Veracode Alternatives for Modern Software Security Teams

Ryan Severns|June 30, 2021

While Veracode is often cited as a leader in the application security space, it has not kept pace with modern software development needs. Learn about the alternative tools that today's software teams are choosing for best-in-class application security testing.

Veracode is a popular application security testing platform, landing as one of the leaders in the most recent Gartner Magic Quadrant. With Dynamic Analysis (DAST), Software Composition Analysis (SCA), and Static Analysis (SAST) all wrapped into a single platform, Veracode has been considered a one-stop shop for many security teams. However, despite its lead in the Magic Quadrant and the breadth of products offered, customer feedback on the Veracode product is often unfavorable. It is frequently described as selling a big vision that the product fails to deliver on.

There are certain use cases where Veracode performs well, but software teams that are delivering modern applications and that desire to shift security left typically search for alternatives that are built for developers and DevOps automation.

Below are Veracode alternatives that modern teams are often picking.

Alternatives to Veracode DAST

StackHawk

As the only product built for automation in CI/CD, StackHawk is the modern DAST platform on the market. With StackHawk, dynamic application security tests are automated in the DevOps pipeline, alerting engineering teams if they have introduced a new vulnerability before it is released to production. This approach drastically reduces the time to discover new vulnerabilities, and with a developer-centric platform, engineers are equipped to fix vulnerabilities themselves while still in the context of the code they are working on.

Additionally, StackHawk is the leader in DAST for modern technologies. Modern application stacks introduce different requirements for dynamic testing. Today’s applications are backed by APIs, with more and more of the risk found at the API layer. StackHawk offers best-in-class API security testing for REST, GraphQL, and SOAP APIs. With StackHawk, teams can test the underlying APIs and microservices independently, allowing for more performant tests and identification of vulnerabilities earlier in the development lifecycle.

Burp Suite

Security teams that are not ready to shift DAST left may prefer Burp Suite by PortSwigger. Burp Suite has long been a favorite among penetration testers, and with the release of Burp Suite Enterprise, the product is growing in popularity among internal security teams as well.

For security teams that prefer to review all vulnerabilities themselves as a first step in the process, Burp Suite is the product of choice. Burp Suite Enterprise runs as a point-and-click scan, which makes it easy for security teams to test the production application or a publicly available staging site.

Note that while the product is marketed as DevSecOps, the scan is simply triggered from a CI/CD run rather than executed as part of the CI/CD pipeline itself. This is a step left in security testing, but it still requires vulnerabilities to be publicly reachable before they can be discovered.

For more DAST tools and a guide on what to look for, be sure to check out our DAST Overview and Tooling Guide.

Alternatives to Veracode SCA

Snyk

In recent years, Snyk has quickly become the software composition analysis tool of choice. Snyk actively maintains the open source Snyk Intel Vulnerability Database, which is the leading vulnerability database in the market. The Snyk Open Source product, its SCA offering, leverages the vulnerability database to alert developers when a dependency in their codebase contains a vulnerability.

Snyk’s developer-centric approach has led to its rapid growth and adoption. Developers are alerted in their IDE if they’ve included a dependency that contains a vulnerability, and teams can instrument automation in CI/CD to ensure that vulnerabilities don’t reach production. Additionally, with automated pull requests and patching, Snyk makes it easy for developers to deploy secure applications.

Dependabot

Dependabot is the SCA tool built into GitHub. It compares the dependency graph of the codebase against a database of known vulnerabilities, alerting users if a dependency they are using is vulnerable. Additionally, Dependabot reviews any changes to dependencies in a pull request, allowing teams to catch vulnerable dependencies before they are merged into the codebase. Dependabot is enabled on all public repos by default and can be enabled on private repos by a user with admin privileges.

Alternatives to Veracode SAST

Snyk

Snyk Code, the latest product release from Snyk, builds upon the company’s developer-centric application security foundation to deliver static application security testing for developers. True to its DNA, Snyk Code is integrated into the IDE, alerting a developer of security vulnerabilities when they are first introduced. With this, it is easy for developers to fix the bug while they are working on that part of the codebase instead of having to revisit it weeks or months later. Additionally, Snyk Code is integrated into the DevOps pipeline, allowing security teams to write rules that prevent vulnerabilities from being pushed to production.

Semgrep

Semgrep is a new open source static analysis tool that is maintained and commercially supported by r2c. Semgrep makes it easy to leverage existing security rules for static analysis, and it also supports writing custom rules. Testing is simple to automate, with the ability to run scans in the IDE, the CLI, or CI/CD. Semgrep supports 17 languages, including Go, Java, JavaScript, Python, and more.

GitHub CodeQL

CodeQL is a semantic analysis tool built around the QL query language. It draws on an open source, community-maintained set of queries to help developers identify vulnerabilities in their code. CodeQL supports testing for C/C++, C#, Go, Java, JavaScript/TypeScript, and Python. Some people are more familiar with CodeQL under the Semmle brand, the original creator of the product, which was later acquired by GitHub.

Best in Class Alternative to Veracode

Finding the right suite of application security testing tools depends on the specific use cases of a given team. However, here at StackHawk, one of our favorite combinations is StackHawk for DAST (we are obviously biased, but we also believe you’ll agree if you give us a try) and Snyk for SAST and SCA. For a glimpse of how these tools can work together, check out the following video:
