We changed our name from IT Central Station: Here's why

Snyk vs Veracode Software Composition Analysis comparison

Cancel
You must select at least 2 products to compare!
Featured Review
Find out what your peers are saying about Snyk vs. Veracode Software Composition Analysis and other solutions. Updated: January 2022.
564,643 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The dependency checks of the libraries are very valuable, but the licensing part is also very important because, with open source components, licensing can be all over the place. Our project is not an open source project, but we do use quite a lot of open source components and we want to make sure that we don't have surprises in there.""Snyk is a developer-friendly product.""It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones.""Our overall security has improved. We are running fewer severities and vulnerabilities in our packages. We fixed a lot of the vulnerabilities that we didn't know were there.""It is one of the best product out there to help developers find and fix vulnerabilities quickly. When we talk about the third-party software vulnerability piece and potentially security issues, it takes the load off the user or developer. They even provide automitigation strategies and an auto-fix feature, which seem to have been adopted pretty well.""It's very easy for developers to use. Onboarding was an easy process for all of the developers within the company. After a quick, half-an-hour to an hour session, they were fully using it on their own. It's very straightforward. Usability is definitely a 10 out of 10.""We're loving some of the Kubernetes integration as well. That's really quite cool. It's still in the early days of our use of it, but it looks really exciting. In the Kubernetes world, it's very good at reporting on the areas around the configuration of your platform, rather than the things that you've pulled in. There's some good advice there that allows you to prioritize whether something is important or just worrying. That's very helpful.""Snyk has given us really good results because it is fully automated. We don't have to scan projects every time to find vulnerabilities, as it already stores the dependencies that we are using. It monitors 24/7 to find out if there are any issues that have been reported out on the Internet."

More Snyk Pros →

"The most valuable feature is the efficiency of the tool in finding vulnerabilities.""There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode.""The solution is stable. we've never had any issues surrounding its stability.""For use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool.""The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting."""Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code.""The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities.""This is a great tool for learning about potential vulnerabilities in code."

More Veracode Software Composition Analysis Pros →

Cons
"The documentation sometimes is not relevant. It does not cover the latest updates, scanning, and configurations. The documentation for some things is wrong and does not cover some configuration scannings for the multiple project settings.""Scalability has some issues because we have a lot of code and its use is mandatory. Therefore, it can be slow at times, especially because there are a lot of projects and reporting. Some UI improvements could help with this.""A feature we would like to see is the ability to archive and store historical data, without actually deleting it. It's a problem because it throws my numbers off. When I'm looking at the dashboard's current vulnerabilities, it's not accurate.""There is always more work to do around managing the volume of information when you've got thousands of vulnerabilities. Trying to get those down to zero is virtually impossible, either through ignoring them all or through fixing them. That filtering or information management is always going to be something that can be improved.""The way Snyk notifies if we have an issue, there are a few options: High vulnerability or medium vulnerability. The problem with that is high vulnerabilities are too broad, because there are too many. If you enable notifications, you get a lot of notifications, When you get many notifications, they become irrelevant because they're not specific. I would prefer to have control over the notifications and somehow decide if I want to get only exploitable vulnerabilities or get a specific score for a vulnerability. Right now, we receive too many high vulnerabilities. If we enable notifications, then we just get a lot of spam message. Therefore, we would like some type of filtering system to be built-in for the system to be more precise.""Because Snyk has so many integrations and so many things it can do, it's hard to really understand all of them and to get that information to each team that needs it... If there were more self-service, perhaps tutorials or overviews for new teams or developers, so that they could click through and see things themselves, that would help.""We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider.""Compatibility with other products would be great."

More Snyk Cons →

"A high number of false positives are reported and this should be reduced.""Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues.""There were some additional manual steps or work involved that we should not have needed to do.""The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it.""The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified.""The documentation is poor and the technical support isn't helpful.""Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided.""The scanning could be improved, because some scans take a bit of time."

More Veracode Software Composition Analysis Cons →

Pricing and Cost Advice
  • "It's inexpensive and easy to license. It comes in standard package sizing, which is straightforward. This information is publicly found on their website."
  • "We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon"
  • "You can get a good deal with Snyk for pricing. It's a little expensive, but it is worth it."
  • "Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us."
  • "The price is good. Snyk had a good price compared to the competition, who had higher pricing than them. Also, their licensing and billing are clear."
  • "It's good value. That's the primary thing. It's not cheap-cheap, but it's good value."
  • "With Snyk, you get what you pay for. It is not a cheap solution, but you get a comprehensiveness and level of coverage that is very good. The dollars in the security budget only go so far. If I can maximize my value and be able to have some funds left over for other initiatives, I want to do that. That is what drives me to continue to say, "What's out there in the market? Snyk's expensive, but it's good. Is there something as good, but more affordable?" Ultimately, I find we could go cheaper, but we would lose the completeness of vision or scope. I am not willing to do that because Snyk does provide a pretty important benefit for us."
  • "Snyk is a premium-priced product, so it's kind of expensive. The big con that I find frustrating is when a company charges extra for single sign-on (SSO) into their SaaS app. Snyk is one of the few that I'm willing to pay that add-on charge, but generally I disqualify products that charge an extra fee to do integrated authentication to our identity provider, like Okta or some other SSO. That is a big negative. We had to pay extra for that. That little annoyance aside, it is expensive. You get a lot out of it, but you're paying for that premium."
  • More Snyk Pricing and Cost Advice →

  • "Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support."
  • "The Veracode price model is based on application profiles, which is how you package your components for scanning."
  • "Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors."
  • "It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator."
  • More Veracode Software Composition Analysis Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
    564,643 professionals have used our research since 2012.
    Questions from the Community
    Top Answer: 
    Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you are… more »
    Top Answer: 
    There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our… more »
    Top Answer: 
    Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them.
    Top Answer: 
    The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having… more »
    Top Answer: 
    The thing that I'll go back to is when one of my mentors said to me "Evan, security is a critical aspect of any organization. People don't always believe in it. And the best way to sell it is to… more »
    Top Answer: 
    The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We… more »
    Ranking
    Views
    19,582
    Comparisons
    14,897
    Reviews
    18
    Average Words per Review
    1,608
    Rating
    8.4
    Views
    3,726
    Comparisons
    2,718
    Reviews
    11
    Average Words per Review
    1,257
    Rating
    8.2
    Comparisons
    Also Known As
    Veracode SCA, SourceClear
    Learn More
    Overview

    Snyk’s mission is to help developers use open source code and stay secure. The use of open source is booming, but security is a key concern (https://snyk.io/stateofossecurity/). Snyk’s unique developer focused product enables developers and enterprise security to continuously find & fix vulnerable dependencies without slowing down, with seamless integration into Dev & DevOps workflows. Snyk is adopted by over 100,000 developers, has multiple enterprise customers (such as Google, New Relic, ASOS and others) and is experiencing rapid growth. Our investors are Canaan Partners, BOLDStart, and several successful developer tools entrepreneurs. Snyk was founded in 2015 and is headquartered in London with offices in Israel and the US. For more information, go to https://snyk.io/.

    Veracode Software Composition detects open source vulnerabilities in the software development process with higher accuracy. Veracode SCA reduces false positives by prioritizing vulnerabilities in the execution path of the application. Its proprietary database contains significantly more vulnerabilities than the NVD because it datamines pull requests, bug reports, and release notes. It also looks for vulnerabilities in dependencies several layers deep. Veracode SCA is part of a comprehensive DevSecOps solution that covers multiple assessment types, enables developers, and helps organizations achieve AppSec governance.

    Offer
    Learn more about Snyk
    Learn more about Veracode Software Composition Analysis
    Sample Customers
    StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief
    Blue Prism, Advantasure, Automation Anywhere, Cox Automotive
    Top Industries
    VISITORS READING REVIEWS
    Computer Software Company28%
    Comms Service Provider21%
    Financial Services Firm8%
    Manufacturing Company5%
    VISITORS READING REVIEWS
    Computer Software Company34%
    Comms Service Provider12%
    Financial Services Firm11%
    Insurance Company5%
    Company Size
    REVIEWERS
    Small Business32%
    Midsize Enterprise37%
    Large Enterprise32%
    VISITORS READING REVIEWS
    Small Business34%
    Midsize Enterprise13%
    Large Enterprise53%
    REVIEWERS
    Small Business50%
    Midsize Enterprise17%
    Large Enterprise33%
    VISITORS READING REVIEWS
    Small Business50%
    Midsize Enterprise12%
    Large Enterprise38%
    Find out what your peers are saying about Snyk vs. Veracode Software Composition Analysis and other solutions. Updated: January 2022.
    564,643 professionals have used our research since 2012.

    Snyk is ranked 2nd in Software Composition Analysis (SCA) with 18 reviews while Veracode Software Composition Analysis is ranked 7th in Software Composition Analysis (SCA) with 11 reviews. Snyk is rated 8.4, while Veracode Software Composition Analysis is rated 8.2. The top reviewer of Snyk writes "Helps Avoid The Pain And The Cost Of Trying To Retrofit Security in your Code". On the other hand, the top reviewer of Veracode Software Composition Analysis writes "The scanning process helps to significantly improve our standards and best practices". Snyk is most compared with SonarQube, WhiteSource, Black Duck, Checkmarx and Aqua Security, whereas Veracode Software Composition Analysis is most compared with Black Duck, JFrog Xray, WhiteSource, Sonatype Nexus Lifecycle and FOSSA. See our Snyk vs. Veracode Software Composition Analysis report.

    See our list of best Software Composition Analysis (SCA) vendors.

    We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.