Veracode Review from Security Engineer Perspective
Updated June 14, 2022


Anonymous | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)

Overall Satisfaction with Veracode

We use Veracode as our Static Analysis Security Testing tool. As a security engineer I am administering Veracode and managing/supporting our developers with using Veracode. It is our main application security code analysis tool and has been built into all of our processes, automation, developer pipelines, and reporting tools.
  • The tool seems to have been built for automation.
  • As a security engineer, I prefer the types of findings discovered through DAST or IAST since I can easily verify findings, but the SAST findings may be easier for the developers since they point to the area of code.
  • While it's hard to get developers to take advantage of the consultation calls, I like the fact that we can get a highly technical person to walk us through any type of Veracode question.
  • The UI has gone through times of instability, which can be a pain when things are broken.
  • Selecting the correct modules for large applications can be a headache as well as stressful, since you need to get that portion right to get the types of results you need.
  • There is a bit of a learning curve to navigating Veracode, so I see developers who don't use it often struggle to get to their scan results and handle them properly.
  • After building up the automation of submitting scans, it pretty much runs itself.
  • When it's working well it's great, but you need to be on the lookout for any hiccups it has that will cause your automation to break.
The overall product selection was done by someone else for many reasons.
What I liked more about Contrast than Veracode was the type of results it gave. Findings were a lot more actionable, since these were observable exploits that could be easily tested by the security team against the QA environments; it gave you examples of which parameter to exploit, which made verification easy. The other portion of the scan results I liked more was the severity ratings. I disagree with how Veracode has set some of the vulnerability severity ratings, where a JavaScript exec() is a critical severity (even though it's really just a DOM-based XSS), and something like XXE or Path Traversal is only a medium, even though you can do a lot more damage with something like that.
The downside to Contrast was how involved different teams had to be to get scan results on time. Veracode makes doing constant scanning very easy every time there is an update in the code.
Support has always been very helpful, both through their consultation calls and their email support.
For people who don't use the Veracode platform all the time it can be a little challenging, so when I need developers to check on a vulnerability I may need to hop on a call to walk them through the UI. Otherwise, the integrations with pipelines, IDEs, and reporting tools are pretty easy.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

I think Veracode would fit into most organizations' application security programs, but if you are already lacking build automation and pipelines you won't be able to harness that portion, which is where I see Veracode shining. Doing scans manually would work, but you would be missing out.