Find out what your peers are saying about Snyk vs. WhiteSource and other solutions. Updated: November 2021.
552,305 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros
"In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
"The time savings have been tremendous. We saw ROI in the first six months."
"The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
"It's comprehensive from a feature standpoint."
"Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
"My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipeline Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We have been using it out of the Jira plugin, and that is fantastic."
"Integrations into our developers' IDE (Greenlight) and the DevOps pipeline SAST / SourceClear integrations have particularly increased our time to market and confidence."

More Veracode Pros »

"From the software composition analysis perspective, it first makes sure that we understand what is happening from a third-party perspective for the particular product that we use. This is very difficult when you are building software and incorporating dependencies from other libraries, because those dependencies have dependencies and that chain of dependencies can go pretty deep. There could be a vulnerability in something that is seven layers deep, and it would be very difficult to understand that it is even affecting us. Therefore, Snyk provides fantastic visibility to know, "Yes, we have a problem. Here is where it ultimately comes from." It may not be with what we're incorporating, but something much deeper than that."
"There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CI/CD; I can plug it into our local IDE, and there I can do the scanning. That is the part I like best."
"The most valuable feature is that they add a lot of their own information to the vulnerabilities. They describe vulnerabilities and suggest their own mitigations or version upgrades. The information was the winning factor when we compared Snyk to others. This is what gave it more impact."
"The dependency checks of the libraries are very valuable, but the licensing part is also very important because, with open source components, licensing can be all over the place. Our project is not an open source project, but we do use quite a lot of open source components and we want to make sure that we don't have surprises in there."
"The CLI feature is quite useful because it gives us a lot of flexibility in what we want to do. If you use the UI, all the information is there and you can see what Snyk is showing you, but there is nothing else that you can change. However, when you use the CLI, then you can use commands and can get the output or response back from Snyk. You can also take advantage of that output in a different way. For the same reason, we have been using the CLI for the hard gate in the pipeline: obtain a particular CVSS score for a vulnerability. Based on that information, we can then decide if we want to block or allow the build. We have more flexibility if we use the CLI."
"It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones."
"It has improved our vulnerability rating and reduced our vulnerabilities through the tool during the time that we've had it. It's definitely made us more aware, as we have removed scoping for existing vulnerabilities and platforms since we rolled it out up until now."
"What is valuable about Snyk is its simplicity."

More Snyk Pros »
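The "hard gate" the reviewer above describes (run the CLI, read the CVSS score of each finding, and block or allow the build from that) is a small script in practice. The one below is an added example, not code from Snyk or from the reviews on this page. It assumes the JSON shape the Snyk CLI emits for `snyk test --json`: one object per project (a list of them with `--all-projects`) whose `vulnerabilities` entries carry `id`, `severity` and `cvssScore`. The embedded report, its project and package names and the `SNYK-*-EXAMPLE-*` ids are constructed; the severity-to-score floor used when an advisory has no numeric score is an assumption of this example, not Snyk's rule.

```python
"""Hard gate for a CI pipeline built on `snyk test --json` output.

Added example, not code from Snyk or from the reviews on this page. It assumes
the JSON shape the Snyk CLI emits for `snyk test --json`: one object per
project (a list of them with --all-projects) whose "vulnerabilities" entries
carry "id", "severity" and "cvssScore". The report below is constructed.
"""
import json
import sys

# A finding appears once per dependency path, so the same id can repeat, and a
# few advisories ship without a numeric score. Fall back to the floor of the
# CVSS v3 band that the severity label corresponds to (assumed mapping).
SEVERITY_FLOOR = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 0.1}

SAMPLE_REPORT = json.dumps([  # constructed: two projects, as with --all-projects
    {"projectName": "web-frontend", "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLE-0001", "packageName": "example-lib", "version": "1.2.3",
         "severity": "high", "cvssScore": 7.5, "title": "Prototype Pollution",
         "from": ["web-frontend@1.0.0", "example-lib@1.2.3"]},
        {"id": "SNYK-JS-EXAMPLE-0001", "packageName": "example-lib", "version": "1.2.3",
         "severity": "high", "cvssScore": 7.5, "title": "Prototype Pollution",
         "from": ["web-frontend@1.0.0", "widget@2.0.0", "example-lib@1.2.3"]},
        {"id": "SNYK-JS-EXAMPLE-0002", "packageName": "tiny-util", "version": "0.9.0",
         "severity": "medium", "cvssScore": 5.3, "title": "Regular Expression DoS",
         "from": ["web-frontend@1.0.0", "tiny-util@0.9.0"]},
    ]},
    {"projectName": "api-service", "vulnerabilities": [
        {"id": "SNYK-PYTHON-EXAMPLE-0003", "packageName": "old-parser", "version": "2.1.0",
         "severity": "critical", "title": "Arbitrary Code Execution",   # no cvssScore
         "from": ["api-service@1.0.0", "old-parser@2.1.0"]},
    ]},
])


def parse_report(raw):
    """Decode the CLI's JSON; a single project or a list of projects."""
    return json.loads(raw)


def iter_vulns(report):
    """Yield (project name, finding) for every finding in one or many reports."""
    projects = report if isinstance(report, list) else [report]
    for project in projects:
        name = project.get("projectName", "<unnamed>")
        for vuln in project.get("vulnerabilities", []):
            yield name, vuln


def score_of(vuln):
    """Numeric CVSS score, or the band floor when the advisory has none."""
    score = vuln.get("cvssScore")
    if isinstance(score, (int, float)):
        return float(score)
    return SEVERITY_FLOOR.get(str(vuln.get("severity", "")).lower(), 0.0)


def findings_at_or_above(report, threshold):
    """Distinct (project, id) findings scoring >= threshold, worst first."""
    seen = {}
    for project, vuln in iter_vulns(report):
        score = score_of(vuln)
        if score < threshold:
            continue
        key = (project, vuln.get("id"))
        if key not in seen:  # collapse the per-path duplicates of one advisory
            seen[key] = (score, project, vuln.get("id"),
                         vuln.get("packageName"), vuln.get("version"), vuln.get("title"))
    return sorted(seen.values(), key=lambda f: f[0], reverse=True)


def max_score(report):
    """Highest score across all projects; 0.0 for a clean report."""
    return max((score_of(v) for _, v in iter_vulns(report)), default=0.0)


def should_block(report, threshold=7.0):
    """True when any finding reaches the threshold, i.e. the build must fail."""
    return max_score(report) >= threshold


def main(argv):
    threshold = float(argv[1]) if len(argv) > 1 else 7.0
    # Piped input is the real CLI output; run interactively, use the sample.
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    report = parse_report(raw)
    for score, project, vid, pkg, ver, title in findings_at_or_above(report, threshold):
        print(f"{score:4.1f}  {project}  {vid}  {pkg}@{ver}  {title}")
    if should_block(report, threshold):
        print(f"BLOCK: a finding scores >= {threshold}", file=sys.stderr)
        return 1
    print(f"ALLOW: nothing scores >= {threshold}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline step, capture the report first and gate second: `snyk test --all-projects --json > snyk.json || true` followed by `python gate.py 7.0 < snyk.json`, because `snyk test` itself exits non-zero whenever it finds issues, which would otherwise fail the step before the gate has applied its own threshold. The per-path duplicates and the score-less advisory in the sample are the two cases that trip up a naive `jq` one-liner on this output; if a severity label rather than a numeric score is enough for your policy, the CLI's own `--severity-threshold` option does that without a script.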

"The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
"The results and the dashboard they provide are good."
"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"The solution is scalable."
"For us, the most valuable tool was open-source licensing analysis."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies."
"Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various license, copyright and component usage disclosures in our software."

More WhiteSource Pros »

Cons
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."
"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
"I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."
"Improve Mobile Application Dynamic Scanning (DAST) for .ipa and .apk."
"The product has issues with scanning."

More Veracode Cons »

"There were a couple of issues which happened because Snyk lacked some documentation on the integration side. Snyk is lacking a lot of documentation, and I would like to see them improve this. This is where we struggle a bit. For example, if something breaks, we can't figure out how to fix that issue. It may be a very simple thing, but because we don't have the proper documentation around an issue, it takes us a bit longer."
"Because Snyk has so many integrations and so many things it can do, it's hard to really understand all of them and to get that information to each team that needs it... If there were more self-service, perhaps tutorials or overviews for new teams or developers, so that they could click through and see things themselves, that would help."
"Compatibility with other products would be great."
"We have seen cases where tools didn't find or recognize certain dependencies. These are known issues, to some extent, due to the complexity in the language or stack that you are using. There are certain circumstances where the tool isn't actually finding what it's supposed to be finding; then it could be misleading."
"Scalability has some issues because we have a lot of code and its use is mandatory. Therefore, it can be slow at times, especially because there are a lot of projects and reporting. Some UI improvements could help with this."
"Basically the licensing costs are a little bit expensive."
"Could include other types of security scanning and statistical analysis."
"We've also had technical issues with blocking newly introduced vulnerabilities in PRs, and that was creating a lot of extra work for developers in trying to close and reopen the PR to get rid of some areas. We ended up having to disable that feature altogether because it wasn't really working for us and it was actually slowing down developer velocity."

More Snyk Cons »

"The dashboard UI and UX are problematic."
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"The initial setup could be simplified."
"I would like to see the static analysis included with the open-source version."
"It would be good if it could do dynamic code analysis. It is not necessarily in that space, but it could do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."
"If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
"We have ended our relationship with WhiteSource. We were using an agent that we built into the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had failures of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with the IDE and shift left so that the developers are able to see the scan results without waiting for the build to fail."
"The UI is not that friendly and you need to learn how to navigate it easily."

More WhiteSource Cons »

Pricing and Cost Advice
"Veracode's price is high. I would like them to better optimize their pricing."
"The pricing is really fair compared to a lot of other tools on the market."
"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
"Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
"If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
"Licensing cost is on a yearly basis and there are no additional costs; the pricing is straightforward."

More Veracode Pricing and Cost Advice »

"Snyk is a premium-priced product, so it's kind of expensive. The big con that I find frustrating is when a company charges extra for single sign-on (SSO) into their SaaS app. Snyk is one of the few that I'm willing to pay that add-on charge, but generally I disqualify products that charge an extra fee to do integrated authentication to our identity provider, like Okta or some other SSO. That is a big negative. We had to pay extra for that. That little annoyance aside, it is expensive. You get a lot out of it, but you're paying for that premium."
"The pricing is reasonable."
"You can get a good deal with Snyk for pricing. It's a little expensive, but it is worth it."
"It's inexpensive and easy to license. It comes in standard package sizing, which is straightforward. This information is publicly found on their website."
"Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them."
"The price is good. Snyk had a good price compared to the competition, who had higher pricing than them. Also, their licensing and billing are clear."
"Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us."
"With Snyk, you get what you pay for. It is not a cheap solution, but you get a comprehensiveness and level of coverage that is very good. The dollars in the security budget only go so far. If I can maximize my value and be able to have some funds left over for other initiatives, I want to do that. That is what drives me to continue to say, "What's out there in the market? Snyk's expensive, but it's good. Is there something as good, but more affordable?" Ultimately, I find we could go cheaper, but we would lose the completeness of vision or scope. I am not willing to do that because Snyk does provide a pretty important benefit for us."

More Snyk Pricing and Cost Advice »

"WhiteSource is much more affordable than Veracode."
"Pricing is competitive."
"As we were using a SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
"The solution involves a yearly licensing fee."

More WhiteSource Pricing and Cost Advice »

Overview

Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

Snyk’s mission is to help developers use open source code and stay secure. The use of open source is booming, but security is a key concern (https://snyk.io/stateofossecurity/). Snyk’s unique developer focused product enables developers and enterprise security to continuously find & fix vulnerable dependencies without slowing down, with seamless integration into Dev & DevOps workflows. Snyk is adopted by over 100,000 developers, has multiple enterprise customers (such as Google, New Relic, ASOS and others) and is experiencing rapid growth. Our investors are Canaan Partners, BOLDStart, and several successful developer tools entrepreneurs. Snyk was founded in 2015 and is headquartered in London with offices in Israel and the US. For more information, go to https://snyk.io/.

The leading solution for agile open source security and license compliance management, WhiteSource integrates with the DevOps pipeline to detect vulnerable open source libraries in real-time.

It provides remediation paths and policy automation to speed up time-to-fix. It also prioritizes vulnerability alerts based on usage analysis.

We support over 200 programming languages and offer the widest vulnerability database aggregating information from dozens of peer-reviewed, respected sources.

Sample Customers
Veracode: State of Missouri, Rekner
Snyk: StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief
WhiteSource: Microsoft, Autodesk, NCR, Comcast, Nokia, Forgerock, indeed.com, GE digital, KPMG, LivePerson, Jack Henry and Associates
Top Industries
REVIEWERS
Financial Services Firm 30%
Computer Software Company 12%
Insurance Company 9%
Healthcare Company 7%
VISITORS READING REVIEWS
Computer Software Company 30%
Comms Service Provider 16%
Financial Services Firm 10%
Manufacturing Company 6%
VISITORS READING REVIEWS
Computer Software Company 29%
Comms Service Provider 21%
Financial Services Firm 8%
Manufacturing Company 5%
REVIEWERS
Computer Software Company 33%
Media Company 11%
Energy/Utilities Company 11%
Consumer Goods Company 11%
VISITORS READING REVIEWS
Computer Software Company 35%
Comms Service Provider 19%
Financial Services Firm 7%
Manufacturing Company 5%
Company Size
Veracode, reviewers: Small Business 24%, Midsize Enterprise 25%, Large Enterprise 51%
Veracode, visitors reading reviews: Small Business 24%, Midsize Enterprise 31%, Large Enterprise 45%
Snyk, reviewers: Small Business 32%, Midsize Enterprise 37%, Large Enterprise 32%
Snyk, visitors reading reviews: Small Business 35%, Midsize Enterprise 12%, Large Enterprise 53%
WhiteSource, reviewers: Small Business 33%, Midsize Enterprise 7%, Large Enterprise 60%
WhiteSource, visitors reading reviews: Small Business 17%, Midsize Enterprise 10%, Large Enterprise 72%

Snyk is ranked 4th in Application Security with 19 reviews while WhiteSource is ranked 8th in Application Security with 13 reviews. Snyk is rated 8.4, while WhiteSource is rated 8.4. The top reviewer of Snyk writes "Helps Avoid The Pain And The Cost Of Trying To Retrofit Security in your Code". On the other hand, the top reviewer of WhiteSource writes "Policy automation and automatic fix suggestions help us to save time in finding and solving problems". Snyk is most compared with SonarQube, Black Duck, Checkmarx, Sonatype Nexus Lifecycle and JFrog Xray, whereas WhiteSource is most compared with SonarQube, Black Duck, Sonatype Nexus Lifecycle, Checkmarx and Micro Focus Fortify on Demand. See our Snyk vs. WhiteSource report.

See our list of best Application Security vendors and best Software Composition Analysis (SCA) vendors.

We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.