
Veracode Reviews and Ratings

Rating: 9.2 out of 10

Community insights

TrustRadius Insights for Veracode are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.

Pros

Customer Support Effectiveness: Users have consistently praised Veracode's customer support for being responsive, helpful, and quick to address their needs. This level of support has been instrumental in resolving issues efficiently and maintaining user satisfaction.

Ease of Use and Integration: Reviewers appreciate the platform's user-friendly interface, well-documented steps for administration, and seamless integration with code repositories, making it easy to navigate and work with. This simplicity contributes to a smoother workflow for users across different tasks.

Comprehensive Analysis and Suggestions: Many users highlight the static code analysis platform for providing in-depth information, valuable suggestions for flaw mitigation across various programming languages, and aiding developers in promptly resolving issues. The actionable insights offered by the platform significantly enhance the development process for organizations.

Reviews

137 Reviews

Secure your code from IDE to production

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

We use it as a SAST and SCA tool for all the developments in our organization. All our developers analyze the code they write using the IDE plugin and Veracode Fix to help make the software more secure.

Pros

  • IDE integration
  • Gitlab Enterprise integration
  • Reporting for Product Owners

Cons

  • SAML integration when you have multiple domains
  • Scan whole repos to get a sense of security maturity
  • Authorization model for reports and dashboard

Likelihood to Recommend

It is very good as a SAST & SCA tool when you want to work with your developers so they start generating more secure apps.

It doesn't work very well if you want to measure your security level without including the devs in the process, especially if the way they work and how they use git is heterogeneous.

Vetted Review
Veracode
1 year of experience

One-stop SDLC Security

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

We use Veracode as part of our SDLC, to provide for our SAST, DAST and SCA.

Pros

  • Assemblies
  • Code scanning
  • Dynamic scanning
  • Presenting results

Cons

  • The web interface needs some getting used to
  • Some parts seem a little off, as it's a different piece of software that Veracode is trying to fit in

Likelihood to Recommend

Veracode might be less appropriate for small companies, which need the functionality but can’t afford it (yet)

Vetted Review
Veracode
1 year of experience

Superior code scanning enabling faster and more secure code.

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

We use Veracode to perform Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans against our code, repositories, and CI/CD pipelines for code deployments. We also utilized the IDE integration for software engineers to identify code issues earlier in the development lifecycle.

One of the areas Veracode excels in is their reporting. Our application development releases required a Veracode report to be included showing no high/critical findings.

Pros

  • SAST scanning
  • SCA scanning
  • Reporting
  • CI/CD integration

Cons

  • UI and UX felt a little outdated in some of the screens.
  • Lack of flexibility on their outdated pricing model. This has since been corrected in 2023/2024.

Likelihood to Recommend

Veracode has robust coverage of supported programming languages. We faced an issue with a competitor product where we could not scan compiled javascript (jar) files. Veracode is able to scan jar files no problem in addition to many other languages.

Vetted Review
Veracode
4 years of experience

My experience using Veracode tool

Rating: 9 out of 10

Use Cases and Deployment Scope

I have been using Veracode for nearly 2 years; we are using its SAST and DAST features. Previously there was no source code validation in our software development life cycle. We used this tool to shift security left, and tried to make the process as automated as possible. The best use case of this tool is that it can fit anywhere with flexible plugins at different stages of the SDLC. Even the support is very good and co-operative.

Pros

  • Veracode does integrate into IDE where the development starts. IDE Scans will help in reducing the versions of code.
  • The best thing about Veracode is that it is a SaaS platform, and we can run the scan and do our other work in parallel.
  • Veracode dynamic analysis is pretty good as it clearly shows the requests it sends to the server and the response it receives from the server, which helps in analyzing the vulnerabilities more easily.

Cons

  • Reporting work can be improved.

Likelihood to Recommend

It is best suited for the Agile model projects, where business will have the continuous releases of their products. Other than that I can't comment on the scenario where it is less appropriate as I need to experience it more.

Good SaaS service for finding security vulnerabilities in code.

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

In my organization, Veracode is used as an enterprise mandate to scan any application or service built by the development teams before deploying it into higher or pre-production/testing environments. After the scans, the security team reviews the results to mitigate or fix the vulnerabilities found by Veracode static and dynamic scans following the recommendations provided by the tool, sometimes like upgrading a third-party library to a newer version through SCA.

Pros

  • It is good at recommending fixing issues with third-party dependencies used in application code with detailed version information and knowing which version fixes what.
  • It has a very nice interface for triaging flaws. One can sort the vulnerabilities found in code from Very Likely to be exploited to least likely to be exploited.
  • There is a collections feature that allows us to group together groups of application profiles belonging to the same suite of applications.

Cons

  • The Veracode CLI could be provided as a setup or installer file instead of the PowerShell command to install it from the script.
  • There should be a copy feature that takes comments from vulnerabilities found in one application profile and imports them into matching flaws of another application profile.
  • The automated module selection at the review step just after the upload should be better at identifying entry points and should select only custom-developed code modules instead of third-party ones (at least the common ones).

Likelihood to Recommend

Veracode is well suited for development applications that can be made more secure right from the beginning. There is an excellent extension in Visual Studio that scans code from the IDE. However, it is less appropriate or incompatible with scanning SOAP or WSDL APIs. It supports only REST APIs.

Vetted Review
Veracode
1 year of experience

My experience with Veracode

Rating: 7 out of 10
Incentivized

Use Cases and Deployment Scope

* We run static scans on a regular basis (integrated in our continuous integration) on all our major branches.

* We review the Software Composition Analysis and the "Triage flaws" section on a regular basis (minimum every week).

* We run a dynamic scan before each major version release.

* Our goal is to fix all the Very high/high/medium vulnerabilities this year. We'll then look at the minor ones.

Pros

  • Report generation
  • Flaws description and remediation strategy
  • Consultation requests

Cons

  • Scan results stability: from one scan to another, additional flaws appear whereas code did not change.
  • Entry points selection: hard to be sure selection is optimal, should be automatized or hidden.
  • Branches management: we currently use sandboxes to scan different branches of our software. Would be good to have real branches management.

Likelihood to Recommend

* (+) Report generation for our clients: reports are very comprehensive and look professional.

* (-) Veracode pipeline scan: takes too much time, need to split our application so that it can fit within the timeout (2h). Currently we're not able to use it; we still use the "upload & scan" functionality in our CI pipelines. This is a showstopper for being able to break the build in case of a new vuln, and also for using the Fix AI-based tool.

It works.

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

At my company, Veracode is also used for security and threat assessment. It affects many business units that I'm not willing to discuss.

Pros

  • Updated security risk assessments.
  • Efficient processing of new vulnerabilities.
  • Real-time scanning of resources.

Cons

  • Expanded support for third-party integration would be excellent!

Likelihood to Recommend

We use it for integrated security scanning and reporting, so I would recommend it to others for that purpose. If your company uses Atlassian products, there are also Jira integrations.

Vetted Review
Veracode
1 year of experience

Longtime Veracode User Review.

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

For static code analysis and mobile application assessments. It solves the problem of manually reviewing the applications and the source code. It provides different applicable scan policies, highly detailed remediation steps, + evidence of where the vulnerability is located. The meager rate of false positives is one of the most critical factors of the product.

Pros

  • Static code review.
  • SAST
  • DAST

Cons

  • UI could be simpler.
  • Add a live chat support feature.
  • Increase customizations for scan policies.

Likelihood to Recommend

For static code analysis and mobile application assessments. It solves the problem of manually reviewing the applications and the source code. It provides different applicable scan policies, highly detailed remediation steps + evidence of where the vulnerability is located. The meager rate of false positives is one of the most critical factors of the product.

Vetted Review
Veracode
2 years of experience

Detailed Analysis: Impact and Efficiency of Veracode on Cybersecurity Posture of an Organization

Rating: 8 out of 10
Incentivized

Use Cases and Deployment Scope

We use Veracode for performing Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) scans for all of our products. These scans help us find and address security vulnerabilities early in the Secure Development Life Cycle (SDLC) of every product. We have also automated the SAST, DAST and SCA scans by adding the Veracode scan step in our CI/CD pipelines.

Pros

  • Veracode performs Static Application Security Testing (SAST) very well by finding flaws in the code using entry points so that it tests for everything a user can interact with in the application. This approach is very helpful for avoiding a lot of false positives early on.
  • Veracode performs SCA automatically on every SAST scan, so that we don't have to manually scan the application again for SCA scans.
  • Veracode integrates very well with the ticketing tools, so that it becomes very easy to track every finding and its status within our ticketing tool.

Cons

  • Veracode sometimes marks some findings as fixed and then in subsequent scans, it reopens the finding. All of this happens even when there is no change in the source code.
  • Triaging SCA and License risk findings on Veracode UI is very difficult when you compare it with the SAST findings. I think the "Triage Findings" UI should be same for all the types of findings for better user experience.
  • Veracode's integration with ticketing tools is unidirectional, meaning it only syncs the status from Veracode to the ticketing tool and not the other way around. If the integration is bidirectional, triaging findings could be very convenient.

Likelihood to Recommend

Veracode is a very powerful tool for performing Static Application Security Testing (SAST) and Software Composition Analysis (SCA) for any application. It gives very few false positives from the get go, so less work for the AppSec team for filtering out the false positives.

However, it is not very good at performing Dynamic Application Security Testing (DAST). So, it's not a one-stop scanning tool that fulfills all the needs.

Vetted Review
Veracode
1 year of experience

What I think about Veracode.

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

We have a system that needs to be safe and secure as it contains a lot of confidential information. We use Veracode to do Dynamic, Static Code and Software Composition Analysis scans. Veracode has helped us identify and fix various security and coding issues which we expect will make our system safer and more secure.

Pros

  • It can identify OWASP issues.
  • It provides help on how to fix issues.
  • Their support helps any problems that may arise.

Cons

  • Navigating around the system, especially when going back, sometimes takes multiple clicks as it just keeps reloading the same page.
  • While we haven't tried the new packaging tools, the way we package and upload code for static code analysis has been laborious.
  • Setting up the login process for Dynamic Code Analysis is not easy, as we need to modify script files.

Likelihood to Recommend

There are a lot of different things to configure to get everything up and running. It would be great if there was a wizard that helped step through all the different parts, based on what has been purchased. Once set up, the scans and reports are usually good.

Also, the emails sent when scans have completed should include some highlights of the results, like whether any new issues were discovered that need to be focused on. Otherwise, it requires constant reviewing.

Vetted Review
Veracode
1 year of experience
