Contrast Security Assess Competitors and Alternatives

Get our free report covering Veracode, HCL, GitLab, and other competitors of Contrast Security Assess. Updated: June 2021.
510,204 professionals have used our research since 2012.

Read reviews of Contrast Security Assess competitors and alternatives

Product Owner - DevOps at Digite
Real User
Top 5
The centralized view of different testing types helps reduce our risk exposure

What is our primary use case?

We use Veracode primarily for three purposes:

  • Static Analysis, which is integrated into our CI/CD pipeline, using APIs.
  • Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
  • Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.

Pros and Cons

  • "The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
  • "If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."

What other advice do I have?

I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it. When you use Veracode, instead of using it as a manual tool, you should integrate it into your CI/CD pipeline. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later. Because as the time passes, it becomes more difficult to fix that issue. With Veracode's support for cloud-native applications, there are some components of our application (which are cloud-native), that we treat in the same way as…