Synopsys Software Risk Manager vs Veracode comparison

Synopsys Software Risk Manager

Read 203 Veracode reviews

20,179 Views
14,125 Comparison Views

90% willing to recommend

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Jul 27, 2025

Veracode and Synopsys Software Risk Manager are competing in the software security category. Veracode has an edge in pricing and support, while SSRM stands out with its comprehensive features and perceived value.

Features: Veracode offers a cloud-based platform, automated scanning, and extensive integration capabilities. SSRM provides thorough risk assessment tools, tailored security recommendations, and a strong focus on compliance.

Ease of Deployment and Customer Service: Veracode integrates easily with existing workflows and has responsive customer service. SSRM might require more initial setup but offers customization flexibility, with supportive yet reserved customer service.

Pricing and ROI: Veracode presents competitive setup costs, appealing to budget-conscious buyers with a balance between investment and returns. SSRM entails a higher initial cost but delivers significant ROI through advanced features and comprehensive security solutions.

To learn more, read our detailed Static Application Security Testing (SAST) Report (Updated: August 2025).

Static Application Security Testing (SAST)

August 2025

Download the complete report

Helped 865,164 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

Synopsys Software Risk Manager

Ranking in Static Application Security Testing (SAST)

33rd

Ranking in Software Composition Analysis (SCA)

28th

Ranking in Application Security Posture Management (ASPM)

11th

Average Rating

0.0

Reviews Sentiment

7.0

Number of Reviews

Ranking in other categories

No ranking in other categories

Veracode

Ranking in Static Application Security Testing (SAST)

2nd

Ranking in Software Composition Analysis (SCA)

3rd

Ranking in Application Security Posture Management (ASPM)

2nd

Average Rating

8.0

Reviews Sentiment

7.0

Number of Reviews

203

Ranking in other categories

Application Security Tools (2nd), Container Security (8th), Static Code Analysis (1st)

Mindshare comparison

As of August 2025, in the Static Application Security Testing (SAST) category, the mindshare of Synopsys Software Risk Manager is 0.3%, down from 0.4% compared to the previous year. The mindshare of Veracode is 7.8%, down from 10.2% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

Saravanan_Radhakrishnan

Senior Manager at Happiest Minds Technologies

Facilitates continuous assessment of applications, covering both static and dynamic security aspects

Code Dx lacks one aspect, the dynamic security part, known as DAST. It's not an on-premise solution; it's in the cloud now. There are compliance standards and data standards where the customer might need to have the data on-premises for dynamic security testing. So that is one shortfall. An area of improvement could be developing an on-premise DAST solution. The current one is a complete cloud-based solution, and that can be one of the areas of improvement.

Read full review

Sajal Sharma

Test Analyst - Security at Net solutions India Pvt.

Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards

It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better. The solution offers the ability to prevent vulnerable code from going into production. It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly. I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them. We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us. As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good. The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues. We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool. We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works. Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The customers were looking for something around static security and dynamic security, and in all those areas, they were looking for an industry leader with a proven solution. Synopsys is a Gartner leader, so I position this particular technology for the technical pre-sales part of it."

"Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production."

"The integration with DevOps pipelines is seamless."

"What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode."

"I have found the user interface extremely helpful in prioritizing issues."

"Provides the capability to track remediation and the handling of identified vulnerabilities."

"All the features provided by Veracode are valuable, including static scan, dynamic scan, and MPT (Manual Penetration Testing)."

"When those scans kick, Veracode integrates back into our JIRA and actually open tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products."

"The most valuable feature is the efficiency of the tool in finding vulnerabilities."

More Veracode pros

Cons

"The initial setup is a bit challenging because things are not easy. It needs a lot of technology adaptability plus the customer's environment-specific use cases."

"Software developers are always thinking about the next big thing but lose sight of what's happening right now. If you have an idea for a feature request, you must submit it to be voted on by the Veracode community. I don't like this. No one will look at it unless enough people vote for it."

"Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."

"We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them."

"Maybe the boards could be made easier to understand or easier to customize."

"We use Ruby on Rails and we still don't have any support for that from Veracode."

"There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved."

"The scanning could be a little faster. The process around three or four minutes, but it would help if it could be further reduced."

"It's very expensive for a small organization."

More Veracode cons

Pricing and Cost Advice

"It is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's not for everybody."

"I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product. The cost of the license is small in comparison to the value it brings"

"Aside from the standard licensing fees, we also have to pay for a competent Success Manager."

"Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors."

"We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides."

"I think the pricing is in line with the rest of the tools. I think you get what you pay for. It is certainly not inexpensive, but the value proposition is there. There are certainly cheaper tools, but I don't think we'd be getting the support that we get with those, and that is what separates this product from the others."

"As compared to others, it is a costly solution. It is overpriced, and many organizations with a limited budget cannot afford it. That is why they are going for other tools, but those tools are not that effective. Veracode is better in terms of quality. If you want good service, you have to pay for it."

"Veracode provides value for the cost, with no additional charges apart from the standard licensing fee."

"It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average."

More Veracode pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

865,164 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

19%

Manufacturing Company

14%

Computer Software Company

10%

Government

Financial Services Firm

16%

Computer Software Company

16%

Manufacturing Company

Insurance Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

No data available

Questions from the Community

What do you like most about Synopsys Code Dx?

The customers were looking for something around static security and dynamic security, and in all those areas, they were looking for an industry leader with a proven solution. Synopsys is a Gartne...

What is your experience regarding pricing and costs for Synopsys Code Dx?

I would rate the pricing model an eight out of ten, where one is low and ten is high. Because it is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's n...

What needs improvement with Synopsys Code Dx?

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...

What do you like most about Veracode?

The SAST and DAST modules are great.

What is your experience regarding pricing and costs for Veracode?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.

SonarQube Server (formerly SonarQube) vs Synopsys Software Risk Manager

Comparisons

Compared 16% of the time

Acunetix vs Synopsys Software Risk Manager

Compared 12% of the time

Checkmarx One vs Synopsys Software Risk Manager

Compared 12% of the time

Coverity vs Synopsys Software Risk Manager

Compared 12% of the time

More Synopsys Software Risk Manager Competitors

SonarQube Server (formerly SonarQube) vs Veracode

Compared 17% of the time

Checkmarx One vs Veracode

Compared 10% of the time

GitHub Advanced Security vs Veracode

Compared 7% of the time

OpenText Core Application Security vs Veracode

Compared 4% of the time

Coverity vs Veracode

Compared 4% of the time

More Veracode Competitors

Product Reports

Application Security Posture Management (ASPM)

August 2025

Download Synopsys Software Risk Manager product report

Download Veracode product report

July 2025

Also Known As

Code Dx

Crashtest Security , Veracode Detect

Overview

Software Risk Manager is an application security posture management (ASPM) solution that enables security and development teams to manage their application security programs at enterprise scale. By unifying policy, test orchestration, correlation, prioritization, and built-in static application security testing (SAST) and software composition analysis (SCA) engines, organizations can streamline their security activities across the enterprise.

Black Duck

Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.

Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), and manual penetration testing. These tools are designed to help developers detect vulnerabilities early in development while maintaining speed in deployment. Veracode also emphasizes scalability, offering features for enterprises that manage a large number of applications across different teams. Its robust reporting and analytics capabilities allow organizations to continuously monitor their security posture and track progress toward remediation.

What are the key features of Veracode?

Static Analysis (SAST) - Scans source code for vulnerabilities before deployment.
Dynamic Analysis (DAST) - Examines applications in a running state to detect flaws in real-time.
Software Composition Analysis (SCA) - Identifies risks in open-source libraries and third-party components.
Manual Penetration Testing - Offers expert analysis for more complex vulnerabilities.
Integrations with DevOps tools - Seamlessly integrates with CI/CD pipelines for automated security checks.

What benefits should users consider in Veracode reviews?

Early detection of vulnerabilities - Helps developers fix security issues early in the development process.
Scalability - Supports organizations with large-scale application portfolios.
Compliance support - Ensures applications meet various security standards and regulations.
Developer training - Provides tools for educating developers on secure coding practices.
Comprehensive reporting - Offers detailed reports that track remediation and risk trends.

Veracode is widely adopted in industries like finance, healthcare, and government, where compliance and security are critical. It helps these organizations maintain strict security standards while enabling rapid development through its integration with Agile and DevOps methodologies.

Veracode helps businesses secure their applications efficiently, ensuring they can deliver safe and compliant software at scale.

Sample Customers

Discover why companies like: CGI said, "Synopsys and Software Risk Manager have provided the results we’re looking for".

Manhattan Associates, Azalea Health, Sabre, QAD, Floor & Decor, Prophecy International, SchoolCNXT, Keap, Rekner, Cox Automotive, Automation Anywhere, State of Missouri and others.