Onapsis vs. Veracode

Overview
ProductRatingMost Used ByProduct SummaryStarting Price
Onapsis
Score 9.0 out of 10
N/A
Onapsis, headquartered in Boston, offers application security software to enterprises in the form of the Onapsis Security Platform for SAP and the Onapsis Security Platform for Oracle E-Business Suite.N/A
Veracode
Score 8.7 out of 10
Mid-Size Companies (51-1,000 employees)
Veracode provides advanced application security solutions, trusted by enterprises to develop and maintain secure software. Its platform identifies exploitable risks, speeds up vulnerability remediation, and reduces security debt at scale using a proprietary AI-assisted remediation engine.N/A
Pricing
OnapsisVeracode
Editions & Modules
No answers on this topic
No answers on this topic
Offerings
Pricing Offerings
OnapsisVeracode
Free Trial
NoYes
Free/Freemium Version
NoYes
Premium Consulting/Integration Services
NoNo
Entry-level Setup FeeNo setup feeNo setup fee
Additional DetailsDeveloper pricing options available
More Pricing Information
Community Pulse
OnapsisVeracode
Considered Both Products
Onapsis
Chose Onapsis
Onapsis reduces risk and protects critical operations which protect the applications powering business by continuously monitoring for vulnerabilities and prioritizing remediation based on risk assessment. Onapsis is also a great tool as it implements continuous compliance. It …
Chose Onapsis
Honestly, I havent use something like Onapsis before and currently I am not aware if there is something similiar out there. They are one of a kind and is a complete suit, so is unlikelly that someone from outside will appear with a better solution.
Veracode
Chose Veracode
We selected Veracode after testing these tools with 3 important solutions and Veracode had a great ratio of findings, with low false positive, and the best price between the tools that were good enough.
Chose Veracode
I found SonarQube to have some decent data for code quality checks but it underperformed for code security.

Snyk is a decent product and strong competitor to Veracode for SCA. Snyk's SAST offering is not as good as Veracode and does not support as many languages.
Chose Veracode
Sonatype only identifies and scans third-party dependency and not custom-developed code—at least that's what it was doing back in 2018 when I used to utilize its services. Interface-wise, too, Veracode looks much cleaner and easier to navigate than Sonatype. Support and …
Chose Veracode
As mentioned previously, we're always considering other options. Veracode is what we need right now, and I don't think it would be fair to competitors to compare them to what we need right now. Tomorrow, we might need something else and not require Veracode—that isn't a change …
Chose Veracode
Veracode seems to provide better support and good scan coverage. Veracode also provides multiple scan types like Dynamic, Static Code, Software Composition which others may only offer 1 or 2. I might be missing it but some others like Sentinel provide schedule monthly, …
Chose Veracode
Veracode is slower with scan results however the flaws discovered and sites crawled are almost the same. Rapid7 InsightAppSec only does dynamic scans. Veracode did find more links on a site crawl. Rapid7 InsightappSec has more out of the box reports than Veracode. Both …
Chose Veracode
Veracode is easier to integrate and faster than Fossa although Mend has more visual features
Chose Veracode
Veracode was brought in to supplement services previously provided by other vendors. As our org recently acquired another organization, we identified Veracode as a 'go-forward' system needed to consolidate security tooling in the organization.
Chose Veracode
PortSwigger Burp Suite, Cisco SecureX, Microsoft Defender for Cloud and Darktrace
Chose Veracode
Mend.IO formerly WhiteSource software is a product we used prior to Vericode. It did not have all of the capabilities or depth of Vericode. Additionally, Whitesource did not offer automatic scanning as part of their product and there was no Certification program to speak of.
Chose Veracode
We used Accunetix as well mainly for web site security testing. We used Veracode for code and third party analysis.
Chose Veracode
Sonar cube was quicker, but not as thorough. Both integrated into our CI/CD pipeline, however the integration for Veracode is more straight forward.
Chose Veracode
Veracode is much better at uncovering security weaknesses and providing information and consulting. I use Veracode because our company decided for.
Chose Veracode
Veracode stands out as the best of breed for all types of AppSec scanners.
Chose Veracode
The maturity of the Veracode and the continuous improvements in its products it's one of the principal characteristics of chosee it, Veracode it's a SaaS platform and was born in the cloud, so this is a great option for our clients to be quick to implement also the easy of …
Chose Veracode
Checkmarx and Veracode have a few common points and some features which are different. Checkmarx UI is more user-friendly, but the level of detailing in Veracode reports is better. Veracode is a good choice for static analysis of code. if the user interface can be made smoother …
Chose Veracode
As the developer, not the business stakeholder, I did not select Veracode specifically. However, after using the application I believe it was the right choice. Veracode is thorough in its analyses, in its database of flaws, in its methodology of uncovering vulnerabilities, and …
Chose Veracode
One Stop solution for security evaluation. Others were not so accurate and covering all the scenarios we were looking to plug.
Chose Veracode
Veracode is the clear choice. We evaluated the other products, but none compared to Veracode as an industry standard.
Best Alternatives
OnapsisVeracode
Small Businesses
GitLab
GitLab
Score 8.7 out of 10
GitLab
GitLab
Score 8.7 out of 10
Medium-sized Companies
Veracode
Veracode
Score 8.7 out of 10
GitLab
GitLab
Score 8.7 out of 10
Enterprises
Veracode
Veracode
Score 8.7 out of 10
GitLab
GitLab
Score 8.7 out of 10
All AlternativesView all alternativesView all alternatives
User Ratings
OnapsisVeracode
Likelihood to Recommend
9.0
(0 ratings)
8.7
(0 ratings)
Likelihood to Renew
-
(0 ratings)
8.9
(0 ratings)
Usability
-
(0 ratings)
7.3
(0 ratings)
Availability
-
(0 ratings)
9.1
(0 ratings)
Performance
-
(0 ratings)
6.4
(0 ratings)
Support Rating
-
(0 ratings)
9.0
(0 ratings)
Implementation Rating
-
(0 ratings)
9.1
(0 ratings)
Configurability
-
(0 ratings)
6.4
(0 ratings)
Ease of integration
-
(0 ratings)
5.5
(0 ratings)
Product Scalability
-
(0 ratings)
7.3
(0 ratings)
Vendor post-sale
-
(0 ratings)
8.9
(0 ratings)
Vendor pre-sale
-
(0 ratings)
8.2
(0 ratings)
User Testimonials
OnapsisVeracode
Likelihood to Recommend
As a user, I would recommend Onapsis for people who are shorthanded in security or basis teams. One thing to be clear is that this is not a cheap product but still every penny counts here. If your SAP system has multiple products and connections then Onapsis is a great tool.
Read full review
* (+) Report generation for our clients: reports are very comprehensive and look professional. * (-) Veracode pipeline scan: takes too much time, need to split our application so that it can fit within the timeout (2h). Currently we're not able to use it, we still use "upload & scan" functionality in our CI pipelines. This is a showstopper to be able to break the build in case of new vuln, and also to use Fix AI based tool.
Read full review
Pros
  • Eliminating the manual process improves the overall accuracy of results and also frees up valuable resources to focus on other different projects.
  • Onapsis provides great leverage to our technical teams in order to review in a standardized way of the landscape.
  • Onapsis always matches vulnerabilities with useful context and finds possible solutions.
  • Onapsis is usually implemented to continuously monitor, and alert us on any issues on the SAP systems. Not only this but implementing Onapsis also eliminates the network on the year-end and month-end audits and helps in making the overall process faster, smooth, efficient as well as accurate.
Read full review
  • I like the support given by Veracode, they are very responsive and they help you get things done.
  • Veracode has well documented steps for administrating the platform and managing integrations for code scanning.
  • Veracode is easy to use and the integration of to code repositories is seemless.
Read full review
Cons
  • Multiple UIs
  • No proper customization of UI log-off
  • Tedious setup of Control component
  • No proper error messages received
Read full review
  • We would like to see Veracode continue to improve the integrations available, particularly with respect to .NET IDEs. Part of our development team uses JetBrains' Rider which is, as of this time, unsupported for static integration.
  • We would also like to see Veracode continue to improve their dynamic scan offerings; with the recent addition of DAST Essentials we feel this improvement may come sooner than later.
Read full review
Likelihood to Renew
No answers on this topic
At this time, and we just renewed a month ago, I dont see any products out there overall that can offer what Veracode does. Yes, its not cheap by any means, but for the money its the best application security scanning tool out there.
Read full review
Usability
No answers on this topic
- Almost no setup required and easy to configure - Very easy to use, intuitive UI with integrated analytics and learning portals. - Seamless to review the results, triage them, generate reports. - Security progression of the product/application is tracked via successive scans. - Privileges/Roles nicely fine grained and tightly controlled to let teams "view" only their products.
Read full review
Reliability and Availability
No answers on this topic
Veracode has always been up and available to us.
Read full review
Performance
No answers on this topic
At this point, it runs well and mostly in a timely fashion. Dynamic scans take days but this may be a config issue still to be resolved.
Read full review
Support Rating
No answers on this topic
Overall, Veracode support is helpful, community support is great, and documentation is available for self-service. Our Customer Success Manager is very helpful and reaches out regularly to see if we need assistance. We have not utilized many of the other resources offered by Veracode, however, in the future we would like to leverage secure coding training for our Development teams.
Read full review
Implementation Rating
No answers on this topic
We use it as a SAS service, so really just getting our teams to mold the use of Veracode into their SDLC has been a process of years in the making. It comes down to what your teams are ready and willing to accept and change. Management is key in getting their groups on board with using it regularly. If it doesnt have management backing, your security teams have little to no influence in getting this process off the ground fully.
Read full review
Alternatives Considered
There are other tools which we have compared with Onapsis,
  1. SAP ETD
  2. SAP CVA
  3. SecurityBridge
These tools along with the highlighted ones in the above list do not cover all components of Onapsis and as far as we have seen, there is no tool providing the same competencies. It provides good insights, and is constantly updating. On top of that Onapsis Research Labs constantly contributes towards SAP Patch Tuesday regarding multiple "Hot News" vulnerabilities.
Read full review
Sonatype only identifies and scans third-party dependency and not custom-developed code—at least that's what it was doing back in 2018 when I used to utilize its services. Interface-wise, too, Veracode looks much cleaner and easier to navigate than Sonatype. Support and consultation with how-to guides and documents make Veracode easier to use.
Read full review
Scalability
No answers on this topic
It meets our needs.
Read full review
Return on Investment
  • Helps in automating the regulatory compliances
  • Increases productivity by freeing resources in the firm
  • Provides better protection for sensitive information
  • Tedious to implement
  • Time difference between the ERP systems and Onapsis Appliances may cause an issue
  • Difficult to troubleshoot as error messages are not clear
Read full review
  • Positive: Scanning all our applications on Veracode provides us an overview of our cyber security posture for the organization as a whole.
  • Positive: Performing the SAST, SCA and DAST scanning for all the applications at the early stages of the SDLC helps us identify and mitigate security vulnerabilities early, reducing the risk of data breaches and cyber-attacks.
  • Negative: Sometimes Veracode SAST scanner closed and reopens some findings, leading to reliability issues on the scanner itself.
Read full review
ScreenShots

Veracode Screenshots

Screenshot of a fixScreenshot of the Veracode PlatformScreenshot of SCAScreenshot of SCA Github