Veracode

Veracode

Overview

What is Veracode?

Veracode is an application security platform that performs five types of analysis: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Recent Reviews

Best in Security

10 out of 10
March 03, 2024
Incentivized
It's being used across whole organization, multiple engineering teams are using it for third-party libraries scan i.e. software …

Veracode to the Rescue!

10 out of 10
February 27, 2024
Veracode DAST is used on app applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all Critical applications in …

Awards

Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards. Learn more about the types of TrustRadius awards to make the best purchase decision. More about TrustRadius Awards

Reviewer Pros & Cons


Video Reviews

1 video

Veracode Review: Provides Helpful Support When Troubleshooting Security Needs
02:38

Pricing

View all pricing
N/A
Unavailable


Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services


Alternatives Pricing

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

What is Indusface WAS?

Indusface Web Application Scanner provides an application security audit to detect a range of high-risk Vulnerabilities, Malware, and Critical CVEs.


Product Details

What is Veracode?

The Veracode platform is a software security solution that aims to be pervasive but not invasive, embedded into the environments that developers work in, with recommended fixes and in-context learning. Security teams can use Veracode to manage policy, gain a comprehensive view of an organization's security posture through analytics and reporting, mitigate risks, and produce the evidence necessary to meet regulatory requirements.

It is presented as an always-on, continuous orchestration of secure development that gives organizations the confidence that the software being built is secure and meets compliance requirements.

Veracode Features

  • Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.
  • Supported: Developer Experience - Finds and fixes flaws in line with security integration into where developers work, automated remediation guidance, and in-context learning.
  • Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOps program.
  • Supported: Market Expansion - To meet data residency needs in EU with cloud-native instance built in Frankfurt, Germany on AWS.
  • Supported: Contextual Platform Data - Fine-tuned with nearly 2 decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities through applying machine learning and artificial intelligence to the data.
  • Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with cloud-native SaaS architecture.

Veracode Screenshots

  • Screenshot of The Veracode Platform Homepage
  • Screenshot of Static Analysis Scans
  • Screenshot of Findings Status and History Dashboard
  • Screenshot of The Veracode Platform

Veracode Videos

Veracode Static Analysis Demo
Veracode Software Composition Analysis Demo
Veracode Dynamic Analysis Demo

Watch The Veracode Platform

Veracode Technical Details

Deployment Types: Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Unspecified
Mobile Application: No
Supported Countries: North America, EMEA, APAC, LATAM
Supported Languages: Java, .NET, PHP, Android, iOS, JavaScript, Python

Frequently Asked Questions


Checkmarx, Snyk, and SonarQube are common alternatives for Veracode.

Reviewers rate Support Rating highest, with a score of 8.

The most common users of Veracode are from Enterprises (1,001+ employees).

Veracode Customer Size Distribution

Consumers: 0%
Small Businesses (1-50 employees): 18%
Mid-Size Companies (51-500 employees): 65%
Enterprises (more than 500 employees): 17%

Comparisons

View all alternatives

Reviews and Ratings

(196)

Attribute Ratings

Reviews

(1-25 of 127)
Score 8 out of 10
Vetted Review
Verified User
Incentivized
To be SOC 2 and ISO compliant and also to protect our SaaS, we are using this tool to scan every component that we build for SA and SCA.
We also have an obligation regarding the fix time and we use the dashboards to keep track of it.
  • Integrates with any CI CD tool like Jenkins
  • Shows result in a simple way using dashboards
  • Allows mitigations in a clear manner
  • Scans fail if another scan is already in progress using the Java CLI
  • Module selection is slow to load when it comes to big applications
  • Module selection is sometimes not clear on what is scannable and what is not and why
  • Remediation actions for SCA issues: you could recommend how to fix them in a clear way, without forcing the user to click many times to understand it.
Integrate Veracode Java CLI with Jenkins and run it on every component build pipeline
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Within our organization we have a large portfolio of applications written over many years by many different developers. As part of our continuous improvement and dedication to security we have integrated Veracode's static code analysis platform into our process of monitoring and reviewing our portfolio, greatly increasing our coverage. As a company with smaller development teams we greatly value resource efficiency, and tools which can improve it; to this extent our developers can utilize their time effectively remediating important flaws the platform discovers, and our organization can feel assured that our focus on security continues to evolve and grow.
  • Veracode's static code analysis platform provides in-depth information as well as very useful suggestions regarding mitigation for flaws it discovers. This is very helpful in assisting developers towards a speedy and complete mitigation.
  • Veracode does well to keep connected with their customers, ensuring the success of their customers on their platform is evidently one of their goals which they hold highly. This responsiveness continues into their technical support which is both helpful and fast to respond.
  • Veracode continues to update their platforms, their capabilities, and their research often; the promise of continuous improvement from all facets provides value to us as an organization.
  • We would like to see Veracode continue to improve the integrations available, particularly with respect to .NET IDEs. Part of our development team uses JetBrains' Rider which is, as of this time, unsupported for static integration.
  • We would also like to see Veracode continue to improve their dynamic scan offerings; with the recent addition of DAST Essentials we feel this improvement may come sooner than later.
Within our organization it is clear that when a codebase is available, and in a language that Veracode supports, the use of Veracode (with a particular focus to the static scanning platform) is a great suggestion. The depth of information it can provide with respect to security flaws is valuable, with very little setup required from the developers. When a codebase is unavailable, say in the instance of third-party applications for which you are creating extensions or some form of module, then static code scanning is not an option but even then dynamic scanning (DAST) may prove to be helpful, though potentially less so.
Score 7 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode for all the software we build in-house. Being in the financial services industry there's a lot of regulation and emphasis on security, and we've made Veracode a mandatory part of our production deployment process to satisfy some of those requirements. The reports Veracode generates are used by both management and development teams.
  • PDF & web reports are very well laid out.
  • Custom dashboards are very flexible/powerful.
  • Flaw remediation suggestions are specific and helpful for most flaws & languages.
  • Documentation is clear and detailed.
  • Veracode support is excellent.
  • Scan times can be long
  • Atlassian / Bamboo CICD integration isn't the best
  • No alerting functionality when new flaws are found
  • No auto rescan functionality
  • The web interface is slow
Veracode is excellent when you need good reporting/auditability to satisfy regulatory requirements. It works well for very large organizations and guides even entry-level developers through the process of how to set it up and start resolving flaws.

It's probably not as good for smaller companies, where CI/CD is a top priority, or where cost is a concern.
Score 7 out of 10
Vetted Review
Verified User
Incentivized
It is used across the organization. We are using it for static analysis of our code. We have selected the policy that requires our release code to minimize the level of security faults.
Beside static analysis we use Software Composition Analysis and we found it very helpful in rectifying vulnerabilities from third-party libraries.
  • Good integration with Jenkins and Visual Studio.
  • Parsing the code well.
  • It has good dashboard.
  • SCA graphs for transitive dependencies are very useful in identifying the vulnerabilities.
  • The main problem is the slow speed of the scan - it took 11 weeks in one instance.
  • The problem was ongoing for a number of months and eventually they managed to slash the running time to one day. However, since then the running time usually takes 2-3 days as the scan always stops during the run.
  • While SCA for Java works very well, there are a number of issues on the C++ side. It cannot recognize the libraries built by default from third-party vendors' source code.
Overall, we are generally satisfied with the product. It gives very accurate information about vulnerabilities in our code using static analysis.
It has good performance for Java static analysis. However, for C++ it is very slow.
Also, the Software Composition Analysis for C++ code is not yet a finished product. It cannot recognize libraries built from source code using the default build method from third-party vendors. That is the case even for libraries that have been in use for a number of years.
March 03, 2024

Best in Security

Score 10 out of 10
Vetted Review
Verified User
Incentivized
It's being used across the whole organization; multiple engineering teams are using it for third-party library scans, i.e. software composition analysis, and static application security testing. There are security labs for engineers and those who are interested in learning about security vulnerabilities and remediation, i.e. secure code training (labs). These labs are being used to encourage developers to learn about secure coding by conducting secure code tournaments.
  • SCA
  • SAST
  • Secure Code Training
  • Add more labs in Secure Code Labs.
  • Supporting perl would be great.
  • Better to have standard deployment for all packages in upload and scan.
It's more suited to software composition analysis for third-party library scans (SCA) and static application security testing (SAST). Currently it is being utilised by us along with the security labs; we are using these labs for tournaments for developers to learn about secure coding, even for learning purposes. It's helpful in the IDE stage - Greenlight, where developers can find issues/vulnerabilities during coding (shift left).
Teresa Kosinski | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Veracode is used across all departments in our organization tasked with creating and/or using software. It helps to ensure that we are up-to-date on the latest security threats, and their consultants help us to quickly resolve any issues we are not able to resolve ourselves. I greatly appreciate that the Veracode platform is incredibly versatile, and helps us get a more holistic view of our security profile. When we first started using it, within minutes it was easy to view where we should focus our fixes. Looking back, this alone was worth every penny.
  • Thorough static scans
  • Quick but deep dynamic scans
  • Detailed reports
  • Excellent consultants
  • Initial user training could be better; it's very confusing at first.
  • More online help
  • The UI can be confusing if you have a lot of different products.
Veracode is great for deep scans of your codebase, as well as performing deep scans against your online application. I have been using it for several years, and it has consistently gotten more and more thorough while vastly improving performance. Make sure, though, that your language is supported. Veracode supports several, but it doesn't support everything.
February 27, 2024

Veracode SAST review

Score 8 out of 10
Vetted Review
Verified User
Incentivized
We replaced our old tools with Veracode 1 year ago, to reinforce our security posture and help us prevent vulnerable code from being added to our products. Each pull request must be analyzed and meet our security policy before it can be merged. We also have to maintain 5 versions and assess the conformity of each of these versions with our policy.
  • Low false positive rate by taking into account context and input sanitization
  • List and details of mitigation proposals
  • Clear reports and the ability to create your own dashboards
  • Some popular dependency managers are not currently supported (e.g. conan, pnpm)
  • Analysis of compiled languages requires specific preparation before compilation
Well suited:
SAST is well suited to the analysis of individual commits in non-compiled languages.
New vulnerabilities are added as comments in the pull request. We generate daily compliance analyses by running nightly tasks.
This provides a daily report to the security team and the managers on SAST and SCA.
Flaw mitigation involves every developer in the investigation and proposal.
This helps the owners by reducing their workload and sharing knowledge across squads.

Less appropriate:
Cpp analysis on each commit is not appropriate for our modules, as it takes too long to get results (Caused by unsupported Conan dependency manager).
For public repositories, generated baseline files need to be saved securely to avoid sharing.
February 27, 2024

Veracode to the Rescue!

Score 10 out of 10
Vetted Review
Verified User
Veracode DAST is used on app applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all Critical applications in the portfolio. In total there are around 120 applications in scope for the program.
  • Customer support that won't permit any failures anywhere along the line.
  • Regular updates to the platform that supports rapid changes in technology and development practices
  • Sets the standard for how AppSec scanners should work
  • Sometimes finding the right person to help takes a little time
  • Pricing of SAST/SCA scans may scare off some potential customers until they understand that it's worth it.
Veracode is useful across the spectrum of development teams' AppSec maturity, size of the development community, and varied skill sets to address application security. Veracode excels in bringing together threat management teams and development teams with a single view into all application vulnerabilities and their treatment.
Krishna Bala | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We wanted a secure scan method for static, dynamic, and manual PEN testing. We wanted to make sure that we could "shift left" with our development and have security scans done at the beginning of the development process. Not at the end when it is already in the field and more challenging to update.
  • Static Scan
  • Dynamic Scan
  • Manual PEN testing
  • Open source scans with Software Composition Analysis
  • Dynamic DAST fails every once in a while and creates problems during release completion.
We wanted a secure scan method for static, dynamic and also manual PEN testing. We wanted to make sure that we could "shift left" with our development and have security scans done at the beginning of the development process. Not at the end when it is already in the field and more difficult to update. Veracode allows us to do all this in our CI/CD pipeline early and also in the development IDE (static scans).
February 13, 2024

Worth the investment

Alex Fuglaar, CISSP | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Identifying vulnerabilities in our code before they go into production.
  • Explains the potential issue well
  • Explains a possible solution
  • Scans the code quickly so we can start remediation ASAP
  • Very user friendly
  • Integrate with LLM functions to expand remediation options
Allows a small infosec team to quickly scan large amounts of code and offer remediation solutions.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode as our primary source for Dynamic (DAST) Scans and Annual penetration testing. We were looking for ways to consolidate tooling in our organization with a centralized cloud product and Veracode provides that.
  • Provides robust readouts on vulnerabilities.
  • Allows for detailed or customized reports to fit your organizations or clients needs.
  • Remediating findings in the tool is exceptionally easy to understand and execute.
  • MPT Results should be segmented from DAST/SAST results.
  • MPT Reports should include more information on scoping and testing dates as generally provided by accounting firms conducting similar tests.
  • Vulnerability readouts should not be so hidden in the platform (It shouldn't take as many clicks to get to and view).
This application is exceptionally suited for regular compliance checks/scans. Being able to 'set it and forget it' is critical to allowing continuous scanning. However, DAST Scans do not appear to allow true continuous scanning as you have to re-create scanning rules once annually (Likely due to contract terms).
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Primarily for scanning web applications, while others might use it to secure mobile apps, APIs, or even IoT devices. The ultimate goal is to reduce the risk of security breaches and ensure that software applications are developed and maintained. IDE integration and security testing are the best feature to identify and address security vulnerabilities in my software applications.
  • IDE Integration
  • SCA
  • SAST
  • Plug-in pipeline
  • CI/CD
  • Pull requests
It is used in DevOps to identify security flaws before going to production. Common and hidden areas of software can be ignored if it's too wide, so the report and triaged flaws help security teams to understand where to improve. Furthermore, MPT is great for providing details and vulnerabilities that don't arise from DAST.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode for Static and Dynamic scans and Software Composition Analysis (SCA) across multiple products. The Jenkins automation is a lifesaver for Static scans and SCA since it gets us out of the business of uploading builds manually. We're also utilizing the Jira integration to manage vulnerabilities, from creating new tickets to resolving and closing them when a vulnerability is no longer present. Dynamic scanning can take some tweaking to get running smoothly, however, once things are dialed in, it's another scan that can be scheduled to run automatically. Arguably the most powerful tool, Software Composition Analysis, runs along with our Static scans and gives us insight into vulnerabilities in third-party libraries, newer versions available where a vulnerability is resolved, as well as their licenses.

In all, Veracode is a critical tool that helps us remain compliant with our various annual third-party audits.
  • Automation
  • Software Composition Analysis
  • Integrations
  • More insight into errors that may be causing an issue when configuring an integration, e.g. Veracode's Jira integration.
  • Static Analysis can sometime get 'stuck' when using the Jenkins integration. Days, sometimes weeks can go by before we notice. Have to delete the 'stuck' scan and re-upload.
  • Manual Pen Test account management/reminders. I would expect the vendor to reach out and schedule the pen test annually, maybe send a notification/reminder when the date starts getting close, things like that. From my experience it was on me to initiate our MPT.
Veracode is well suited for small software companies, as well as organizations supporting multiple products. A well-defined and orchestrated build process will be a huge help when setting up a build upload integration with Veracode. Once scans are running smoothly, and assuming you have an integration with your ticketing system, you will rarely have to sign into Veracode's interface.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode to provide initial and ongoing security analysis of our software products. We supply ERP software solutions to the paper manufacturing industry. We are a leading supplier of software to this industry and it is important to us to provide a product that is thoroughly tested and free of known critical vulnerabilities. We have incorporated Veracode into our SDLC cycles and perform SCA and Dynamic scans within our release cycles. Our application is a very large full ERP application using many third-party libraries. Without Veracode we would be flying without a net.
  • Automated scanning of software libraries for vulnerabilities
  • Management of multiple applications and statuses, and help on security remediation
  • Veracode Verified program to leverage the security investment as a competitive advantage
  • The time it takes to scan large projects makes it difficult to fit into our CI/CD/pipeline
  • One of our app scans times out after 2 hours and we have to upload it and scan manually but there is no visibility the CI system has as to vulnerabilities found
  • Integration with older development languages to scan. We have old 4GL based application that is not compatible with the tools
Helps raise the level of awareness throughout the organization on the importance of proper security measures for software development. Allows you to establish a campaign that touts your organization's concern and action towards continual technology threats. Working the Veracode tools into an automated build cycle allows continual focus on the security vulnerabilities within your applications. We are hoping Veracode adapts to large-scale applications and allows us to auto-scan our application that has over 3 million lines of code.
Christine Canassa | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
This product has efficient data security control tools that enhance a safe working environment for all teams. It gives our team CI and CD critical data that gives us reliable development infrastructure for better results. It protects the software development ecosystem from security threats that can affect efficient production. I have not experienced project implementation challenges since we started working with this platform.
  • Monitoring software development infrastructure.
  • Prevention of security threats.
  • Provision of intelligent security information.
  • The features are awesome.
  • I have familiarized myself with all the set features.
  • The overall performance is good.
It is easily customizable to suit company security policies. The software has simple coding tools that enables our team to identify errors before completion of any given project. The security intelligence that has been provided over the time has saved the company the cost of security drawbacks. The customer support team is ever available when reached for any solution.
Score 8 out of 10
Vetted Review
Verified User
We use the Veracode software platform to look for vulnerabilities in our code as well as in the third party libraries we were using. We are in the medical software industry, so the data we deal with is very sensitive in nature so we take security and privacy very seriously.
  • Very good customer support
  • Quick responses to questions
  • Microsoft ADO pipeline support for other scan features
  • Reports that can be generated outside of the website
  • Summary of multiple reports at the user level and not administrative level
Having detailed reports generated by Veracode that highlight code vulnerabilities as well as security issues with third-party libraries are features that are important in our industry. It is well suited for providing software teams with all of the outstanding issues that may exist, so that time is saved in not having to do all of that research ourselves.
January 10, 2023

Veracode For your Code

Score 10 out of 10
Vetted Review
Verified User
Incentivized
This helps in understanding and resolving vulnerabilities in our code which is really good to have. And the most interesting feature is its Veracode Greenlight which gives real-time output and resolution. We can also schedule calls with the security experts for any resolution or queries. I highly recommend [using] Veracode.
  • Realtime resolution
  • Consultation calls
  • Detailed report
  • Using SourceClear
  • for DAST scan
  • Linking SCA with SAST should be more clear
Veracode is suited for organizations [that] give their customer both security and privacy. Veracode will dive deep into the code and points out the flaws which are dangerous to both the organization and the customer using it. I prefer not using Veracode if You don't have the time to revisit your module and resolve the issue because it may take time from the developer's perspective (This is a hypothetical scenario).
Mike Clarkson | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
This is a very thorough tool to statically scan your source code. It works very well for us, and it's always interesting to see how your code writing changes over time as you become more security focused. We are in the process of setting up dynamic scans, but for now we are doing static scans only. They take a little time to complete, but we are scanning our entire software suite so it's to be expected. We have found a number of issues, some of which are in legacy code which we are probably not going to fix as it is actively being replaced.
  • Static scans
  • User Interface
  • Results of scans with detailed descriptions of what the issue is and how to potentially fix it
  • The time to complete a static scan
The ease of integration into our CI/CD pipeline (it only added a couple of minutes extra per build) followed by a weekly static scan of our entire code base which in turn generates results of all the severe items identified. Sometimes they are false positives as it's in libraries we don't control, but we pass on the findings back to the library maintainer(s). Often we have to modify our code slightly to mitigate/patch/fix the issue.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Veracode is used to find any flaws that can affect the application in production even before the product is deployed in any environment. Almost all types of scans can be performed using Veracode. Veracode is famous for its SAST and SCA scan, which attracts users due to its transparency and security.
  • SAST Scan
  • SCA
  • DAST
  • Flagging false positive.
  • Linking of SCA and SAST Scan.
  • Needed to see an aggregated score for all the modules in an application.
I will say it is a nine because the aggregated score of all the modules in an application is not shown anywhere in the Veracode. Otherwise, it's good for the easiness and stability of the application that a developer and an organization are keen to see in a penetration application, respectively.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Due to the regulatory requirements in Germany (VAT), we are required to meet certain security standards. Veracode helps us to check the security of applications as well as third-party libraries and to uncover vulnerabilities. The possibility of telephone consultation helps us to understand and eliminate the defects.
  • To uncover vulnerabilities.
  • To get a security awareness in the company.
  • to secure our applications as much as possible.
  • Good help and explanations for vulnerabilities.
  • Good tele consulting in a short time.
  • Concrete example implementations for best practices for the flaws and for different programming languages.
Well suited:
  • to uncover security weaknesses
  • to get security awareness
  • to get information about the specific flaws.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
As a Developer, I have to make sure that the System we are building is safe. Therefore Veracode helped a lot by scanning our Code for vulnerabilities. Therefore our Security Department opens up a Ticket Process wherefore we simply open up a new Static Code Scan and wait for the result. When all the vulnerabilities are fixed, we get a sign-off.
  • Customer Service.
  • Easy Usability.
  • Good Documentation.
  • Details on Documentation.
  • Customer Communication for Appointments.
I think that Veracode is a good basic code scan in order to ensure code security. It is super easy to integrate into CI-CD processes and offers good protection against common code vulnerabilities. It is less appropriate to consider it as the ONLY security consideration for your application.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Our company maintains highly confidential information about our clients. Keeping our systems and data secure and protected is at the heart of what we do. We use Veracode to help us in this endeavor. We rely on Veracode's products and services to ensure that we maintain the level of trust and confidence that our clients give to us.
  • Double checking the security of our code
  • Integrating into our CI/CD process to help us catch and resolve new flaws
  • Helping us maintain our compliance
  • The documentation could really use some work
  • I am skeptical of the thoroughness of the scans on newer languages and frameworks
  • The scan takes too long
  • The IDE tools leave much to be desired
  • Too many false positives
It is useful for maintaining security compliance.
The manual penetration test is very useful to have in addition to the flaw identification algorithm.

Due to the lengthy amount of time it takes to scan, it's not useful for testing every commit.
The Visual Studio extension does not make it easy for developers in day-to-day programming.
Score 9 out of 10
Vetted Review
Reseller
Incentivized
Veracode helps our clients to deliver secure applications in an agile way in less time and focus the efforts of developers on working on real flaws. This can be done from a single SAST scan to a complete integration in a CI/CD environment, analyzing vulnerabilities in the developers' code and third-party libraries and executing dynamic analysis, all automated to be compliant with security standards and best practices.
  • SAST analysis in the pipeline is very quick and helps to identify flaws
  • Third-party library analysis is effective at reviewing vulnerabilities and recommending a secure version
  • Integration in the pipeline with various DevSecops Tools/Platforms
  • More coverage in the languages/frameworks
  • The crawl script for SAST analysis could be improved to support more functions
  • More coverage for different versions of the IDEs
It's an excellent application security platform, with different integrations that can fit into the SDLC. The SaaS solution works perfectly for quick starts and the integrations are fast and easy to execute; it can be implemented in a modular way, starting just with secure code training, or it can be robust enough to integrate into the whole development environment.
Score 7 out of 10
Vetted Review
Verified User
Incentivized
We use the Static Analysis feature of Veracode to ensure no vulnerabilities are present in our code bases. If a flaw is reported, we consult with the internal team and then set up a Veracode consultation if required for mitigation ideas. After fixing / mitigating the flaw we scan again to check if any further flaws are being reported - if not, we go ahead with the next steps in the project lifecycle.
  • Reporting vulnerabilities
  • Static Analysis of code
  • Scan all dependencies
  • UI experience could be smoother
  • Navigation could be better
  • Response time could be optimized
Veracode is a good choice for static analysis of code. If the code refers to any customized dependency, then Veracode does not consider the external dependency unless it is bundled along with the main archive while running the scan - it could be automated so that the dependencies mentioned in pom / gradle file are considered by default without us having to upload it manually.
Douglas Perreault | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
For years Veracode has been an integral part of our process to reduce our security vulnerability footprint. All of our code is scanned through Veracode's static scan process to ensure we are removing any older vulnerabilities and not introducing new ones. We also use the software composition analysis information to ensure we aren't using any versions of third-party software which may have any vulnerabilities.
  • Pointing out use of 3rd-party software versions that are out-of-date
  • Providing an easy way to triage flaws -- tying together the flaw, source code, and an explanation in one easy-to-use path
  • Providing an easy-to-use plug-in for Visual Studio allowing on-the-fly validation of code without having to complete a full scan
  • It would be nice if we could more easily customize post-scan reports. The reports are fairly lengthy and not everyone on the team needs all of the details.
  • It's not always obvious as to what features are available. For example, for years I had no idea one could promote a sandbox scan to a policy scan without having to resubmit it.
I would say that Veracode is well-suited for any software development it supports. I use it with both Java and .Net based applications and find it works well for both. Veracode cannot provide detailed information if PDB files are not sent with the .Net compiled code.