Most Helpful Review
Enables me to choose a vulnerable library and see versions that don't have any listed vulnerabilities
Find out what your peers are saying about Qualys Web Application Scanning vs. Sonatype Nexus Lifecycle and other solutions. Updated: September 2020.
437,064 professionals have used our research since 2012.
We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up.
Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.
The source composition analysis component is great because it gives our developers some comfort in using new libraries.
Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence.
Veracode is a valuable tool in our secure SDLC process.
We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.
I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.
The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.
The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours.
The interface is user-friendly and easy to understand.
The simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good.
With our vulnerabilities under control, it's putting our services in compliance and minimizing our risk for exposure.
The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level.
When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages.
The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you can look at what versions are bad, what versions are clean, and what versions haven't been reported on yet. You can make decisions based off of that, in terms of where you want to go. I like that it puts all that information right there in a window for you.
The scanning capability is its most valuable feature, discovering vulnerable open source libraries.
The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass onto them for review.
The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes.
The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster.
With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily. Which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications.
It integrates well with our existing DevOp tools because we can integrate it in our build pipeline. We can also trigger our build pipeline to create warnings and let the build fail if there is a critical vulnerability that violates our policy.
The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.
One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive.
I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan.
Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk
It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.
One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications.
Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.
I would like to see expanded coverage for supporting more platforms, frameworks, and languages.
The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs.
The scanner reports a lot of false positives, which is something that needs to be improved.
The pricing does not seem to be competitive.
The solution needs to adjust its pricing. They should make it more affordable.
It should have better automatic reporting.
They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for.
One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that.
The reporting capability is good but I wish it was better. I sent the request to support and they raised it as an enhancement within the system. An example is filtering by version. If I have a framework that is used in all applications, but version 1 is used in 50 percent of them and version 2 in 25 percent, they will show as different libraries with different usage. But in reality, they're all using one framework.
One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard.
The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet.
As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good.
One of the things that we specifically did ask for is support for transitive dependencies. Sometimes a dependency that we define in our POM file for a certain library will be dependent on other stuff and we will pull that stuff in, then you get a cascade of libraries that are pulled in. This caused confusing to us at first, because we would see a component that would have security ticket or security notification on it and wonder "Where is this coming in from?" Because when we checked what we defined as our dependencies it's not there. It didn't take us too long effort to realize that it was a transitive dependency pulled in by something else, but the question then remains "Which dependency is doing that?"
We cannot currently use the automated pull requests because we are missing the Bitbucket port. We use Bitbucket as our Git repository and automated pull requests only work with GitHub currently. So, we are missing this feature, but we have already addressed this with Sonatype.
Pricing and Cost Advice
I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good.
For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.
They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.
They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works.
Veracode has been fair. We use their SaaS solution and it's just an annual subscription.
No issues, the pricing seems reasonable.
There are different options available with respect to licensing.
The product is expensive, at least initially, in comparison to other products in this category.
Lifecycle, to the best of my recollection, had the best pricing compared with other solutions.
Pricing is decent. It's not horrible. It's middle-of-the-road, as far as our ranking goes. They're a little bit more but that's also because they provide more.
The license fee may be a bit harder for startups to justify. But it will save you a headache later as well as peace of mind. Additionally, it shows your own customers that you value security stuff and will protect yourselves from any licensing issues, which is good marketing too.
In addition to the license fee for IQ Server, you have to factor in some running costs. We use AWS, so we spun up an additional VM to run this. If the database is RDS that adds a little bit extra too. Of course someone could run it on a pre-existing VM or physical server to reduce costs. I should add that compared to the license fee, the running costs are so minimal they had no effect on our decision to use IQ Server.
Our licensing costs are on an annual basis. The Sonatype licensing model is transparent with no hidden costs or holes.
The price is good. We certainly get a lot more in return. However, it's also hard to get the funds to roll out such a product for the entire firm. Therefore, pricing has been a limiting factor for us. However, it's a fair price.
Pricing is comparable with some of the other products. We are happy with the pricing.
We're pretty happy with the price, for what it is delivering for us and the value we're getting from it.
Questions from the Community
Top Answer: JaeLee, check out our comparison page here of Veracode vs Checkmarx: https://www.itcentralstation.com/products/comparisons/checkmarx_vs_veracode Checkmarx is ranked 4th, while Veracode is ranked… more »
Top Answer: I would recommend Veracode. Our uses cases included removing vulnerable code from our Product and ensuring the product is secure. Veracode helps us in regularly scanning our code base and reporting… more »
Top Answer: SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services… more »
Top Answer: por ahora estoy usando Owasp Zap, es muy intuitivo y sus reportes muy detallados, probe con burp suite pero no me convencio por el cosoto
Top Answer: The interface is user-friendly and easy to understand.
Top Answer: There are different options available with respect to licensing.
Top Answer: The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a… more »
Top Answer: Our licensing costs are on an annual basis. The Sonatype licensing model is transparent with no hidden costs or holes.
Top Answer: One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious… more »
Compared 51% of the time.
Compared 15% of the time.
Compared 8% of the time.
Compared 5% of the time.
Compared 1% of the time.
Compared 19% of the time.
Compared 8% of the time.
Compared 7% of the time.
Compared 7% of the time.
Compared 2% of the time.
Compared 37% of the time.
Compared 15% of the time.
Compared 11% of the time.
Compared 7% of the time.
Compared 1% of the time.
Also Known As
|Qualys WAS||Nexus Lifecycle|
Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.
|Qualys Web Application Scanning (WAS) is a cloud service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure a large number of websites. Proactively scans websites for malware infections, sending alerts to website owners to help prevent black listing and brand reputation damage.|
Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.
Learn more about Veracode
Learn more about Qualys Web Application Scanning
Learn more about Sonatype Nexus Lifecycle
|State of Missouri, Rekner||BskyB, Cartagena, ClearPoint Learning Systems, Connect Group, du, Fortrex Technologies, HBOR, HDI, Highlights for Children, The Lithuanian State Enterprise Centre of Registers, City of Miami Beach, Microsoft, MidlandHR, MSCI Inc., Northern Arizona University, Ofgem, Olympus Europa, PhoneFactor, RTL Nederland, ThousandEyes, VGZ Organisatie B.V.||Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance|
Financial Services Firm37%
Consumer Goods Company7%
Computer Software Company44%
Comms Service Provider11%
Financial Services Firm57%
Comms Service Provider14%
Computer Software Company14%
Computer Software Company45%
Comms Service Provider7%
Financial Services Firm37%
Computer Software Company11%
Comms Service Provider5%
Computer Software Company37%
Comms Service Provider12%
Financial Services Firm6%
See our list of best Application Security vendors.