Fortify Application Defender vs Veracode comparison

 

Comparison Buyer's Guide

Categories and Ranking

Fortify Application Defender
Ranking in Application Security Tools: 30th
Average Rating: 7.8
Number of Reviews: 11
Ranking in other categories: No ranking in other categories

Veracode
Ranking in Application Security Tools: 2nd
Average Rating: 8.2
Number of Reviews: 194
Ranking in other categories: Static Application Security Testing (SAST) (2nd), Container Security (4th), Software Composition Analysis (SCA) (2nd), Penetration Testing Services (3rd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (2nd)
 

Market share comparison

As of June 2024, in the Application Security Tools category, the market share of Fortify Application Defender is 0.6%, down 36.9% compared to the previous year. The market share of Veracode is 10.1%, down 0.9% compared to the previous year. Market share is calculated based on PeerSpot user engagement data.
Application Security Tools
Unique Categories:
No other categories found
Static Application Security Testing (SAST): 8.1%
Container Security: 2.9%
 

Featured Reviews

HisaoOgata - PeerSpot reviewer
May 24, 2023
Saves time and warns about the vulnerabilities in the software, but the false positive rate should be lower
We use the solution to prevent cyberattacks. Based on the alerts created by the solution during development, we modify the software we are developing. The product finds mistakes automatically. It warns us about the vulnerabilities in the software. The product saves us cost and time. The product…
SB
Apr 16, 2024
Makes our code secure and integrates well with GitHub
There are multiple ways to use Veracode. We can use Veracode directly in our ID environment, and we can use it in the UI environment in our platform. We can integrate it with GitHub or GitLab. We can also install SourceClear as an agent. It helps to reduce the application risk rate. It checks for any vulnerabilities or CVE IDs against its database. If any vulnerabilities are present, it gives suggestions, remediations, and fixes. They have recently started with Veracode Fix, so the auto-fix capability is there for your code. Previously, it was very difficult to find vulnerabilities and scan threats. It is a primary need to maintain the security of our code. Veracode is a good option. It provides all kinds of features for developers. Veracode checks for vulnerabilities in the static code, third-party libraries, and infrastructure. If there are any vulnerabilities in your static code, it will provide them. It can also auto-fix them with Veracode Fix. For Web APIs, there is a solution called DAST Essentials. It came out recently, but it is a very good solution. It has been a year since I have been using Veracode, and it has been very helpful. It gave me the vulnerabilities present in my code, such as SQL injection, and the fixes for them. It gives good suggestions to improve the score of our code base. It gives a lot of things. I started using Veracode Fix about one month back. It can automatically fix whatever vulnerabilities are present in the code. In GitHub, it shows the line numbers that it has fixed. It also provides a reason to fix them. It also gives a report based on your policies. If any high-severity vulnerability was there, it tells you how it was fixed. Everything is given in detail in the reports. It is very good. Veracode's policy reporting is good for ensuring compliance with industry standards and regulations. I would rate it an eight out of ten for that. 
Veracode provides visibility into application status at every phase of development, but the option of infrastructure and deployment security is not there in Veracode. They have probably started working on that. We use third-party libraries, and it suggests using only the safest versions. It gives suggestions on vulnerabilities that are present and how to fix them. It is very good. It makes our code secure. Veracode saves 10% to 20% time of developers.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"We are able to provide our customers with a secure application after development. They are no longer left wondering if they are vulnerable to different threats within the market following deployment."
"The most valuable feature is the ability to automatically feed it rules what it's coupled with the WebInspect dynamic application scanning technology."
"The tool's most valuable feature is software composition analysis. This feature works well with my .NET applications, providing a better understanding of library vulnerabilities."
"The information from Fortify Application Defender on how to fix and solve issues is very good compared to other solutions."
"The most valuable feature is that it analyzes data in real-time."
"The most valuable features of Fortify Application Defender are the code packages that are default."
"I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy."
"The product saves us cost and time."
"The product’s policy reporting for ensuring compliance with industry standards and regulations is great."
"The most valuable feature is the static scan that checks for security issues."
"Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us."
"It has the ability to scale, and the fact that it doesn't produce a lot of false positives."
"I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes."
"Code scanning is the most valuable feature."
"It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved."
"The article scanning is excellent."
 

Cons

"I encountered many false positives for Python applications."
"The biggest complaint that I have heard concerns additional platform support because right now, it only supports applications that are written in .NET and Java."
"The licensing can be a little complex."
"The workbench is a little bit complex when you first start using it."
"Fortify Application Defender gives a lot of false positives."
"The solution is quite expensive."
"The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and security checks. Many independent and open-source tools are available, from Apache to various libraries. Using multiple DevOps pipeline tools can slow the turnaround time."
"Fortify Application Defender could improve by supporting more code languages, such as GRAAS and Groovy."
"I've found that Veracode is not particularly suitable for Dynamic Application Security Testing."
"The technical support service has room for improvement."
"We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them."
"I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."
"Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."
"Veracode doesn't really help you so much when it comes to fixing things. It is able to find our vulnerabilities but the remediation activities it does provide are not a straight out-of-the-box kind of model. We need to work on remediation and not completely rely on Veracode."
"Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
"I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase... To defend against those it's very important that the good guys use AI in ways that are good instead of bad."
 

Pricing and Cost Advice

"The product’s price is much higher than other tools."
"The price of this solution could be less expensive."
"The base licensing cost for the SaaS platform is about $900 USD per application, per year."
"I rate the solution's pricing a five out of ten. It comes as an annual cloud subscription. The tool's pricing is around 50 lakhs."
"The licensing is very complex, it's project based and can range from $10,000 to $200,000+ depending on the project type and size."
"Fortify Application Defender is very expensive."
"Veracode is costly. They have different license models for different customers. What we had was based on the amount of code that has been analyzed. The license that we had was capped to a certain amount, for example, 5 Gig. There would be an extra charge for anything above 5 Gig."
"Get a license at the beginning of a project. Don't wait until the end, because you want to use the product throughout the entire software development lifecycle, not just at the end. You could be surprised, and not in a positive way, with all the vulnerabilities there are in your code."
"I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution."
"Compared to the typical software composition analysis solutions, Veracode is not so costly, although the static analysis part of it is a little costlier."
"Regarding licensing, pay very close attention to what applications you're going to need to do dynamic scanning for, versus static. Right now, the way the licensing is set up, if you don't have any static elements for a website, you can certainly avoid some costs by doing more dynamic licenses. You need to pay very close attention to that, because if you find out later that you have static code elements - like Java scripts, etc. - that you want to have scanned statically, having the two licenses bundled together will actually save you money."
"It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average."
"The pricing is fair. You get a lot out of the product."
"Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need."
787,061 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm: 20%
Computer Software Company: 14%
Manufacturing Company: 12%
Government: 9%

Financial Services Firm: 18%
Computer Software Company: 15%
Manufacturing Company: 8%
Government: 6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about Fortify Application Defender?
I find the configuration of rules in Fortify Application Defender useful. Its integration is also easy.
What needs improvement with Fortify Application Defender?
The product should integrate industry-standard code review tools internally with its system. This would streamline the coding process, as developers wouldn't need multiple tools for code review and...
What is your primary use case for Fortify Application Defender?
We use the solution for fast code review. It is integrated into our DevOps pipeline.
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
 

Also Known As

HPE Fortify Application Defender, Micro Focus Fortify Application Defender
Crashtest Security, Veracode Detect
 

Sample Customers

ServiceMaster, Saltworks, SAP
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Fortify Application Defender vs. Veracode and other solutions. Updated: May 2024.