the percentage of code being resolved."
"Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
"It is a very good tool for analysis despite its limitations."
"It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications."
"I have found the user interface extremely helpful in prioritizing issues."
"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
"The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities."
"To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
"The source composition analysis had very good reporting."
"It's good at identifying security issues. It can pinpoint issues very effectively."
"It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies."
"The integration of this solution could be improved."
"It has very few plugins to access different code repositories, so source code has to be fed."
"The overall coverage of rules could be improved in the CAST Application Intelligence Platform because it does not cater to or cover all. For example, 2022 CWE coverage is still not available in the CAST Application Intelligence Platform. The solution also covers some NIST rules, but it does not cater to all rules. An additional feature I'd like to see in the next update of the CAST Application Intelligence Platform is for it to provide source code developer and contributor details, especially information on which areas of code were touched. This would be a good insight as the CAST Application Intelligence Platform looks into the source code."
"Implementation could be made simpler as it is complex."
"Areas for improvement in CAST AIP include enhancing support for implementation in complex environments and improving technical support to address organizational challenges alongside engineering issues."
"The product provides false reports sometimes."
"Expression of common vulnerabilities and exposures is not always current."
"You may need to purchase add-ons to get the usability you desire."
"I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality."
"The implementation of the solution is straightforward. However, we did have some initialization issues at the start of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
"A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product."
"There isn't a very good enterprise report."
"We had some issues where the Quality Gate check sometimes gets stuck and it is unclear."
"They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages."
"There is room for improvement in documentation."
"There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. Also, the duration of the scan is a bit too long."
"Veracode does not support scans for .NET Blazor server applications."
"Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data."
"I would like to see these features: entering comments for internal tracking; entering a priority; reports that show the above."
"Scanning progress is highly dependent on the speed of the Internet."
"We have approximately 900 people using the solution. The solution is scalable, but there is a high cost attached to it."