Rapid7 AppSpider vs Veracode comparison

Read 199 Veracode reviews

16,278 Views
11,522 Comparison Views

90% willing to recommend

Rapid7 AppSpider

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Oct 8, 2024

Veracode and Rapid7 AppSpider are leading competitors in the application security testing category. Rapid7 AppSpider has the upper hand due to extensive features and vulnerabilities coverage, making it a preferred choice for advanced users despite its higher costs.

Features: Veracode is known for its extensive reporting capabilities, seamless integration with development tools, and user-friendly setup. Rapid7 AppSpider is favored for its broad vulnerability coverage, ease of automation, and superior scanning depth.

Room for Improvement: Veracode users suggest enhancements in the dashboard, streamlined onboarding process, and operational efficiency. Rapid7 AppSpider users call for improved speed, reduced false positives, and accuracy of results.

Ease of Deployment and Customer Service: Veracode offers straightforward deployment and attentive customer service, which benefits new users. Rapid7 AppSpider provides a robust, customizable deployment model, offering flexibility for customers seeking advanced solutions.

Pricing and ROI: Veracode offers lower initial setup costs, making it attractive for budget-conscious buyers, with promises of a quick ROI. Rapid7 AppSpider, while more expensive upfront, provides long-term value through extensive features and capabilities.

To learn more, read our detailed Rapid7 AppSpider vs. Veracode Report (Updated: April 2025).

Rapid7 AppSpider vs. Veracode

April 2025

Download the complete report

Helped 851,604 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

Rapid7 AppSpider

Ranking in Static Application Security Testing (SAST)

29th

Average Rating

7.8

Reviews Sentiment

6.7

Number of Reviews

Ranking in other categories

No ranking in other categories

Veracode

Ranking in Static Application Security Testing (SAST)

2nd

Average Rating

8.2

Reviews Sentiment

7.0

Number of Reviews

199

Ranking in other categories

Application Security Tools (2nd), Container Security (5th), Software Composition Analysis (SCA) (2nd), Penetration Testing Services (4th), Static Code Analysis (1st), Application Security Posture Management (ASPM) (1st)

Mindshare comparison

As of May 2025, in the Static Application Security Testing (SAST) category, the mindshare of Rapid7 AppSpider is 0.5%, down from 0.5% compared to the previous year. The mindshare of Veracode is 8.5%, down from 10.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

Andrei Bigdan

Executive Manager at B2B-Solutions LLC

Useful vulnerability reporting data, flexible, and simple implementation

I have had some stability problems but it could be the Microsoft Windows operating system. I found that closing other applications helps with stability. It is helpful to have as much memory as possible, such as eight gigabytes. The more pages being processed the more resources you need. I rate the stability of Rapid7 AppSpider a nine out of ten.

Read full review

AkashKhurana

Senior Software Engineer at Publicis Sapient

Easy to configure, stable, and good vulnerability detection

Veracode's ability to prevent vulnerable code from being deployed into production is crucial. Typically, if a dependency we use has security issues or concerns, Veracode suggests upgrading to a more secure version. For example, if we're using a PayPal dependency with version 1.3 and it has a security bug, Veracode suggests upgrading to version 1.4 which fixes the issue. We usually make our project compatible with version 1.4, but sometimes Veracode recommends removing the dependent code altogether and adding the updated dependency from another repository. Veracode provides suggestions for resolving security issues and we implement them in our code after resolving any conflicts. We run the Veracode scan again and if it fails, we do not deploy the code to production. This is critical as it ensures that security issues such as bugs and fixes are addressed. Veracode consistently assists us in identifying security issues in third-party dependencies, while also ensuring the maintenance of code quality. Preventing security bugs and threats in our code improves the overall code quality of our company, which is essential given the significant concerns surrounding security today. Veracode's policy reporting is helpful for ensuring compliance with industry standards and regulations. Veracode's solution plays a major role in achieving compliance, including HIPAA compliance. Without Veracode scans, identifying security threats and third-party dependencies would be a tedious task for DevOps professionals. Veracode provides visibility into the status of our application during every phase of development, including continuous integration and continuous development CI/CD pipeline stages. This includes builds, package creation for deployment, and various enrollment stages such as develop, queue, stage, above, and production enrollment. Prior to each stage, a Veracode scan is run. This can be accessed through Jenkins or the CI/CD pipeline by clicking on the Veracode scan option, which provides a detailed report highlighting any security issues and concerns. Veracode performs statistical analysis, dynamic analysis, software composition analysis, and manual penetration tests throughout our software development life cycle. Veracode scans not only for third-party security issues but also for possible issues in our own code. This occurs in every phase of development, including the SDLC. For example, if we use an encryption algorithm with a private or public key that is easy to decode, Veracode will identify this as an error or warning in the report and suggest using multiple layers of encryption for the keys. The entire CI/CD process is part of DevOps. Therefore, the responsibility of configuring the Veracode tool usually falls on the DevOps professional. It is essential to integrate Veracode with the CI/CD pipeline within the project to ensure it is always incorporated. Whenever there is a priority or mandatory check required before deployment, Veracode should run beforehand. This integration is carried out by our DevSecOps team. Veracode's false positive rate is good, as it helps us identify possible security concerns in our code. In my opinion, it is advisable to run a Veracode scan on all codes. I have worked in the IT industry for five years, and I have observed that Veracode has been implemented in every project I have worked on. If a tool is improving our code quality and providing us with insights into potential security issues, it is always beneficial to use it. The false positive rate boosts our developers' confidence in Veracode when addressing vulnerabilities. Veracode also provides suggestions when there is a security issue with a dependency in version 1.7, prompting us to consider using version 1.8, which does not have security issues. This process involves the developers, and it leaves a positive impression on our managers and clients, demonstrating our commitment to security. We can show them that we were previously using version 1.7 but updated to version 1.8 after identifying the security issue with Veracode's help. Unfortunately, there is no centralized platform to check for network issues or problems with dependencies and versions. Veracode provides a centralized solution where we can scan our project and receive results. Veracode has helped our organization address flaws in our software and automation processes. Its positive impact has been reflected in our ROI, which increased when we started using Veracode. Without Veracode, we would be susceptible to security issues and potential hacking. However, after implementing Veracode scans, we have not encountered any such problems. It is critical for us to use Veracode because we capture sensitive data such as pharmacy information for real-time users, including patient prescriptions and refill schedules. This sensitive data could pose a significant problem if our code or software has security vulnerabilities. Fortunately, Veracode scans allow us to prevent such issues. Veracode has helped our developers save time by providing a solution that eliminates the need to manually check for dependencies or search the internet for information on which dependencies have issues. Instead, Veracode provides a detailed report that identifies the issues and recommends the appropriate version to use. Using Veracode ensures the quality of our code and also saves time for our developers. In my career of five years, Veracode has helped me resolve code issues eight times. Veracode has reduced our SecOps costs by identifying security vulnerabilities in our code. Without Veracode, if we were to go live with these issues, it could result in a breach of our encrypted data, potentially causing significant harm to our organization. This would require significant time and cost to resolve the issue and restore the data. Veracode has improved the quality of our code and reduced the risk of such incidents occurring, thereby minimizing their impact on our organization.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"It scans all the components developed within a web application."

"AppSpider's most valuable feature is reporting - everything is stored in the local database so it can be sent to other machines."

"The most valuable feature of Rapid7 AppSpider is the vulnerability reporting data. Additionally, the data is reported in a convenient way rather than seeing them as a PDF. We are able to generate all the reports exactly what we want in a flexible way."

"The entire solution is interactive and has a point-and-click user experience, which makes it easy to find items or drill down on information. You don't need specialized skills to use the product."

"I would say that it is stable, as I am not aware of any major issues."

"The initial deployment is very straightforward and simple. The product is stable if configured properly."

"I like the ability the product has to detect vulnerabilities quickly, when it has been released in our environment, then displaying them to us."

"It is really accurate and the rate of false positives is very low."

More Rapid7 AppSpider pros

"The coverage of backdoors attacks on security that's the most valuable for my clients."

"With the tools that Veracode provides, our developers are actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers."

"Each time I raise a ticket regarding something, they are very quick about the responses and get connected instantly."

"The one thing we really liked about Veracode when we got it was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developers."

"The SAST and DAST modules are great."

"Ours is a Java-based application and Veracode can detect vulnerabilities in both Angular, which is used for the UI, and also in the backend code, which includes APIs and microservices."

"Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code."

"We use Veracode static analysis during development to eliminate vulnerability issues"

More Veracode pros

Cons

"There are some glitches with stability, and it is an area for improvement."

"The product needs to be able to scale for large companies, like ours. We have millions of IP addresses that need to be scanned, and the scalability is not great."

"For Japanese customers, localization is needed. The product should offer a GUI in Japanese and provide Japanese reports for end-users."

"Support response times are slow and can be improved."

"This price of this solution is a little bit expensive."

"AppSpider could improve in the area of integration. They need to add more integration opportunities."

"AppSpider has some problems with the RAM needed while scanning."

"The tech support is responsive but issues remain unresolved."

More Rapid7 AppSpider cons

"I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."

"The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed."

"Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."

"The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."

"The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred megabyte size."

"The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it."

"Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them."

"Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses."

More Veracode cons

Pricing and Cost Advice

"The price is pretty fair."

"The licensing cost depends on the number of users."

"It is expensive if you want to buy the Enterprise version that is able to scan multiple applications at once."

"AppSpider is closed-source software and you need to acquire a license in order to use it."

"The price of Rapid7 AppSpider cost 9,000 annually but there is limited usage. Large companies are able to negotiate a better price or a better deal for the usage with the vendor."

"Compared to the typical software composition analysis solutions, Veracode is not so costly, although the static analysis part of it is a little costlier."

"The Veracode price model is based on application profiles, which is how you package your components for scanning."

"The pricing is fair."

"The price of Veracode Static Analysis could improve."

"The pricing depends on the functionality each client desires."

"I believe the price is fair according to market standards."

"The pricing and licensing are reasonable, and relatively straightforward, and different licensing and subscription models are available."

"No issues, the pricing seems reasonable."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

851,604 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

18%

Computer Software Company

13%

Healthcare Company

Manufacturing Company

Computer Software Company

16%

Financial Services Firm

16%

Manufacturing Company

Insurance Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

What do you like most about Rapid7 AppSpider?

The most valuable feature of Rapid7 AppSpider is the vulnerability reporting data. Additionally, the data is reported in a convenient way rather than seeing them as a PDF. We are able to generate a...

What is your experience regarding pricing and costs for Rapid7 AppSpider?

The price is not high, but for Japanese customers, localization may incur additional costs.

What needs improvement with Rapid7 AppSpider?

For Japanese customers, localization is needed. The product should offer a GUI in Japanese and provide Japanese reports for end-users.

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...

What do you like most about Veracode?

The SAST and DAST modules are great.

What is your experience regarding pricing and costs for Veracode?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.

Rapid7 InsightAppSec vs Rapid7 AppSpider

Comparisons

Compared 44% of the time

Acunetix vs Rapid7 AppSpider

Compared 11% of the time

Invicti vs Rapid7 AppSpider

Compared 8% of the time

OWASP Zap vs Rapid7 AppSpider

Compared 7% of the time

Qualys Web Application Scanning vs Rapid7 AppSpider

Compared 5% of the time

More Rapid7 AppSpider Competitors

SonarQube Server (formerly SonarQube) vs Veracode

Compared 20% of the time

Checkmarx One vs Veracode

Compared 10% of the time

GitHub Advanced Security vs Veracode

Compared 6% of the time

Snyk vs Veracode

Compared 5% of the time

Fortify on Demand vs Veracode

Compared 5% of the time

More Veracode Competitors

Product Reports

Download Rapid7 AppSpider product report

Rapid7 AppSpider

May 2025

Download Veracode product report

April 2025

Also Known As

AppSpider

Crashtest Security , Veracode Detect

Overview

SPAs, APIs, mobile—the evolution of application technology is measured in months, not years. Is your web application security testing tool designed to keep up? AppSpider lets you collect all the information needed to test all the apps so that you aren’t left with gaping application risks.

Our dynamic application security testing (DAST) solution crawls to the deepest, darkest corners of even the most modern and complex apps to effectively test for risk and get you the insight you need to remediate faster. With AppSpider on your side (or, rather, all of your sides), you’ll be able to scan all the apps today and always be ready for whatever comes next.

Rapid7

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Sample Customers

Microsoft

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.