We performed a comparison between Sonatype Repository Firewall and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The product's network and intrusion protection features are valuable. It also has rules and compliance features for security."
"Another thing that I like about Sonatype is that if you download something today, and five days from today it becomes vulnerable, it will notify you."
"The Veracode support team is excellent."
"Static analysis scanning engine is a key feature."
"I can have quick results by just uploading compiled components."
"One thing that I like about Veracode is that it is quite a good tool for dynamic application testing."
"I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues."
"We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVS core, and that makes things much easier."
"The static analysis gives you deep insights into problems."
"We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes."
"What I don't like is the lack of an option to pick up the phone and call someone for support. That is something they need to improve on. They need to have a professional services package, or they need to include that option with their services."
"The tool needs to improve its file systems. The product should also include zero test feature."
"I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."
"The on-platform reporting needs to be opened up much more. We'd like to be able to look at the inspection data from a trending perspective in a much more open manner. I need to be able to sort and filter much more flexibly than I can today."
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing."
"There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved."
"I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of stuff; more hand-holding in the sense of understanding our environment."
"An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server."
"The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed."
"In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me."
Sonatype Repository Firewall is ranked 34th in Application Security Tools with 3 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. Sonatype Repository Firewall is rated 8.4, while Veracode is rated 8.2. The top reviewer of Sonatype Repository Firewall writes "You will get clean code every time, and that's a great achievement". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". Sonatype Repository Firewall is most compared with JFrog Xray, Cisco Secure Firewall, Black Duck, GitHub and GitLab, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and Fortify Static Code Analyzer. See our Sonatype Repository Firewall vs. Veracode report.
See our list of best Application Security Tools vendors and best Software Composition Analysis (SCA) vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.