Veracode

Overview

What is Veracode?

Veracode is an application security platform that performs five types of analysis: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Recent Reviews

Best in Security

10 out of 10
March 03, 2024
Incentivized
It's being used across the whole organization; multiple engineering teams are using it for third-party library scans, i.e. software …

Veracode to the Rescue!

10 out of 10
February 27, 2024
Veracode DAST is used on applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all critical applications in …


Pricing

Pricing information: unavailable.

Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services


Alternatives Pricing

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

What is Indusface WAS?

Indusface Web Application Scanner provides an application security audit to detect a range of high-risk vulnerabilities, malware, and critical CVEs.


Product Details

What is Veracode?

The Veracode platform is a software security solution that aims to be pervasive but not invasive, embedded into the environments that developers work in, with recommended fixes and in-context learning. Security teams can use Veracode to manage policy, gain a comprehensive view of an organization's security posture through analytics and reporting, mitigate risks, and produce the evidence necessary to meet regulatory requirements.

It is presented as an always-on, continuous orchestration of secure development that gives organizations the confidence that the software being built is secure and meets compliance requirements.

Veracode Features

  • Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout the SDLC.
  • Supported: Developer Experience - Finds and fixes flaws in line with security integration into where developers work, automated remediation guidance, and in-context learning.
  • Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOps program.
  • Supported: Market Expansion - To meet data residency needs in the EU with a cloud-native instance built in Frankfurt, Germany on AWS.
  • Supported: Contextual Platform Data - Fine-tuned with nearly 2 decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities by applying machine learning and artificial intelligence to the data.
  • Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with a cloud-native SaaS architecture.

Veracode Screenshots

  • Screenshot of The Veracode Platform Homepage
  • Screenshot of Static Analysis Scans
  • Screenshot of Findings Status and History Dashboard
  • Screenshot of The Veracode Platform

Veracode Videos

Veracode Static Analysis Demo
Veracode Software Composition Analysis Demo
Veracode Dynamic Analysis Demo


Veracode Technical Details

Deployment Types: Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Unspecified
Mobile Application: No
Supported Countries: North America, EMEA, APAC, LATAM
Supported Languages: Java, .NET, PHP, Android, iOS, JavaScript, Python

Frequently Asked Questions


Checkmarx, Snyk, and SonarQube are common alternatives for Veracode.

Reviewers rate Support Rating highest, with a score of 8.

The most common users of Veracode are from Enterprises (1,001+ employees).

Veracode Customer Size Distribution

Consumers: 0%
Small Businesses (1-50 employees): 18%
Mid-Size Companies (51-500 employees): 65%
Enterprises (more than 500 employees): 17%


Reviews and Ratings

196 ratings

Reviews (51-75 of 127)
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use this for static analysis as well as with agent-based scan, and this combination helps us detect potential vulnerabilities at the development phase itself and address them.
  • Finds and tells us which packages are out of date
  • Tells us about vulnerabilities in CSS, JS and third-party components
  • Recommends coding improvements based on better coding practices
  • Sometimes the static scan gets stuck for days, when it otherwise takes 3-4 hours most of the time
I won't recommend it for smaller products.
Sathya Patlolla | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode to scan code for OWASP and other vulnerabilities via the IDE and CI/CD pipelines. Developers are able to review and compare the code file against the results of the scan and resolve or mitigate the flaws. I am particularly impressed by the scanning abilities and the automatic exclusion of some third-party code.
  • Identify vulnerabilities
  • Great developer support and training
  • Automatic identification of third-party code.
  • Multiple scanning options: portal, IDE, CI pipelines
  • Web analysis portal has a minor learning curve.
  • Improve the login timeout
  • Any improvements in scanning speeds would be helpful
  • A modern UI design would be good.
The best thing about Veracode is its scanning abilities and developer training.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We used Veracode for training developers on how to start thinking of security as another vector for what constitutes shippable software on par with code quality. Just as in the past it took a cultural shift to get engineers to believe that they shouldn't even think about shipping code without unit tests or peer review, I wanted my engineers to start viewing security the same way.
  • Learn by doing rather than telling; modules are passed by coding the solution, not answering a quiz.
  • Was customized to the specific languages my developers use.
  • Leaderboard is a great incentive for engineers to keep learning.
  • I found it difficult to pass a few lessons the first time around because it was expecting me to code with specific language semantics that I didn't use, even though my solution met the security bar. More flexibility would be welcome here.
  • The leaderboard is a great start but more gamification would drive more engagement. Badges, titles, custom UX profile changes that can be earned, etc.
  • I recall that some of the external linked resources wouldn't open for me.
Great for teaching teams to think about security as part of their engineering culture, and not as an afterthought ("I don't have time to think about this, but it's ok because our security team will catch any problems during the review").
Score 8 out of 10
Vetted Review
Verified User
Incentivized
I use Veracode Pipeline Scan locally to scan the code for flaws and SCA analysis, and I use Veracode Static Plugin to view the results of Veracode scans in the Jenkins pipeline. I view the reports in Jenkins and triage flaws for my team to work on.
  • Identify flaws and indicate their location in the code
  • Describe the flaw and vulnerabilities in great detail
  • Provide links to solutions on how to fix the flaws
  • Providing the dependency tree to show which dependency is introducing the vulnerability transitively will be helpful
  • Ways to automatically exclude vulnerable dependencies via the IDE plugin
  • Code suggestions to automatically fix the flaws in the IDE
Veracode is very helpful in identifying the flaws and vulnerabilities in our code. It takes longer to run on the Jenkins pipeline, and I wonder if there is a way to make it run faster when there [are] not a lot of code changes from the previous build. The interactive report helps me triage the flaws for my team to fix and improve security. I wish there was an automated tool in the IDE that suggests code fixes and dependency exclusions to remove vulnerabilities.
Edwin Delph | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode to scan our code for static code analysis and 3rd-party dependencies to identify security vulnerabilities. Scanning is done using pipelines in our continuous integration process.
  • Identify vulnerabilities in static code without too many false positives[.]
  • Identify vulnerabilities in 3rd party dependencies without too many false positives[.]
  • The speed of scanning can use some improvement, especially when trying to use automated scans in continuous integration pipelines.
Veracode is well suited for detecting vulnerabilities. It is not as well suited for identifying code smells (code quality).
November 28, 2021

Thanksgiving review

Score 10 out of 10
Vetted Review
Verified User
Incentivized
We evangelize the use of Veracode to other departments who develop their software code, and additionally conduct walkthroughs and training. Business problems usually range from vehicle security-related development, analytical development, and digital transformation.
  • enhanced the code quality
  • code security is evangelized to be imbibed in the DNA of all application teams
  • usage of Veracode globally within NISSAN
  • web scanning using dynamic analysis
  • adding multiple users at the same time
  • navigation of analytics dashboard
1) Code quality for new development.
2) dynamic scanning of web applications.
3) less appropriate when we have to scan the previous version of the code.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
I used Veracode for various applications in [the] organization, and I am able to identify and resolve many code vulnerabilities with the help of Veracode. Initially, I started with the .NET application, and now the organization is planning to work on scanning Angular apps, which I am now exploring. Plugins provided by Veracode are also really useful for analyzing problems at development time.
  • helps us to find out issues in code, majorly SQL injections and untrusted initialization
  • Support is really very helpful
  • Plug-ins are helpful
  • Easy to integrate in CI/CD pipeline
  • Easy to use in IDE
  • Sometimes it's hard to resolve problems the way Veracode expects
  • Not able to find support videos/links for full project scans of other languages, the way they are available for .NET
I think this is the best tool to identify problems in code, and this also helps to reduce flaws in code, which really makes the application robust, and the client also feels confident while using it. But the scan actually takes longer than expected, and many times it doesn't tell us the proper reason why it is failing while uploading a file during a scan.
November 24, 2021

Veracode Rocks!

Score 10 out of 10
Vetted Review
Verified User
Incentivized
We are using Veracode for static analysis for our code for one of our major clients. The application has been greatly helpful in managing security risks to all our applications. I [especially] love the flexibility in the way a scan can be conducted. It can be CI/CD pipeline, or we can directly upload our codebase and scan it, which helps us with managing multiple applications at the same time.
  • Static analysis of applications helps in managing risks[.]
  • Software composition analysis scan helps us in managing risks introduced through [third-party] libraries[.]
  • Recommendations for fixing the issues and exact code location is provided[.]
  • It is super easy to reach customer support, and they have been able to resolve our queries with half-hour consultation calls[.]
  • The website definitely can be faster. Navigating through several pages eats up a whole lot of time.
It has been an excellent [user-friendly] tool and that is why our whole client organization is using it to scan their applications. We currently have 25+ applications being scanned every 6 weeks or so and we have been able to fix and identify all the issues with great ease. The fix recommendations with the exact code location are of great help. The support staff is excellent in resolving the issues and [is] always reachable[.]
Michael Butcher | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Veracode is used to alert my team of any potential threat vectors that may be exposed. We [can] each build for new threats. I also give recommendations on how to fix any issues found by Veracode.
  • Identify vulnerabilities
  • Recommend Fixes
  • Ease of Use
  • Product Support
  • Provide warning when API key is about to expire
Veracode is great for Angular and Java scans. It may not be as appropriate on Native Mobile Code Scans.
October 28, 2021

Veracode review

Score 7 out of 10
Vetted Review
Verified User
Incentivized
Veracode is used across the whole organization, by all LOBs. It's a pretty good platform with a user-friendly interface and useful recommendations. The analytics capabilities are also well designed and you can build your own dashboard.
  • Vulnerability assessment.
  • Remediation process.
  • Analytics dashboard may need to be more user-friendly. Sometimes difficult to retrieve the results as expected.
I have experienced SAST and SCA capabilities with Veracode. DAST features are unknown to me.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Veracode is truly the best AppSec tool available. You don't have to install anything if you don't want to, as it's offered as a SaaS. It's as easy to implement as writing a few lines of code or installing a plugin on your CI/CD pipeline; their false-negative ratio is close to zero because of their AI, and the pipeline scan really gets the job done within a few minutes while giving you the opportunity to run full scans to generate reports of your entire environment. Their team is incredible and super helpful when needed. We're using Veracode to scan all of our APIs right in the development environment to make sure that we don't have any critical vulnerability running in our production environment and to reduce costs regarding vulnerability correction/mitigation.
  • Super fast CI/CD pipeline scanning.
  • BoM when using SCA along with its vulnerabilities and licenses.
  • Ease of use and implementation as it's a SaaS.
  • Custom policies to break your app's build.
  • Pipeline scan sometimes doesn't give you enough debug messages to know what went wrong.
  • DAST could have an option to scan APIs using a swagger.json file.
You can use Veracode with (almost) every single app that you have, independently of its programming language. With the (thankfully) not-so-new pipeline scan you can scan your apps/APIs during the build process in seconds/minutes, along with the SCA scanning, to decide whether to fail the build or not. With DAST you can scan your web-based apps as long as they're not APIs, as it crawls your website to do its fuzz testing, but I hope that they add that feature in the future, allowing swagger.json files to be uploaded to the console as well to help the DAST scanning.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Veracode is used across the whole organisation for static & dynamic application security testing as well as software composition analysis (tracking open-source and other third-party components) to evaluate our security posture and ensure compliance to global security policy & standards. Provides visibility of potential security vulnerabilities in applications, categorised by severity to help prioritise remediation.
  • Static Application Security Testing (SAST).
  • Dynamic Application Security Testing (DAST).
  • Software Composition Analysis (SCA).
  • Patchy usability and intuitiveness of the platform.
  • API functionality could be improved.
  • Better integration of functionality such as DAST and SCA, which sometimes appear "tacked on" to the core SAST offering.
It's well-suited where you want a best-in-class vendor for static and dynamic security testing who can also perform additional services such as penetration testing. It's also great if you need the ability to have consultations with Veracode experts to help understand flaws, either regularly or from time to time. If you need proactive account management to help ensure you are getting the best out of the Veracode application, again, you are in luck because this is an area in which Veracode shines. All of this functionality, flexibility, and the "human touch" does come at a price, so while I would say Veracode is excellent value for money, for very small or highly budget-conscious organisations, they may not be the best fit.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Our company uses the Veracode SAST tool to ensure code quality. We run it on a weekly basis as part of our CI/CD pipeline. The Veracode tool creates reports, and we check the report. If a report includes high, very high, or critical issues, we fix these issues immediately and rerun the SAST tool.
  • Great SAST analysis for Java.
  • Very professional security consultants.
  • Great SAST analysis for JavaScript.
  • Easy way to export reports.
  • The platform performance (UI) should be improved. Now each action takes a lot of time.
  • The SAST analysis for Angular should be improved.
The Veracode SAST tool provides very good analysis for Java. If you need a security consultation, you will discuss it with professionals. They will explain to you in a very good way why some flaws are raised and why some are not raised. If the tool has some problem in the scan, the problem will be resolved in a reasonable time frame.

There is room for improvement:
  • The UI reacts very slowly and sometimes takes a lot of time till you see the next screen.
  • The SAST tool should add support faster for new languages like new versions of Angular.
October 12, 2021

Veracode Rocks!

Score 9 out of 10
Vetted Review
Verified User
Incentivized
We are using it for application security. Primarily using dynamic scans and Static Scans of our servers. We are scanning our production servers and our development servers in a scheduled time frame. Additionally, we run unscheduled scans from time to time. We are also using the manual penetration feature.
  • Works great for scheduled scans.
  • Works great for unscheduled scans.
  • We also like the analysis details that it provides for the scans.
  • Only send an e-mail when an issue is noted.
  • Send one e-mail a week to the primary operator for status on all scheduled scans that do not have issues noted.
We have enjoyed working with the Veracode team and are looking forward to continuing to work with them.
Ravi L | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
The Veracode usage decision was made by the corporate security team, and it is used across multiple projects that are customer-facing. One of the goals of the corporate security team was to ensure all applications that are developed and deployed to our customers follow secure development practices, so that there are no security vulnerabilities that can be exploited and in turn affect the business of our customers. Our current project is specifically a distributed system where each customer has their own environment setup. In this environment, we cannot ensure the customer environment is secure, as it is not under our control. The only control we could put in place was the security of the application. With Veracode, we run manual penetration tests at the end of each release and static scans each week to ensure we comply with the corporate-defined security standards, while also ensuring that there are no security vulnerabilities.
  • Static scan.
  • Penetration testing.
  • Integration with Jenkins.
In my opinion, Veracode should be used for all software development projects. There are no scenarios where a project can be less secure or more secure. Secure code should be given as much importance as functional code. With the number of security incidents that keep happening, it is never too much to secure the application. Veracode static scans should be part of every CI/CD pipeline. One scenario that needs to be considered is that the static scan currently identifies vulnerabilities that are suited for web applications. There are plenty of vulnerabilities that are not applicable to Desktop applications that can somehow be avoided from being flagged.
September 24, 2021

Veracode Review

Oleksandr Klymenko | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Veracode is used in the software R&D department. It is an important stage in our quality process. By using Veracode, we make sure that our source code corresponds to high security standards. We also use it for checking security in 3rd-party libraries used in our products. For us, Veracode addresses the static scanning part of security testing. So together with secure design principles, penetration testing, and security scanning, Veracode adds its value to our company security program and helps to make products better from a security and code quality perspective.
  • Tools for continuous integration (Jenkins integration, Pipeline plugin, Agent-based SCA).
  • Intuitive interface.
  • Great reporting capabilities.
  • Great technical support.
  • Maybe more connection between tools, e.g. promoting Agent-based SCA scans to a policy. But it is a minor inconvenience. Actually, we're really pleased with Veracode functionality and tools.
  • Fewer false positives in scan results, as we have to spend time analyzing those issues.
  • Sometimes issues that should already be mitigated appear in scan results again, which also adds some work to review them again and mitigate.
Veracode as a set of tools can benefit any software development process. I also think that the Veracode tools ecosystem can be appropriate for any team that wants to make their project more secure. Although [the] number of issues, especially after the first scans of a product, may be shocking, so complying with Veracode levels may need a lot of effort and investment.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We used Veracode across our entire secure software development lifecycle as a key component of our Jenkins pipelines to analyze code for security issues. We have rules to remedy all critical, high, and medium issues for non-PCI applications. PCI applications also require the remediation of the low vulnerability classification. I like that we have a standard tool for code analysis that uses the same rules and thresholds for our code.
  • Identify OWASP issues.
  • Easy integration into the developer environment with Greenlight.
  • Ability to be integrated into the Jenkins pipeline.
  • Failing the Jenkins pipeline build process. But this requires faster processing of the sources and returning the results quickly to the build process.
  • Speed of the website should be quicker.
  • Allowing preferences for the web display. In one application we have 223 sandboxes. I want my default rows per page to be >10 (I have a 4K monitor).
  • Easier access to the reports and information we need for resolving vulnerabilities.
Positives
  • Very good at scanning code for security vulnerabilities.
  • Has an IDE tool called Greenlight to catch issues before they are committed to the code management system.
Improvements Needed
  • Web site response speed is slow and sluggish for our applications.
  • Confusing on some of the gaps where it wants other libraries uploaded. Need good examples for developer training and education.
  • Since this is run as part of the Jenkins build process, one assumes the system could get those assets, just like it gets the source code that is used for analysis.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
It is used to get the best security in coding and to deploy code securely. We use the APIs that Veracode provides for automation, increasingly reducing the time that users spend signing in to the platform and downloading the report from their application profile.
  • Security.
  • Best practices.
  • Detailed reports.
  • Automation.
  • Third-party reports.
  • Customizable reports - SCA download by API.
Veracode is well suited to our scenario, but for microservices it isn't well suited. Because we have 1500+ microservices, licensing is a real problem if you have less than 1GB.
Score 1 out of 10
Vetted Review
Verified User
Incentivized
We use it across the engineering department to scan our code for possible security flaws.
  • The security consultants are very empathic and pleasant to work with.
  • The static scanner has a very unpredictable runtime on large-scale applications.
  • The amount of false positives is extremely high in C/C++ settings.
  • The Web portal is not geared to an efficient working style. It has very slow loading times and actively discourages the use of multiple tabs.
The static scanner does not work well with large scale C applications.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Veracode is used as a scanning tool for thousands of apps across the whole organization. The scan result it generates serves as a deciding factor as to whether or not the application will push through the production environment/stage. The scan also tells the application team where the vulnerabilities or weak points are, as well as the security posture of the application.
  • The identified security vulnerabilities are detailed and well-explained.
  • Description of the solution/mitigation is well-presented.
  • Links to different topics that cover/discuss the vulnerability are present and are not dead links.
  • Proactive Veracode support staff are always ready to assist and even go beyond what they are asked to do.
  • The status of the scan, as shown in the Application section, is different from the Dynamic Analysis section.
  • Bug on stopping the scan and deleting the previous application scans.
  • Unable to download the dynamic analysis scan report; had to go to the static scan result first to download the report.
  • Linking of applications is seldom not working.
As part of the team that does dynamic analysis scans, personally, the strongest points of Veracode are being able to identify weak ciphers, missing CSP headers, SQL injection, CSRF, and XSS. Applications that run in Internet Explorer are one of its limitations and not its strong suit, though rarely, it was able to scan successfully if the application only used a basic login page.
Score 6 out of 10
Vetted Review
Verified User
Incentivized
Veracode is being used to test all applications for any security risks. It helps ensure that all applications moving to production satisfy the standards mentioned in the policy. Veracode scan is efficient in recognizing any security flaws and also provides paths within the code that are problematic. Reviewing those paths eases the debug process and helps in improving application quality.
  • Providing paths within the code that can be easily followed for fixing any issue.
  • Documentation provides suggestions to improve flaws.
  • Rates flaws in levels to better understand severity.
  • Run scans faster (by caching data from previous scans).
Veracode is suited for applications that have the least dynamic inputs. Any application with multiple dynamic inputs leads to problems that need to be manually mitigated by design.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Veracode is being used for several different types of scanning at my organization. Primarily, it is used for static scanning, which occurs frequently, and secondarily it is used to scan for malicious third-party packages within the codebase. We have also implemented dynamic scanning with Veracode to maintain the security of web applications being developed.
  • Easy to implement.
  • Effective and quick.
  • Great support team.
  • The interface looks slightly outdated. No real complaints.
Veracode is well suited for a mature cyber environment that already has a functional git process & enough developers to be regularly pushing new code that needs to be scanned. If you're a startup with two developers, Veracode is probably not for you, as implementing it into your CI/CD system would be more work than the solution is worth.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Platform Engineering Department has started using it recently.
  • Great for open source library scanning.
  • Great for static scanning.
  • Great for manual PEN testing.
  • And, great for dynamic testing too.
  • Be more proactive with smaller startups to make sure we are embedding these tools into our workflow. Don't leave it up to the organization! Hold their hands through it!
Full turnkey SCA, SAST, DAST and PEN testing from a single Gartner top-right-quadrant company is critical for us! Veracode does that for us!
June 01, 2021

Helpful tool

Score 9 out of 10
Vetted Review
Verified User
Incentivized
Veracode is used by our IT department only. It is a very helpful product.
  • Sophisticated UI
  • Integration into CI/CD pipelines
  • Informative reports
  • Cover more types of vulnerabilities
  • Simplify the process of marking and approving mitigations
Veracode will suit any organization that wants to integrate security into their build pipeline.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Veracode is used by our department to ensure that our web applications are secure and that we are employing up-to-date security standards in our development. Veracode addresses not only our public facing website but also our coding practices.
  • Website scanning
  • Coding security standards
  • Library security
  • The Veracode website user interface is not intuitive and is difficult to navigate. New users will find that links will often have them going around in circles until they are lost.
  • The dynamic scanning does not allow for minimizing scans on repetitive forms. This could be provided with regular expression matching for links to sections of the tested website to reduce the amount of repeat scans of the same form.
  • Software composition analysis does not handle applications with more than one framework well (e.g., a dot net core 3.x framework with a Vue front end). These have to be scanned individually and not analyzed in one run.
  • Reports are compartmentalized, offering values in one section that aren't available in another section, so that users cannot combine the separated values and use them in one report.
Veracode offers a unique solution to evaluate security from the coding standpoint, where other tools do not offer this viewpoint. This is what Veracode offers above all other tools that we evaluated.

Qualys WAS is another tool that we have used and continue to use, which is similar to Veracode's dynamic analysis scanning. There are some capabilities that Qualys offers which Veracode does not, like blacklisting URLs by regular expression.

Veracode seems deficient in testing APIs, as I have not seen any ability to manipulate the HTML header to add authorization.