What users are saying about
<a href='https://www.trustradius.com/static/about-trustradius-scoring#question3' target='_blank' rel='nofollow noopener'>Customer Verified: Read more.</a>
Top Rated
158 Ratings
2 Ratings
<a href='https://www.trustradius.com/static/about-trustradius-scoring' target='_blank' rel='nofollow noopener'>trScore algorithm: Learn more.</a>
Score 9 out of 100

Veracode

<a href='https://www.trustradius.com/static/about-trustradius-scoring#question3' target='_blank' rel='nofollow noopener'>Customer Verified: Read more.</a>
Top Rated
158 Ratings
<a href='https://www.trustradius.com/static/about-trustradius-scoring' target='_blank' rel='nofollow noopener'>trScore algorithm: Learn more.</a>
Score 9 out of 100

Attribute Ratings

  • CAST Highlight is rated higher in 2 areas: Likelihood to Recommend, Support Rating

Likelihood to Recommend

10.0

CAST Highlight

100%
1 Rating
8.9

Veracode

89%
105 Ratings

Likelihood to Renew

CAST Highlight

N/A
0 Ratings
8.2

Veracode

82%
4 Ratings

Usability

CAST Highlight

N/A
0 Ratings
7.2

Veracode

72%
25 Ratings

Availability

CAST Highlight

N/A
0 Ratings
9.1

Veracode

91%
1 Rating

Performance

CAST Highlight

N/A
0 Ratings
6.4

Veracode

64%
1 Rating

Support Rating

10.0

CAST Highlight

100%
2 Ratings
7.7

Veracode

77%
53 Ratings

Implementation Rating

CAST Highlight

N/A
0 Ratings
7.3

Veracode

73%
2 Ratings

Product Scalability

CAST Highlight

N/A
0 Ratings
7.3

Veracode

73%
1 Rating

Likelihood to Recommend

CAST Highlight

I think CAST is a great tool to give insight into your applications. The tool can be met with resistance from team members as the tool is going to expose defects that should be addressed. Out of the box, it may need some tailoring to focus on certain areas so that you are not overwhelmed with defects the first time you scan your code. But ultimately, you will want to eliminate all defects in the code and have all violations turned on.
Gene Baker | TrustRadius Reviewer

Veracode

It just works and allows for a left shift, which has been shown as a vast reduction in dev work and cost. With policy and other outlines, your security team can help Devs program safer applications and protect your company's platforms from vulnerability...
Robert Hood | TrustRadius Reviewer

Pros

CAST Highlight

  • Identifies common coding vulnerabilities.
  • Compares code to industry best practices.
  • Assesses the code for data privacy compliance.
Gene Baker | TrustRadius Reviewer

Veracode

  • The pipeline scan is a very fast way to scan code and inform developers if a new flaw is introduced by their pull requests.
  • Upload & Scan provides an in-depth analysis of the codebase, which features like reporting being made easy.
  • SCA Scans help us not only identify the vulnerabilities but also in helping fix them and in identifying if our application is using that part of the vulnerable library or not.
  • Veracode is very easy to integrate into the CI/CD pipelines (especially Jenkins)
Anonymous | TrustRadius Reviewer

Cons

CAST Highlight

  • Code scans could be faster. A large application may need to be broken down into smaller sub-applications in order to facilitate faster code scans.
  • We spent a lot of time trying to figure out how to best structure our code base in the application for ultimate performance.
Gene Baker | TrustRadius Reviewer

Veracode

  • There is an initial overhead on generating the binary artefacts for scanning. The binaries need to be loaded with debug symbols for Veracode to be able to trace the defect back to the file and line number. This is relatively easy for modern programming languages (e.g. Java) with latest build tools (e.g. maven/gradle) but can be quite challenging for languages which are platform specific (C/C++) and have dated build systems (e.g. make).
  • Entry Point Selection. After the binaries are uploaded for scanning, the Veracode platform analyses them (pre-scan) and provides a list of 'modules' to be selected for scanning. Only the points of entry of program execution need to be selected here, based on the application architecture. The 3rd party modules on which your code is dependent on need to be uploaded but not selected as entry points for execution. This typically needs some fine-tuning and teams take some iterations to optimise. This would need the product architect inputs which teams generally do not understand, as they treat scanning in general as a DevSecOps responsibility and only after scanning, the developers/architects pitch in. For Veracode, their inputs are needed even during the scanning, for the first few scans at least.
  • This is a both a pro and con. Veracode does not give any option to customise the scanning rules or tweak what it is scanning for. This makes for a much simpler setup but also gives no scope for creating an application-specific scanning profile. For instance, if I do not want Veracode to look for SQL injection for whatever reason, or if I want Veracode to only look for OWASP Top 10 vulnerabilities, I cannot configure.
  • Long scan times, specifically for C/C++ based product/app scans. Some of the scans for enterprise scale product in C/C++ used to take quite many hours, and at times a couple of days. There have been improvements in this during the course of our 3 years of usage but in general, scans take a long time to complete.
Śrinivāsa Rao Kuruba | TrustRadius Reviewer

Pricing Details

CAST Highlight

General

Free Trial
Yes
Free/Freemium Version
Premium Consulting/Integration Services
Yes
Entry-level set up fee?
Optional
Included

Starting Price

$25,000 per year

Veracode

General

Free Trial
Free/Freemium Version
Premium Consulting/Integration Services
Entry-level set up fee?
No

Starting Price

Likelihood to Renew

CAST Highlight

No score
No answers yet
No answers on this topic

Veracode

Veracode 8.2
Based on 4 answers
At this time, and we just renewed a month ago, I dont see any products out there overall that can offer what Veracode does. Yes, its not cheap by any means, but for the money its the best application security scanning tool out there.
Anonymous | TrustRadius Reviewer

Usability

CAST Highlight

No score
No answers yet
No answers on this topic

Veracode

Veracode 7.2
Based on 25 answers
This used to be terrible. Had a difficult time figuring out where information was. Partly this was due to duplicative features, jargon labels, and user navigation. However, in the seven years I've been using the product, it has gotten better.Some of my issues were associated with trying to get scans to work unassisted. Now that scans, once set up, just run periodically, I don't have to deal with that as much. Part of this might also be that I've learned what I need to know about getting around. And still part of this assessment is in comparison to other tools out there that are even worse. Still, they could benefit from an investment in a full useability redesign from someone with an outside perspective, modernizing the UX but also studying and working through the bigger usability concerns. I would love to see better diagnostic tools around getting scans to work so I wouldn't need their tech support people to get scans to work. However, as long as the scheduler keeps going, my needs on this get ever rarer.
David Nelson-Gal | TrustRadius Reviewer

Reliability and Availability

CAST Highlight

No score
No answers yet
No answers on this topic

Veracode

Veracode 9.1
Based on 1 answer
Veracode has always been up and available to us.
Anonymous | TrustRadius Reviewer

Performance

CAST Highlight

No score
No answers yet
No answers on this topic

Veracode

Veracode 6.4
Based on 1 answer
At this point, it runs well and mostly in a timely fashion. Dynamic scans take days but this may be a config issue still to be resolved.
Anonymous | TrustRadius Reviewer

Support Rating

CAST Highlight

CAST Highlight 10.0
Based on 2 answers
Tech support and pro services are top-notch.
Gene Baker | TrustRadius Reviewer

Veracode

Veracode 7.7
Based on 53 answers
Veracode Support has been great. Any time I have had a question, they have responded in a prompt manner. I'd say nine out of ten times they are able to resolve any issues that have come up with a short email exchange. For issues requiring a bit more investigation, their consultants are tops.
Teresa Kosinski | TrustRadius Reviewer

Implementation Rating

CAST Highlight

No score
No answers yet
No answers on this topic

Veracode

Veracode 7.3
Based on 2 answers
We use it as a SAS service, so really just getting our teams to mold the use of Veracode into their SDLC has been a process of years in the making. It comes down to what your teams are ready and willing to accept and change. Management is key in getting their groups on board with using it regularly. If it doesnt have management backing, your security teams have little to no influence in getting this process off the ground fully.
Anonymous | TrustRadius Reviewer

Alternatives Considered

CAST Highlight

These other tools only do a part of what CAST does. CAST gives a comprehensive view into the code looking at all aspects, code quality, security, maintainability, vulnerability, privacy, reuse, etc. These other tools only focus on one or two dimensions.
Gene Baker | TrustRadius Reviewer

Veracode

I have used SonarQube for code quality and security analysis in the past, but Veracode's Software Composition Analysis analysis makes a big difference in terms of identifying vulnerabilities in dependencies. It would make it a lot easier if the IDE plugin could show the transitive dependency the introduces the vulnerabilities. I'm very pleased [in] Veracode reporting so far.
Anonymous | TrustRadius Reviewer

Scalability

CAST Highlight

No score
No answers yet
No answers on this topic

Veracode

Veracode 7.3
Based on 1 answer
It meets our needs.
Anonymous | TrustRadius Reviewer

Return on Investment

CAST Highlight

  • I believe once we had the tool working for our code base, we immediately saw positive ROI.
  • We spent some time getting to where our code code be scanned efficiently but some of that was trying to do things ourselves instead of fully utilizing Cast Professional Services. I highly recommend to do an engagement with CAST to have them help setup the tool in your environment or to run it in the cloud for you.
Gene Baker | TrustRadius Reviewer

Veracode

  • As I already stated, the cost per application is very high which makes the use of Veracode too expensive for many of out applications.
  • The analysis report is accepted by our clients as a proper SSAT report.
  • Most of out competition does not perform any type of SSAT on the applications they create. This is something we offer and be the only one out there doing this type of testing.
Glenn Jones | TrustRadius Reviewer

Screenshots

Add comparison