Overview
What is Veracode?
Veracode is a software security firm that identifies flaws and vulnerabilities across the software development lifecycle. Veracode’s Software Security Platform uses advanced AI algorithms trained on vast datasets of code, for more precise identification and rectification of security flaws.
Pricing
Entry-level set up fee?
- No setup fee
Offerings
- Free Trial
- Free/Freemium Version
- Premium Consulting/Integration Services
Alternatives Pricing
What is SonarQube?
SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.
What is Indusface WAS?
Indusface Web Application Scanner provides an application security audit to detect a range of high-risk Vulnerabilities, Malware, and Critical CVEs.
Product Details
What is Veracode?
Veracode is an Application Risk Management solution for the AI era. Powered by trillions of lines of code scans and a proprietary AI-generated remediation engine, the Veracode platform enables organizations to build and maintain secure software from code creation to cloud deployment. Development and security teams can use Veracode to get actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode offers capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.
Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and Twitter.
Veracode Features
- Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.
- Supported: Developer Experience - Finds and fixes flaws in line with security integration into where developers work, automated remediation guidance, and in-context learning.
- Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOps program.
- Supported: Market Expansion - Meets data residency needs in EU with cloud-native instance built in Frankfurt, Germany on AWS.
- Supported: Contextual Platform Data - Fine-tuned with nearly 2 decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities through applying machine learning and artificial intelligence to the data.
- Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with cloud-native SaaS architecture.
Veracode Technical Details
| Attribute | Detail |
|---|---|
| Deployment Types | Software as a Service (SaaS), Cloud, or Web-Based |
| Operating Systems | Unspecified |
| Mobile Application | No |
| Supported Countries | North America, EMEA, APAC, LATAM |
| Supported Languages | Java, .NET, PHP, Android, iOS, JavaScript, Python |
Veracode Customer Size Distribution
| Customer Segment | Share |
|---|---|
| Consumers | 0% |
| Small Businesses (1-50 employees) | 18% |
| Mid-Size Companies (51-500 employees) | 65% |
| Enterprises (more than 500 employees) | 17% |
Reviews and Ratings
Reviews (1-24 of 24)
Great In-Depth Analysis of In-House Applications
- Veracode's static code analysis platform provides in-depth information as well as very useful suggestions regarding mitigation for flaws it discovers. This is very helpful in assisting developers towards a speedy and complete mitigation.
- Veracode does well to keep connected with their customers, ensuring the success of their customers on their platform is evidently one of their goals which they hold highly. This responsiveness continues into their technical support which is both helpful and fast to respond.
- Veracode continues to update their platforms, their capabilities, and their research often; the promise of continuous improvement from all facets provides value to us as an organization.
- We would like to see Veracode continue to improve the integrations available, particularly with respect to .NET IDEs. Part of our development team uses JetBrains' Rider which is, as of this time, unsupported for static integration.
- We would also like to see Veracode continue to improve their dynamic scan offerings; with the recent addition of DAST Essentials we feel this improvement may come sooner than later.
Best in Security
- SCA
- SAST
- Secure Code Training
- Add more labs in Secure Code Labs.
- Supporting Perl would be great.
- Better to have standard deployment for all packages in upload and scan.
Sleep Soundly - Use Veracode
- Thorough static scans
- Quick but deep dynamic scans
- Detailed reports
- Excellent consultants
- Initial user training could be better; it's very confusing at first.
- More online help
- The UI can be confusing if you have a lot of different products.
Veracode to the Rescue!
- Customer support that won't permit any failures anywhere along the line.
- Regular updates to the platform that supports rapid changes in technology and development practices
- Sets the standard for how AppSec scanners should work
- Sometimes finding the right person to help takes a little time
- Pricing of SAST/SCA scans may scare off some potential customers until they understand that it's worth it.
Elevating Security Through Automation and Integration
In all, Veracode is a critical tool that helps us remain compliant with our various annual third-party audits.
- Automation
- Software Composition Analysis
- Integrations
- More insight into errors that may be causing an issue when configuring an integration, e.g. Veracode's Jira integration.
- Static Analysis can sometimes get 'stuck' when using the Jenkins integration. Days, sometimes weeks can go by before we notice. Have to delete the 'stuck' scan and re-upload.
- Manual Pen Test account management/reminders. I would expect the vendor to reach out and schedule the pen test annually, maybe send a notification/reminder when the date starts getting close, things like that. From my experience it was on me to initiate our MPT.
Veracode Use for Companies ERP Product offerings
- Automated scanning of software libraries for vulnerabilities
- Management of multiple applications, statuses and helps on security remediation
- Veracode Verified program to leverage the security investment as competitive advantage
- The time it takes to scan large projects makes it difficult to fit into our CI/CD pipeline
- One of our app scans times out after 2 hours and we have to upload it and scan manually, but then the CI system has no visibility into the vulnerabilities found
- Integration with older development languages to scan. We have an old 4GL-based application that is not compatible with the tools
- Monitoring software development infrastructure.
- Prevention of security threats.
- Provision of intelligent security information.
- The features are awesome.
- I have familiarized myself with all the set features.
- The overall performance is good.
- Double checking the security of our code
- Integrating into our CI/CD process to help us catch and resolve new flaws
- Helping us maintain our compliance
- The documentation could really use some work
- I am skeptical of the thoroughness of the scans on newer languages and frameworks
- The scan takes too long
- The IDE tools leave much to be desired
- Too many false positives
The manual penetration test is very useful to have in addition to the flaw identification algorithm.
Due to the lengthy amount of time it takes to scan, it's not useful for testing every commit.
The Visual Studio extension does not make it easy for developers in day-to-day programming
Veracode helps to improve the security in applications
- SAST analysis in the pipeline is very quick and helps to identify flaws
- Third-party library analysis is effective to review vulnerabilities and recommend a secure version
- Integration in the pipeline with various DevSecOps tools/platforms
- More coverage in the languages/frameworks
- The crawl script for SAST analysis could be improved to support more functions
- More coverage for different versions of the IDEs
Veracode Meets Our Needs
- Static scanning is quick and efficient
- The scan reports are easy to read and informative
- Interaction with both account management and support staff is great
- The contracting process is easy
- The platform's interface could be a little more intuitive
- Sometimes we get a notification that our static license use has been exceeded but it has not
- Sometimes the static scan reports many, many potential flaws but it turns out the tool has not been programmed to correctly recognize a particular use case
- The configuration of dynamic scanning is a bit disjointed.
- It may just be our application but the dynamic scanning process needs to be improved. Note that we have an open case with Veracode on this so we do expect a resolution.
Review for a Left Shift Security Scanner
- Static Analysis SAST
- Dynamic Analysis DAST
- Software Composition Analysis SCA
- Interactive Analysis
- It sometimes can be tricky to use and not straightforward
- Learning and Training the product can be minimised
Veracode Review
- Recognize unseen security issues
- Detailed scan report
- Great personal support
- UI of platform still hard to use and navigate
- Loading of web application could be faster
- Auto generated bug in Azure DevOps should have more details about the flaw
Veracode Review
- scanning existing code
- scanning code as developers work so errors aren't introduced at all
- Developer Training - I found assigning training to be tricky and pulling useful reports very difficult
- Veracode reports are robust - but to a point where I am overwhelmed by choices
Important!
- Identify third-party components' security issues and suggest updates.
- Provides training course to solve the issues found in the analysis.
- Easy to configure in our DevOps integration platforms. Has good documentation for it.
- Full Integration with Azure AD.
- User management in the portal. To be more clear.
- Separate the concept of an application and components of one.
- Arrange applications into Groups/Subgroups.
Help us build Secure code and drive your development teams towards best secure code practices
- Identify Vulnerabilities
- Great Developer Support and Training
- Automatic identification of third-party code.
- Multiple scanning options: Portal, IDE, CI pipelines
- Web Analysis portal has minor learning curve.
- Improve the login timeout
- Any improvements in Scanning speeds would be helpful
- A modern UI design would be good.
Hands-on teaching platforms are the best!
- Learn by doing rather than telling; modules are passed by coding the solution, not answering a quiz.
- Was customized to the specific languages my developers use.
- Leaderboard is a great incentive for engineers to keep learning.
- I found it difficult to pass a few lessons the first time around because it was expecting me to code with specific language semantics that I didn't use, even though my solution met the security bar. More flexibility would be welcome here.
- The leaderboard is a great start but more gamification would drive more engagement. Badges, titles, custom UX profile changes that can be earned, etc.
- I recall that some of the external linked resources wouldn't open for me.
Veracode: Best-in-breed vendor for SAST, DAST & SCA, with enticing additions such as pen testing and developer training
- Static Application Security Testing (SAST).
- Dynamic Application Security Testing (DAST).
- Software Composition Analysis (SCA).
- Patchy usability and intuitiveness of the platform.
- API functionality could be improved.
- Better integration of functionality such as DAST and SCA, which sometimes appear "tacked on" to the core SAST offering.
Veracode helps create secure software for publishing in the cloud.
- Identify OWASP issues.
- Easy integration into the developer environment with Greenlight.
- Ability to be integrated into the Jenkins pipeline.
- Failing the Jenkins pipeline build process. But this requires faster processing of the sources and returning the results quickly to the build process.
- Speed of the website should be quicker.
- Allowing preferences for the web display. In one application we have 223 sandboxes. I want my default rows per page to be >10 (I have a 4K monitor).
- Easier access to the reports and information we need for resolving vulnerabilities.
- Very good at scanning code for security vulnerabilities.
- Has an IDE tool called Greenlight to catch issues before they are committed to the code management system.
- Web site response speed is slow and sluggish for our applications.
- Confusing on some of the gaps where it wants other libraries uploaded. Need good examples for developer training and education.
- Since this is run as part of the Jenkins build process, one assumes the system could get those assets, just like it gets the source code that is used for analysis.
Veracode - A non-binary review for the binary scanner
Any aspect concerning the vulnerabilities of a software product is non-trivial and would be very costly if reported by the customers. Veracode helps find these beforehand, if the code (binaries) is scanned before being integrated into the product. With its wide variety of integrations, Veracode scanning can happen at any stage of the DevOps CI pipeline, thereby facilitating the "shift left" mentality of finding defects/vulnerabilities in [the] code as early as possible in the software development life cycle.
- Binary scanning. Veracode static analysis is based on binaries derived from source code, which is more accurate than pure source code scanning. This accuracy translates to fewer false positives in the defects reported, thereby saving developers' time in tackling the real issues.
- Veracode being a SaaS platform reduces the IT burden on your organisation. No servers to worry about, no performance concerns, no storage expansion to plan ahead and no capacity/elasticity challenges to take care of on all the infra (compute, storage, networking).
- Veracode platform is very quick to configure and very easy to use. It just takes a few minutes to set up an application profile and start scanning. It is particularly easy to use for modern programming languages like Java, as the Java binaries are optimal for scanning.
- Learning - Veracode's eLearning portal is very good and has all the relevant training on various aspects of security and again is seamlessly available in the same platform/tenant where the teams scan.
- Security Consultation - Very easy to get help within the platform itself for a security consultation which is invaluable for the first few scans. Veracode is probably one of the very few SAST solutions which has such easy provision to get security consultation.
- There is an initial overhead on generating the binary artefacts for scanning. The binaries need to be loaded with debug symbols for Veracode to be able to trace the defect back to the file and line number. This is relatively easy for modern programming languages (e.g. Java) with latest build tools (e.g. maven/gradle) but can be quite challenging for languages which are platform specific (C/C++) and have dated build systems (e.g. make).
- Entry Point Selection. After the binaries are uploaded for scanning, the Veracode platform analyses them (pre-scan) and provides a list of 'modules' to be selected for scanning. Only the points of entry of program execution need to be selected here, based on the application architecture. The 3rd party modules on which your code depends need to be uploaded but not selected as entry points for execution. This typically needs some fine-tuning and teams take some iterations to optimise. This would need the product architect's inputs, which teams generally do not understand, as they treat scanning in general as a DevSecOps responsibility and only after scanning do the developers/architects pitch in. For Veracode, their inputs are needed even during the scanning, for the first few scans at least.
- This is both a pro and a con. Veracode does not give any option to customise the scanning rules or tweak what it is scanning for. This makes for a much simpler setup but also gives no scope for creating an application-specific scanning profile. For instance, if I do not want Veracode to look for SQL injection for whatever reason, or if I want Veracode to only look for OWASP Top 10 vulnerabilities, I cannot configure that.
- Long scan times, specifically for C/C++ based product/app scans. Some of the scans for enterprise-scale products in C/C++ used to take many hours, and at times a couple of days. There have been improvements in this during the course of our 3 years of usage, but in general, scans take a long time to complete.
- Well suited for modern programming languages
- Super good for organisations which do not have a big IT budget to spend on infrastructure
- Veracode Security consultation is invaluable for teams/Business Units which do not have a dedicated security team
- These culminate and make it ideal for a startup to quickly benefit from Veracode's setup leanness to get going on Security scanning
- For scanning large legacy applications/software (huge code base, multiple platforms to build, platform specific languages used)
Veracode Review
- Veracode supports enterprise-level security solutions
- Veracode scanning is very high in accuracy and feels like 0 FPs, especially on Java binaries, as per my experience so far.
- Veracode training is very practical and it points to the specific OWASP issue, easy to understand
- It is very much up-to-date.
- Veracode site sometimes feels a bit slow, maybe my expectation of website performance is too high
- In customized reports, although the user unchecks Dynamic & MPT, in the report the counts still get displayed.
- Veracode pricing is not openly displayed anywhere.
- No trial versions for security/penetration testers
- No community version, even with fewer features
Veracode helped us meet our fin-tech compliance needs
- Link findings to CVE/CVSS standards
- Provide comprehensive report artifacts
- Thorough manual penetration testing services
- Expert support
- Need easier CI integration tools
- Need easier CI integration tools
- Need easier CI integration tools
- Look at GitHub and Snyk
Veracode is a good product and getting better all the time.
- The reports are in-depth and helpful.
- Great support--we get answers right away when we have questions.
- Training is great.
- Most current version of Rails was not supported for Static Scans, but is now
- Better support for Rails
Ease of use for the win!
- Static analysis
- Almost no false positives
- Very easy to use (cloud)
- Recurring false positives
- Summary report can show more summarized information
- Faster results--sometimes results take several hours
I think it's not appropriate if you want on-premises analysis for whatever reason. They don't offer this option.
Impressive application security tool set!
- Great job with SAST
- Easy integration into your pipeline
- Robust training for new developers
- Not as intuitive as some of the other providers
- Occasionally slow to manage between the different features
- Scanning can take longer than expected without much error handling to let the user know what's happening.