Veracode Reviews

98 Ratings
Score 8.6 out of 100

TrustRadius Top Rated for 2021

Reviews (1-25 of 60)

May 08, 2021
Oscar Narváez Del Rio | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
Veracode has been defined as the platform for [our] IT security department to guarantee secure software development and testing before moving to production. Veracode provides dynamic and static code analysis to detect vulnerabilities and reduce risks in terms of how strong the applications are regardless of their technology. As a SaaS, the platform is ready to start a project and provides capacity to scale based on the ongoing needs.
  • Mobile and web code analysis for digital channels.
  • Integration with automated pipelines.
  • SaaS model with scalable capacity.
  • Reports for capacity usage and license are basic.
  • Email notifications could be improved for better user experience and provide clear insights.
  • Plans for dynamic and static should be separated based on specific needs.
Veracode provides capacity to quickly start a secure development project based on continuous scanning to detect vulnerabilities. Currently the mobile and web digital channels have turned into the main platforms for users' experience, but also the most critical in terms of fraud [or] attack risks, and the dynamic analysis is a good approach to overcome any risk; however, when implementing a dynamic analysis it is highly important to understand that actions to solve risks could be released automatically.
May 03, 2021
Mohana Chintalapati | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
It's used by the Information Security team to review the source code of all our products. Veracode helps us do quick checks before a release and the Software Composition Analysis module has made it very easy to identify and keep track of all the OSS components used in our products. The way Veracode flags the license violation issues as well has been extremely helpful.
  • Sophisticated UI
  • Integration into CI/CD pipelines
  • Informative reports
  • Cover more types of vulnerabilities
  • Simplify the process of marking and approving mitigations
Veracode will suit any organization that wants to integrate security into their build pipeline.
Account managers are extremely helpful, always ready to assist with any issues we have. I've seen vendors with account executives that schedule too many meetings and send too many emails in the process of trying to be helpful and I've seen vendors who don't really care about the customers, too. However, Veracode has just the right amount of communication. Neither more nor less. It makes them easier to work with.

Responses from the support team are pretty quick as well.
May 02, 2021
John Morales | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
The Veracode solution will be leveraged for the TriNet SaaS platform we develop, which provides the HR services to our clients and colleagues.

The TriNet business objectives with the investment of Veracode are:
  • Improve security posture and quality in code and releases.
  • Early detection of security risks in code.
  • Maximize ROI tooling.
  • Visibility and traceability for security insights.
  • Measure success via metrics.
  • Industry leading code secureability solution.
  • Improve secure posture.
  • Early detection of security risks in code.
  • Improved DAST performance.
  • Shift left performance as close to the developers' IDE.
  • Improved correlation of security defects to Source Code, BitBucket and GitHub.
Veracode is great for static, dynamic, and software composition analysis. I would like to see Veracode compete with SonarQube code quality to detect coding flaws.
May 17, 2021
Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
Veracode is used by our department to ensure that our web applications are secure and that we are employing up-to-date security standards in our development. Veracode addresses not only our public facing website but also our coding practices.
  • Website scanning
  • Coding security standards
  • Library security
  • The Veracode website user interface is not intuitive and is difficult to navigate. New users will find that links will often have them going around in circles until they are lost.
  • The dynamic scanning does not allow for minimizing scans on repetitive forms. This could be provided with regular expression matching for links to sections of the tested web site to reduce the amount of repeat scans of the same form.
  • Software composition analysis does not handle applications with more than one framework well (e.g., a dot net core 3.x framework with a Vue front end). These have to be scanned individually and not analyzed in one run.
  • Reports are compartmentalized, offering values in one section that aren't available in another section, so that users cannot combine the separated values and use them in one report.
Veracode offers a unique solution to evaluate security from the coding standpoint, where other tools do not offer this viewpoint. This is what Veracode offers above all other tools that we evaluated.

Qualys WAS another tool that we have used and continue to use, which is similar to Veracode's dynamic analysis scanning. There are some capabilities that Qualys offers which Veracode does not, like blacklisting URLs by regular expression.

Veracode seems deficient in testing APIs, as I have not seen any ability to manipulate the HTML header to add authorization.
March 19, 2021
Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
Our Engineering department uses Veracode as a check on the software we develop before release and distribution to our customers or our SaaS environment. It's one of the most important tools in ensuring our security policies are upheld by development teams. We integrate Veracode into our CI/CD pipelines so that we don't have to wait long for results.
  • Accurate results
  • Understandable reports
  • Helps us stay on top of the changing security landscape
  • Good open source analysis
  • Scans can be slow depending on size
  • Some less common programming languages aren't supported
  • IDE integration costs extra
  • High cost
Veracode is good for static analysis of common programming languages. The results are easy to understand and take action on. But it's not immediate; you need some time in the cycle to detect and fix issues: if you're pushing to prod 50 times a day, figure out where this fits in the process. Also, it's not as useful where configuration or deployment are the major concerns.
March 04, 2021
Anonymous | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Review Source
Veracode is used within the IT department. It helps to ensure the security quality of our products.
  • Veracode SAST scanner is exceptionally good as it does the scan on top of the compiled code, not source code. This gives you not a prediction of what can go wrong, but the exact knowledge of what will go wrong.
  • Web UI could be implemented better. Currently it is not very user friendly and looks a bit outdated.
For our case of big product development, Veracode is a very suitable platform. It allows pretty seamless integration with the development lifecycle and provides very informative results.
June 01, 2021
Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
Veracode is used by our IT department only. It is a very helpful product.
  • Sophisticated UI
  • Integration into CI/CD pipelines
  • Informative reports
  • Cover more types of vulnerabilities
  • Simplify the process of marking and approving mitigations
Veracode will suit any organization that wants to integrate security into their build pipeline.
February 22, 2021
Anonymous | TrustRadius Reviewer
Score 1 out of 10
Vetted Review
Verified User
Review Source
It is used for scanning our iOS/Android apps and to flag out any potential security issues with the code since it uses SAST/DAST.
  • It flags out issues so we are able to take action on it
  • UI is not modern
  • Complex UI
  • Slow upload speeds
  • Extra work required to compile and submit your build
It is well suited if you are running SAST/DAST, but as with any solution, there is no one size fits all, and it definitely had false positives as well, like any other scanner. I did not have a hand in deciding to purchase this, but it works decently and we can automate it. However, I am located in SEA, and I find the upload speeds are very, very slow. Something to take note of.

Update: 22 Nov 2020. In the spirit of transparency, I dropped the rating from 7 to 2 because I was invited to write the review by the vendor (Principal of Customer Advocacy) on 9 October in exchange for a small incentive for my time. However, more than a month has passed and there have been no replies despite follow-up emails to them. I would have expected much better and am sorely disappointed. I treat timely emails very seriously, and especially not getting a single reply from vendors. Granted, this is not a technical support ticket, but it is still unprofessional and not something I would expect from someone from Customer Advocacy. This is the main reason for the rating drop. Please draw your own conclusions from this experience I have had.
No replies and emails were ignored from Colleen Reidy (Principal, Customer Advocacy).
You can do the upload process manually or automate the upload via CICD as well. It takes a long, long time to upload it to the servers (from the SEA region at least) and the UI is kind of confusing to me. There was some kind of refresh on the UI last year, but the UX can be improved.
November 18, 2020
Śrinivāsa Rao Kuruba | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
Veracode was used in our organisation by a few business units for Static Analysis Security Testing (SAST). It helps in finding software vulnerabilities in the code by scanning the binary derived objects of the source code written by developers, thus addressing the security aspects of the products the organisation is shipping to its customers.

Any aspect concerning the vulnerabilities of a software product is non-trivial and would be very costly if reported by the customers. Veracode helps find these beforehand, if the code (binaries) is scanned before being integrated into the product. With its wide variety of integrations, Veracode scanning can happen at any stage of the DevOps CI pipeline, thereby facilitating the "shift left" mentality of finding defects/vulnerabilities in [the] code as early as possible in the software development life cycle.
  • Binary scanning. Veracode static analysis is based on binaries derived from source code, which is more accurate than just pure source code scanning. This accuracy translates to fewer false positives in the defects reported, thereby saving developers' time in tackling the real issues.
  • Veracode being a SaaS platform reduces the IT burden on your organisation. No servers to worry about, no performance concerns, no storage expansion to plan ahead and no capacity/elasticity challenges to take care of on all the infra (compute, storage, networking).
  • The Veracode platform is very quick to configure and very easy to use. It just takes a few minutes to set up an application profile and start scanning. It is particularly easy to use for modern programming languages like Java, as the Java binaries are optimal for scanning.
  • Learning - Veracode's eLearning portal is very good and has all the relevant training on various aspects of security and again is seamlessly available in the same platform/tenant where the teams scan.
  • Security Consultation - Very easy to get help within the platform itself for a security consultation which is invaluable for the first few scans. Veracode is probably one of the very few SAST solutions which has such easy provision to get security consultation.
  • There is an initial overhead on generating the binary artefacts for scanning. The binaries need to be loaded with debug symbols for Veracode to be able to trace the defect back to the file and line number. This is relatively easy for modern programming languages (e.g. Java) with latest build tools (e.g. maven/gradle) but can be quite challenging for languages which are platform specific (C/C++) and have dated build systems (e.g. make).
  • Entry Point Selection. After the binaries are uploaded for scanning, the Veracode platform analyses them (pre-scan) and provides a list of 'modules' to be selected for scanning. Only the points of entry of program execution need to be selected here, based on the application architecture. The 3rd party modules on which your code is dependent need to be uploaded but not selected as entry points for execution. This typically needs some fine-tuning and teams take some iterations to optimise. This would need the product architect's inputs, which teams generally do not understand, as they treat scanning in general as a DevSecOps responsibility and only after scanning do the developers/architects pitch in. For Veracode, their inputs are needed even during the scanning, for the first few scans at least.
  • This is both a pro and a con. Veracode does not give any option to customise the scanning rules or tweak what it is scanning for. This makes for a much simpler setup but also gives no scope for creating an application-specific scanning profile. For instance, if I do not want Veracode to look for SQL injection for whatever reason, or if I want Veracode to only look for OWASP Top 10 vulnerabilities, I cannot configure that.
  • Long scan times, specifically for C/C++ based product/app scans. Some of the scans for enterprise-scale products in C/C++ used to take many hours, and at times a couple of days. There have been improvements in this during the course of our 3 years of usage but in general, scans take a long time to complete.
Well Suited
  • Well suited for modern programming languages
  • Super good for organisations which do not have a big IT budget to spend on infrastructure
  • Veracode Security consultation is invaluable for teams/Business Units which do not have a dedicated security team
  • These culminate and make it ideal for a startup to quickly benefit from Veracode's setup leanness to get going on Security scanning
Less Appropriate
  • For scanning large legacy applications/software (huge code base, multiple platforms to build, platform specific languages used)
- Almost no setup required and easy to configure
- Very easy to use, intuitive UI with integrated analytics and learning portals.
- Seamless to review the results, triage them, generate reports.
- Security progression of the product/application is tracked via successive scans.
- Privileges/Roles nicely fine grained and tightly controlled to let teams "view" only their products.
- Easy to create support cases, right from the platform itself instead of visiting any other website or customer support portal.
- Privilege to create the cases granted to all users of the platform by default instead of restricting to only the Admins.
- Responses/updates to the case very promptly given. Escalation channels available via the customer success managers.
- Delegation of the user-generated cases to the platform admins of the organisation very quickly done, the scope permitting.
- Security consultation, a form of support unique to Veracode, can be very easily availed post-scan.
October 14, 2020
David Nelson-Gal | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
We use Veracode for security application scanning of our product. We also use Veracode as our manual penetration testing vendor. It is a critical part of our security hardening and validation processes.
  • Regular application scanning
  • MPT has been excellent and cost-effective
  • The organization, from rep to executives, has proactively listened to our needs.
  • Don't currently support our language for static analysis
  • Would be nice if Veracode had network scanning as well.
Our relationship with Veracode has gotten steadily better over the years. In truth, I would be interested in moving more of my security validation processes to Veracode primarily because I've found it to be easier to work with than my other vendors.

Currently, Application Scanning and MPT are the two areas that I can use Veracode. I am interested in its static analysis tools but currently, we aren't using the programming languages they support. This may change.

I also would like to use Veracode for Network Vulnerability Scanning but it doesn't offer an option there so we work with other vendors. They are also not an option for intrusion monitoring/detection so we have to use other vendors.
In general, I have really grown to appreciate and trust Veracode as a vendor. Support has been good, their MPT testers have been thorough and competent, and their executives have been available and open to my issues.

I have had periodic issues making scans work effectively. I can't seem to self-service my way through them. Still, Veracode support people have been able to help get my scans to work and once they are scheduled, things are pretty smooth. The user interface has been rough historically but is getting better.
This used to be terrible. Had a difficult time figuring out where information was. Partly this was due to duplicative features, jargon labels, and user navigation. However, in the seven years I've been using the product, it has gotten better.

Some of my issues were associated with trying to get scans to work unassisted. Now that scans, once set up, just run periodically, I don't have to deal with that as much. Part of this might also be that I've learned what I need to know about getting around. And still part of this assessment is in comparison to other tools out there that are even worse.

Still, they could benefit from an investment in a full usability redesign from someone with an outside perspective, modernizing the UX but also studying and working through the bigger usability concerns. I would love to see better diagnostic tools around getting scans to work so I wouldn't need their tech support people to get scans to work. However, as long as the scheduler keeps going, my needs on this get ever rarer.
October 13, 2020
Teresa Kosinski | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Review Source
Veracode is used across all departments in our organization tasked with creating and/or using software. It helps to ensure that we are up-to-date on the latest security threats, and their consultants help us to quickly resolve any issues we are not able to resolve ourselves. I greatly appreciate that the Veracode platform is incredibly versatile, and helps us get a more holistic view of our security profile. When we first started using it, within minutes it was easy to view where we should focus our fixes. Looking back, this alone was worth every penny.
  • Thorough static scans
  • Quick but deep dynamic scans
  • Detailed reports
  • Excellent consultants
  • Initial user training could be better; it's very confusing at first.
  • More online help
Veracode is great for deep scans of your codebase, as well as performing deep scans against your online application. I have been using it for several years, and it has consistently gotten more and more thorough while vastly improving performance.

Make sure, though, that your language is supported. Veracode supports several, but it doesn't support everything.
Veracode Support has been great. Any time I have had a question, they have responded in a prompt manner. I'd say nine out of ten times they are able to resolve any issues that have come up with a short email exchange. For issues requiring a bit more investigation, their consultants are tops.
Once you become accustomed to using Veracode, you will more thoroughly understand the many ways in which you can use their tools. My only complaint is that it can be a bit daunting for new users of the platform. Perhaps some "Introduction to Veracode Tools" would be helpful for new users.
October 02, 2020
Derek Overby | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
We use Veracode to ensure that we are providing best-in-class security to our customers, as well as meeting annual security assessment requirements specified by our partners in the financial services industry. Primarily our technology (software development) organization within our business is using Veracode services; however, our entire organization is involved in the review of results and understands the importance of these security assessment services, the results of which we share with our partners.
  • Link findings to CVE/CVSS standards
  • Provide comprehensive report artifacts
  • Thorough manual penetration testing services
  • Expert support
  • Need easier CI integration tools
  • Look at GitHub and Snyk
Excellent for finding issues during static code analysis and dynamic application testing and linking those issues back to CVE/CVSS security standards. Also excellent at providing reporting artifacts for compliance processes and helping prioritize issues by severity. Additionally very helpful during the assessment, remediation and remediation review processes. This is why we are a repeat Veracode customer.
I have had several highly technical issues related to our Static, Dynamic, and Manual Penetration testing activities with Veracode, and each time I was able to schedule a consultation for myself and my team members quite easily using the Veracode platform and have our technical issue resolved expeditiously, which was very much appreciated.
The platform has many features that were not relevant to us; retrieving the different reports was not always straightforward and sometimes required special assistance. Overall I think the platform could use a UX refresh. I did not have considerable issues using the platform; however, I think some less technical users would require significant training in order to effectively use the product to meet their various needs.
October 01, 2020
Yaniv Toplian | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
We are using the tool to scan our code for vulnerabilities on a regular basis and fix the issues.
Secondly, we are using the software composition for 3rd-party open sources to indicate any vulnerabilities and upgrade possibilities related both to vulnerabilities and license issues and their support types.
  • It's a SaaS, which we aim to use.
  • We want a tool to pinpoint real vulnerabilities and not just throw 1000s of them.
  • We wanted a tool to support mitigation action and to keep it for the next runs as well.
  • We purchased 2 licenses and sometimes we get alerted on overuse. Veracode checks this issue, as it seems to be the tool's problem.
  • The UX could be more intuitive.
  • It didn't find any vulnerabilities in our client-side code base, which I think is weird.
Veracode is useful because it is offered as SaaS, provides the option to mitigate issues, remembers the mitigated issues so you can filter them out in the next scanning, and is pretty easy to use. The SW composition tool is also very beneficial, as it scans all 3rd parties and open sources and points to license and vulnerability issues.

Aspects that could be improved include needing faster support if we have problems or questions, finding UI/client-side vulnerabilities, and integration into our CI (using TFS) process, which wasn't so trivial and we had to get their support.
In the beginning, we had several issues, mainly related to uploading our code projects for scanning. We dealt a lot with the PDB files and their format. Later, we had issues with how to integrate the tool to be automatically triggered by our CI/CD process and as we use TFS it was not an easy task. For all of that, we had to get support from Veracode/Veracode representatives. It could have been easier.
It's a new tool so there is a learning curve to adopt, learn, and use it. Overall, it was okay. Still, there are some UX improvements to consider, to navigate more easily to find your project and its related sub-project libraries.
September 22, 2020
Rahul Chugh | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
Resolve Systems is a platform that helps in automating across the entire IT ecosystem. It is a Java-based platform with multiple components involved and a user-facing interface to access the tool. Veracode is used across the whole organization to perform static scan in GitHub-based code repo and dynamic scans on a running deployed system. Veracode reports are helpful for Resolve in making the systems more secure and shared with the customers if they ask about the security of the product.

  • Static Scan and Identifying Vulnerabilities
  • Daily Scans with hooks provided in GitHub
  • Reporting for executives and detailed levels for engineers
  • Allowing to do multiple scans in case of fixes made
  • Providing details of the vulnerability and recommend solutions
  • Dynamic scans are not that good - Burp gives us better results.
  • Static scans look for words like "password" but skip "p_assword."
Veracode is well suited for Static Code scans for an organization that wants to push security to the left of the development cycle. It has given Resolve Engineers a good sense of security and its needs when it comes to engineering.

Veracode is less suitable for dynamic scans as I can see that it did not work much for the Resolve product.
We have not used the support system that much so far, but as I hear from the Sales team, I guess they are really smart engineers who can help us solve the security issues or at least point us to the right direction when it comes to resolving the security vulnerabilities found by the system.
September 06, 2020
Michael Johnson | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
Veracode is being used on our core system. For our customers, trust in the security of our software is critical. Being able to show our commitment to software security and the use of a trusted brand to check our code helps with turning prospective clients into paying customers. It also helps us in audits for the industry regulations we must meet.
  • A focus only on code security--rather than cluttering up their offerings, Veracode focuses only on products and services around code security.
  • Scanning code--their scanning engine seems to be among the best in class and has a very low false-positive rate.
  • Reporting on the flaws found--the ability to review flaws from either a web interface or an IDE plugin helps speed up remediation.
  • Security profiles--these aren't laid out very well and can be intimidating.
  • Dynamic scanning--for some web applications, the dynamic scanner doesn't work well. It's one of the reasons we're not currently using it.
  • User permissions--some of the permissions are confusingly labeled or don't make sense if different permission isn't enabled. Having cascading access profiles or grouping permissions would help a lot here.
For any compiled language, Veracode does a great job of scanning for vulnerabilities. It's not quite there for interpreted languages like Javascript, possibly because of the complexity of scanning something that can be run through different systems and interpreted differently by them. They're also not really fit for a general "code quality" review, as they focus only on security flaws.
Veracode support is fairly responsive on issues. We haven't had to use them much.
August 01, 2020
Christopher Sawyer | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Review Source
We use it in the IT department to scan websites for security vulnerabilities. We aim to catch static and dynamic flaws before releasing code to production. We are incorporating it into our Agile development process with the goal to become more mature with that integration so that we can have an Advanced Application Security Program.
  • Scan as a service
  • Fewer false positives
  • Helpful support
  • Scans can take a long time.
  • Need more feedback for active scans.
  • Has to compile.
Veracode is the most well-rounded security tool I have used to scan both dynamic and static code in my career. Scanning as a service means I don't have to set up my own infrastructure and application, or deal with upgrades. But it does mean you will be put in a queue with others.
Veracode support is prompt and always there to help. They are willing to get on a call with you to resolve the issue as much as possible. I have wanted more information from them at times but I have only interacted with a few support staff. They will have to escalate to other team members depending on complexity.
July 31, 2020
Nitin Reddy | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Review Source
Veracode is being used by the whole organization especially for the static code scan, DAST, and penetration testing.
  • Clear identification of possible vulnerabilities and clear direction or possible resolution guidance
  • Detailed report pinpointing the area of trouble
  • Good and prompt support over call to get clarification on the identified vulnerabilities
  • More documentation around different security scan services provided by Veracode would help the users to opt for more refined scans and gain more knowledge around the same.
Veracode is very useful for Internet-facing web applications as the risk of vulnerabilities keeps changing from time to time. On the other hand, Veracode also helps us with identifying vulnerabilities that surface and being up to date on all the latest developments in the area of website security.
I got a prompt response and all the clarification I needed about the security scan report. This helps the team and organization to mitigate the security risk.
July 31, 2020
Ying Shen | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Review Source
I am one of the developers of our application. This is an online application used by many hospitals and research institutes under the Partners umbrella. With the help of Veracode static and dynamic scan, we are able to identify potential security weaknesses and implement fixes before release.
  • Visual Studio integration
  • Support of CD/CI build with Veracode scan
  • Prompt response from Veracode support
  • Some static scans take a very long time, i.e. 14 days in my case.
Veracode is a perfect fit for back end development with business logic implementation. (I don't recommend implementation, though.)

For straight UI with calls to the backend to retrieve data, it is not that essential to use Veracode scan. I see most times the score is pretty high, but it is still a security lock to make sure there are fewer security breaches.
Most of the time, I can get prompt support through email or scheduled support sessions (every Thursday). I can do ad hoc support through the Veracode portal too.
July 22, 2020
Prajit Gandhi | TrustRadius Reviewer
Score 9 out of 10
As per my knowledge, Veracode is used across the organization for compliance and security validation of in-house apps. Now all compliance and security composition analysis is done by Veracode. Based on the report, we apply our fixes so that it will be vulnerability proof. To be honest, it is quite irritating that Veracode is always getting updated frequently. We cannot cope with the pace. But at the same time, it is good because it made us aware of vulnerabilities that may impact our BAU.

We have a nightly pipeline in Jenkins that will generate the report and send it across stakeholders. Also, when we commit in GitHub, that triggers a build lifecycle. Now this build lifecycle also has a toggle to include the Veracode scan in the build lifecycle if we want to. The default toggle condition is on.
  • Frequent vulnerability update
  • Painless triage flaws feature
  • Provides vulnerability fix information as part of SCA
  • GreenLight plugin can be improved so that we can scan the whole project (max file limitation is 1 MB).
  • Project-specific false positive: We have one transitive dependency and we never used it in our application. Still, it will show as an SCA vulnerability, because we cannot mark it as a false positive at project scope.
  • Organization-specific MBD: For example, we have a common jar that is used to provide cross-organization functionality and it has Veracode issues. But whenever we update this common jar version, all MBD will reopen. This is not blocking us. But as per DRY it is a time waste.
Veracode is well suited for quick vulnerability checks & identifying the fix. No need to check other websites like we used to do before Veracode--a big time-saver when we do a production release.

It is less appropriate for a few projects with lower budgets. Due to that constraint, we cannot use Veracode for those projects.
We had a few issues and consulted a Veracode expert in the past. It was quick and provided us what we needed at that moment. Even if we couldn't recollect correctly, the representative suggested some recommended ways to use plugins as well.
July 21, 2020
RICARDO LIMA | TrustRadius Reviewer
Score 9 out of 10
It is used by the whole organization, not only development. It helps us fix vulnerabilities quicker, reinforce our security policies, and it even helps our decision making. It gives us indicators that help us to see our evolution in the maturity of our development teams. Veracode helps us guarantee that the solutions we develop for our clients are secure.
  • Output of indicators
  • Integrations
  • Easy to use and manage
  • Auditing
  • Integrations: they could be more customizable
  • Veracode License: this needs to be more transparent
  • Veracode DAST: needs to be more customizable. I want to be able to define the types of attacks that are going to occur.
Good scenarios: Veracode is very adaptable. We have multiple projects, and it helps us very well. Big projects or small projects, it's very good.

Bad Scenarios: For me, two scenarios didn't go so well. The first one is if you are using JIRA as your bug tracker; the integration didn't work for me. The second is if you need to scan API endpoints, which Veracode currently doesn't.
We went through a lot of questions about the solutions, integrations, etc. when we were in the implementation stage. Every time we contacted Veracode's support, our questions were solved in less than a week.
July 21, 2020
Shrikar Somayajula | TrustRadius Reviewer
Score 6 out of 10
We use Veracode across our banking product Good Money across various functions. We use Veracode as part of our security best practices of shifting left.
  • Availability of wide variety of security measures
  • Detailed documentation
  • Poor support model
  • Account Managers are unable to render technical help
Veracode is suitable for companies that are both getting started and ramping up App Sec programs.
It is less suitable for programs that are not self-serve due to the fact that their support model is not world-class and requires repeated follow-up.
Poor turnaround time even for Sev1 tickets--very surface-level support.
September 03, 2020
Mauricio Giraldo | TrustRadius Reviewer
Score 10 out of 10
We use Veracode across the whole organization. Our policies demand that all public-facing software needs to go through SAST.
  • SDLC-CI/CD Integration
  • Code flexibility
  • Ease of use
  • Bundled solution (SAST + DAST)
  • User interface
  • Being able to correlate many dynamic scans to single applications
  • Reporting is very complete, but sometimes too complex.
Veracode is well suited for any company that has software pipelines, companies that need to comply with different regulations and standards.
The few times we needed to contact support, they helped us and followed up until the issue was resolved completely.
August 03, 2020
Antonio Kang | TrustRadius Reviewer
Score 10 out of 10
We used it for manual penetration testing on our web application. This resulted in a report stating how vulnerable/not vulnerable our web application is to hackers/exploiters.
  • Communicates with customer well
  • Performed the task well
  • Nothing I can think of
Veracode achieved what it set out to (manual pen testing) very well. For any questions we had, they were happy to provide us with the answers and they were very responsive.
They were very responsive and reached out to the correct people to make sure that we got the answers we needed. For example, when we did not know how to download the correct report, they got back to us quickly with an explanation on how to download the correct report.
July 31, 2020
Rajarajeswari Muthuraj | TrustRadius Reviewer
Score 10 out of 10
We have banking, automotive, and insurance clients primarily. I am using Veracode for an insurance company containing online premium payments and some banking transactions. Veracode is used by various projects across my organization. Veracode is used to decode all security vulnerabilities.
  • Veracode focuses on their core solutions which I have great respect for as it is why they succeed.
  • Easy to Start and Scale with Elastic Compute Power
  • Rapid Risk Reduction
  • The scanner in the area of Static Analysis under Non-Fix by (informational-low) Policy needs improvement. It keeps on changing the count.
  • CWE ID 404 is having ups and downs
  • The Veracode profile changes. It keeps on giving some additional count.
It suits all applications where security is a concern, especially for banking, insurance, and online transactions.
They operate a "service-based solution," removing many of the obstacles typical of on-premise scan solutions. Availability to program management, technical support, and executive interactions are all part of the system.
October 16, 2020
Anonymous | TrustRadius Reviewer
Score 10 out of 10
Veracode is being used as an application security service across our organization. We rely upon Veracode as an authority in mitigation efforts. The platform and its scanning services help manage potential flaws found within the applications that we support and host. Developers interact with Veracode and the security team to help resolve any flaws that are discovered.
  • I have found the Software Composition Analysis area to be the best among the competing products for Application Security.
  • Veracode's support services are impeccable.
  • Their program management teams are professional, helpful, and friendly.
  • Although an improvement to what was there previously, the Analytics section using Looker could still use some improvement. It does seem that what Veracode has deployed is a very limited version of Looker. While helpful and useful, there seems to be so much more that Looker does (such as dynamic querying); however, the version that Veracode employs doesn't seem to offer this.
  • More user control of administrative functions such as user adding/deleting. Veracode still uses a 'soft delete'/'hard delete' functionality. This can become cumbersome for self-user-administration when a deleted user has to be re-added. A support call is then necessary to have this done.
  • Their idle timeout process needs work. While using the Looker tool, you must save your work every few minutes, as their 'Shark-attack-like' idle timeout will sneak up on you and redirect you away in an instant causing you to lose any unsaved work.
Overall, Veracode is one of the best, if not the best, products for application security out in the market. It is a great platform for keeping track of flaws and being able to report on them. Their support services and program management services are excellent, as they hire really good persons to handle these areas. There is still room for improvement in their analytics area.
Having worked with their support and program management teams now for over 4 years, I've been exposed to many support requests, concerns, and issues. We have even had one negative issue with their support team process that was immediately addressed at their upper levels, and those upper-level management persons worked with me directly on the concerns. We recently had an issue with their mitigation process, and although it did take time to resolve, it was handled very professionally and escalated to the highest levels to address our concerns. Needs that have arisen from us as a customer have been addressed immediately and worked out with me directly by some of their most senior personnel to make sure our concerns are met. Again, their support services are among the best out there.
I believe this platform to be one of the most user-friendly out there. After evaluating some other competitor platforms, I've seen one other that comes close to ease of use and others not so much. That is one of the main reasons we continue to renew with Veracode. Areas for improvement continue to be the analytics section and a very quick-to-annoy idle timer.

What is Veracode?

Veracode supports software development by reducing the risk of security breach through comprehensive analysis, developer enablement, and governance tools. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a combination of SaaS technology and on-demand expertise to enable DevSecOps. By integrating with the pipeline, enabling developers to fix security defects, and scaling programs through best practices, Veracode aims to help companies identify and address security flaws more quickly. Veracode is designed to cover all AppSec needs in one solution through a combination of five analysis types available for 24 programming languages, 77 frameworks, and application types as varied as microservices, mainframe, and mobile apps.

The vendor states that Veracode serves more than 2,500 customers worldwide across a wide range of industries, and that the Veracode Platform has assessed more than 14 trillion lines of code and helped companies fix more than 46 million security flaws.

Veracode Competitors

Micro Focus Fortify on Demand, SonarQube, Checkmarx, Synopsys Coverity Static Application Security Testing (SAST), WhiteHat, HCL AppScan (formerly from IBM)

Veracode Support Options

  • Free Version
  • Video Tutorials / Webinar

Veracode Technical Details

Deployment Types: SaaS
Operating Systems: Unspecified
Mobile Application: No

Frequently Asked Questions

What is Veracode?

Veracode is an application security platform that performs five types of analysis: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

What is Veracode's best feature?

Reviewers rate Support Rating highest, with a score of 7.9.

Who uses Veracode?

The most common users of Veracode are from Enterprises and the Computer Software industry.