We performed a comparison between Fortify WebInspect, OWASP Zap, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about HCLTech, OpenText, Rapid7 and others in Dynamic Application Security Testing (DAST).
"The most valuable feature is the static analysis."
"Fortify WebInspect is a scalable solution, it is good for a lot of applications."
"Technical support has been good."
"It's a well-known platform for doing dynamic application scanning."
"There are lots of small settings and tools, like an HTTP editor, that are very useful."
"Guided Scan option allows us to easily scan and share reports."
"It is scalable and very easy to use."
"The user interface is ok and it is very simple to use."
"This solution has improved my organization because it has made us feel safer doing frequent deployments for web applications. If we have something really big, we might get some professional company in to help us but if we're releasing small products, we will check it ourselves with Zap. It makes it easier and safer."
"The HUD is a good feature that provides on-site testing and saves a lot of time."
"The vulnerabilities that it finds, because the primary goal is to secure applications and websites."
"The product helps users to scan and fix vulnerabilities in the pipeline."
"Stability-wise, I rate the solution a nine out of ten. I think it's stable enough. I don't see any crashes within the application, so its stability is high."
"The application scanning feature is the most valuable feature."
"The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool."
"The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information."
"I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code."
"The most important feature is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to production or provide something to a client... Dynamic scanning actually hits our Web applications, to try to detect any well known Web application vulnerabilities as well."
"It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in."
"Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
"It is a good product for creating secure software. The static code analysis is pretty good and useful."
"My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"The installation was straightforward."
"Not sufficiently compatible with some of our systems."
"Fortify WebInspect could improve user-friendliness. Additionally, it is very bulky to use."
"The solution needs better integration with Microsoft's Azure Cloud or an extension of Azure DevOps. In fact, it should better integrate with any cloud provider. Right now, it's quite difficult to integrate with that solution, from the cloud perspective."
"It took us between eight and ten hours to scan an entire site, which is somewhat slow and something that I think can be improved."
"Lately, we've seen more false negatives."
"The scanner could be better."
"The installation could be a bit easier. Usually it's simple to use, but the installation is painful and a bit laborious and complex."
"Fortify WebInspect's shortcoming stems from the fact that it is a very expensive product in Korea, which makes it difficult for its potential customers to introduce the product in their IT environment."
"Zap could improve by providing better reports for security and recommendations for the vulnerabilities."
"If there was an easier way to understand exactly what has been checked and what has not been checked, it would make this solution better. We have to trust that it has checked all known vulnerabilities, but it's a bit hard to see after the scanning."
"The ability to search the internet for other use cases and to use the solution to make applications more secure should be addressed."
"Online documentation can be improved to utilize all features of ZAP and API methods to make use in automation."
"Sometimes, we get some false positives."
"The technical support team must be proactive."
"The port scanner is a little too slow."
"The reporting feature could be more descriptive."
"Veracode's false positives have room for improvement."
"There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow... Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it."
"I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."
"We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process."
"Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them."
"The UI is not user-friendly and can be improved."
"The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users."
"Veracode's ability to fix flaws is less sophisticated than that of its competitors."