security, static-analysis, veracode

What are some really good and practical alternatives for Veracode


I am relatively new to and unfamiliar with the concept of SCA and vulnerability scans, and I've just heard about Veracode. I want to venture into more options that are available which share some (or have some additional) functionality with Veracode. Thanks!


Solution

  • Veracode provides us with three kinds of scans, namely:

    • Static Scans (SAST) - require source code and are integrated into the SDLC at an early stage
    • Dynamic Scans (DAST) - require a running instance and are integrated towards the end of the SDLC
    • Manual PenTest
    • SCA - part of SAST, checks for vulnerabilities in the libraries you are using for your project

    For more information on the difference between SAST and DAST: https://www.synopsys.com/blogs/software-security/sast-vs-dast-difference/

    After researching for a while, Checkmarx can be used as an alternative SAST solution to Veracode, and it offers SCA just like Veracode too.