TrustRadius: an HG Insights company

Veracode

Score: 8.7 out of 10

217 Reviews and Ratings

What is Veracode?

Veracode provides advanced application security solutions, trusted by enterprises to develop and maintain secure software. Its platform identifies exploitable risks, speeds up vulnerability remediation, and reduces security debt at scale using a proprietary AI-assisted remediation engine.

Media

Screenshot of a fix
Screenshot of the Veracode Platform
Screenshot of SCA
Screenshot of SCA Github


My experience with Veracode

Use Cases and Deployment Scope

* We run static scans on a regular basis (integrated in our continuous integration) on all our major branches.
* We review the Software Composition Analysis and the "Triage flaws" section on a regular basis (minimum every week).
* We run a dynamic scan before each major version release.
* Our goal is to fix all the Very high/high/medium vulnerabilities this year. We'll then look at the minor ones.

Pros

  • Report generation
  • Flaws description and remediation strategy
  • Consultation requests

Cons

  • Scan results stability: from one scan to another, additional flaws appear even though the code did not change.
  • Entry point selection: it is hard to be sure the selection is optimal; it should be automated or hidden.
  • Branch management: we currently use sandboxes to scan different branches of our software. It would be good to have real branch management.

Return on Investment

  • Adoption by developers: they are more aware of security aspects.
  • Allows us to see where we are in terms of applicative security
  • We're able to deliver clear security reports to our clients

Alternatives Considered

JFrog Security (Xray), Coverity Static Analysis (SAST) and CheckMark 1095

Other Software Used

SonarQube, JFrog Security (Xray), OWASP ZAP

Usability

Shaping the security code reviews and SCA through Veracode

Pros

  • It provides insights about the most prevalent issues that we currently observe as a security team.
  • Helps to monitor Mean Time To Resolve (MTTR, a very important metric) to support our workflow management.
  • Scanning for code security issues on compiled code makes it very intuitive about all the metrics that matter.

Cons

  • The filtering options could be more intuitive — it’s not always easy to find exactly what you’re looking for without trial and error.
  • While Veracode integrates with a decent number of tools, we’ve found it a bit rigid compared to some newer players in the space. Some more API or webhook integrations should be there.

Return on Investment

  • I remember one use case where we were looking for an open source tool to scan our limited prod APIs for the BOLA use case, and Veracode came in handy: it was directly able to store our static creds and perfectly scanned for the use cases. Really saved our effort.
  • MTTR solved our Agile way of working, where I was able to establish an SLA across dev accounts.
  • Overall it provided a positive ROI, talking in terms of flexibility.

Alternatives Considered

Semgrep and SonarQube Server

Other Software Used

SonarQube Server, Semgrep, PortSwigger Burp Suite, Kyverno, GitHub Copilot

Veracode and me . . .

Use Cases and Deployment Scope

Veracode is our primary Vulnerability Management solution, to help us identify vulnerabilities in our applications as early in our development lifecycle as possible. The data is sent into our central monitoring and data visualisation tool. We are trying to reduce our attack surface without compromising our ability to do business.

Pros

  • Documentation
  • Customer Support
  • Roadmaps

Cons

  • Data Visualisation
  • Sharing data in human readable format
  • Integrations with SecOps tooling

Return on Investment

  • Reduced costs of bug bounty program
  • Reduced business/application downtime

Alternatives Considered

Snyk

Usability

Veracode A Powerful Code Security Tool

Use Cases and Deployment Scope

We use Veracode to identify and help remediate high risk technical debt, as well as shift left for our developers so that they are fully equipped to prevent new flaws from making it to production code. Veracode has been a highly useful tool, albeit complicated, in meeting our application security goals.

Pros

  • Application Security
  • Flaw Analytics
  • Dashboards and Metrics

Cons

  • Ease of Use
  • Integration Complexity
  • Analytics Complexity

Return on Investment

  • More secure code
  • Confidence in App rollouts
  • Better communication with Development teams

Other Software Used

IntSights Cyber Intelligence, from Rapid7, Netskope CASB

Veracode User Experience

Use Cases and Deployment Scope

It is used across the organization. We are using it for static analysis of our code. We have selected the policy that requires our release code to minimize the level of security faults. Besides static analysis we use Software Composition Analysis, and we found it very helpful in rectifying vulnerabilities from third-party libraries.

Pros

  • Good integration with Jenkins and Visual Studio.
  • Parsing the code well.
  • It has good dashboard.
  • SCA graphs for transitive dependencies are very useful in identifying the vulnerabilities.

Cons

  • The main problem is the slow speed of the scan - it took 11 weeks in one instance.
  • The problem was ongoing for a number of months and eventually they managed to slash the running time to one day. However, since then the running time usually takes 2-3 days, as the scan always stops during the run.
  • While SCA for Java works very well, there are a number of issues on the C++ side. It cannot recognize the libraries built by default from third-party vendors' source code.
  • The newer version especially produces lots of false positives.

Most Important Features

  • Thorough scan of our code.
  • Integration with our release process.
  • Accurate info about vulnerabilities in third-party libraries

Return on Investment

  • At the moment, due to the very slow speed of the scan, we cannot fully integrate it in our development process.
  • However, we are using it for our release process.
  • The analysis that the Veracode software provides gives us and our client confidence that we are producing secure code.

Alternatives Considered

GitHub

Other Software Used

Microsoft Office 2016 (discontinued), Microsoft Visual Studio, IntelliJ IDEA, Notepad++, Microsoft 365, Atlassian Jira

Usability