We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
"It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
"The time savings has been tremendous. We saw ROI in the first six months."
"The source composition analysis component is great because it gives our developers some comfort in using new libraries."
"The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
"It's comprehensive from a feature standpoint."
"The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly."
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic."
"The feature that I find the most useful is being able to just see the vulnerabilities online while checking the code and then checking suggestions for fixing them."
"This product is top-notch solution and the technology is the best on the market."
"Fortify on Demand is easy to use and the reporting is good."
"Being able to reduce risk overall is a very valuable feature for us."
"One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
"It's a stable and scalable solution."
"The most valuable feature is that it connects with your development platforms, such as Microsoft Information Server and Jira."
"The most valuable features are the server, scanning, and it has helped identify issues with the security analysis."
"The most valuable feature is the reporting, which provides a good level of detail with respect to vulnerabilities."
"Our customers adopt this solution because of the replication testing and the vulnerability assessment it can do. It is a multi-faceted product."
"Tenable.io Web Application Scanning is very easy to use."
"The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there."
"We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."
"Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"The reports on offer are too verbose."
"There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."
"There's a bit of a learning curve. Our development team is struggling with following the rules and following the new processes."
"This solution would be improved if the code-quality perspective were added to it, on top of the security aspect."
"We want a user-based control and role-based access for developers. We want to give limited access to developers so that it only pertains to the code that they write and scanning of the codes for any vulnerabilities as they're progressing with writing the code. As of now, the interface to give restricted access to the developers is not the best. It gives them more access than what is basically required, but we don't want over-provisioning and over-access."
"In terms of communication, they can integrate a few more third-party tools. It would be great if we can have more options for microservice communication. They can also improve the securability a bit more because security is one of the biggest aspects these days when you are using the cloud. Some more security features would be really helpful."
"During development, when our developer makes changes to their code, they typically use GitHub or GitLab to track those changes. However, proper integration between Fortify on Demand and GitHub and GitLab is not there yet. Improved integration would be very valuable to us."
"We typically do our bulk uploads of our scans with some automation at the end of the development cycle but the scanning can take a lot of time. If you were doing all of it at regular intervals it would still consume a lot of time. This could procedure could improve."
"It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."
"The thing that could be improved is reducing the cost of usage and including some of the most pricey features, such as dynamic analysis and that sort of functionality, which makes the difference between different types of tools."
"I would like for them to add proxy filtering, where you can transfer and alter the package. It is fully automated. Other web application testers programs are actually proxy software, and the proxy software gives you the flexibility of modifying the outgoing package, which will actually help you in exploiting any vulnerability in detail."
"It would be great if there were a dashboard that is more user-friendly."
"The reporting has a very limited customization capability."
"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
"I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
"The pricing is really fair compared to a lot of other tools on the market."
"Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward."
"If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
"We make an annual purchase of the licenses we need."
"We are still using the trial version at this point but I can already see from the trial version alone that it is a good product. For others, I would say that Fortify on Demand might look expensive at the beginning, but it is very powerful and so you shouldn't be put off by the price."
"It is quite expensive. Pricing and the licensing model could be improved."
"It is cost-effective."
"Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide."
"The price is fair compared to that of other solutions."
"The pricing can be improved because it is complex when compared to the competition."
"The solution is a little expensive."
"It follows the same licensing scheme as Tenable.io and Tenable. sc."
"The pricing is okay."
Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.
Micro Focus Fortify on Demand’s application security-as-a-service is the easy and flexible way to identify vulnerabilities in your applications without additional investment in software or personnel. Allow our global team to work for you, providing support and technical expertise 24/7.
Tenable.io Web Application Scanning safely, accurately and automatically scans your web applications, providing deep visibility into vulnerabilities and valuable context to prioritize remediation.
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
Micro Focus Fortify on Demand is ranked 7th in Application Security with 15 reviews while Tenable.io Web Application Scanning is ranked 20th in Application Security with 3 reviews. Micro Focus Fortify on Demand is rated 8.0, while Tenable.io Web Application Scanning is rated 7.6. The top reviewer of Micro Focus Fortify on Demand writes "Makes it easy to discover hidden vulnerabilities in our open source libraries". On the other hand, the top reviewer of Tenable.io Web Application Scanning writes "Good reporting and integration, but it needs a user-friendly dashboard". Micro Focus Fortify on Demand is most compared with SonarQube, Checkmarx, Coverity, Fortify WebInspect and Micro Focus Software Security Center, whereas Tenable.io Web Application Scanning is most compared with PortSwigger Burp Suite Professional, Acunetix by Invicti, Qualys Web Application Scanning, Checkmarx and WhiteSource. See our Micro Focus Fortify on Demand vs. Tenable.io Web Application Scanning report.
See our list of best Application Security vendors.
We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.