What users are saying about
45 Ratings
Score 8.4 out of 100
Based on 45 reviews and ratings
Veracode
Customer Verified
Top Rated
158 Ratings
Score 9 out of 100
Based on 158 reviews and ratings
Attribute Ratings
- Tenable.io is rated higher in 2 areas: Likelihood to Renew, Support Rating
- Veracode is rated higher in 1 area: Likelihood to Recommend
| Attribute | Tenable.io | Veracode |
| --- | --- | --- |
| Likelihood to Recommend | 8.0 (80%, 6 Ratings) | 8.9 (89%, 106 Ratings) |
| Likelihood to Renew | 9.0 (90%, 1 Rating) | 8.2 (82%, 4 Ratings) |
| Usability | N/A (0 Ratings) | 7.3 (73%, 26 Ratings) |
| Availability | N/A (0 Ratings) | 9.1 (91%, 1 Rating) |
| Performance | N/A (0 Ratings) | 6.4 (64%, 1 Rating) |
| Support Rating | 8.8 (88%, 4 Ratings) | 7.8 (78%, 54 Ratings) |
| Implementation Rating | N/A (0 Ratings) | 7.3 (73%, 2 Ratings) |
| Product Scalability | N/A (0 Ratings) | 7.3 (73%, 1 Rating) |
Likelihood to Recommend
Tenable.io
I've been using this product since it began as an open source product, I really like it and for the money, I think it's probably the best choice for most companies who need a product like this. Over the years I've seen the interface change quite a bit and sometimes I think it's a bit unclear how to do certain things and the different packages can be confusing, these are the only reasons I'm giving it a 9 instead of a 10.

Verified User
Director in Information Technology
Online Media Company, 201-500 employees
Veracode
It just works and allows for a left shift, which has been shown as a vast reduction in dev work and cost. With policy and other outlines, your security team can help Devs program safer applications and protect your company's platforms from vulnerability...
Information Security Architect
WEX
Financial Services, 10,001+ employees
Pros
Tenable.io
- Setup of the internal scanner was fairly simple and straightforward.
- An update came out for the internal scanner that allows you to add an Internal Certificate Authority for lookup.
- Has automated reporting to keep executives and compliance departments informed.
- Internal scanner can be configured to auto-update itself.
- "Recast Rules" allows your organization to redefine a vulnerability's classification, if it is not applicable or you disagree.
- External PCI scans allow you to remediate before submitting to Tenable.io for review.
- Tenable.io staff was very patient and helpful. They provided some limited guidance with remediation.
- Internal and External scans can be automated. The schedule for the automated scans is very granular.

Verified User
Administrator in Information Technology
Banking Company, 201-500 employees
Veracode
- The pipeline scan is a very fast way to scan code and inform developers if a new flaw is introduced by their pull requests.
- Upload & Scan provides an in-depth analysis of the codebase, with features like reporting being made easy.
- SCA Scans help us not only identify the vulnerabilities but also in helping fix them and in identifying if our application is using that part of the vulnerable library or not.
- Veracode is very easy to integrate into the CI/CD pipelines (especially Jenkins)

Verified User
Engineer in Engineering
Internet Company, 5001-10,000 employees
Cons
Tenable.io
- Have to switch between interfaces to access certain functionality
- Scan speeds/resource utilization at times
- Executive level reporting could do with some improvements

Verified User
Engineer in Engineering
Financial Services Company, 51-200 employees
Veracode
- There is an initial overhead on generating the binary artefacts for scanning. The binaries need to be loaded with debug symbols for Veracode to be able to trace the defect back to the file and line number. This is relatively easy for modern programming languages (e.g. Java) with latest build tools (e.g. maven/gradle) but can be quite challenging for languages which are platform specific (C/C++) and have dated build systems (e.g. make).
- Entry Point Selection. After the binaries are uploaded for scanning, the Veracode platform analyses them (pre-scan) and provides a list of 'modules' to be selected for scanning. Only the points of entry of program execution need to be selected here, based on the application architecture. The 3rd party modules on which your code is dependent on need to be uploaded but not selected as entry points for execution. This typically needs some fine-tuning and teams take some iterations to optimise. This would need the product architect inputs which teams generally do not understand, as they treat scanning in general as a DevSecOps responsibility and only after scanning, the developers/architects pitch in. For Veracode, their inputs are needed even during the scanning, for the first few scans at least.
- This is both a pro and a con. Veracode does not give any option to customise the scanning rules or tweak what it is scanning for. This makes for a much simpler setup but also gives no scope for creating an application-specific scanning profile. For instance, if I do not want Veracode to look for SQL injection for whatever reason, or if I want Veracode to only look for OWASP Top 10 vulnerabilities, I cannot configure.
- Long scan times, specifically for C/C++ based product/app scans. Some of the scans for enterprise scale product in C/C++ used to take quite many hours, and at times a couple of days. There have been improvements in this during the course of our 3 years of usage but in general, scans take a long time to complete.
Manager, Information Technology
Broadcom Inc.
Computer Software, 10,001+ employees
Pricing Details
Tenable.io
General
- Free Trial: —
- Free/Freemium Version: —
- Premium Consulting/Integration Services: —
- Entry-level set up fee? No
- Starting Price: —
Veracode
General
- Free Trial: —
- Free/Freemium Version: —
- Premium Consulting/Integration Services: —
- Entry-level set up fee? No
- Starting Price: —
Likelihood to Renew
Tenable.io
Tenable.io 9.0
Based on 1 answer
We like to renew Tenable each year we have had it so far.

Verified User
Administrator in Information Technology
Law Practice Company, 1001-5000 employees
Veracode
Veracode 8.2
Based on 4 answers
At this time, and we just renewed a month ago, I don't see any products out there overall that can offer what Veracode does. Yes, it's not cheap by any means, but for the money it's the best application security scanning tool out there.

Verified User
Engineer in Information Technology
Information Technology & Services Company, 10,001+ employees
Usability
Tenable.io
No score
No answers yet
No answers on this topic
Veracode
Veracode 7.3
Based on 26 answers
This used to be terrible. Had a difficult time figuring out where information was. Partly this was due to duplicative features, jargon labels, and user navigation. However, in the seven years I've been using the product, it has gotten better. Some of my issues were associated with trying to get scans to work unassisted. Now that scans, once set up, just run periodically, I don't have to deal with that as much. Part of this might also be that I've learned what I need to know about getting around. And still part of this assessment is in comparison to other tools out there that are even worse. Still, they could benefit from an investment in a full usability redesign from someone with an outside perspective, modernizing the UX but also studying and working through the bigger usability concerns. I would love to see better diagnostic tools around getting scans to work so I wouldn't need their tech support people to get scans to work. However, as long as the scheduler keeps going, my needs on this get ever rarer.
Chief Product Officer, Founder
Viakoo, Inc
Information Technology & Services, 11-50 employees
Reliability and Availability
Tenable.io
No score
No answers yet
No answers on this topic
Veracode
Veracode 9.1
Based on 1 answer
Veracode has always been up and available to us.

Verified User
Vice-President in Information Technology
Insurance Company, 11-50 employees
Performance
Tenable.io
No score
No answers yet
No answers on this topic
Veracode
Veracode 6.4
Based on 1 answer
At this point, it runs well and mostly in a timely fashion. Dynamic scans take days but this may be a config issue still to be resolved.

Verified User
Vice-President in Information Technology
Insurance Company, 11-50 employees
Support Rating
Tenable.io
Tenable.io 8.8
Based on 4 answers
Support is usually really great at walking you through any steps you need to take when you get stuck on something. There are a few false positives and errors that have come up over the years that required their help to get through. Unfortunately, the steps required to diagnose some problems are more tedious than I think should be necessary. (IE: SQL instances can throw errors that clog up your logs because one plugin affects it in a certain way. The process to diagnose this is to watch timestamps of plugins in a log while monitoring the SQL logs at the same time and using your best guess as to what is causing it.)
Information Security Analyst
Randall-Reilly
Marketing and Advertising, 201-500 employees
Veracode
Veracode 7.8
Based on 54 answers
Veracode Support has been great. Any time I have had a question, they have responded in a prompt manner. I'd say nine out of ten times they are able to resolve any issues that have come up with a short email exchange. For issues requiring a bit more investigation, their consultants are tops.
Senior Configuration Manager
McKesson
Hospital & Health Care, 10,001+ employees
Implementation Rating
Tenable.io
No score
No answers yet
No answers on this topic
Veracode
Veracode 7.3
Based on 2 answers
We use it as a SAS service, so really just getting our teams to mold the use of Veracode into their SDLC has been a process of years in the making. It comes down to what your teams are ready and willing to accept and change. Management is key in getting their groups on board with using it regularly. If it doesn't have management backing, your security teams have little to no influence in getting this process off the ground fully.

Verified User
Engineer in Information Technology
Information Technology & Services Company, 10,001+ employees
Alternatives Considered
Tenable.io
Tenable.io has a comparable set of features, with excellent support and a competitive price. After less than desirable experiences with another company, we moved to Tenable and haven't looked back since.
Cloud Security Architect/SQL Server DBA
BLUE MOTOR FINANCE LIMITED
Financial Services, 51-200 employees
Veracode
I have used SonarQube for code quality and security analysis in the past, but Veracode's Software Composition Analysis makes a big difference in terms of identifying vulnerabilities in dependencies. It would make it a lot easier if the IDE plugin could show the transitive dependency that introduces the vulnerabilities. I'm very pleased [in] Veracode reporting so far.

Verified User
Professional in Engineering
Financial Services Company, 5001-10,000 employees
Scalability
Tenable.io
No score
No answers yet
No answers on this topic
Veracode
Veracode 7.3
Based on 1 answer
It meets our needs.

Verified User
Vice-President in Information Technology
Insurance Company, 11-50 employees
Return on Investment
Tenable.io
- Since this is a requirement for our PCI compliance and the cost is relatively low, the ROI isn't really something we need to think too much about, Tenable's pricing is fair and affordable.

Verified User
Director in Information Technology
Online Media Company, 201-500 employees
Veracode
- As I already stated, the cost per application is very high, which makes the use of Veracode too expensive for many of our applications.
- The analysis report is accepted by our clients as a proper SSAT report.
- Most of our competition does not perform any type of SSAT on the applications they create. This is something we offer, and we are the only one out there doing this type of testing.
Sr. Systems and Security Architect
Mathematica Policy Research
Research, 1001-5000 employees