
ShiftLeft vs Veracode comparison

 

Comparison Buyer's Guide

Executive Summary
 

Categories and Ranking

ShiftLeft
Ranking in Application Security Tools: 24th
Ranking in Static Application Security Testing (SAST): 18th
Ranking in Software Composition Analysis (SCA): 11th
Average Rating: 10.0
Reviews Sentiment: 7.1
Number of Reviews: 1
Ranking in other categories: No ranking in other categories

Veracode
Ranking in Application Security Tools: 2nd
Ranking in Static Application Security Testing (SAST): 2nd
Ranking in Software Composition Analysis (SCA): 2nd
Average Rating: 8.2
Reviews Sentiment: 7.1
Number of Reviews: 197
Ranking in other categories: Container Security (4th), Penetration Testing Services (3rd), Static Code Analysis (1st), Application Security Posture Management (ASPM) (1st)
 

Mindshare comparison

As of November 2024, in the Application Security Tools category, the mindshare of ShiftLeft is 0.1%, down from 0.2% compared to the previous year. The mindshare of Veracode is 10.4%, down from 11.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

Effective in identifying and fixing bugs early in the development lifecycle
When it comes to ShiftLeft, the most valuable feature is definitely its ease of use and cost-effectiveness. Previously, security professionals had to spend a lot of time and effort running around, asking people to fix issues in their products, architectures, code, and even networks. With ShiftLeft, everything becomes robust and secure from within. Instead of relying on external measures like Web Application Firewalls (WAF) that are applied from the outside in, ShiftLeft takes a proactive approach. It helps prevent issues from arising in the first place, making it much easier for both security teams and developers. It's also cost-effective because you don't have to constantly go back, make changes to the code, and then push it again. Writing secure code from the start ensures that there are no vulnerabilities when it goes live. So, I would say the main features of ShiftLeft are its cost-effectiveness and ease of adaptability or use.
Sajal Sharma - PeerSpot reviewer
Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards
Its robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC. We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline.
We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"When it comes to ShiftLeft, the most valuable feature is definitely its ease of use and cost-effectiveness."
"I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well."
"Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode."
"The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process."
"The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen."
"We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing."
"The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code."
"The Veracode technical support is very good. They are responsive and very knowledgeable."
"The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline."
 

Cons

"Having support from senior management is crucial in making it mandatory for teams to collaborate with the security team throughout the development process."
"Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"
"The current version of the application does not support testing for API."
"The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well."
"It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline."
"The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users."
"The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."
"It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."
"When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."
 

Pricing and Cost Advice

Information not available
"The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees."
"Veracode is affordable for large organizations, but its pricing may be out of reach for small and medium companies."
"I'm unfamiliar with the solution's pricing, but it must be worth the cost from a company perspective, as we have been using it for years and have no plans to move away from it."
"For enterprises, Veracode has done a fairly good job, but its pricing is not suitable for startups. The microservice distributed architecture for a startup is very small. I had to do a lot of discussions on the pricing initially. I previously worked in an enterprise organization where I used Veracode, and that's how I got to know about Veracode, but that was a big organization with more than a thousand employees. So, the cost is very different for them because the size of the application is different. Its pricing makes sense there, but when we try to onboard this solution for the startup ecosystem, pricing is not friendly. Because I knew the product and I knew its value, I onboarded it, but I don't think any other startup at our scale will onboard it."
"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
"To my knowledge, licensing for Veracode Static Analysis is paid yearly by my company."
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
"I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution."
816,406 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Retailer: 13%
Computer Software Company: 12%
Recreational Facilities/Services Company: 12%
Legal Firm: 9%
Financial Services Firm: 18%
Computer Software Company: 16%
Manufacturing Company: 8%
Government: 6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What do you like most about ShiftLeft?
When it comes to ShiftLeft, the most valuable feature is definitely its ease of use and cost-effectiveness.
What needs improvement with ShiftLeft?
When it comes to areas of improvement for ShiftLeft, I believe it could benefit from greater support from senior management. It's important to have their involvement when it comes to architectural ...
What advice do you have for others considering ShiftLeft?
I would highly recommend ShiftLeft. It greatly simplifies the job for both security professionals and developers. By identifying and fixing bugs earlier in the development lifecycle, it significant...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
What do you like most about Veracode?
The SAST and DAST modules are great.
What is your experience regarding pricing and costs for Veracode?
The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.
 

Also Known As

No data available
Crashtest Security, Veracode Detect
 

Overview

 

Sample Customers

Information Not Available
Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools. Updated: November 2024.