
Compare CAST Highlight vs. WhiteSource

Find out what your peers are saying about CAST Highlight vs. WhiteSource and other solutions. Updated: November 2021.
553,954 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros
"The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly."
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
"In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
"The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable."

More Veracode Pros »

"The way it tells you which codebase is more ready for the cloud and which codebase is less ready is very valuable. It works seamlessly with most languages."
"CAST Highlight is easy to use and has a good dashboard."

More CAST Highlight Pros »

"Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various license, copyright and component usage disclosures in our software."
"With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"Its ease of use and good results are the most valuable."
"The most valuable feature is the unified JAR to scan for all languages (wss-scanner jar)."
"The solution is scalable."
"The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies."
"The most valuable features are the reporting, customizing libraries (in-house, whitelist, license selection), comparing the products/projects, and license and copyright resolution."

More WhiteSource Pros »

Cons
"The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there."
"The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adapt it to repositories based on Git. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) for managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."
"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."
"Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"
"Another problem we have is that, while it is integrated with single sign-on (we are using Okta), the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says 'Log in with single sign-on,' unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."

More Veracode Cons »

"Its price should be better. It is a pretty costly tool. They have two products: CAST Highlight and CAST AIP. I would expect CAST Highlight to have the Help dashboard and the Engineering dashboard. These dashboards are currently a part of CAST AIP, and if these are made available in CAST Highlight, customers won't have to use two different products all the time."
"The reports that describe the issues of concern are rather abstract and the issues should be more clearly described to the user."

More CAST Highlight Cons »

"The solution lacks the code snippet part."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding."
"I would like to see the static analysis included with the open-source version."

More WhiteSource Cons »

Pricing and Cost Advice
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
"I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
"Veracode's price is high. I would like them to better optimize their pricing."
"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
"Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
"If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
"Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward."

More Veracode Pricing and Cost Advice »

"Basic support is included with the standard licensing fee but it can be upgraded for an additional cost."
"It is a pretty costly tool. A lot of customers are resistant to using it."

More CAST Highlight Pricing and Cost Advice »

"As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
"The solution involves a yearly licensing fee."
"Pricing is competitive."
"WhiteSource is much more affordable than Veracode."

More WhiteSource Pricing and Cost Advice »

Overview

Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode combines SaaS technology with on-demand expertise that enables DevSecOps through integration with your pipeline and empowers developers to find and fix security defects.

CAST Highlight is a leading SaaS Application Portfolio Analysis platform that delivers Software Intelligence at the intersection of IT and business to accelerate and secure your digital journey. It enables enterprise leaders to track hidden risks in custom and open source software rapidly and in a non-intrusive manner.

WhiteSource describes itself as a solution for agile open source security and license compliance management. It integrates with the DevOps pipeline to detect vulnerable open source libraries as they are introduced, provides remediation paths and policy automation to speed up time-to-fix, and prioritizes vulnerability alerts based on usage analysis.

WhiteSource states that it supports over 200 programming languages and aggregates vulnerability information from dozens of peer-reviewed, respected sources.
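The three descriptions above all come down to the same mechanism: a scanner reads the dependency manifest or lockfile, matches each pinned component against an advisory feed and a license policy, and fails the pipeline step when a blocking finding appears. The following is an added example showing that gate end to end; it is not code from WhiteSource, Veracode or CAST, and it goes slightly beyond the descriptions by combining the vulnerability check with a license allowlist in one pass. The lockfile format, package names, advisory identifiers (ADV-0001 and so on), versions and severity thresholds are all constructed for illustration; a production SCA tool would also need full SemVer or PEP 440 version parsing and transitive-dependency resolution, which are deliberately left out here.

```python
"""Minimal SCA-style dependency policy gate, as run inside a CI pipeline.

Added example for this comparison page. It is not WhiteSource's, Veracode's
or CAST's code; package names, advisory IDs, versions and licenses below are
constructed sample data, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # constructed identifier, not a real CVE
    package: str
    fixed_in: str     # every version strictly below this is treated as affected
    severity: str     # "critical" | "high" | "medium" | "low"


def parse_version(version: str) -> Tuple[int, ...]:
    """Compare plain dotted numeric versions (1.2.10 > 1.2.9).
    Real tools need SemVer / PEP 440 handling (pre-releases, epochs)."""
    return tuple(int(part) for part in version.split("."))


def parse_lockfile(text: str) -> List[Dependency]:
    """Parse constructed 'name==version ; license' lines; '#' starts a comment.
    Unpinned entries are rejected: a gate on floating versions proves nothing."""
    deps: List[Dependency] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec, _, license_name = line.partition(";")
        name, _, version = spec.strip().partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps.append(Dependency(name.strip(), version.strip(), license_name.strip() or "UNKNOWN"))
    return deps


def find_vulnerable(deps: List[Dependency], advisories: List[Advisory]) -> List[Tuple[Dependency, Advisory]]:
    """Return (dependency, advisory) pairs where the pinned version predates the fix."""
    by_package: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    hits = []
    for dep in deps:
        for adv in by_package.get(dep.name, []):
            if parse_version(dep.version) < parse_version(adv.fixed_in):
                hits.append((dep, adv))
    return hits


def find_license_violations(deps: List[Dependency], allowed: Set[str]) -> List[Dependency]:
    """Anything not on the allowlist is a finding, including UNKNOWN."""
    return [d for d in deps if d.license not in allowed]


def evaluate(lockfile_text: str, advisories: List[Advisory], allowed: Set[str],
             fail_on: FrozenSet[str] = frozenset({"critical", "high"})) -> dict:
    """Produce a report and a pass/fail verdict; only fail_on severities block."""
    deps = parse_lockfile(lockfile_text)
    vulns = find_vulnerable(deps, advisories)
    licenses = find_license_violations(deps, allowed)
    blocking = [(d, a) for d, a in vulns if a.severity in fail_on]
    return {
        "dependencies": len(deps),
        "vulnerabilities": [(d.name, d.version, a.advisory_id, a.severity) for d, a in vulns],
        "license_violations": [(d.name, d.license) for d in licenses],
        "passed": not blocking and not licenses,
    }


# Constructed sample lockfile (not a real project).
SAMPLE_LOCKFILE = """\
# name==version ; license
acme-http==2.19.0 ; Apache-2.0
padlib==1.3.0 ; MIT
oldcrypto==0.9.2 ; GPL-3.0
"""

# Constructed advisory feed; packages and identifiers are made up.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "acme-http", "2.20.0", "high"),
    Advisory("ADV-0002", "oldcrypto", "1.0.0", "critical"),
    Advisory("ADV-0003", "padlib", "1.2.0", "medium"),  # padlib 1.3.0 already carries the fix
]

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

if __name__ == "__main__":
    import sys
    report = evaluate(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES, ALLOWED_LICENSES)
    for name, version, adv_id, severity in report["vulnerabilities"]:
        print(f"VULN     {name}=={version}  {adv_id}  {severity}")
    for name, license_name in report["license_violations"]:
        print(f"LICENSE  {name}  {license_name} not in allowlist")
    # A non-zero exit is what fails the pipeline step; that is the whole gate.
    sys.exit(0 if report["passed"] else 1)
```

Run as a script it prints two vulnerability lines and one license line for the constructed lockfile and exits 1. The severity threshold is the knob the reviewers above argue about: a gate on critical and high only lets medium findings flow into a ticketing system rather than breaking builds, while a policy that blocks on everything reproduces the "doubled or tripled the build time" friction one WhiteSource reviewer describes.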

Sample Customers
Veracode: State of Missouri, Rekner
CAST Highlight: Atos, David Consulting Group, Tech Mahindra, BCG, Capgemini
WhiteSource: Microsoft, Autodesk, NCR, Comcast, Nokia, Forgerock, indeed.com, GE digital, KPMG, LivePerson, Jack Henry and Associates
Top Industries
Veracode (reviewers): Financial Services Firm 30%, Computer Software Company 12%, Insurance Company 9%, Healthcare Company 7%
Veracode (visitors reading reviews): Computer Software Company 30%, Comms Service Provider 16%, Financial Services Firm 10%, Manufacturing Company 6%
CAST Highlight (visitors reading reviews): Computer Software Company 38%, Comms Service Provider 14%, Government 8%, Financial Services Firm 7%
WhiteSource (reviewers): Computer Software Company 33%, Media Company 11%, Energy/Utilities Company 11%, Consumer Goods Company 11%
WhiteSource (visitors reading reviews): Computer Software Company 35%, Comms Service Provider 19%, Financial Services Firm 7%, Manufacturing Company 5%
Company Size
Veracode (reviewers): Small Business 24%, Midsize Enterprise 25%, Large Enterprise 51%
Veracode (visitors reading reviews): Small Business 24%, Midsize Enterprise 31%, Large Enterprise 45%
CAST Highlight: no data available
WhiteSource (reviewers): Small Business 33%, Midsize Enterprise 7%, Large Enterprise 60%
WhiteSource (visitors reading reviews): Small Business 17%, Midsize Enterprise 10%, Large Enterprise 72%
CAST Highlight is ranked 21st in Application Security with 2 reviews while WhiteSource is ranked 8th in Application Security with 13 reviews. CAST Highlight is rated 7.0, while WhiteSource is rated 8.4. The top reviewer of CAST Highlight writes "Excellent support, works seamlessly with most languages, and useful for knowing about the readiness of the codebase for cloud migration". On the other hand, the top reviewer of WhiteSource writes "Policy automation and automatic fix suggestions help us to save time in finding and solving problems". CAST Highlight is most compared with SonarQube, Coverity, Sonatype Nexus Lifecycle, Checkmarx and HCL AppScan, whereas WhiteSource is most compared with SonarQube, Black Duck, Snyk, Sonatype Nexus Lifecycle and Checkmarx. See our CAST Highlight vs. WhiteSource report.

We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.