Great for automation and reporting of application security testing
September 03, 2020

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)

Overall Satisfaction with Veracode

Veracode is used by our organization to conduct static application security test (SAST) scans. The SAST scans are either manually submitted through the Veracode portal or automated via CI/CD integration. It is being used across the whole organization for all custom-developed applications. Veracode's usage addresses requirements to run SAST scans on all custom-developed applications before releasing to production.

  • Analytics - Veracode has the most powerful reporting/dashboard feature I have seen across all other SAST vendors.
  • App sec program improvement - Veracode program managers take a stake in your organization's security posture and guide you through the enhancement of your overall SDLC.
  • Technical support - Veracode support is very prompt and the "consultation" feature is a must-have.

  • Licensing - it is not easy to determine license consumption in a given time frame, and the reliance on analysis size leads to large license consumption and issues.
  • Auditing - it is not a very straightforward process for developers to triage flaws/review issues in the portal.

  • Faster go-to-market speeds due to SAST integration and timely triage of findings
  • Visibility into security posture of entire portfolio
  • High license costs when applications are not packaged correctly for scanning

Our organization uses both Fortify and Veracode. Veracode is great for any applications using third-party components and for testing applications that Fortify doesn't support. Veracode is typically faster with supporting new technologies, given the reliance on binaries as compared to source code in Fortify. Veracode has much better reporting than Fortify.

Default Veracode support is always prompt. Program managers are also prompt and attentive to your organization's unique issues. Consultations do take some time to schedule; however, they provide great benefits to teams once completed.

Do you think Veracode delivers good value for the price?

No

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

I wasn't involved with the implementation phase

Would you buy Veracode again?

Yes

In my organization's experience with Veracode, it is well-suited for SAST of custom-developed applications using third-party libraries. However, the packaging/scanning process does get quite complex when scanning complex solutions. Veracode is also well-suited as an official reporting dashboard of application security posture over time, allowing for many different customized views.