Reviews of veracode & features to look for in a static / source code analyzer

Care to share the reviews of veracode (esp compared to Fortify)?

What are the key features to look for in a source code analyzer besides the languages that it support
& it ought to scan for OWASP top 10?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
1) If you only has binary then Veracode is apt. If you have source code then Fortify is preferred. The latter has got some good support on the visual studio team services for integrating into VSTS if you are going for a Microsoft based CI/CD Pipeline integration. But it adds a heavy cost to build times for the codes, so it should be part of the small sprint agile runs to make the final code secure rather have it at the tail ends. VeraCode is more into blackbox testing and good for testing legacy binaries especially when you are missing past codes (due to poor code version tracking etc). That said, Fortify can also conduct the binaries testing too on premise or in cloud as compared to Veracode that has only cloud based scanning which some user may have concerns to upload into the cloud platform.

Fortify key features
  • Enables customers to create, supplement and expand a Software Security Assurance program.
  • Uses open APIs to embed application security testing into all stages of the development tool chain; development, deployment, and production. E.g. it offers a technology for runtime application security protection (Real-Time Analyzer), which is a "software firewall" that resides inside an application to protect vulnerable locations within it, and can also monitor and report on application activity
  • Provides out-of-the-box vulnerability shielding protection via integration with TippingPoint
Veracode key Features
  • The ability on static scans to be able to do sandbox scans which do not generate metrics. And quickly perform a one-time automated scan of large numbers of applications for a limited set of high-risk, high-confidence vulnerabilities at a price of $150 per website (500-scan minimum). May be past info though
  • Surfaces every vulnerability that has been identified, so there is not much human intervention as a default.
  • Allows user to prioritize own vulnerabilities as opposed to having someone else try to get in between. E.g.  the console has an optional integration with EMC's governance, risk and compliance (GRC) tool, Archer
  • Leader in conducting  application-security-testing-as-a-service offerings as compared to others. However,  no automated record/replay vulnerability capabilities and  no WAF integration

2. Some key features
  • Must have the developer in mind - In other words, developer buy-in to use it diligent is important and ease off their building and rescanning using their familiar development studio or kit
  • Intelligence test capability with minimal human intervention - allows customised fields or fuzzy inputs to be automated  used to test modules, API calls etc and learn and automate the cycle to adapt and generate further fields.
  • Compliance baseline template support - able to not only have OWASP but other software quality template with metric on code complexity, cohesiveness and coupling level.
  • Good knowledge based integration - able to retain past building instruction and  common lapses surfaced and retrieve past reporting and resolution to secure the code.
  • Good bug-finding performance - Look for both thoroughness and accuracy. Fewer false positives means less manual work.
  • Centralized reporting component - For team of developers and managers who want access to findings, trending and overview reporting.
See this
  • DO retain the human element. While the tools will provide long lists of vulnerabilities, it takes a skilled professional to interpret and prioritize the results.
  • DON'T anticipate a short scan. The rule of thumb, according to Coverity, is for each hour of build time, allow for two hours for the analysis to be complete.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.