Veracode - a key partner in securing our products
October 14, 2020

David Nelson-Gal | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Modules Used

  • Dynamic Analysis (DAST)
  • Penetration Testing

Overall Satisfaction with Veracode

We use Veracode for security application scanning of our product. We also use Veracode as our manual penetration testing vendor. It is a critical part of our security hardening and validation processes.
  • Regular application scanning
  • MPT has been excellent and cost-effective
  • The organization, from rep to executives, has proactively listened to our needs.
  • Don't currently support our language for static analysis
  • Would be nice if Veracode had network scanning as well.
  • MPT costs have become more predictable
  • Veracode Scanning and MPTs are key components of our security auditing and make it easier to pass client IPsec reviews.
  • Qualys Web Application Scanning (WAS)
I have grown to trust Veracode more, ever since they released their Dynamic Scanning which can be set up as a regularly scheduled scan. We have also started to depend on Veracode as our MPT vendor as well. Finally, I've appreciated opportunities to talk with Veracode executives, leading to product improvements as well as insights for me about what is coming in the Veracode roadmap.

Qualys has more cumbersome support and their products are too complicated to use. Product teams are not very customer-centric. Company seems oriented towards much larger customers than I am. Still have to use them for Network Scanning but I would be willing to consider a Veracode offering if they had one.
In general, I have really grown to appreciate and trust Veracode as a vendor. Support has been good, their MPT testers have been thorough and competent, and their executives have been available and open to my issues.

I have had periodic issues making scans work effectively. I can't seem to self-service my way through them. Still, Veracode support people have been able to help get my scans to work and once they are scheduled, things are pretty smooth. The user interface has been rough historically but is getting better.
This used to be terrible. Had a difficult time figuring out where information was. Partly this was due to duplicative features, jargon labels, and user navigation. However, in the seven years I've been using the product, it has gotten better.

Some of my issues were associated with trying to get scans to work unassisted. Now that scans, once set up, just run periodically, I don't have to deal with that as much. Part of this might also be that I've learned what I need to know about getting around. And still part of this assessment is in comparison to other tools out there that are even worse.

Still, they could benefit from an investment in a full usability redesign from someone with an outside perspective, modernizing the UX but also studying and working through the bigger usability concerns. I would love to see better diagnostic tools around getting scans to work so I wouldn't need their tech support people to get scans to work. However, as long as the scheduler keeps going, my needs on this get ever rarer.

Qualys Cloud Platform (formerly Qualysguard), Qualys Web Application Scanning (WAS), Graylog
Our relationship with Veracode has gotten steadily better over the years. In truth, I would be interested in moving more of my security validation processes to Veracode primarily because I've found it to be easier to work with than my other vendors.

Currently, Application Scanning and MPT are the two areas where I can use Veracode. I am interested in its static analysis tools but currently, we aren't using the programming languages they support. This may change.

I also would like to use Veracode for Network Vulnerability Scanning but it doesn't offer an option there so we work with other vendors. They are also not an option for intrusion monitoring/detection so we have to use other vendors.