Tomcat is an open-source web server supported by Apache.
N/A
Veracode
Score 9.2 out of 10
Mid-Size Companies (51-1,000 employees)
Veracode provides advanced application security solutions, trusted by enterprises to develop and maintain secure software. Its platform identifies exploitable risks, speeds up vulnerability remediation, and reduces security debt at scale using a proprietary AI-assisted remediation engine.
These are not like Veracode, but things that we use in addition to Veracode to make sure we reduce our vulnerabilities, not only in our application but also in the dependencies that we add to our application.
Excellent value for companies wishing to host Java applications in the cloud. Utilizing hosting tools such as load balancers and network and application firewalls, Tomcat can be part of a powerful system to host web applications to thousands of users. There has been consistency in the development and support of Tomcat since its initial release in the late '90s and the best commonalities have been carried forward. If you host Java web applications, Tomcat is as good as any for an application server.
Veracode is well suited for development applications that can be made more secure right from the beginning. There is an excellent extension in Visual Studio that scans code from the IDE. However, it is less appropriate or incompatible with scanning SOAP or WSDL APIs. It supports only REST APIs.
Veracode performs Static Application Security Testing (SAST) very well by finding flaws in the code using entry points so that it tests for everything a user can interact with in the application. This approach is very helpful for avoiding a lot of false positives early on.
Veracode performs SCA automatically on every SAST scan, so that we don't have to manually scan the application again for SCA scans.
Veracode integrates very well with the ticketing tools, so that it becomes very easy to track every finding and its status within our ticketing tool.
Using tomcat manager to troubleshoot is not very informative. Error messages are vague, you have to dig into log files for more information about the problems.
Is great for simple web applications, but may not work for heavy development which may require a full J2EE stack, might like JBoss better.
Security in tomcat is not straightforward, as I discovered that you have to understand how to set up realms in tomcat in order to hash passwords, which I was not overly familiar with, which is a big deal when setting up users in the tomcat-users.xml file.
At this time, and we just renewed a month ago, I dont see any products out there overall that can offer what Veracode does. Yes, its not cheap by any means, but for the money its the best application security scanning tool out there.
Tomcat has a very rich API set which allows us to implement our automation script to trigger the deployment, configure, stop and start Tomcat from the command line. In our projects, we embedded Tomcat in our Eclipse in all of the developer's machines so they could quickly verify their code with little effort, Azure Webapp has strong support for Tomcat so we could move our application to Azure cloud very easy. One drawback is Tomcat UI quite poorly features but we almost do not use it.
- Almost no setup required and easy to configure - Very easy to use, intuitive UI with integrated analytics and learning portals. - Seamless to review the results, triage them, generate reports. - Security progression of the product/application is tracked via successive scans. - Privileges/Roles nicely fine grained and tightly controlled to let teams "view" only their products.
Tomcat doesn't have a built-in watchdog that ensures restart upon failure, so you have to provide it externally. A very good solution is java service wrapper. The community edition is able to restart Tomcat upon out of memories exceptions.
Tomcat support to customize memory used and allow us to define the Connection pool and thread pool to increase system performance and availability, Tomcat server itself consume very little memory and almost no footprint. We use Tomcat in our production environment which has up to thousands of concurrent users and it is stable and provides a quick response.
Overall, Veracode support is helpful, community support is great, and documentation is available for self-service. Our Customer Success Manager is very helpful and reaches out regularly to see if we need assistance. We have not utilized many of the other resources offered by Veracode, however, in the future we would like to leverage secure coding training for our Development teams.
We use it as a SAS service, so really just getting our teams to mold the use of Veracode into their SDLC has been a process of years in the making. It comes down to what your teams are ready and willing to accept and change. Management is key in getting their groups on board with using it regularly. If it doesnt have management backing, your security teams have little to no influence in getting this process off the ground fully.
Eclipse Jetty is the best alternative for Apache Tomcat because which is also an open-source and lightweight servlet container like Tomcat. A major advantage of this over Tomcat is that Jetty server can easily be embedded with the source code of web applications. Since it requires less memory to operate, you may realize that it is very efficient.
Veracode is slower with scan results however the flaws discovered and sites crawled are almost the same. Rapid7 InsightAppSec only does dynamic scans. Veracode did find more links on a site crawl. Rapid7 InsightAppSec has more out of the box reports than Veracode. Both integration to DevOps tools were striaghtforward.
Tomcat is cheap and very quick to deploy, so it has benefited much when situation needs applications to be deployed quickly without wasting time on licensing and installations.
Plenty of documentation available so no vendor training is required. Support contract is not needed as well.
Veracode's platform has had a very positive impact on our security posture, paving the path towards having coverage monitored automatically on hundreds of internal applications throughout the development lifecycle.
Veracode's platform has also had a very positive impact on improving the security knowledge of our development team, providing meaningful feedback as well as training options to reduce mitigation time and help to prevent flaws before they are created.
