Solid Value for Class-Leading Security Scanning
September 06, 2020

Michael Johnson | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)

Overall Satisfaction with Veracode

Veracode is being used on our core system. For our customers, trust in the security of our software is critical. Being able to show our commitment to software security and the use of a trusted brand to check our code helps with turning prospective clients into paying customers. It also helps us in audits for the industry regulations we must meet.

  • A focus only on code security--rather than cluttering up their offerings, Veracode focuses only on products and services around code security.
  • Scanning code--their scanning engine seems to be among the best in class and has a very low false-positive rate.
  • Reporting on the flaws found--the ability to review flaws from either a web interface or an IDE plugin helps speed up remediation.

  • Security profiles--these aren't laid out very well and can be intimidating.
  • Dynamic scanning--for some web applications, the dynamic scanner doesn't work well. It's one of the reasons we're not currently using it.
  • User permissions--some of the permissions are confusingly labeled or don't make sense if a different permission isn't enabled. Having cascading access profiles or grouping permissions would help a lot here.

  • Increased trust in system security from clients
  • Easier security audits for regulation compliance
  • Faster remediation of security flaws before they get published

SonarQube is a great general code quality analyzer, and we do use it as a companion to Veracode. However, it's not security-focused and tends to have a higher false-positive rate for security issues it flags. It's also not as easy to generate reports from the findings unless you pay for the very expensive Enterprise edition. Qualys Cloud Platform only offers dynamic scanning, which we feel misses over half our platform code and thus is an incomplete solution for us.
Veracode support is fairly responsive on issues. We haven't had to use them much.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

For any compiled language, Veracode does a great job of scanning for vulnerabilities. It's not quite there for interpreted languages like JavaScript, possibly because of the complexity of scanning something that can be run through different systems and interpreted differently by them. They're also not really fit for a general "code quality" review, as they focus only on security flaws.