Overview
What is Veracode?
Veracode is a software security firm that identifies flaws and vulnerabilities across the software development lifecycle. Veracode’s Software Security Platform uses advanced AI algorithms trained on vast datasets of code, for more precise identification and rectification of security flaws.
Pricing
Entry-level set up fee?
- No setup fee
Offerings
- Free Trial
- Free/Freemium Version
- Premium Consulting/Integration Services
Alternatives Pricing
What is SonarQube?
SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.
What is Indusface WAS?
Indusface Web Application Scanner provides an application security audit to detect a range of high-risk Vulnerabilities, Malware, and Critical CVEs.
What is Veracode?
Veracode is an Application Risk Management solution for the AI era. Powered by trillions of lines of code scans and a proprietary AI-generated remediation engine, the Veracode platform enables organizations to build and maintain secure software from code creation to cloud deployment. Development and security teams can use Veracode to get actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode offers capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.
Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and Twitter.
Veracode Features
- Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.
- Supported: Developer Experience - Finds and fixes flaws in line with security integration into where developers work, automated remediation guidance, and in-context learning.
- Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOps program.
- Supported: Market Expansion - Meets data residency needs in EU with cloud-native instance built in Frankfurt, Germany on AWS.
- Supported: Contextual Platform Data - Fine-tuned with nearly 2 decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities through applying machine learning and artificial intelligence to the data.
- Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with cloud-native SaaS architecture.
Veracode Technical Details
Attribute | Detail |
---|---|
Deployment Types | Software as a Service (SaaS), Cloud, or Web-Based |
Operating Systems | Unspecified |
Mobile Application | No |
Supported Countries | North America, EMEA, APAC, LATAM |
Supported Languages | Java, .NET, PHP, Android, iOS, JavaScript, Python |
Veracode Customer Size Distribution
Customer Segment | Share |
---|---|
Consumers | 0% |
Small Businesses (1-50 employees) | 18% |
Mid-Size Companies (51-500 employees) | 65% |
Enterprises (more than 500 employees) | 17% |
Veracode Is A Best Of Breed Code Analysis Tool
- I like the support given by Veracode, they are very responsive and they help you get things done.
- Veracode has well documented steps for administrating the platform and managing integrations for code scanning.
- Veracode is easy to use and the integration to code repositories is seamless.
- It would be good if Veracode could find a way to improve how long it takes to complete a scan job. The scan time is usually long compared to other tools in the market.
- Veracode should find a way to give administrators the ability to add other administrators to the platform.
- Veracode should invest in developing more reports that demonstrate trends of flaws vs remediations.
Veracode, a great security tool for everyone
We also have an obligation regarding the fix time and we use the dashboards to keep track of it.
- Integrates with any CI/CD tool like Jenkins
- Shows results in a simple way using dashboards
- Allows mitigations in a clear manner
- Scans fail if another scan is already in progress using the Java CLI
- Module selection is slow to load when it comes to big applications
- Module selection is sometimes not clear on what is scannable and what is not and why
- Remediation actions for SCA issues. You can recommend how to fix it in a clear way and not force the user to click many times to understand it.
- PDF & web reports are very well laid out.
- Custom dashboards are very flexible/powerful.
- Flaw remediation suggestions are specific and helpful for most flaws & languages.
- Documentation is clear and detailed.
- Veracode support is excellent.
- Scan times can be long
- Atlassian / Bamboo CI/CD integration isn't the best
- No alerting functionality when new flaws are found
- No auto rescan functionality
- The web interface is slow
It's probably not as good for smaller companies, where CI/CD is a top priority, or where cost is a concern.
Veracode User Experience
Besides static analysis we use Software Composition Analysis and we found it very helpful in rectifying vulnerabilities from third-party libraries.
- Good integration with Jenkins and Visual Studio.
- Parses the code well.
- It has a good dashboard.
- SCA graphs for transitive dependencies are very useful in identifying the vulnerabilities.
- The main problem is the slow speed of the scan - it took 11 weeks in one instance.
- The problem was ongoing for a number of months and eventually they managed to slash the running time to one day. However, since then the running time usually takes 2-3 days as the scan always stops during the run.
- While SCA for Java works very well, there are a number of issues on the C++ side. It cannot recognize the libraries built by default from source code from third-party vendors.
It has good performance for the Java static analysis. However, for C++ it is very slow.
As well, the Software Composition Analysis for C++ code is not yet a finished product. It cannot recognize libraries built from source code using the default build method from third-party vendors. That is the case even for libraries that have been in use for a number of years.
Best in Security
- SCA
- SAST
- Secure Code Training
- Add more labs in Secure Code Labs.
- Supporting Perl would be great.
- Better to have standard deployment for all packages in upload and scan.
Sleep Soundly - Use Veracode
- Thorough static scans
- Quick but deep dynamic scans
- Detailed reports
- Excellent consultants
- Initial user training could be better; it's very confusing at first.
- More online help
- The UI can be confusing if you have a lot of different products.
Veracode SAST review
- Low false positive rate by taking into account context and input sanitization
- List and details of mitigation proposals
- Clear reports and the ability to create your own dashboards
- Some popular dependency managers are not currently supported (e.g. conan, pnpm)
- Analysis of compiled languages requires specific preparation before compilation
SAST is well suited to the analysis of individual commits in non-compiled languages.
New vulnerabilities are added as comments in the pull request. We generate daily compliance analyses by running nightly tasks.
This provides a daily report to the security team and the managers on SAST and SCA.
Flaw mitigation involves every developer in the investigation and proposal.
This helps the owners by reducing their workload and sharing knowledge across squads.
Less appropriate:
Cpp analysis on each commit is not appropriate for our modules, as it takes too long to get results (Caused by unsupported Conan dependency manager).
For public repositories, generated baseline files need to be saved securely to avoid sharing.
Veracode to the Rescue!
- Customer support that won't permit any failures anywhere along the line.
- Regular updates to the platform that supports rapid changes in technology and development practices
- Sets the standard for how AppSec scanners should work
- Sometimes finding the right person to help takes a little time
- Pricing of SAST/SCA scans may scare off some potential customers until they understand that it's worth it.
Worth the investment
- Explains the potential issue well
- Explains a possible solution
- Scans the code quickly so we can start remediation ASAP
- Very user friendly
- Integrate with LLM functions to expand remediation options
Elevating Security Through Automation and Integration
In all, Veracode is a critical tool that helps us remain compliant with our various annual third-party audits.
- Automation
- Software Composition Analysis
- Integrations
- More insight into errors that may be causing an issue when configuring an integration, e.g. Veracode's Jira integration.
- Static Analysis can sometime get 'stuck' when using the Jenkins integration. Days, sometimes weeks can go by before we notice. Have to delete the 'stuck' scan and re-upload.
- Manual Pen Test account management/reminders. I would expect the vendor to reach out and schedule the pen test annually, maybe send a notification/reminder when the date starts getting close, things like that. From my experience it was on me to initiate our MPT.
- Monitoring software development infrastructure.
- Prevention of security threats.
- Provision of intelligent security information.
- The features are awesome.
- I have familiarized myself with all the set features.
- The overall performance is good.
A normal review of Veracode
- Very good customer support
- Visual Studio Add Ons
- Quick responses to questions
- Microsoft ADO pipeline support for other scan features
- Reports that can be generated outside of the website
- Summary of multiple reports at the user level and not administrative level
Excellent Code Security Scanning Cloud Service
- Static scans
- User Interface
- Results of scans with detailed descriptions of what the issue is and how to potentially fix it
- The time to complete a static scan
Veracode makes your life easy and safe.
- SAST Scan
- SCA
- DAST
- Flagging false positive.
- Linking of SCA and SAST Scan.
- Needed to see an aggregated score for all the modules in an application.
Healthy, bug-free Code brought to you in association with Veracode
- Reporting vulnerabilities
- Static Analysis of code
- Scan all dependencies
- UI experience could be smoother
- Navigation could be better
- Response time could be optimized
Catch Vulnerabilities before Hackers Do
- Pointing out use of 3rd-party software versions that are out-of-date
- Providing an easy way to triage flaws -- tying together the flaw, source code, and an explanation in one easy-to-use path
- Providing an easy-to-use plug-in for Visual Studio allowing on-the-fly validation of code without having to complete a full scan
- It would be nice if we could more easily customize post-scan reports. The reports are fairly lengthy and not everyone on the team needs all of the details.
- It's not always obvious as to what features are available. For example, for years I had no idea one could promote a sandbox scan to a policy scan without having to resubmit it.
One Stop Security Solution for your apps
- Identify security loopholes
- Gives us detailed issue reports
- Provides a sense of confidence for the developers. We plugged some critical ones with this
- Provides summary reports that we can share with clients as well
- Dynamic Analysis sometimes took a lot of time to run
- The user interface especially accessing reporting was difficult to find
- Provide direct integration with DevOps pipelines in the future if possible to run the static analysis for commits if required
1. Review your source code and security patching on the code.
2. Run real-time tests and penetration testing with dynamic data
3. Instill confidence with the customers
Not so well
1. Timeout on the app is annoying
2. UI is not so great
Veracode Stands Tall Among the Leading Application Security Platforms
- I have found the Software Composition Analysis area to be the best among the competing products for Application Security.
- Veracode's support services are impeccable.
- Their program management teams are professional, helpful, and friendly.
- Although an improvement to what was there previously, the Analytics section using Looker, could still use some improvement. It does seem that what Veracode has deployed is a very limited version of Looker. While helpful and useful, there seems to be so much more that Looker does (such as dynamic querying), however, the version that Veracode employs doesn't seem to offer this.
- More user control of administrative functions such as user adding/deleting. Veracode still uses a 'soft delete'/'hard delete' functionality. This can become cumbersome for self-user-administration when a deleted user has to be re-added. A support call is then necessary to have this done.
- Their idle timeout process needs work. While using the Looker tool, you must save your work every few minutes, as their 'Shark-attack-like' idle timeout will sneak up on you and redirect you away in an instant causing you to lose any unsaved work.
Good product, lives up to expectations
- Explanation of security flaws
- Triaging and reporting
- Adding developer mitigations and comments
- Good integration with tooling
- It could be easier to navigate and find what you're looking for
- Can generate a lot of false positives, depending on policy
Veracode Meets Our Needs
- Static scanning is quick and efficient
- The scan reports are easy to read and informative
- Interaction with both account management and support staff is great
- The contracting process is easy
- The platform's interface could be a little more intuitive
- Sometimes we get a notification that our static license use has been exceeded but it has not
- Sometimes the static scan reports many, many potential flaws but it turns out the tool has not been programmed to correctly recognize a particular use case
- The configuration of dynamic scanning is a bit disjointed.
- It may just be our application but the dynamic scanning process needs to be improved. Note that we have an open case with Veracode on this so we do expect a resolution.
A solid offering for the right company
- Static Scans
- SCA Analysis
- API Documentation
- API random failures
- Customization
- Automation speed
- Support
- Workflow and Process improvements for support
- Flaw remediation
- Code quality
- Cleansing functions
- Removing false positives
- Old sandbox results should be available at least for a quarter for comparison
- already remediated flaws should not be reopened in any scenario
Veracode
- SCA
- Customer support
- 2FA
- DAST
- Bulk user management
- SSO configuration
Veracode Helps Us To Identify Vulnerability in Code.
- Very easy to use and error details are clear
- I can fix the code easily.
- Support base is good.
- Sometimes the UI will be a little slow.
- Maybe our HVD network issues
- Not sure
Why Veracode Can Save You... Money, Time, Security
- Integrations
- Policy enforcement
- Build pipeline access
- Build a ticket management screen into the platform
- Easier integrations to SSO/SAML
- A different method of having API users, they should be either integrated into the team (an API key as part of the team) or at least separate from the regular user area.