SonarQube vs. Veracode Report From PeerSpot 2022-05-07 1e69

SonarQube vs. Veracode

Buyer's Guide & Reviews
May 2022
SonarQube and Veracode

Get a custom version of this report...personalized for you!


Thanks for downloading this PeerSpot report.

Note that this is a generic report based on reviews and opinions from the entire PeerSpot
community. We offer a customized report personalized for you based on:

• Your industry
• Company size
• Which solutions you're already considering

It includes recommendations for you based on what other people like you are researching and
using.

It takes 2-3 minutes to get the report using our shortlist builder wizard. We recommend it!

Get your personalized report here.


Contents

Advice From Real Users 4-9

Top Review by Topic of SonarQube and Veracode 10-11

Overview 12

Answers From the Community 13

Reviews From Real Users 14-24

Reviews By Users Who Have Researched Both Solutions 25-29

Vendor Directory 30

Top Application Security Vendors 31-32

Top 5 Solutions by Ranking Factor 33

About This Report and PeerSpot 34

© 2022 PeerSpot
To read more reviews please visit https://www.peerspot.com/products/comparisons/sonarqube_vs_veracode?tid=pdf_comp_18823-29714


Advice From Real Users

SonarQube

PROS

"The most valuable feature of this solution is that it is free." [Full Review]
MarkRyall

"We are using the Community edition, so we don't have to incur any licensing costs. This is the best part." [Full Review]
HimanshuSharma

"We consider it a handy tool that helps to resolve our issues immediately." [Full Review]
reviewer1812603

"This solution has the capability to analyze source code in almost all the languages in the market." [Full Review]
FilipeMarcelino

"We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard." [Full Review]
Purushothaman K

"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues." [Full Review]
reviewer1158774

"Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications." [Full Review]
Denis Walrave


Advice From Real Users

SonarQube

CONS

"There could be better integration with other products." [Full Review]
MarkRyall

"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have." [Full Review]
HimanshuSharma

"It should be user-friendly." [Full Review]
reviewer1812603

"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced." [Full Review]
FilipeMarcelino

"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed." [Full Review]
Purushothaman K

"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this." [Full Review]
reviewer1158774

"The handling of the contents of Docker container images could be better." [Full Review]
Denis Walrave


Advice From Real Users

SonarQube

PRICING AND LICENSING ADVICE

"It's an open-source solution, with no additional costs." [Full Review]
MarkRyall

"We are using the Community edition of SonarQube." [Full Review]
HimanshuSharma

"As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool." [Full Review]
FilipeMarcelino

"We are using the Developer Edition and the cost is based on the amount of code that is being processed." [Full Review]
reviewer1158774

"We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs." [Full Review]
reviewer841284

"The free version of SonarQube does everything that we need it to." [Full Review]
reviewer1141026

"SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off." [Full Review]
Angelo Quaglia


Advice From Real Users

Veracode

PROS

"The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use." [Full Review]
Chris Sawyer

"The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly." [Full Review]
Stephen Pack

"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place." [Full Review]
reviewer1705929

"The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code." [Full Review]
Reviewer339593

"Good static analysis and dynamic analysis." [Full Review]
Nachu Subramanian

"The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools." [Full Review]
reviewer1596348

"It's comprehensive from a feature standpoint." [Full Review]
reviewer1542384


Advice From Real Users

Veracode

CONS

"I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use." [Full Review]
Chris Sawyer

"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it." [Full Review]
Stephen Pack

"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results." [Full Review]
reviewer1705929

"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, 'Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it,' we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had." [Full Review]
Reviewer339593

"The product has issues with scanning." [Full Review]
Nachu Subramanian

"The solution could improve the Dynamic Analysis Security Testing (DAST)." [Full Review]
reviewer1596348

"The reports on offer are too verbose." [Full Review]
reviewer1542384


Advice From Real Users

Veracode

PRICING AND LICENSING ADVICE

"From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately." [Full Review]
Stephen Pack

"Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward." [Full Review]
reviewer1310136

"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license." [Full Review]
Srinivasa Rao Kuruba

"It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent." [Full Review]
reviewer1450479

"The pricing is really fair compared to a lot of other tools on the market." [Full Review]
reviewer1451973

"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive." [Full Review]
reviewer1448070

"Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive." [Full Review]
Karen Meohas


Top Reviews by Topic

VALUABLE FEATURES

SonarQube

reviewer841284
I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are. [Full Review]

Raja_Reddy
One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environmen... [Full Review]

reviewer1407126
The main factor that makes the product valuable for us is that it is free because budget is always an issue. We do not have to pay for it, but there are many cons to using a free product at times. It is a very good tool even if it is free. The dashboard and the media that it provides are all quite helpful. We are always using SonarQube. But currently, we were trying to evaluate some more tools because Sonar in the free version has around 10 to 15 languages. If we go to the commercial version, th... [Full Review]

Veracode

Stephen Pack
The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly. We're doing scans daily, so that's the most important feature for us. The interface is great. It allows us to look at our different applications, understand all of the different types of scans, as well as the results. The types of testing include SAST, DAST, and SCA, and it pulls all of ... [Full Review]

reviewer1705929
With the static component analysis, they scan your code statically and they look specifically at third-party libraries and at any third-party code that you have in your product for vulnerabilities, updates, and changes in licensing. For example, if one of them changed from a license that allowed for more changes on your side to something that is more restrictive, they would flag that for you so that you can evaluate it and know immediately that you need to take some action. They keep abreast of ... [Full Review]

Marcello Teodori
The feature that we use the most is the static analysis, by uploading the artifacts. We have two types of applications. They are either Java Server applications using Spring Boot or JavaScript frontend applications. We scan both using the static analysis. Before, we used to do the software composition on one side and the static analysis. For about a year now, we have had a proper security architect who's in charge of organizing the way that we scan for security. He suggested that we only use the... [Full Review]


Top Reviews by Topic

ROOM FOR IMPROVEMENT

SonarQube

reviewer841284
The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated t... [Full Review]

Raja_Reddy
SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input ... [Full Review]

reviewer1407126
Integration could be better in SonarQube in the free version. It does not have any bug tracking tool, like Jira. They are not integrated with enough additional programming tools. There is one issue with the dashboard. The dashboard which is there is okay. But sometimes if we have to work on multiple issues the application is giving us errors. Say we have five issues. All five issues might not be very important, so in cases where there are multiple issues, we would just want it to give us a warni... [Full Review]

Veracode

Stephen Pack
The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it. The pricing model was expensive and the results were not the same as the full solution analysis. It gives a differently scoped "just in time" analysis within the context of the IDE, so it didn't speak to the same problem space. The best situation would be t... [Full Review]

reviewer1705929
One thing I would strongly encourage Veracode to do, early on in the process—in the first 30 days—is to provide a strong professional services-type of engagement where they come to the table with the front solution engineers, and work with their customer's team and their codebase to show how the product can be integrated into GitHub or their own repository. They should guide them on best practices for getting the most out of Veracode, and demonstrate it with live scanning on the customer's code.... [Full Review]

Marcello Teodori
What could improve a lot is the user interface because it's quite dated. And in general, as we are heavy users of GitHub, the integration with the user interface of GitHub could be improved as well. There is also room for improvement in the reporting in conjunction with releases. Every time we release software to the outside world, we also need to provide an inventory of the libraries that we are using, with the current state of vulnerabilities, so that it is clear. And if we can't upgrade a lib... [Full Review]


Overview

SOLUTION OVERVIEW

SonarQube: SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping...

Veracode: Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and...

SAMPLE CUSTOMERS

SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
Veracode: State of Missouri, Rekner

TOP COMPARISONS

SonarQube:
  Veracode vs. SonarQube ... compared 24% of the time
  Checkmarx vs. SonarQube ... compared 21% of the time
  Micro Focus Fortify on Demand vs. SonarQube ... compared 13% of the time
Veracode:
  SonarQube vs. Veracode ... compared 44% of the time
  Checkmarx vs. Veracode ... compared 14% of the time
  Micro Focus Fortify on Demand vs. Veracode ... compared 11% of the time

TOP INDUSTRIES, BASED ON REVIEWERS*

SonarQube: Computer Software Company 26%; Financial Services Firm 22%; Manufacturing Company 8%; Comms Service Provider 6%
Veracode: Financial Services Firm 33%; Computer Software Company 12%; Insurance Company 9%; Consumer Goods Company 7%

TOP INDUSTRIES, BASED ON COMPANIES READING REVIEWS*

SonarQube: Computer Software Company 26%; Comms Service Provider 17%; Financial Services Firm 13%; Manufacturing Company 7%
Veracode: Computer Software Company 28%; Comms Service Provider 16%; Financial Services Firm 11%; Manufacturing Company 6%

COMPANY SIZE, BASED ON REVIEWERS*

SonarQube: 1001+ Employees 56%; 1-200 Employees 26%; 201-1000 Employees 18%
Veracode: 1001+ Employees 49%; 201-1000 Employees 26%; 1-200 Employees 25%

COMPANY SIZE, BASED ON COMPANIES READING REVIEWS*

SonarQube: 1001+ Employees 48%; 1-200 Employees 32%; 201-1000 Employees 20%
Veracode: 1001+ Employees 40%; 201-1000 Employees 31%; 1-200 Employees 29%

* Data is based on the aggregate profiles of PeerSpot Users researching this solution.


Answers from the Community

Which gives you more for your money - SonarQube or Veracode?

Why is one better than the other?

We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and Developer commercial editions offer a lot more rules and functionalities. Veracode is mostly in the space of security testing and amongst the leaders in this space. It's a commercial product and has no community edition, to the best of my knowledge. Depending on your use cases, you will need both of these areas to be covered through these or other tools.
reviewer1572348

See all 6 answers >>


SonarQube review by a real user

Good integration and has useful feedback features, such as Quality Gate

Manager at kellton

Raja_Reddy

WHAT IS OUR PRIMARY USE CASE?

Our primary use case of SonarQube is getting feedback on code. We are using Spring Boot and Java 8. We are also using
SonarLint, which is an Eclipse IDE plugin, to detect vulnerabilities during development. Once the developer finishes the code
and commits the code into the Bitbucket code repository, the continuous integration pipeline will automatically run using
Jenkins. As part of this pipeline, there is a build unit test and a SonarQube scan. All the parameters are configured as per
project requirements, and the SonarQube scan will run immediately once the developer commits the code to the repository.
The advantage of this is that we can see immediate feedback: how many vulnerabilities there are, what the code quality is, the
code quality metrics, and if there are any issues with the changes that we made. Since the feedback is immediate, the
developer can rectify it immediately and can further communicate changes. This helps us with product quality and having less
vulnerabilities in the early stages of development.

This solution is deployed on-premise.

WHAT IS MOST VALUABLE?

One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that
define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality.
With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage.
SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further
environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that
increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing
hackers to exploit the code.

Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in
Bitbucket, the code repository. Once I raise the pull request, the developer, team lead, or even the delivery lead can see the
code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP
vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do
penetration testing from the outside.


WHAT NEEDS IMPROVEMENT?

SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when
the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the
SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help
detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other
input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and
fix issues in the early stages, which would help us deliver the product and reduce costs.

Another area with room for improvement is in regard to automating things, since the process currently needs to be done
manually.

Aside from other helpful features, the most important thing that SonarQube needs to do—the key feature—is to detect security
vulnerabilities. The rest of the other features are helpful to the developer and the team to deliver the product faster, but
security is a mandatory feature.

As for additional features, SonarQube covers most of the languages, but there is still room for improvement covering the latest
version of the tech stack—for example, Java 13. They're still improving, and they're focusing on SonarCloud nowadays.
Currently, we aren't using all the top quality features of SonarCloud. I also think it would be helpful if SonarQube could
integrate with Jira, a work management tool, or other communication tools, like Skype or Microsoft Teams, so that a bot could
report directly to the developer.

FOR HOW LONG HAVE I USED THE SOLUTION?

I have been using SonarQube for the past three years.

WHAT DO I THINK ABOUT THE STABILITY OF THE SOLUTION?

The stability and performance of SonarQube are good. We use it on a daily basis, as part of our code development.

As far as maintenance, it mainly happens when the product is being developed. There may be some features which can be
enhanced, based on customer feedback and the tech stack, such as how we can improve performance or have a deployment
with zero downtime. There are so many technologies coming, so many things happening, and there is always room for code
improvements and the product we develop. Our top considerations are quality and security, which are being improved in a
continuous process. There are many new features and enhancements coming in—for example, if you want to upgrade from
the Java 6 version, then you can upgrade the tech stack, which will reduce the number of lines of code and improve
performance.


WHAT DO I THINK ABOUT THE SCALABILITY OF THE SOLUTION?

This solution is easy to scale. The instances in which we are deploying it are easy to scale because we are using it in
production. We aren't supposed to deploy as part of the development, but the scalability feature is there because we are
using Ansible, Kubernetes, and Docker.

In our organization, there are currently around 25,000 people working with SonarQube.

WHICH SOLUTION DID I USE PREVIOUSLY AND WHY DID I SWITCH?

We also use Checkmarx and Snyk. One of the main differences between them and SonarQube is that they have dynamic
testing and analysis, rather than static analysis.

HOW WAS THE INITIAL SETUP?

The initial setup wasn't a complex process. It was straightforward, and I had no issues. The deployment happened
automatically and the pipeline was complete in three minutes. It depends on the scale of the project, the number of code
repositories, the number of modules you are deploying, and all that. I would say deployment should take five minutes,
maximum.

WHAT ABOUT THE IMPLEMENTATION TEAM?

We implemented this solution through an in-house team. Everything happens internally and we have our own internal tools, so
there are no third-parties involved in development.

WHAT'S MY EXPERIENCE WITH PRICING, SETUP COST, AND LICENSING?

I'm not too aware of the pricing because a different team covers that, but SonarQube has been on the market for a very long
time, so I would guess the pricing would be decent.


WHAT OTHER ADVICE DO I HAVE?

I rate SonarQube an eight out of ten.

To those looking to implement SonarQube, I would advise you not to run it manually—integrate it with tools like Bitbucket and
Jenkins, and make it automatic. If you change one line of code, the SonarQube should run automatically and give you the
report. Don't go and run it manually and check the reports and all—it should run automatically to the entire code base, not to
your particular module. So you need to configure that, as well as your project requirements and what code quality metrics will
be achievable—like 85% or 95%—because you want code quality for a better product, without loopholes. You need to
configure these things before starting to work with SonarQube.

WHICH DEPLOYMENT MODEL ARE YOU USING FOR THIS SOLUTION?

On-premises
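The pipeline shape the review describes (a commit to Bitbucket triggers Jenkins, Jenkins builds and runs the unit tests, SonarQube scans the result, and the Quality Gate decides whether the build may be promoted) corresponds to the declarative Jenkinsfile below. This is an added illustration and not the reviewer's own pipeline: it assumes a Maven-built Spring Boot project, a SonarQube server registered in Jenkins under the name SonarQube (which is what withSonarQubeEnv uses to inject the server URL and analysis token), a hypothetical project key my-spring-boot-app, and a webhook on the SonarQube server pointing at <jenkins-url>/sonarqube-webhook/ so that waitForQualityGate can receive the verdict. The 85% threshold the reviewer mentions is a condition in the Quality Gate defined on the SonarQube server, not something the Jenkinsfile sets.

```groovy
// Added example Jenkinsfile (declarative pipeline), not from the original report.
// Assumptions: Maven project; Jenkins SonarQube server entry named 'SonarQube';
// hypothetical project key 'my-spring-boot-app'; SonarQube webhook configured to
// call back <jenkins-url>/sonarqube-webhook/.
pipeline {
    agent any

    stages {
        stage('Build and unit test') {
            steps {
                // 'verify' compiles and runs the unit tests. With JaCoCo bound in the POM
                // it also writes the coverage report that the analysis stage sends to
                // SonarQube, which is what the coverage condition of the gate evaluates.
                sh 'mvn -B clean verify'
            }
        }

        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects SONAR_HOST_URL and the analysis token for the
                // named server, so no credentials are hard-coded in the pipeline.
                withSonarQubeEnv('SonarQube') {
                    sh 'mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar ' +
                       '-Dsonar.projectKey=my-spring-boot-app'
                }
            }
        }

        stage('Quality Gate') {
            steps {
                // Blocks until the SonarQube webhook reports the gate status, then fails
                // the build if the gate is not passed (for example, coverage below the
                // configured threshold or new vulnerabilities), so the artifact is never
                // promoted past this point.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

Trigger the job from the repository's push webhook (or a Bitbucket branch source) so that, as the reviewer recommends, every committed change is scanned without anyone running the scanner by hand. The gate conditions themselves (coverage on new code, new vulnerabilities, security hotspots reviewed) are maintained under Quality Gates on the SonarQube server and attached to the project; changing the threshold there changes what this stage enforces with no pipeline edit.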


Veracode review by a real user

Good reporting, comprehensive interface, and integrates well into our build pipeline

Software development program leader at Vendavo

Stephen Pack

WHAT IS OUR PRIMARY USE CASE?

My company produces a SaaS application that is used by very large customers for pricing analytics and sales workflows. The
data that our customers put into our software is very sensitive and confidential. This means that they want a high degree of
confidence that our solution is secure.

We use Veracode as one of the pillars that we can point to as helping us to deliver on the promise of having a secure product.
We have a multi-dimensional security program and Veracode is one important aspect of that.

HOW HAS IT HELPED MY ORGANIZATION?

Veracode provides guidance for fixing vulnerabilities. It provides guidance to help us understand what it flags, and what we
can do about it. It still takes some interpretation and insight on our side, but we aren't generally security experts, so we get
good information from Veracode to help inform us.

The developers are able to understand the types of issues Veracode looks for, and then as they see that happen, it helps
them to learn. It's good because they consider it the next time and hopefully, we don't need Veracode to flag the issue
because there is no issue.

With respect to efficiency when it comes to creating secure software, Veracode is able to help us with very low overhead.
There's not a lot of work needed on our side unnecessarily. Once we've wired everything together, it's seamless to get the
scan done and get the results back and know what we need to do about them.

We use Veracode for some of our older, more monolithic software, as well as for our newer solutions, which are designed to
be cloud-native. We've found Veracode useful in both use cases; first, with our huge monolithic software, as well as with our
microservices cloud-native solutions.

In terms of AppSec, there are a lot of benefits that cloud-native design brings in terms of not only cost and scalability, but
testability and security. Certainly, the design patterns of cloud-native are well aligned with delivering good security practices.
Working with products that support cloud-native solutions is an important part of our evolution.

Using Veracode has helped with developer security training and skill-building. It's definitely a good way to create awareness
and to deliver information that's meaningful and in context. It's not abstract or theoretical. It's the code that they've written
yesterday that they're getting feedback on, and it is a pretty ideal way to learn and improve.

The static scan capability is very powerful. It's very good in terms of the signal-to-noise ratio. The findings that we get are
meaningful, or at least understandable, and there's not a bunch of junk that some other code scanning tools can sometimes
produce. Having results like that makes it hard to find the valuable bits. Veracode is highly effective at finding meaningful
issues.

The speed of the static scan is okay. It meets or exceeds our expectations. For our monolithic application, which is a million
lines of code, it takes a while to scan, but that's totally understandable. If it could be done magically in five minutes, I wouldn't
say that's bad. Overall, it's very reasonable and appropriate.

Veracode has policy reporting features for ensuring compliance with industry standards and regulations. We have one such
policy configured and it's helpful to highlight high-priority areas. We can address and help focus our efforts, which ensures
that we're spending our time in the best way possible for security movement. The policy is a good structure to guide results
over time.

We use Veracode as one metric that we track internally. It gives us information in terms of knowing that we are resolving
issues and not introducing issues. I cannot estimate metrics such as, for example, Veracode has made us 10% more secure. I
can certainly say it's very important when we talk to our customers about the steps we follow. We do external pen tests, we do
web app pen tests, and we also use Veracode. It's certainly very helpful in those conversations, where we can state that it
is one of our security practices, but there's no outcome-based quantitative statistic that I can point to.

WHAT IS MOST VALUABLE?

The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our
continuous integration, continuous delivery system, so we can get insight quickly. We're doing scans daily, so that's the most
important feature for us.

The interface is great. It allows us to look at our different applications, understand all of the different types of scans, as well as
the results. The types of testing include SAST, DAST, and SCA, and it pulls all of the information together into a single view. It
also produces reports that we can give to our customers when requested.

Veracode certainly provides a quick and intuitive way to understand the results, to see the context of them, and to identify
what we need to do to address them. In general, it's a pretty quick way to get the information that we need in the most useful
way possible. Then, we can turn around an action plan.

We have it integrated with our build pipeline and that works well. It's very important because we don't have to complete a
separate, manual step of sending the software up to Veracode to scan it and get the results. It's great. The more things that we
can integrate into the build pipeline, the better. It's a very positive thing.

Veracode is very good in terms of not having a lot of false positives. It would be very frustrating if a tool gave you 10 good
results but 50 false positives. Even with the issues that we get that we choose not to address, we can still understand why
they're being flagged. We have found that the results are meaningful and accurate, which gives us confidence in the solution
when fixing vulnerabilities. 

We may choose not to address them for different reasons. For example, it could be because it's an issue about input
sanitization, but we have another layer on top of that component to handle that task. We can recognize that it's important that
Veracode is flagging those things at that lower level, and that they're bringing that additional insight and consideration to the
designs that we're choosing. Overwhelmingly, even the issues we choose not to address are still valuable and meaningful, so
the actual false positive rate is quite low.

This is a very useful and powerful tool that ensures our code is well-designed and correctly implemented. It is important that
it's only one aspect of a security program and not the only insight or the only test. That said, it provides us with some pretty
important feedback and insights that we wouldn't have a great way to get otherwise.


WHAT NEEDS IMPROVEMENT?

The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the
developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it. The
pricing model was expensive and the results were not the same as the full solution analysis. It gives a differently scoped "just
in time" analysis within the context of the IDE, so it didn't speak to the same problem space.

The best situation would be the one where the developers don't even need to log into the web portal, and the results from the
scans would be delivered into their IDEs. It would be an asynchronous job, but if they could see the results right there, while
they're working on the code, then they wouldn't need to go to a separate tool to look at the information to figure out what to
do next.

The workflow today on the build side is optimal, so imagine that's still doing the same thing but then in the backend, whenever
a developer has that project open in the browser, if they chose to, they could enable a view to see the most recent Veracode
results of that module. That scan might be from last night or six hours ago or any other point, and that's fine. It would be the
best possible situation to put the results and the actions right in front of the developer, in the tool that they're already using
when they're touching the code.

The only other thing that we've found a reasonable workaround with is how to work with microservices in the context of
Veracode. This was necessary because Veracode's licensing model and the interaction model are built around an idea of an
application. When you're talking about a section of business logic that's being delivered by possibly dozens of microservices,
there is some friction with Veracode in terms of how that application gets defined and how the scans occur and get reported
on.

When we reached out to Veracode about this, I got a slide deck that provided us with different options of how they
recommend proceeding in this context. It was helpful, and clearly a question they've considered and they had answers ready
to go on. The ideas helped us and essentially reinforced what we were already thinking. It's getting the job done, but it still
feels like a little bit of a square peg in a round hole and it could be a little smoother in terms of that interaction.

The problem boils down to how we fit the microservices architecture into the Veracode notion of an application. We need to
be able to get a holistic view across the microservices, which is extremely challenging, especially when those microservices
are owned by different teams who have different needs to see and respond to the scans. 

FOR HOW LONG HAVE I USED THE SOLUTION?

I have been using Veracode for between five and six years.


WHAT DO I THINK ABOUT THE STABILITY OF THE SOLUTION?

The stability is great. They've probably had some downtime, but I don't know about it. From our perspective, it's been
solid.

I know the web portal has some planned downtimes because I see the splash screens about them. They're good about
warning you, but they're also performed at very weird times, like the middle of the night, so it's never blocked me from getting
in when I need to get in.

WHAT DO I THINK ABOUT THE SCALABILITY OF THE SOLUTION?

We use Veracode for all of our software development. We have more than 100 engineers, and our entire engineering team is
using it. Obviously, every team has some designated people who look at this more than others, so not everybody's in there
every day, but in terms of the software we write, we know that it's all being scanned constantly.

Over the last few years, we've made a couple of acquisitions of other companies and when we've done that, we very quickly
brought those solutions in as well. We've seen the value and because of that, it's part of our onboarding process when we
integrate other companies into our environment.

If we create another solution or we acquire another company, we will certainly expand our use of Veracode to match within
our current solution stack.

HOW ARE CUSTOMER SERVICE AND SUPPORT?

The support has been good at understanding issues. There are two aspects of technical support. One concerns issues with
the platform in terms of functionality, and the other is that they will provide you with assistance in terms of interpreting your
findings.

Our experience from the technical side is that they helped us with figuring out how to best use the platform for microservices
applications. They were very helpful in that conversation.

We also have experience with the other layer of technical support that Veracode provides, which is where you can get
consultations about the findings. We've done a few of those where you set up an appointment with a Veracode engineer. It
helps to understand the results if the platform isn't totally clear on why something is a problem or what we need to do about it.
For us, that's been pretty good.

Obviously, the Veracode engineer doesn't have the full understanding of what our application does and in a short call, you
can't possibly do an architectural deep dive to understand the context of an issue, but their conversations have been useful
when we've had them in terms of understanding issues and context and if we need to do anything.


WHICH SOLUTION DID I USE PREVIOUSLY AND WHY DID I SWITCH?

Prior to using Veracode, we used other code quality scanning tools, but not anything at the level of Veracode for security
issues.

HOW WAS THE INITIAL SETUP?

The initial setup was straightforward. It was pretty easy to get going and we've incrementally gotten better and deeper as
we've used it over the years.

The initial setup was manual uploads of applications, and then it was about incorporating it into our build pipelines and using
the sandbox to support our microservices architecture. We've gotten more mature over time, but time to initial use and results
were very easy.

Only a very short time is required for deployment, as there is very little that has to be done. Ours was completed within a
couple of days and that's a matter of coordination in terms of getting our teams to upload a solution and figure it out. It was a
learning experience for us but there was no time or delay brought on by the solution.

When we first began with Veracode, the initial strategy was just to get our first solution uploaded and scanned and see what
the results looked like. We didn't have a systematic history of doing that, back then.

With approximately 500 employees, we're not a huge company. Deploying it in an enterprise company would be a different
situation but for us, it was just a matter of understanding how we needed to configure the platform and how we needed to
provide our software and states and get good results.

It probably took a couple of uploads of trial and error and we were running.

WHAT ABOUT THE IMPLEMENTATION TEAM?

We implemented the solution in-house. It is not that complicated.

In terms of maintenance, there is certainly some overhead involved for each team. They have to make sure that the build
pipeline integration is still working and essentially, that we're still getting results. Occasionally, for whatever reason, it breaks
and somebody has to go in and fix it.

I can't say that there is no staffing required for maintenance but it's rare. In total, a few hours a month across the company is
spent keeping it going. More time is spent evaluating and resolving the findings, which is part of our development work. That's
not imposed by the solution but rather a positive outcome from using Veracode. As such, I wouldn't count that as
maintenance. 


WHAT WAS OUR ROI?

We have seen a return on our investment with Veracode. I can't point to a dollar figure, but I've been directly involved
in customer conversations where we can talk about our security program and how Veracode is an important element. We've
distributed report summaries and talked about results with our customers and having this information in those conversations is
definitely valuable.

It's also very useful that we can talk about it with our security auditors. We have SOC 1, SOC 2, and ISO 27001, and they don't
specify that you must have a static analysis tool. But when we need to maintain secure engineering practices, having a tool
like Veracode is very important for us to demonstrate that to auditors. There's certainly value there as well.

There is also a tremendous value on the marketplace that we get from having those security audits and certificates, which is
a second-order of value that Veracode drives.

I can't say with certainty that Veracode reduces the cost of application security, although I would say that it focuses our effort.
It gives us guidance and prioritization on where we should spend time. Otherwise, we might not know about particular issues.
We might inadvertently spend time on things that aren't that valuable. So, the value is more about focusing on where we need
to spend time.

WHAT'S MY EXPERIENCE WITH PRICING, SETUP COST, AND LICENSING?

From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because
for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately.

I like that the platform provides you with some flexibility. We had to revise our licensing because it did not fit our environment.
We wanted to license based on the number of applications, rather than another measure such as the number of lines of code.
There was clearly some complexity that led us to be in that situation, although it seems preventable. Ever since our last
renewal, the licensing has been smooth and clear. There is a certain amount of flexibility in that regard but also, they allow us
some leeway in our current model.

There have been times when for some reason, we spin up a new application on a temporary basis. It may be because we're
trying a new configuration. Even though we're licensed for a certain number of applications, the platform lets us exceed that.
Consequently, we receive an email stating that we can't do that forever, but it's very useful to have the flexibility for the couple
of times that we've used it to briefly exceed the application count.

WHICH OTHER SOLUTIONS DID I EVALUATE?

I am not sure what other solutions, if any, the company looked at before choosing Veracode initially. We have renewed it since
that time and we pretty quickly decided to stick with Veracode, rather than switching. However, because of the relatively high
cost, we will probably evaluate other options next time it's up for renewal.


WHAT OTHER ADVICE DO I HAVE?

We see at least quarterly updates about new features or things that have been fixed. It happens without our involvement,
which is great.

My advice for anybody who is considering Veracode is to test it. Although I have not compared Veracode against other
products as part of an evaluation process, it would be very useful and very easy to actually try it. Upload your application, get
the results and take a look at what Veracode finds. This is the most useful activity somebody could do.

This is a product that lives up to its promise. It's easy to use, and it's predictable. There are some improvement opportunities
but on the whole, it's very good at what it does. 

I would rate this solution a nine out of ten.

WHICH DEPLOYMENT MODEL ARE YOU USING FOR THIS SOLUTION?

Public Cloud


Researched Veracode But Chose SonarSource

Review by a real user:

Senior Technical Architect at a tech services company with 501-1,000 employees

reviewer1158774

WHAT IS OUR PRIMARY USE CASE?

We are using SonarQube for scanning our services for issues as part of our IT department.

WHAT IS MOST VALUABLE?

SonarQube has a lot of value; it reviews the basic coding standards and security vulnerabilities of code, which helps to reduce
issues.

WHAT NEEDS IMPROVEMENT?

SonarQube could improve by scanning internal libraries, which it currently does not do. We are looking for a solution for this.

FOR HOW LONG HAVE I USED THE SOLUTION?

I have been using SonarQube for approximately three years.

WHAT DO I THINK ABOUT THE STABILITY OF THE SOLUTION?

SonarQube is a stable solution.


WHAT DO I THINK ABOUT THE SCALABILITY OF THE SOLUTION?

I have found SonarQube to be stable. However, we have not tested it with more than one million lines of code.

We have a server that SonarQube is running on and we have approximately 50 people using it.

HOW ARE CUSTOMER SERVICE AND SUPPORT?

We have used technical support in the past but not recently.

I would rate the support from SonarQube a four out of five.

WHICH SOLUTION DID I USE PREVIOUSLY AND WHY DID I SWITCH?

I have used Veracode previously.

HOW WAS THE INITIAL SETUP?

The initial setup is straightforward for SonarQube.

WHAT ABOUT THE IMPLEMENTATION TEAM?

We did the implementation in-house.

The DevOps team handles the maintenance of SonarQube.


WHAT'S MY EXPERIENCE WITH PRICING, SETUP COST, AND LICENSING?

We are using the Developer Edition and the cost is based on the amount of code that is being processed.

WHAT OTHER ADVICE DO I HAVE?

If SonarQube meets the needs of your use case, then use it.

I rate SonarQube an eight out of ten.

WHICH DEPLOYMENT MODEL ARE YOU USING FOR THIS SOLUTION?

Public Cloud

IF PUBLIC CLOUD, PRIVATE CLOUD, OR HYBRID CLOUD, WHICH CLOUD PROVIDER DO YOU USE?

Amazon Web Services (AWS)


Researched Veracode But Chose SonarSource

Review by a real user:

Security Project Leader at a computer software company with 501-1,000 employees

TUDOR CALINESCU

WHAT IS OUR PRIMARY USE CASE?

SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the
SonarLint plugin with Teamscale, which is then applied to the main product we are using.

WHAT IS MOST VALUABLE?

I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage,
code anomalies, and pointer access, that are handled by the business logic teams. They get the reports and they have to fix them
in JIRA or Bugzilla.

WHAT NEEDS IMPROVEMENT?

We have to combine several products in order to cover as many flaws as might exist in the code. We have to integrate
several products to cover the security functionality of the product. SonarQube should have better functionality to cover all areas
of security, limiting our need for other products.

We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are
applying SonarLint to large or complex code. It was when the code had to be analyzed that we ran into the main
issues. There were several routines involved in solving those performance issues, but this process should be improved.

FOR HOW LONG HAVE I USED THE SOLUTION?

I have been using this solution for approximately three years.


WHAT DO I THINK ABOUT THE STABILITY OF THE SOLUTION?

There can be some stability issues.

WHICH SOLUTION DID I USE PREVIOUSLY AND WHY DID I SWITCH?

I have used Veracode.

WHICH OTHER SOLUTIONS DID I EVALUATE?

I have evaluated many other solutions similar to SonarQube.

WHAT OTHER ADVICE DO I HAVE?

I rate SonarQube a six out of ten.


Vendor Directory

Vendor | Product
BetterCloud | BetterCloud
Bionic | Bionic
Blue Cedar | Blue Cedar
CAST | CAST Highlight
Cequence Security | Cequence Security
Checkmarx | Checkmarx
Cisco | Portshift
Contrast Security | Contrast Security Protect
Contrast Security | Contrast Security Assess
Conviso | Conviso Platform
Data Theorem | Data Theorem API Secure
Digital Defense | Frontline WAS
Digital.ai | Digital.ai Application Protection
Digital.ai | Digital.ai App Aware
ERPScan | ERPScan SMART Cybersecurity Platform
GitGuardian | GitGuardian Internal Monitoring
GitGuardian | GitGuardian Public Monitoring
GrammaTech | CodeSonar
HCL | HCL AppScan
IMMUNIO | IMMUNIO
Invicti | Acunetix
Invicti | Invicti
Jscrambler | Jscrambler
Kenna Security | Kenna.AppSec
Kiuwan | Kiuwan
MathWorks | Polyspace Code Prover
Micro Focus | Micro Focus SecurityScope [EOL]
Micro Focus | Micro Focus Fortify on Demand
Micro Focus | Fortify Application Defender
NSFOCUS | NSFOCUS WVSS
NTT Application Security | Sentinel Dynamic
Onapsis | Onapsis
Perforce | Klocwork
PortSwigger | PortSwigger Burp Suite Professional
Qualys | Qualys Web Application Scanning
Quotium | Quotium Seeker
Rapid7 | NT OBJECTives NTOSpider [EOL]
Reflectiz | Reflectiz
Semmle | Semmle QL
ShiftLeft | ShiftLeft
Snyk | Snyk
SonarSource | SonarQube
Sonatype | Sonatype Nexus Firewall
Sonatype | Sonatype Nexus Lifecycle
Spirent | Spirent CyberFlood
Sqreen | Sqreen
Synopsys | Coverity
Tenable Network Security | Tenable.io Web Application Scanning
Trend Micro | Trend Micro Cloud One Application Security
Trustwave | Trustwave App Scanner [EOL]
Veracode | Veracode
Virsec Systems | Virsec Security Platform
w3af | w3af
Waratek | Waratek ARMR
WhiteSource | WhiteSource


Top Application Security Vendors


Over professionals have used PeerSpot research. Here are the top vendors based on product reviews, ratings, and comparisons. All
reviews and ratings are from real users, validated by our triple authentication process.

Chart Key

Views: number of views on PeerSpot
Comparisons: number of times compared to another product
Reviews: total number of reviews on PeerSpot
Words/Review: average words per review
Average Rating: average rating based on reviews

Bar length
The total ranking of a product, represented by the bar length, is based on a weighted aggregate score. The score is calculated as follows:

For each ranking factor of Reviews, Views, and Comparisons, the product with the highest count in each ranking factor gets a maximum 18
points. Every other product gets assigned points based on its total in proportion to the #1 product in that ranking factor. For example, if a
product has 80% of the number of reviews compared to the product with the most reviews then the product's points for reviews would be 18
* 80% = 14.4.

Both Rating and Words/Review are awarded on a fixed linear scale. For Rating, the maximum score is 28 points awarded linearly between 6-
10 (e.g. 6 or below=0 points; 7.5=10.5 points; 9.0=21 points; 10=28 points). For Words/Review, the maximum score is 18 points awarded
linearly between 0-900 words (e.g. 600 words = 12 points; 750 words = 15 points; 900 or more words = 18 points). If a product has fewer than
ten reviews, the point contribution for Rating and Words/Review is reduced: 1/3 reduction in points for products with 5-9 reviews, two-thirds
reduction for products with fewer than five reviews.

Reviews that are more than 24 months old, as well as those written by resellers, are completely excluded from the ranking algorithm.

All products with 50+ points are designated as a Leader in their category.
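The scoring rules above are stated in prose only; the report does not print the resulting point totals. The following Python is an added worked example, not part of the PeerSpot report, that applies those rules (18 proportional points each for Reviews, Views and Comparisons; 28 points for Rating on a linear 6-10 scale; 18 points for Words/Review on a linear 0-900 scale; one-third and two-thirds reductions for products with 5-9 and fewer than 5 reviews; 50+ points = Leader) to the figures printed in the chart that follows. It assumes the printed counts are already the filtered counts, i.e. that reviews older than 24 months and reseller reviews were excluded before the chart was produced; the per-product totals are this example's own calculation.

```python
# Added example: PeerSpot's published ranking formula applied to the ten products
# in the "Top Application Security Vendors" chart. The totals computed here are
# not printed in the report; they follow from the stated rules and chart figures.

from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    name: str
    views: int
    comparisons: int
    reviews: int
    words_per_review: int
    rating: float


# Figures copied from the chart. Assumption: these counts already exclude
# reviews older than 24 months and reseller reviews, as the methodology says.
CHART = [
    Product("SonarQube", 87_773, 72_214, 59, 492, 8.0),
    Product("Veracode", 54_238, 30_557, 25, 1_340, 8.2),
    Product("Snyk", 24_805, 18_838, 18, 1_603, 8.3),
    Product("Sonatype Nexus Lifecycle", 24_511, 14_295, 11, 1_510, 8.5),
    Product("Checkmarx", 42_545, 32_912, 18, 469, 7.6),
    Product("PortSwigger Burp Suite Professional", 20_991, 17_004, 16, 463, 8.5),
    Product("Micro Focus Fortify on Demand", 23_195, 17_199, 16, 522, 7.9),
    Product("Contrast Security Assess", 3_136, 1_393, 7, 2_218, 8.9),
    Product("GitGuardian Internal Monitoring", 633, 123, 7, 1_713, 8.9),
    Product("Coverity", 20_707, 15_398, 5, 689, 7.6),
]


def proportional_points(value, best, maximum=18.0):
    """Points in proportion to the product with the highest count in that factor."""
    return maximum * value / best


def rating_points(rating):
    """28 points awarded linearly between a rating of 6 (0 points) and 10 (28 points)."""
    clamped = min(max(rating, 6.0), 10.0)
    return 28.0 * (clamped - 6.0) / 4.0


def words_points(words):
    """18 points awarded linearly between 0 and 900 words; 900 or more is the cap."""
    return 18.0 * min(words, 900) / 900


def review_count_factor(reviews):
    """Rating and Words/Review weight is cut by 1/3 for 5-9 reviews and by 2/3 below 5."""
    if reviews >= 10:
        return 1.0
    if reviews >= 5:
        return 2.0 / 3.0
    return 1.0 / 3.0


def score(p, products):
    """Weighted aggregate score for one product relative to the others in the chart."""
    best_views = max(q.views for q in products)
    best_comparisons = max(q.comparisons for q in products)
    best_reviews = max(q.reviews for q in products)
    activity = (proportional_points(p.views, best_views)
                + proportional_points(p.comparisons, best_comparisons)
                + proportional_points(p.reviews, best_reviews))
    quality = (rating_points(p.rating) + words_points(p.words_per_review))
    return activity + quality * review_count_factor(p.reviews)


def is_leader(p, products):
    """Products with 50 or more points are designated Leaders."""
    return score(p, products) >= 50.0


def ranking(products=CHART):
    """Products ordered by descending score, as (name, score, leader) tuples."""
    rows = [(p.name, round(score(p, products), 2), is_leader(p, products)) for p in products]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for rank, (name, points, leader) in enumerate(ranking(), start=1):
        print(f"{rank:2d} {name:<38} {points:6.2f} {'Leader' if leader else ''}")
```

Under these rules the computed order reproduces the chart's printed order 1 through 10, and only the two products that score 50 or more (SonarQube at 77.84 and Veracode at about 59.8) clear the Leader threshold; Snyk lands just below it at roughly 49.4 because its Views, Comparisons and Reviews are each well under the category leader's. The Rating and Words/Review scales are fixed, so a product with few page views can still gain up to 46 points from review quality alone, which is why Contrast Security Assess and GitGuardian Internal Monitoring rank above Coverity despite far fewer views.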

1 SonarQube

87,773 views 72,214 comparisons 59 reviews 492 words/review 8.0 average rating

2 Veracode

54,238 views 30,557 comparisons 25 reviews 1,340 words/review 8.2 average rating

3 Snyk

24,805 views 18,838 comparisons 18 reviews 1,603 words/review 8.3 average rating


4 Sonatype Nexus Lifecycle

24,511 views 14,295 comparisons 11 reviews 1,510 words/review 8.5 average rating

5 Checkmarx

42,545 views 32,912 comparisons 18 reviews 469 words/review 7.6 average rating

6 PortSwigger Burp Suite Professional

20,991 views 17,004 comparisons 16 reviews 463 words/review 8.5 average rating

7 Micro Focus Fortify on Demand

23,195 views 17,199 comparisons 16 reviews 522 words/review 7.9 average rating

8 Contrast Security Assess

3,136 views 1,393 comparisons 7 reviews 2,218 words/review 8.9 average rating

9 GitGuardian Internal Monitoring

633 views 123 comparisons 7 reviews 1,713 words/review 8.9 average rating

10 Coverity

20,707 views 15,398 comparisons 5 reviews 689 words/review 7.6 average rating


Top 5 Solutions by Ranking Factor


Views

1 SonarQube 87,773

2 Veracode 54,238

3 Checkmarx 42,545

4 Snyk 24,805

5 Sonatype Nexus Lifecycle 24,511

Reviews

1 SonarQube 59

2 Veracode 25

3 Checkmarx 18

4 Snyk 18

5 PortSwigger Burp Suite Professional 16

Words / Review

1 Contrast Security Assess 2,218

2 GitGuardian Internal Monitoring 1,713

3 Snyk 1,603

4 Sonatype Nexus Lifecycle 1,510

5 Sonatype Nexus Firewall 1,355


About this report


This report comprises a list of enterprise-level vendors. We have also included several real user reviews posted on peerspot.com. The
reviewers of these products have been validated as real users based on their LinkedIn profiles, to ensure that they provide reliable opinions
and not those of product vendors.

About PeerSpot
The Internet has completely changed the way we make buying decisions. We now use ratings and review sites to see what other real users
think before we buy electronics, book a hotel, visit a doctor or choose a restaurant. But in the world of enterprise technology, most of the
information online and in your inbox comes from vendors, whereas what you really want is objective information from other users.

We created PeerSpot to provide technology professionals like you with a community platform to share information about enterprise software,
applications, hardware and services.

We commit to offering user-contributed information that is valuable, objective and relevant. We protect your privacy by providing an
environment where you can post anonymously and freely express your views. As a result, the community becomes a valuable resource,
ensuring you get access to the right information and connect to the right people, whenever you need it.

PeerSpot helps tech professionals by providing:

• A list of enterprise-level vendors
• A sample of real user reviews from tech professionals
• Specific information to help you choose the best vendor for your needs

Use PeerSpot to:

• Read and post reviews of vendors and products
• Request or share information about functionality, quality, and pricing
• Contact real users with relevant product experience
• Get immediate answers to questions
• Validate vendor claims
• Exchange tips for getting the best deals with vendors

PeerSpot
244 5th Avenue, Suite R-230 • New York, NY 10001
www.peerspot.com
[email protected]
+1 646.328.1944
