We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
"The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
"Good static analysis and dynamic analysis."
"Veracode is a valuable tool in our secure SDLC process."
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code."
"In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
"The source composition analysis component is great because it gives our developers some comfort in using new libraries."
"It's comprehensive from a feature standpoint."
"The solution offers services in a few specific development languages."
"It identifies all the URLs and domains on its own and then performs tests and provides the results."
"There's extensive functionality with custom rules and a custom knowledge base."
"With the Extender Tab, if you know how to code then you can create a plugin and add it to Burp."
"The most valuable features are Burp Intruder and Burp Scanner."
"There is no other tool like it. I like the intuitiveness and the plugins that are available."
"The suite testing models are very good. It's very secure."
"I have found the best features to be the performance and there are a lot of additional plugins available."
"We use the solution for vulnerability assessment in respect of the application and the sites."
"In my area of expertise, I feel like it has almost everything I could possibly require at this moment."
"The extension that it provides with the community version for the skills mapping is excellent."
"The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
"Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
"The reports on offer are too verbose."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."
"If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."
"The pricing for qualified startups such as Neo4j could be improved."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"The solution often has a high number of false positives. It's an aspect they really need to improve upon."
"They have to improve support."
"One thing which I think can be improved is the CI/CD integration."
"The Burp Collaborator needs improvement. There also needs to be improved integration."
"One thing that is not up to the mark in PortSwigger is web application testing. I found some issues with its performance and reporting. They should work on these and give us a better outcome."
"There should be a heads up display like the one available in OWASP Zap."
"It should provide a better way to integrate with Jenkins so that DAST (dynamic application security testing) can be automated."
"We wish that the Spider feature would appear in the same shape that it does in previous versions."
"The biggest improvement that I would like to see from PortSwigger that today many people see as an issue in their testing. There might be a feature which might be desired."
"Currently, the scanning is only available in the full version of Burp, and not in the Community version."
"One area that can be improved, when compared to alternative tools, is that they could provide different reporting options and in different formats like PDF or something like that."
"I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
"The pricing is really fair compared to a lot of other tools on the market."
"Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
"Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward."
"Veracode's price is high. I would like them to better optimize their pricing."
"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
"It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
"We are using the community version, which is free."
"This solution requires a license. It is expensive but you receive a lot of functionality for the price."
"At $400 or $500 per license paid annually, it is a very cheap tool."
"The price for the solution is expensive and could be cheaper. We pay an annual license and our team has several of them."
"There are different licenses available that include a free version."
"It is expensive for us in Brazil because the currency exchange rate from a dollar to a Brazilian Real is quite steep."
"Licensing costs are about $450/year for one user. For larger organizations, they're able to test against multiple applications while simultaneously others might have multiple versions of applications which need to be tested, which is why we have the enterprise edition."
"The solution used to be expensive. However, they have reduced the price to approximately $400.00 which is reasonable."
Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.
IBM Security AppScan enhances web application security and mobile application security, improves application security program management and strengthens regulatory compliance. By scanning your web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities and generate reports and fix recommendations.
Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.
PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.
Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.
HCL AppScan is ranked 18th in Application Security with 3 reviews while PortSwigger Burp Suite Professional is ranked 5th in Application Security with 21 reviews. HCL AppScan is rated 7.0, while PortSwigger Burp Suite Professional is rated 8.4. The top reviewer of HCL AppScan writes "Allows for dynamic scanning but lacks easy CI/CD integration". On the other hand, the top reviewer of PortSwigger Burp Suite Professional writes "Great design, excellent features like Intruder, Repeater, Decoder with plenty of plug-ins from community forums". HCL AppScan is most compared with SonarQube, Micro Focus Fortify on Demand, OWASP Zap, Checkmarx and Fortify WebInspect, whereas PortSwigger Burp Suite Professional is most compared with OWASP Zap, Fortify WebInspect, Tenable.io Web Application Scanning, Acunetix by Invicti and Micro Focus Fortify on Demand. See our HCL AppScan vs. PortSwigger Burp Suite Professional report.
We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.