We performed a comparison between CodeSonar and Veracode based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The most valuable features of CodeSonar were all the categorized classes provided, and reports of future bugs which might occur in the production code. Additionally, I found the buffer overflow and underflow useful."
"There is nice functionality for code surfing and browsing."
"What I like best about CodeSonar is that it has fantastic speed, analysis and configuration times. Its detection of all runtime errors is also very good, though there were times it missed a few. The configuration of logs by CodeSonar is also very fantastic which I've not seen anywhere else. I also like the GUI interface of CodeSonar because it's very user friendly and the tool also shows very precise logs and results."
"The tool is very good for detecting memory leaks."
"CodeSonar’s most valuable feature is finding security threats."
"It has been able to scale."
"The most valuable feature of CodeSonar is the catching of dead code. It is helpful."
"Veracode does not require any maintenance."
"It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code."
"The most valuable feature is Veracode SDP, which allows for something related to third-party vulnerabilities. When we build a product, we use a lot of third-party libraries instead of building everything from scratch. We just use a library which is already been built; we just use that component in our product. Sometimes, these libraries may have bugs or issues, and it's hard to keep track of them because we use thousands of them."
"The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting.""
"It has the ability to scale, and the fact that it doesn't produce a lot of false positives."
"Allows us to track the remediation and handling of identified vulnerabilities."
"To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
"The Static and Dynamic Analysis capabilities are very valuable to us. They've improved the speed of the inspection process."
"There could be a shared licensing model for the users."
"It would be beneficial for the solution to include code standards and additional functionality for security."
"In terms of areas for improvement, the use case for CodeSonar was good, but compared to other tools, it seems CodeSonar isn't a sound static analysis tool, and this is a major con I've seen from it. Right now, in the market, people prefer sound static analysis tools, so I would have preferred if CodeSonar was developed into a sound static analysis tool formally, in terms of its algorithms, so then you can see it extensively used in the market because at the moment, here in India, only fifty to sixty customers use CodeSonar. If the product is developed into a sound static analysis tool, it could compete with Polyspace, and from its current fifty customers, that number could go up to a hundred."
"The scanning tool for core architecture could be improved."
"CodeSonar could improve by having better coding rules so we did not have to use another solution, such as MISRA C."
"It was expensive."
"In a future release, the solution should upgrade itself to the current trends and differentiate between the languages. If there are any classifications that can be set for these programming languages that would be helpful rather than having everything in the generic category."
"Maybe the pipeline scanning doesn't support enough languages. It might only support Java and Python only, so that could be improved."
"I would like Veracode to also have the ability to fix these flaws in a future release."
"The current version of the application does not support testing for API."
"The user interface could be more sleek. Some scanning requirements aren't flexible. Some features take some time for new users to understand (like what exactly "modules" are)."
"Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries."
"The interface is too complex."
"I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
"Some features could be improved in terms of user-friendliness."
CodeSonar is ranked 21st in Application Security Tools with 7 reviews while Veracode is ranked 2nd in Application Security Tools with 194 reviews. CodeSonar is rated 8.2, while Veracode is rated 8.2. The top reviewer of CodeSonar writes "Nice interface, quick to deploy, and easy to expand". On the other hand, the top reviewer of Veracode writes "Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning ". CodeSonar is most compared with SonarQube, Coverity, Klocwork and Polyspace Code Prover, whereas Veracode is most compared with SonarQube, Checkmarx One, Fortify on Demand, Snyk and Fortify Static Code Analyzer. See our CodeSonar vs. Veracode report.
See our list of best Application Security Tools vendors and best Static Code Analysis vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.