Skip to main content
TrustRadius
Veracode

Veracode

Overview

What is Veracode?

Veracode is an application security platform that performs five types of analysis; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Read more
Recent Reviews

Best in Security

10 out of 10
March 03, 2024
Incentivized
It's being used across whole organization, multiple engineering teams are using it for third-party libraries scan i.e. software …
Continue reading

Veracode to the Rescue!

10 out of 10
February 27, 2024
Veracode DAST is used on app applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all Critical application in …
Continue reading
Read all reviews

Awards

Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards. Learn more about the types of TrustRadius awards to make the best purchase decision. More about TrustRadius Awards

Reviewer Pros & Cons

View all pros & cons

Video Reviews

1 video

Veracode Review: Provides Helpful Support When Troubleshooting Security Needs
02:38
Return to navigation

Pricing

View all pricing
N/A
Unavailable

What is Veracode?

Veracode is an application security platform that performs five types of analysis; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Would you like us to let the vendor know that you want pricing?

918 people also want pricing

Alternatives Pricing

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

What is Indusface WAS?

Indusface Web Application Scanner provides an application security audit to detect a range of high-risk Vulnerabilities, Malware, and Critical CVEs.

Return to navigation

Product Details

What is Veracode?

The Veracode platform is a software security solution that aims to be pervasive but not invasive, embedded into the environments that developers work in, with recommended fix and in-context learning. Security teams can use Veracode to manage policy, gain a comprehensive view of an organization's security posture though analytics and reporting, mitigate risks, and produce the evidence necessary to meet regulatory requirements.

It is presented as an always-on, continuous orchestration of secure development that gives organizations the confidence that the software being built is secure and meets compliance requirements.

Veracode Features

  • Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.
  • Supported: Developer Experience - Finds and fixes laws in line with security integration into where developers work, automated remediation guidance, and in-context learning.
  • Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOpsprogram.
  • Supported: Market Expansion - To meet data residency needs in EU with cloud-native instance built in Frankfurt, Germany on AWS.
  • Supported: Contextual Platform Data - Fine-tuned with nearly 2 decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities through applying machine learning and artificial intelligence to the data.
  • Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with cloud-native SaaS architecture.

Veracode Screenshots

Screenshot of The Veracode Platform HomepageScreenshot of Static Analysis ScansScreenshot of Findings Status and History DashboardScreenshot of The Veracode Platform

Veracode Videos

Veracode Static Analysis Demo
Veracode Software Composition Analysis Demo
Veracode Dynamic Analysis Demo

Watch The Veracode Platform

Veracode Technical Details

Deployment TypesSoftware as a Service (SaaS), Cloud, or Web-Based
Operating SystemsUnspecified
Mobile ApplicationNo
Supported CountriesNorth America, EMEA, APAC, LATAM
Supported LanguagesJava, .NET, PHP, Android, iOS, JavaScript, Python

Frequently Asked Questions

Veracode is an application security platform that performs five types of analysis; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Checkmarx, Snyk, and SonarQube are common alternatives for Veracode.

Reviewers rate Support Rating highest, with a score of 8.

The most common users of Veracode are from Enterprises (1,001+ employees).

Veracode Customer Size Distribution

Consumers0%
Small Businesses (1-50 employees)18%
Mid-Size Companies (51-500 employees)65%
Enterprises (more than 500 employees)17%
Return to navigation

Comparisons

View all alternatives
Return to navigation

Reviews and Ratings

(196)

Attribute Ratings

Reviews

(1-2 of 2)
Companies can't remove reviews or game the system. Here's why
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Veracode is being used as an application security service across our organization. We rely upon Veracode as an authority in mitigation efforts. The platform and its scanning services help manage potential flaws found within the applications that we support and host. Developers interact with Veracode and the security team to help resolve any flaws that are discovered.
  • I have found the Software Composition Analysis area to be the best among the competing products for Application Security.
  • Veracode's support services are impeccable.
  • Their program management teams are professional, helpful, and friendly.
  • Although an improvement to what was there previously, the Analytics section using Looker, could still use some improvement. It does seem that what Veracode has deployed is a very limited version of Looker. While helpful and useful, there seems to be so much more that Looker does (such as dynamic querying), however, the version that Veracode employs doesn't seem to offer this.
  • More user control of administrative functions such as user adding/deleting. Veracode still uses a 'soft delete'/'hard delete' functionality. This can become cumbersome for self-user-administration when a deleted user has to be re-added. A support call is then necessary to have this done.
  • Their idle timeout process needs work. While using the Looker tool, you must save your work every few minutes, as their 'Shark-attack-like' idle timeout will sneak up on you and redirect you away in an instant causing you to lose any unsaved work.
Overall, Veracode is one of the best, if not the best, products for application security out in the market. It is a great platform for keeping track of flaws and being able to report on them. Their support services and program management services are excellent, as they hire really good persons to handle these areas. There is still room for improvement in their analytics area.
  • Static flaw analysis section
  • Software Composition analysis section
  • Analytics dashboard
  • APIs both for developer submission of scans, and administrative retrieval of analytic data.
  • Veracode has helped in identifying many flawed areas within our applications.
  • Veracode's many services have helped our development teams recognize and understand the importance of secure coding standards within their own SDLC.
  • This isn't really a dig on Veracode, but despite their best efforts and ours, it still seems to be a hard sell to much of our user community to adopt a system like Veracode as a needed service.
During the course of our using Veracode, we still do evaluate other platforms to see what they offer, and how they compare to Veracode. I do most of the evaluations myself, and I still come back to Veracode as being the overall best platform. Most every platform, for better or worse, still charges about the same yearly amount as Veracode. Mind you, none of them including Veracode, are inexpensive services. But even though some of their competitors have enticing elements to their services, overall Veracode still offers the best service, turnaround time, and support for the money.
100
IT Development, Information security, vulnerability management. Development for the submission of scan and retrieval of findings. InfoSec and VM for administration, processing of analytic data.
1
Information security personnel, once an application developer with 25 years in that field. Detail oriented with aptitudes in troubleshooting, and loads of patience working with developers that need lots of guidance.
  • Application Vulnerability flaw identification and remediation
  • Data collection
  • Authoritative entity to ensure customer base that our applications are secure
  • Some clients want monthly reports on flaw progress, use of APIs to automate monthly retrieval of those specific client reports.
  • Hooking Veracode up to the VR module in Service Now to have regular pulls of analytic data into Service Now for further spotlight on flaws and ticket creation.
At this time, and we just renewed a month ago, I dont see any products out there overall that can offer what Veracode does. Yes, its not cheap by any means, but for the money its the best application security scanning tool out there.
No
  • Product Features
  • Product Usability
  • Product Reputation
We wanted something that not only our developers would find easy to use, but would also be easy to implement and administer. This would be a product that most developers use every day or at least most every day. I myself as the administer for our company use it every single day that Im on the job. So it needed to be a platform that provides easy but competent access to flaw data. Veracode does that. Not all the competitors do.
If we had to do it again, we would probably factor in more input from the development teams themselves. Veracode was our first foray into application security - so we had no prior experience. Now 5 years into it, not only myself, but the development teams have had a chance to work with it and find things they like and dont like.
  • Implemented in-house
No
Change management was minimal
Originally I thought Change management would be crucial in our use of Veracode. In the sense that no applications or updates are implemented without a passing scan to validate its deployment into production. But with contract dates and agreements in place, that process isnt always acceptable.
  • User adaptation/acceptance
  • Enrollment requirements / license limitations
We use it as a SAS service, so really just getting our teams to mold the use of Veracode into their SDLC has been a process of years in the making. It comes down to what your teams are ready and willing to accept and change. Management is key in getting their groups on board with using it regularly. If it doesnt have management backing, your security teams have little to no influence in getting this process off the ground fully.
Having worked with their support and program management teams now for over 5 years, I've been exposed to many support requests, concerns, and issues. We have even had one negative issue with their support team process, that was immediately addressed at their upper levels, and those upper-level management persons worked with me directly on the concerns. We recently had an issue with their mitigation process, and although it did take time to resolve, it was handled very professionally and escalated to the highest levels to address our concerns. Needs that have arisen from us as a customer have been addressed immediately and worked out with me directly by some of their most senior personnel to make sure our concerns are met. Again, their support services are among the best out there.
We did purchase premium support for Veracode - we do with each contract renewal. Its important to us to have access to knowledgeable representatives on an ASAP as needed basis. The group I work with is always there when needed. Ive worked with several project management teams at Veracode now in our 5 years - all of them have been top notch, including my current group. When there are problems, they address them immediately.
Yes
Ive reported bugs that for the most part have not hindered our experience using Veracode. Most of the bugs I have reported are with the platform itself where it could just use improvement to its feature or presentation. Most of those have just gone into a collective for future fixes or enhancements. The only one that I would really like to see fixed sooner rather than later exists with the Looker analytics - idle timeout.. that is a hinderance.
Just recently actually.. I had a dynamic scan that all of a sudden just stopped working when I updated the password for the credentials I had been using. After trying to diagnose and fix it myself for a week or so, I called in a consultation call for it. Veracode support stepped in and resolved the issue almost immediately. Put in a patch on the internal scanner, and boom - off and running again. Very pleased with the level of support there...
I believe this platform to be one of the most user friendly out there. After evaluating some other competitor platforms, I've seen one other that comes close to ease of use and others not so much. That is one of the main reasons we continue to renew with Veracode. Areas for improvement continue to be the analytics section and a very quick to annoy idle timer.
  • Detailed flaw analysis
  • Retrieval of analytic data for report generation
  • I think the whole elearning system needs an overhaul.
  • The analytics dashboard area can be cumbersome when you are constantly plagued with idle timeouts while you are working on a look.
Yes
Not an app or anything, but you can view the website platform over a mobile device.. difficult to use at best, but it can work when in a serious crunch (no laptop access).. Ive been able to delete a scan when needed over that medium. But the presentation of the site isnt really designed for mobile use, and the display does suffer.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We employ Veracode's static and dynamic scanning offerings to scan our application code for vulnerabilities on a regular basis. We also use the software composition testing of third-party, open-source libraries as a check against our use of a second similar tool. These features, as well as others we employ external to Veracode, help to increase our application's security posture. We have also recently contracted for their manual APT offering.
  • Static scanning is quick and efficient
  • The scan reports are easy to read and informative
  • Interaction with both account management and support staff is great
  • The contracting process is easy
  • The platform's interface could be a little more intuitive
  • Sometimes we get a notification that our static license use has been exceeded but it has not
  • Sometimes the static scan reports many, many potential flaws but it turns out the tool has not been programmed to correctly recognize a particular use case
  • The configuration of dynamic scanning is a bit disjointed.
  • It may just be our application but the dynamic scanning process needs to be improved. Note that we have an open case with Veracode on this so we do expect a resolution.
Use of this platform allows us to better control vulnerabilities and demonstrate to clients that we take our security posture seriously. Of course this, though important, is only one aspect of ensuring our code is as secure as possible. The feature set of the tool is quite mature and serves our needs quite well for the most part.
  • Scanning capabilities
  • Reporting capabilities
  • Our use of the tools has allowed us to pass large client security requirements
  • Our use of the tools has allowed us to more easily pass RFP security requirements
  • Our use of the tools is beneficial in helping to meet general security audit requirements
We have not evaluated other solutions similar to those offered by Veracode.
2
Software Development management Software developer
2
Knowledge in software development and software security is helpful if not required.
  • Static scanning capabilities
  • Dynamic scanning capabilities
  • Manual APT offering
  • We may integrate the dynamic scanning tool into our build process. The capability is there, we just have not explored it yet.
It is likely we will renew our use of the Static scanning tool. We will be evaluating and determining later whether we continue with the Dynamic scanning offering and the Manual APT service.
No
  • Product Features
Though it would have been smart to evaluate other, similar offerings, we did not due to time constraints. We would next time.
  • Implemented in-house
Yes
Static scanning
Manual APT
Dynamic scanning
Change management was minimal
  • Dynamic scanning configuration
Quite painless for the most part though dynamic scanning configuration issues were encountered.
  • No Training
Most areas can be figured out on your own. Other areas, depending on needs, may require a bit of assistance.
Just about right.
No
No - there is no facility to customize the interface
No - the product does not support adding custom code
No
We have only had to contact support a few times in the nine years we've used their products. For the most part, Veracode has been very responsive either via email or on calls. These requests have either been for something that did not seem to be right in the interface or for scan-finding call-outs.
No. Did not feel it was necessary. Standard support is fine for our requirements.
No
There have been a couple of times when their support staff has helped us collaboratively determine an appropriate direction in remediating a reported flaw. We have found them to be very knowledgeable and helpful in these situations.
Overall Veracode's static scanning tool works well and is pretty intuitive. I do find myself trying to remember how to find certain features or screens from time to time, but I eventually stumble upon them. To be fair, I am only in the tool once every three months. I do find their dynamic scanning tool a bit confusing regarding the setup and configuration of a target URL. I do eventually find things but I do believe this process could be improved upon.
  • Scan reports
  • Dynamic scan configuration
It meets our needs.
Veracode has always been up and available to us.
At this point, it runs well and mostly in a timely fashion. Dynamic scans take days but this may be a config issue still to be resolved.
They have always been very responsive to our needs.
They have always been responsive to our needs.
Pricing
Not really. Members of all teams have been great to work with.
No
No
No
Return to navigation