
Veracode

Overview

What is Veracode?

Veracode is an application security platform that performs five types of analysis: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Video Reviews

Veracode Review: Provides Helpful Support When Troubleshooting Security Needs (02:38)

Pricing

Unavailable

Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services


Alternatives Pricing

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

What is Indusface WAS?

Indusface Web Application Scanner provides an application security audit to detect a range of high-risk Vulnerabilities, Malware, and Critical CVEs.

Product Details

What is Veracode?

The Veracode platform is a software security solution that aims to be pervasive but not invasive, embedded into the environments that developers work in, with recommended fixes and in-context learning. Security teams can use Veracode to manage policy, gain a comprehensive view of an organization's security posture through analytics and reporting, mitigate risks, and produce the evidence necessary to meet regulatory requirements.

It is presented as an always-on, continuous orchestration of secure development that gives organizations the confidence that the software being built is secure and meets compliance requirements.

Veracode Features

  • Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout the SDLC.
  • Supported: Developer Experience - Finds and fixes flaws in line with security integrated into where developers work, automated remediation guidance, and in-context learning.
  • Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOps program.
  • Supported: Market Expansion - To meet data residency needs in the EU with a cloud-native instance built in Frankfurt, Germany on AWS.
  • Supported: Contextual Platform Data - Fine-tuned with nearly 2 decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities by applying machine learning and artificial intelligence to the data.
  • Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with a cloud-native SaaS architecture.

Veracode Screenshots

  • Screenshot of The Veracode Platform Homepage
  • Screenshot of Static Analysis Scans
  • Screenshot of Findings Status and History Dashboard
  • Screenshot of The Veracode Platform

Veracode Videos

Veracode Static Analysis Demo
Veracode Software Composition Analysis Demo
Veracode Dynamic Analysis Demo

Veracode Technical Details

Deployment Types: Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Unspecified
Mobile Application: No
Supported Countries: North America, EMEA, APAC, LATAM
Supported Languages: Java, .NET, PHP, Android, iOS, JavaScript, Python

Frequently Asked Questions

Checkmarx, Snyk, and SonarQube are common alternatives for Veracode.

Reviewers rate Support Rating highest, with a score of 8.

The most common users of Veracode are from Enterprises (1,001+ employees).

Veracode Customer Size Distribution

Consumers: 0%
Small Businesses (1-50 employees): 18%
Mid-Size Companies (51-500 employees): 65%
Enterprises (more than 500 employees): 17%

Reviews and Ratings (197)

Reviews (1-11 of 11)

March 03, 2024

Best in Security

Score 10 out of 10
Vetted Review
Verified User
Incentivized
It's being used across the whole organization; multiple engineering teams are using it for third-party library scans, i.e. software composition analysis and static application security testing. There are security labs for engineers and those who are interested in learning about security vulnerabilities and remediation, secure code training (labs). These labs are being used for encouraging developers in learning about secure coding by conducting secure code tournaments.
  • SCA
  • SAST
  • Secure Code Training
  • Add more labs in Secure Code Labs.
  • Supporting perl would be great.
  • Better to have standard deployment for all packages in upload and scan.
It's more suited to software composition analysis for third-party library scans (SCA) and static application security testing (SAST). Currently being utilised by us and security labs, we are using these labs for tournaments for developers to learn about secure coding, even for learning purposes. It's helpful in the IDE stage - greenlight, where developers can find issues/vulnerabilities during coding (Shift left).
February 27, 2024

Veracode to the Rescue!

Score 10 out of 10
Vetted Review
Verified User
Veracode DAST is used on app applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all Critical applications in the portfolio. In total there are around 120 applications in scope for the program.
  • Customer support that won't permit any failures anywhere along the line.
  • Regular updates to the platform that supports rapid changes in technology and development practices
  • Sets the standard for how AppSec scanners should work
  • Sometimes finding the right person to help takes a little time
  • Pricing of SAST/SCA scans may scare off some potential customers until they understand that it's worth it.
Veracode is useful across the spectrum of development teams' AppSec maturity, size of the development community, and varied skill sets to address application security. Veracode excels in bringing together threat management teams and development teams with a single view into all application vulnerabilities and their treatment.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode as our Static Analysis Security Testing tool. As a security engineer I am administering Veracode and managing/ supporting our developers with using Veracode. It is our main application security code analysis tool and has been built into all of our processes, automation, and developer pipelines and reporting tools.
  • The tool seems to have been built for automation.
  • As a security engineer, I prefer the types of findings discovered through DAST or IAST since I can easily verify findings, but the SAST findings may be easier for the developers since it points to the area of code.
  • While it's hard to get developers to take advantage of the consultation calls, I like the fact we can get a highly technical person to walk us through any type of Veracode question.
  • The UI has gone through times of instability which can be a pain when things are broken.
  • Selecting the correct modules for large applications can be a headache as well as stressful since you need to get that portion right to get the types of results you need.
  • There is a bit of a learning curve to navigating Veracode so I see developers who don't use it often struggle to get to their scan results and handle them properly.
I think Veracode would fit into most organizations' application security programs, but if you are already lacking build automation and pipelines you won't be able to harness that portion, which is where I see Veracode shining. Doing scans manually would work, but you would be missing out.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Veracode is mostly being used as a SAST and DAST-based tool. It's been used as part of our Continuous Integration and Continuous Delivery, injected in the DevOps pipeline. It helps to identify the vulnerability in your code as a shift-left strategy before the code actually gets deployed in production. The tool can identify defects and bad practices in both static and dynamic analysis of the code. It has prevented many defects arising in production, thereby increasing efficiency and reducing code rework.
  • Static Analysis SAST
  • Dynamic Analysis DAST
  • Software Composition Analysis SCA
  • Interactive Analysis
  • It sometimes can be tricky to use and not straightforward
  • Learning and Training the product can be minimised
Veracode is very well suited where lots of code is getting deployed to production with multiple agile teams. It can really bring efficiency in code quality, reduce code rework, and reduce the number of defects in production. It can also be used to include some compliance-specific rules which can actually act as a tailgate to stop non-compliant code getting deployed in production. Eventually, as a SAST and DAST-based tool, it can be used very efficiently. If the application is quite simple and not that complex, I feel we do not require this kind of tool, as the enterprise might not invest in non-complex applications.
January 27, 2022

Veracode Review

Score 9 out of 10
Vetted Review
Verified User
Incentivized
Developers scan application code for vulnerabilities. It helps to keep our apps safer from hacking.
  • scanning existing code
  • scanning code as developers work so errors aren't introduced at all
  • Developer Training - I found assigning training to be tricky and pulling useful reports very difficult
  • Veracode reports are robust - but to a point where I am overwhelmed by choices
Any group developing code that will be externally facing. Any team of developers who need the training to stay current with security information in regards to their training - OWASP Top 10, etc.
Sathya Patlolla | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode to scan code for OWASP and other vulnerabilities via IDE and CI/CD pipelines. Developers are able to review and compare the code file against the results of the scan and resolve or mitigate the flaws. I am particularly impressed by the scanning abilities and the automatic exclusion of some third-party code.
  • Identify Vulnerabilities
  • Great Developer Support and Training
  • Automatic identification of third-party code.
  • Multiple scanning options: Portal, IDE, CI Pipelines
  • Web Analysis portal has a minor learning curve.
  • Improve the login timeout
  • Any improvements in Scanning speeds would be helpful
  • A modern UI design would be good.
The best thing about Veracode is the scanning abilities and Developer Training.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We used Veracode for training developers on how to start thinking of security as another vector for what constitutes shippable software on par with code quality. Just as in the past it took a cultural shift to get engineers to believe that they shouldn't even think about shipping code without unit tests or peer review, I wanted my engineers to start viewing security the same way.
  • Learn by doing rather than telling; modules are passed by coding the solution, not answering a quiz.
  • Was customized to the specific languages my developers use.
  • Leaderboard is a great incentive for engineers to keep learning.
  • I found it difficult to pass a few lessons the first time around because it was expecting me to code with specific language semantics that I didn't use, even though my solution met the security bar. More flexibility would be welcome here.
  • The leaderboard is a great start but more gamification would drive more engagement. Badges, titles, custom UX profile changes that can be earned, etc.
  • I recall that some of the external linked resources wouldn't open for me.
Great for teaching teams to think about security as part of their engineering culture, and not as an afterthought ("I don't have time to think about this, but it's ok because our security team will catch any problems during the review").
Śrinivāsa Rao Kuruba | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Veracode was used in our organisation by a few business units for Static Analysis Security Testing (SAST). It helps in finding software vulnerabilities in the code by scanning the binary derived objects of the source code written by developers, thus addressing the security aspects of the products the organisation is shipping to its customers.

Any aspect concerning the vulnerabilities of a software product is non-trivial and would be very costly if reported by the customers. Veracode helps find these beforehand, if the code (binaries) is scanned before being integrated into the product. With its wide variety of integrations, Veracode scanning can happen at any stage of the DevOps CI pipeline, thereby facilitating the "shift left" mentality of finding defects/vulnerabilities in [the] code as early as possible in the software development life cycle.
  • Binary scanning. Veracode static analysis is based out of binaries derived from source code, which is more accurate than just pure source code scanning. This accuracy translates to fewer false positives in the defects reported, thereby saving developers' time in tackling the real issues.
  • Veracode being a SaaS platform reduces the IT burden on your organisation. No servers to worry about, no performance concerns, no storage expansion to plan ahead and no capacity/elasticity challenges to take care of on all the infra (compute, storage, networking).
  • The Veracode platform is very quick to configure and very easy to use. It just takes a few minutes to set up an application profile and start scanning. It is particularly easy to use for modern programming languages like Java, as the Java binaries are optimal for scanning.
  • Learning - Veracode's eLearning portal is very good and has all the relevant training on various aspects of security and again is seamlessly available in the same platform/tenant where the teams scan.
  • Security Consultation - Very easy to get help within the platform itself for a security consultation which is invaluable for the first few scans. Veracode is probably one of the very few SAST solutions which has such easy provision to get security consultation.
  • There is an initial overhead on generating the binary artefacts for scanning. The binaries need to be loaded with debug symbols for Veracode to be able to trace the defect back to the file and line number. This is relatively easy for modern programming languages (e.g. Java) with latest build tools (e.g. maven/gradle) but can be quite challenging for languages which are platform specific (C/C++) and have dated build systems (e.g. make).
  • Entry Point Selection. After the binaries are uploaded for scanning, the Veracode platform analyses them (pre-scan) and provides a list of 'modules' to be selected for scanning. Only the points of entry of program execution need to be selected here, based on the application architecture. The 3rd party modules on which your code is dependent need to be uploaded but not selected as entry points for execution. This typically needs some fine-tuning and teams take some iterations to optimise. This would need the product architect's inputs, which teams generally do not understand, as they treat scanning in general as a DevSecOps responsibility and only after scanning do the developers/architects pitch in. For Veracode, their inputs are needed even during the scanning, for the first few scans at least.
  • This is both a pro and a con. Veracode does not give any option to customise the scanning rules or tweak what it is scanning for. This makes for a much simpler setup but also gives no scope for creating an application-specific scanning profile. For instance, if I do not want Veracode to look for SQL injection for whatever reason, or if I want Veracode to only look for OWASP Top 10 vulnerabilities, I cannot configure that.
  • Long scan times, specifically for C/C++ based product/app scans. Some of the scans for enterprise-scale products in C/C++ used to take many hours, and at times a couple of days. There have been improvements in this during the course of our 3 years of usage but in general, scans take a long time to complete.
Well Suited
  • Well suited for modern programming languages
  • Super good for organisations which do not have a big IT budget to spend on infrastructure
  • Veracode Security consultation is invaluable for teams/Business Units which do not have a dedicated security team
  • These culminate and make it ideal for a startup to quickly benefit from Veracode's setup leanness to get going on Security scanning
Less Appropriate
  • For scanning large legacy applications/software (huge code base, multiple platforms to build, platform specific languages used)
October 01, 2020

My Veracode Review

Yaniv Toplian | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We are using the tool to scan our code for vulnerabilities on a regular basis and fix the issues.
Secondly, we are using the software composition for 3rd-party open sources to indicate any vulnerabilities and upgrade possibilities related both to vulnerabilities and license issues and their support types.
  • It's a SaaS, which we aim to use.
  • We want a tool to pinpoint real vulnerabilities and not just throw 1000s of them.
  • We wanted a tool to support mitigation action and to keep it for the next runs as well.
  • We purchased 2 licenses and sometimes we get alerted on over use. Veracode checks this issue, as it seems to be the tool's problem.
  • The UX could be more intuitive.
  • It didn't find any vulnerabilities in our client-side code base, which I think is weird.
Veracode is useful because it is offered as SaaS, provides the option to mitigate issues, remembers the mitigated issues so you can filter them out in the next scan, and is pretty easy to use. The SW composition tool is also very beneficial as it scans all 3rd parties and open sources and points to license and vulnerability issues.

Aspects that could be improved include needing faster support if we have problems or questions, finding UI/client-side vulnerabilities, and integration into our CI (using TFS) process, which wasn't so trivial and we had to get their support.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode as part of our SDLC. We leverage the SAST, DAST, and e-learning for our entire DevOps team(s). This addresses keeping our platforms secure and aware of new vulnerabilities and how to resolve or mitigate our risks.
  • Great job with SAST
  • Easy integration into your pipeline
  • Robust training for new developers
  • Not as intuitive as some of the other providers
  • Occasionally slow to manage between the different features
  • Scanning can take longer than expected without much error handling to let the user know what's happening.
Veracode is well suited for software organizations that have a security practice and the team to implement. It is less appropriate for organizations that don't know their threat model, risks, and have never been PEN tested.
Score 7 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode to scan (Dynamic and Static) during our development lifecycle, and we use Veracode Pentests Annually.
  • The tools are very granular.
  • The Vulnerability Libraries are very big.
  • It correlates the different types of scans well.
  • Very complicated pricing
  • Very high learning curve
  • Complicated user interface
Veracode can do almost everything. If you need a robust scanning tool, Veracode will do what you want (and more). You will just need to be prepared for a steep learning curve.