Skip to main content
TrustRadius
Veracode

Veracode

Overview

What is Veracode?

Veracode is an application security platform that performs five types of analysis; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Read more
Recent Reviews

Best in Security

10 out of 10
March 03, 2024
Incentivized
It's being used across whole organization, multiple engineering teams are using it for third-party libraries scan i.e. software …
Continue reading

Veracode to the Rescue!

10 out of 10
February 27, 2024
Veracode DAST is used on app applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all Critical application in …
Continue reading
Read all reviews

Awards

Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards. Learn more about the types of TrustRadius awards to make the best purchase decision. More about TrustRadius Awards

Reviewer Pros & Cons

View all pros & cons

Video Reviews

1 video

View Playlist
Veracode Review: Provides Helpful Support When Troubleshooting Security Needs
02:38
Return to navigation

Pricing

View all pricing
Veracode

Veracode

N/A
Unavailable

What is Veracode?

Veracode is an application security platform that performs five types of analysis; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Would you like us to let the vendor know that you want pricing?

942 people also want pricing

Alternatives Pricing

SonarQube

SonarQube

$160
per year per installation
What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

Indusface WAS

Indusface WAS

$59
per month
What is Indusface WAS?

Indusface Web Application Scanner provides an application security audit to detect a range of high-risk Vulnerabilities, Malware, and Critical CVEs.

Return to navigation

Product Details

What is Veracode?

The Veracode platform is a software security solution that aims to be pervasive but not invasive, embedded into the environments that developers work in, with recommended fix and in-context learning. Security teams can use Veracode to manage policy, gain a comprehensive view of an organization's security posture though analytics and reporting, mitigate risks, and produce the evidence necessary to meet regulatory requirements.

It is presented as an always-on, continuous orchestration of secure development that gives organizations the confidence that the software being built is secure and meets compliance requirements.

Veracode Features

  • Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.
  • Supported: Developer Experience - Finds and fixes laws in line with security integration into where developers work, automated remediation guidance, and in-context learning.
  • Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOpsprogram.
  • Supported: Market Expansion - To meet data residency needs in EU with cloud-native instance built in Frankfurt, Germany on AWS.
  • Supported: Contextual Platform Data - Fine-tuned with nearly 2 decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities through applying machine learning and artificial intelligence to the data.
  • Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with cloud-native SaaS architecture.

Veracode Screenshots

Screenshot of The Veracode Platform HomepageScreenshot of Static Analysis ScansScreenshot of Findings Status and History DashboardScreenshot of The Veracode Platform

Veracode Videos

Veracode Static Analysis Demo
Veracode Software Composition Analysis Demo
Veracode Dynamic Analysis Demo

Watch The Veracode Platform

Veracode Integrations

Veracode Competitors

Veracode Technical Details

Deployment TypesSoftware as a Service (SaaS), Cloud, or Web-Based
Operating SystemsUnspecified
Mobile ApplicationNo
Supported CountriesNorth America, EMEA, APAC, LATAM
Supported LanguagesJava, .NET, PHP, Android, iOS, JavaScript, Python

Veracode Downloadables

Frequently Asked Questions

Veracode is an application security platform that performs five types of analysis; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Checkmarx, Snyk, and SonarQube are common alternatives for Veracode.

Reviewers rate Support Rating highest, with a score of 8.

The most common users of Veracode are from Enterprises (1,001+ employees).

Veracode Customer Size Distribution

Consumers0%
Small Businesses (1-50 employees)18%
Mid-Size Companies (51-500 employees)65%
Enterprises (more than 500 employees)17%
Return to navigation

Comparisons

View all alternatives
Return to navigation

Reviews and Ratings

(197)

Attribute Ratings

Reviews

(1-3 of 3)
Companies can't remove reviews or game the system. Here's why
February 27, 2024

Veracode to the Rescue!

Verified User
Contributor in Information Technology
Mining & Metals Company, 10,001+ employees
Score 10 out of 10
Vetted Review
Verified User
Use Cases and Deployment Scope
Veracode DAST is used on app applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all Critical application in the portfolio. In total there around 120 applications in scope for the program.
Pros and Cons
  • Customer support that won't permit any failures anywhere along the line.
  • Regular updates to the platform that supports rapid changes in technology and development practices
  • Sets the standard for how AppSec scanners should work
  • Sometimes finding the right person to help takes a little time
  • Pricing of SAST/SCA scans may scare off some potential customers until they understand that it's worth it.
Likelihood to Recommend
Veracode is useful across the spectrum of development teams' AppSec maturity, size of the development community, and varied skill sets to address application security. Veracode excels in bringing together threat management teams and development teams with a single view into all application vulnerabilities and their treatment.
Return on Investment
  • Faster scan times make it easier for developers to address exposed vulns
  • Simplified reporting removes the need for external data and reporting mechanisms
Security Needs
As long as two products are not doing identical work, it makes sense to diversify to make sure we're using best-in-class tools and processes.
Reporting and Analytics
Very important! They're used daily to check on progress and stay on top of new defects as they pop up. It's also useful for identifying application functions that are repeatedly generating defect reports so we can hone in to the defective code, fix it, and clear out potentially hundreds of reported CWEs in one fell swoop.
Secure Software Development
From the beginning of coding through post-deployment Veracode works seamlessly
So far, Veracode is being built-in to become a natural part of the process. People are encouraged to begin using Veracode from the first set of code with IDE-based scans to sandbox scans and finally to gated or policy scans.
Alternatives Considered
Veracode stands out as the best of breed for all types of AppSec scanners.
Other Software Used
Users and Roles
All developers use Veracode at their desktops, along with Azure pipeline scans and sandbox scans. Greenlight is used in the IDE for development. Other users are the AppSec Team in the CISO's office for oversight and management of the platform, and the compliance teams who pull data directly from the Veracode API.
Support Headcount Required
5
We have a dedicated team of 3 people in India who work directly with the development team in Indonesia and 2 people in the US who support the installation and manage site users.
Business Processes Supported
  • Rapid remediation of High and Very High severity defects
  • Open Source library security and currency
  • Recurring use of DAST on all Web and API-based apps.
Innovative Uses
  • Showcasing results from AppSec processes
  • Training on basic concepts, like CWEs and Mitigation processing
Future Planned Uses
  • We're hopeful that Veracode Fix works as advertised!
  • Develop a repository of best practices for remediating defects
  • Custom cleansers
Likelihood to Renew
10
It's become a required element for all things AppSec in custom coded applications across the enterprise.
Products Replaced
Yes
It replaced two products - Tenable DAST scanning and Checkmarx CXSuite. Those products were poorly managed and coverage was too limited for them to be useful as a security scanner.
Key Differentiators
  • Scalability
  • Ease of Use
  • Other
Veracode reputation was the driving factor. Knowing how powerful and instantly useful Veracode can be drove our easy decision to procure it!
Evaluation Lessons Learned
I would short-cut it and go with the vendor I know would serve us best and Veracode made that choice simple!
Support Rating
10
Veracode bends over backwards to make sure that customers are successful in ALL aspects of application security - from lifecycle-related activities to individual application scan activities. When developers have questions, the Veracode Community likely has the answers!
Usability
8
It takes a bit of time to get developers up to speed on setups, triage, working with defects, etc. For developers who have a backgound in scanners and computer science, they can more rapidly understand concepts like taint analysis and that makes it simpler for them to gain the best uses from the product(s). Since all scanning is tied to an application, it's easy to find everything one needs to know about the app's security and lifecycle in one place.
Easy Tasks
  • Mitigation processing
  • Custom cleansers
Difficult Tasks
  • Veracode Learning could use some help from educators
Mobile Interface Availability and Impressions
Yes, but I don't use it
September 01, 2022

Veracode Stands Tall Among the Leading Application Security Platforms

Verified User
Engineer in Information Technology
Information Technology & Services Company, 10,001+ employees
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
Veracode is being used as an application security service across our organization. We rely upon Veracode as an authority in mitigation efforts. The platform and its scanning services help manage potential flaws found within the applications that we support and host. Developers interact with Veracode and the security team to help resolve any flaws that are discovered.
Pros and Cons
  • I have found the Software Composition Analysis area to be the best among the competing products for Application Security.
  • Veracode's support services are impeccable.
  • Their program management teams are professional, helpful, and friendly.
  • Although an improvement to what was there previously, the Analytics section using Looker, could still use some improvement. It does seem that what Veracode has deployed is a very limited version of Looker. While helpful and useful, there seems to be so much more that Looker does (such as dynamic querying), however, the version that Veracode employs doesn't seem to offer this.
  • More user control of administrative functions such as user adding/deleting. Veracode still uses a 'soft delete'/'hard delete' functionality. This can become cumbersome for self-user-administration when a deleted user has to be re-added. A support call is then necessary to have this done.
  • Their idle timeout process needs work. While using the Looker tool, you must save your work every few minutes, as their 'Shark-attack-like' idle timeout will sneak up on you and redirect you away in an instant causing you to lose any unsaved work.
Likelihood to Recommend
Overall, Veracode is one of the best, if not the best, products for application security out in the market. It is a great platform for keeping track of flaws and being able to report on them. Their support services and program management services are excellent, as they hire really good persons to handle these areas. There is still room for improvement in their analytics area.
Most Important Features
  • Static flaw analysis section
  • Software Composition analysis section
  • Analytics dashboard
  • APIs both for developer submission of scans, and administrative retrieval of analytic data.
Return on Investment
  • Veracode has helped in identifying many flawed areas within our applications.
  • Veracode's many services have helped our development teams recognize and understand the importance of secure coding standards within their own SDLC.
  • This isn't really a dig on Veracode, but despite their best efforts and ours, it still seems to be a hard sell to much of our user community to adopt a system like Veracode as a needed service.
Alternatives Considered
During the course of our using Veracode, we still do evaluate other platforms to see what they offer, and how they compare to Veracode. I do most of the evaluations myself, and I still come back to Veracode as being the overall best platform. Most every platform, for better or worse, still charges about the same yearly amount as Veracode. Mind you, none of them including Veracode, are inexpensive services. But even though some of their competitors have enticing elements to their services, overall Veracode still offers the best service, turnaround time, and support for the money.
Other Software Used
Users and Roles
100
IT Development, Information security, vulnerability management. Development for the submission of scan and retrieval of findings. InfoSec and VM for administration, processing of analytic data.
Support Headcount Required
1
Information security personnel, once an application developer with 25 years in that field. Detail oriented with aptitudes in troubleshooting, and loads of patience working with developers that need lots of guidance.
Business Processes Supported
  • Application Vulnerability flaw identification and remediation
  • Data collection
  • Authoritative entity to ensure customer base that our applications are secure
Innovative Uses
  • Some clients want monthly reports on flaw progress, use of APIs to automate monthly retrieval of those specific client reports.
Future Planned Uses
  • Hooking Veracode up to the VR module in Service Now to have regular pulls of analytic data into Service Now for further spotlight on flaws and ticket creation.
Likelihood to Renew
10
At this time, and we just renewed a month ago, I dont see any products out there overall that can offer what Veracode does. Yes, its not cheap by any means, but for the money its the best application security scanning tool out there.
Products Replaced
No
Key Differentiators
  • Product Features
  • Product Usability
  • Product Reputation
We wanted something that not only our developers would find easy to use, but would also be easy to implement and administer. This would be a product that most developers use every day or at least most every day. I myself as the administer for our company use it every single day that Im on the job. So it needed to be a platform that provides easy but competent access to flaw data. Veracode does that. Not all the competitors do.
Evaluation Lessons Learned
If we had to do it again, we would probably factor in more input from the development teams themselves. Veracode was our first foray into application security - so we had no prior experience. Now 5 years into it, not only myself, but the development teams have had a chance to work with it and find things they like and dont like.
Implementation Details / Implementation Partner
  • Implemented in-house
Implementation Phases
No
Change Management Lessons
Change management was minimal
Originally I thought Change management would be crucial in our use of Veracode. In the sense that no applications or updates are implemented without a passing scan to validate its deployment into production. But with contract dates and agreements in place, that process isnt always acceptable.
Implementation Issues
  • User adaptation/acceptance
  • Enrollment requirements / license limitations
Implementation Rating
8
We use it as a SAS service, so really just getting our teams to mold the use of Veracode into their SDLC has been a process of years in the making. It comes down to what your teams are ready and willing to accept and change. Management is key in getting their groups on board with using it regularly. If it doesnt have management backing, your security teams have little to no influence in getting this process off the ground fully.
Support Rating
10
Having worked with their support and program management teams now for over 5 years, I've been exposed to many support requests, concerns, and issues. We have even had one negative issue with their support team process, that was immediately addressed at their upper levels, and those upper-level management persons worked with me directly on the concerns. We recently had an issue with their mitigation process, and although it did take time to resolve, it was handled very professionally and escalated to the highest levels to address our concerns. Needs that have arisen from us as a customer have been addressed immediately and worked out with me directly by some of their most senior personnel to make sure our concerns are met. Again, their support services are among the best out there.
Premium Support
We did purchase premium support for Veracode - we do with each contract renewal. Its important to us to have access to knowledgeable representatives on an ASAP as needed basis. The group I work with is always there when needed. Ive worked with several project management teams at Veracode now in our 5 years - all of them have been top notch, including my current group. When there are problems, they address them immediately.
Bug Resolution
Yes
Ive reported bugs that for the most part have not hindered our experience using Veracode. Most of the bugs I have reported are with the platform itself where it could just use improvement to its feature or presentation. Most of those have just gone into a collective for future fixes or enhancements. The only one that I would really like to see fixed sooner rather than later exists with the Looker analytics - idle timeout.. that is a hinderance.
Exceptional Examples of Veracode Support
Just recently actually.. I had a dynamic scan that all of a sudden just stopped working when I updated the password for the credentials I had been using. After trying to diagnose and fix it myself for a week or so, I called in a consultation call for it. Veracode support stepped in and resolved the issue almost immediately. Put in a patch on the internal scanner, and boom - off and running again. Very pleased with the level of support there...
Usability
9
I believe this platform to be one of the most user friendly out there. After evaluating some other competitor platforms, I've seen one other that comes close to ease of use and others not so much. That is one of the main reasons we continue to renew with Veracode. Areas for improvement continue to be the analytics section and a very quick to annoy idle timer.
Easy Tasks
  • Detailed flaw analysis
  • Retrieval of analytic data for report generation
Difficult Tasks
  • I think the whole elearning system needs an overhaul.
  • The analytics dashboard area can be cumbersome when you are constantly plagued with idle timeouts while you are working on a look.
Mobile Interface Availability and Impressions
Yes
Not an app or anything, but you can view the website platform over a mobile device.. difficult to use at best, but it can work when in a serious crunch (no laptop access).. Ive been able to delete a scan when needed over that medium. But the presentation of the site isnt really designed for mobile use, and the display does suffer.
September 01, 2021

Best security coding service

Verified User
Engineer in Customer Service
Banking Company, 201-500 employees
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
It is used to get the best security in coding and deploying code with security. We use the APIs that Veracode provides for automation, reducing increasingly the time that the users sign in to the platform and download the report in their application profile.
Pros and Cons
  • Security.
  • Best practices.
  • Detailed reports.
  • Automation.
  • Third-party reports.
  • Customizable reports - SCA download by API.
Likelihood to Recommend
Veracode it is well suited in our scenario but for microservices isn't well suited. Because we have 1500+ microservices, licensing is a real problem if you have less than 1GB.
Most Important Features
  • Greenlight IDE.
  • Automation.
  • APIs.
Alternatives Considered
It is my first code analysis tool and I have to say that it is pretty easy to use.
Other Software Used
Jira Service Management (Jira Service Desk), Bamboo Agile, Jenkins
Users and Roles
500
Support Headcount Required
4
Developer and Cibersecurity ( DevSecOps )
Business Processes Supported
  • Security in code analysis.
  • Automation.
  • Greenlight IDE very fast analyzer.
Innovative Uses
  • Integrating with Active Directory (Azure).
  • Integrating with Bamboo.
  • Integrating with JIRA.
  • Integrating and automation in Jenkins.
Future Planned Uses
  • Integrating with another platforms.
Likelihood to Renew
10
Products Replaced
No
Key Differentiators
  • Product Features
  • Product Usability
  • Product Reputation
Evaluation Lessons Learned
It would not change because it is easy to use.
Support Rating
10
Because they are pretty fast and respond to the request.
Premium Support
Yes, to have more priority in automation scenarios, more rapid help in some cases.
Bug Resolution
Yes
I'm waiting for confirmation, because the fix of this bug will affect my entire organization.
Exceptional Examples of Veracode Support
They helped when I had some troubles with API requests.
Usability
10
It is very easy and intuitive to use.
Easy Tasks
  • File upload.
  • Easy report and fix info.
Difficult Tasks
  • Packaging.
Mobile Interface Availability and Impressions
No
Return to navigation