Veracode - A non-binary review for the binary scanner
November 18, 2020

Veracode - A non-binary review for the binary scanner

Śrinivāsa Rao Kuruba | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Developer Training
  • eLearning

Overall Satisfaction with Veracode

Veracode was used in our organisation by a few business units for Static Analysis Security Testing (SAST). It helps in finding software vulnerabilities in the code by scanning the binary derived objects of the source code written by developers, thus addressing the security aspects of the products the organisation is shipping to its customers.

Any aspect concerning the vulnerabilities of a software product is non-trivial and would be very costly if reported by the customers. Veracode helps find these beforehand, if the code (binaries) is scanned before being integrated into the product. With its wide variety of integrations, Veracode scanning can happen at any stages of the DevOps CI Pipeline, thereby facilitating the "shift left" mentality of finding defect/vulnerabilities in [the] code as early as possible in the software development life cycle.
  • Binary scanning. Veracode static analysis is based out of binaries derived from source code which is more accurate that just the pure source code scanning. This accuracy translates to less false positives in the defects reported, thereby saving time of developers in tackling the real issues.
  • Veracode being a SaaS platform reduces the IT burden on your organisation. No servers to worry about, no performance concerns, no storage expansion to plan ahead and no capacity/elasticity challenges to take care of on all the infra (compute, storage, networking).
  • Veracode platform is very quick to configure and very easy to use. It just takes a few minutes to setup an application profile and start scanning. It is particularly easy to use for modern programming languages like Java as the java binaries are optimal for scanning.
  • Learning - Veracode's eLearning portal is very good and has all the relevant training on various aspects of security and again is seamlessly available in the same platform/tenant where the teams scan.
  • Security Consultation - Very easy to get help within the platform itself for a security consultation which is invaluable for the first few scans. Veracode is probably one of the very few SAST solutions which has such easy provision to get security consultation.
  • There is an initial overhead on generating the binary artefacts for scanning. The binaries need to be loaded with debug symbols for Veracode to be able to trace the defect back to the file and line number. This is relatively easy for modern programming languages (e.g. Java) with latest build tools (e.g. maven/gradle) but can be quite challenging for languages which are platform specific (C/C++) and have dated build systems (e.g. make).
  • Entry Point Selection. After the binaries are uploaded for scanning, the Veracode platform analyses them (pre-scan) and provides a list of 'modules' to be selected for scanning. Only the points of entry of program execution need to be selected here, based on the application architecture. The 3rd party modules on which your code is dependent on need to be uploaded but not selected as entry points for execution. This typically needs some fine-tuning and teams take some iterations to optimise. This would need the product architect inputs which teams generally do not understand, as they treat scanning in general as a DevSecOps responsibility and only after scanning, the developers/architects pitch in. For Veracode, their inputs are needed even during the scanning, for the first few scans at least.
  • This is a both a pro and con. Veracode does not give any option to customise the scanning rules or tweak what it is scanning for. This makes for a much simpler setup but also gives no scope for creating an application-specific scanning profile. For instance, if I do not want Veracode to look for SQL injection for whatever reason, or if I want Veracode to only look for OWASP Top 10 vulnerabilities, I cannot configure.
  • Long scan times, specifically for C/C++ based product/app scans. Some of the scans for enterprise scale product in C/C++ used to take quite many hours, and at times a couple of days. There have been improvements in this during the course of our 3 years of usage but in general, scans take a long time to complete.
  • Veracode was one of the few scanning tools adopted by almost every team in the couple of Business Units where it was recommended. In a way, it is the only scanning tool with complete adoption.
  • Veracode reports detailing vulnerabilities and the accompanying documentation/learning sections helped developers understanding security aspects of coding, driving a culture of not just writing working code, but [doing] it securely.
  • Veracode Analytics Dashboards helped the leadership have a bird's eye view of the security score/compliance of all the products in their Business Units.
Earlier in our organisation, Fortify was used (formerly from HP but now owned by Micro Focus). The general consensus was that there was too much noise (false positives), taking a lot of time to find and then fix the real issues.

SonarQube is also used in our organisation but not as widely as Veracode was used, due to the former's more generic scope on quality rather than the laser sharp focus Veracode has on Vulnerabilities.

Owing to the overall company's directive and cost objectives, Coverity eventually succeeded Veracode as the recommended SAST application, but the choice was not on purely technical grounds.
- Almost no setup required and easy to configure
- Very easy to use, intuitive UI with integrated analytics and learning portals.
- Seamless to review the results, triage them, generate reports.
- Security progression of the product/application is tracked via successive scans.
- Privileges/Roles nicely fine grained and tightly controlled to let teams "view" only their products.
- Easy to create support cases, right from the platform itself instead of visiting any other website or customer support portal.
- Privilege to create the cases granted to all users of the platform by default instead of restricting to only the Admins.
- Responses/updates to the case very promptly given. Escalation channels available via the customer success managers.
- Delegation of the user-generated cases to the platform admins of the organisation very quickly done, the scope permitting.
- Security consultation, a form of support unique to Veracode, can be very easily availed post-scan.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?


Did Veracode live up to sales and marketing promises?


Did implementation of Veracode go as expected?


Would you buy Veracode again?


Well Suited
  • Well suited for modern programming languages
  • Super good for organisations which do not have a big IT budget to spend on infrastructure
  • Veracode Security consultation is invaluable for teams/Business Units which do not have a dedicated security team
  • These culminate and make it ideal for a startup to quickly benefit from Veracode's setup leanness to get going on Security scanning
Less Appropriate
  • For scanning large legacy applications/software (huge code base, multiple platforms to build, platform specific languages used)

Using Veracode

Like to use
Relatively simple
Easy to use
Technical support not required
Well integrated
Quick to learn
Feel confident using
  • Easy to upload and scan without much setup/configuration
  • Easy to integrate with CI Orchestrators like Jenkins and IDEs like Eclipse/IntelliJ
  • Elegant and integrated platform for scanning, viewing results, triaging vulnerabilities, generating reports/dashboards and learning. The complete SAST workflow
  • Entry point selection after the pre-scan
  • Identifying the warnings/errors in the modules after pre-scan
  • Exporting defects/vulnerabilities during the triaging of them (need to go the analytics section for flaw export)