Most Helpful Review
Scans our thousands of dependencies every time we build and rechecks them daily, making us aware of what's going on
We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up.
Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.
The source composition analysis component is great because it gives our developers some comfort in using new libraries.
Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence.
Veracode is a valuable tool in our secure SDLC process.
We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.
I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.
The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.
This solution saves us time due to the low number of false positives detected.
We're loving some of the Kubernetes integration as well. That's really quite cool. It's still in the early days of our use of it, but it looks really exciting. In the Kubernetes world, it's very good at reporting on the areas around the configuration of your platform, rather than the things that you've pulled in. There's some good advice there that allows you to prioritize whether something is important or just worrying. That's very helpful.
We have integrated it into our software development environment. We have it in a couple different spots. Developers can use it at the point when they are developing. They can test it on their local machine. If the setup that they have is producing alerts or if they need to upgrade or patch, then at the testing phase when a product is being built for automated testing integrates with Snyk at that point and also produces some checks.
It has an accurate database of vulnerabilities with a low amount of false positives.
The most valuable feature is that they add a lot of their own information to the vulnerabilities. They describe vulnerabilities and suggest their own mitigations or version upgrades. The information was the winning factor when we compared Snyk to others. This is what gave it more impact.
The solution's vulnerability database, in terms of comprehensiveness and accuracy, is very high-level. As far as I know, it's the best among their competitors.
The most valuable features are their GitLab and JIRA integrations. The GitLab integration lets us pull projects in pretty easily, so that it's pretty minimal for developers to get it set up. Using the JIRA integration, it's also pretty easy to get the information that is generated, as a result of that GitLab integration, back to our teams in a non-intrusive way and in a workflow that we are already using.
The dependency checks of the libraries are very valuable, but the licensing part is also very important because, with open source components, licensing can be all over the place. Our project is not an open source project, but we do use quite a lot of open source components and we want to make sure that we don't have surprises in there.
It is one of the best product out there to help developers find and fix vulnerabilities quickly. When we talk about the third-party software vulnerability piece and potentially security issues, it takes the load off the user or developer. They even provide automitigation strategies and an auto-fix feature, which seem to have been adopted pretty well.
The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.
One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive.
I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan.
Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk
It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.
One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications.
Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.
I would like to see expanded coverage for supporting more platforms, frameworks, and languages.
IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications.
There is always more work to do around managing the volume of information when you've got thousands of vulnerabilities. Trying to get those down to zero is virtually impossible, either through ignoring them all or through fixing them. That filtering or information management is always going to be something that can be improved.
I would like to give further ability to grouping code repositories, in such a way that you could group them by the teams that own them, then produce alerting to those teams. The way that we are seeing it right now, the alerting only goes to a couple of places. I wish we could configure the code to go to different places.
The documentation sometimes is not relevant. It does not cover the latest updates, scanning, and configurations. The documentation for some things is wrong and does not cover some configuration scannings for the multiple project settings.
We tried to integrate it into our software development environment but it went really badly. It took a lot of time and prevented the developers from using the IDE. Eventually, we didn't use it in the development area... I would like to see better integrations to help the developers get along better with the tool. And the plugin for the IDE is not so good. This is something we would like to have...
Because Snyk has so many integrations and so many things it can do, it's hard to really understand all of them and to get that information to each team that needs it... If there were more self-service, perhaps tutorials or overviews for new teams or developers, so that they could click through and see things themselves, that would help.
Generating reports and visibility through reports are definitely things they can do better.
We have seen cases where tools didn't find or recognize certain dependencies. These are known issues, to some extent, due to the complexity in the language or stack that you using. There are some certain circumstances where the tool isn't actually finding what it's supposed to be finding, then it could be misleading.
The way Snyk notifies if we have an issue, there are a few options: High vulnerability or medium vulnerability. The problem with that is high vulnerabilities are too broad, because there are too many. If you enable notifications, you get a lot of notifications, When you get many notifications, they become irrelevant because they're not specific. I would prefer to have control over the notifications and somehow decide if I want to get only exploitable vulnerabilities or get a specific score for a vulnerability. Right now, we receive too many high vulnerabilities. If we enable notifications, then we just get a lot of spam message. Therefore, we would like some type of filtering system to be built-in for the system to be more precise.
Pricing and Cost Advice
I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good.
For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.
They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.
They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works.
Veracode has been fair. We use their SaaS solution and it's just an annual subscription.
No issues, the pricing seems reasonable.
Information Not Available
It's good value. That's the primary thing. It's not cheap-cheap, but it's good value.
The price is good. Snyk had a good price compared to the competition, who had higher pricing than them. Also, their licensing and billing are clear.
Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us.
You can get a good deal with Snyk for pricing. It's a little expensive, but it is worth it.
We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon
It's inexpensive and easy to license. It comes in standard package sizing, which is straightforward. This information is publicly found on their website.
Questions from the Community
Top Answer: JaeLee, check out our comparison page here of Veracode vs Checkmarx: https://www.itcentralstation.com/products/comparisons/checkmarx_vs_veracode Checkmarx is ranked 4th, while Veracode is ranked… more »
Top Answer: I would recommend Veracode. Our uses cases included removing vulnerable code from our Product and ensuring the product is secure. Veracode helps us in regularly scanning our code base and reporting… more »
Top Answer: SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services… more »
Ask a question
Earn 20 points
Question: What do you like most about Snyk?
Top Answer: What is valuable about Snyk is its simplicity.
Question: What needs improvement with Snyk?
Top Answer: The product could be improved by including other types of security scanning (e.g. SAST or DAST), which is important. It would also help to include the static analysis specifically to the open-source… more »
Compared 51% of the time.
Compared 15% of the time.
Compared 8% of the time.
Compared 5% of the time.
Compared 3% of the time.
Compared 18% of the time.
Compared 10% of the time.
Compared 10% of the time.
Compared 9% of the time.
Compared 9% of the time.
Compared 21% of the time.
Compared 20% of the time.
Compared 12% of the time.
Compared 8% of the time.
Compared 6% of the time.
Also Known As
|IBM Security AppScan, Rational AppScan, AppScan|
Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.
IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.
Snyk’s mission is to help developers use open source code and stay secure. The use of open source is booming, but security is a key concern (https://snyk.io/stateofossecurity/). Snyk’s unique developer focused product enables developers and enterprise security to continuously find & fix vulnerable dependencies without slowing down, with seamless integration into Dev & DevOps workflows. Snyk is adopted by over 100,000 developers, has multiple enterprise customers (such as Google, New Relic, ASOS and others) and is experiencing rapid growth. Our investors are Canaan Partners, BOLDStart, and several successful developer tools entrepreneurs. Snyk was founded in 2015 and is headquartered in London with offices in Israel and the US. For more information, go to https://snyk.io/.
Learn more about Veracode
Learn more about HCL AppScan
Learn more about Snyk
|State of Missouri, Rekner||Essex Technology Group Inc., Cisco, West Virginia University, APIS IT||StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief|
Financial Services Firm37%
Consumer Goods Company7%
Computer Software Company44%
Comms Service Provider11%
Financial Services Firm13%
Computer Software Company48%
Comms Service Provider13%
Computer Software Company43%
Comms Service Provider12%
See our list of best Application Security vendors.