Veracode Software Composition Analysis Competitors and Alternatives

Get our free report covering Synopsys, JFrog, Snyk, and other competitors of Veracode Software Composition Analysis. Updated: January 2021.
456,719 professionals have used our research since 2012.

Read reviews of Veracode Software Composition Analysis competitors and alternatives

DavidJellison
Senior Director, Quality Engineering at a tech services company with 1,001-5,000 employees
Real User
Top 10
Dec 3, 2020
Good scan performance and visualization facilitates compliance and improves code quality

What is our primary use case?

We introduced SCA scanning to satisfy customer-requested open-source library scans as part of a contractional agreement. This led to expanding SCA scanning across our other applications to compliment SAST/DAST application scanning. We knew we had a technical debt from not updating open-source libraries for years, and were not aware of the vulnerabilities in these libraries at the time. SCA scanning is now a first-class scan component of our current practices and included in our external security audits going forward.

Pros and Cons

  • "The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities."
  • "Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues."

What other advice do I have?

Veracode has evolved to be a good partner, overall, in working through our learning needs and problem escalations. There are layers of training and consultation available, as well as recurring support engagements if the enterprise scanning needs warrant it.
Reviewer64985
Principle Consultant at a tech services company with 11-50 employees
Consultant
Jan 20, 2021
Provides extensive guidance for writing secure code and pointing to vulnerable open source libraries

What is our primary use case?

Software Composition Analysis (SCA) is used to detect vulnerabilities in open source libraries, which are used by our customers for their own product. We are a consulting company who provides consulting services to clients. We don't buy the software for our own internal use. However, we advise customers about which solutions will fit their environment. Most of our clients use SCA for cloud applications.

Pros and Cons

  • "Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code."
  • "Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided."

What other advice do I have?

I don't think that Veracode has helped developers with security training, but it helps developers have a reality check on the code that they write and their open source library. That is the best value that developers can get from the product. Veracode products can be run as part of the development pipeline. That is also valuable. It integrates with tools like GitHub or Jenkins. At a high level, it does integrate with most of the pipeline of tools. It would be a showstopper if the incorporation of security was not in the developer workflows. We are past a time when developers or software…
Get our free report covering Synopsys, JFrog, Snyk, and other competitors of Veracode Software Composition Analysis. Updated: January 2021.
456,719 professionals have used our research since 2012.