Veracode offers peace of mind with its comprehensive security scanning
May 17, 2021

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Dynamic Analysis (DAST)

Overall Satisfaction with Veracode

Veracode is used by our department to ensure that our web applications are secure and that we are employing up-to-date security standards in our development. Veracode addresses not only our public-facing website but also our coding practices.

Pros

  • Website scanning
  • Coding security standards
  • Library security

Cons

  • The Veracode website user interface is not intuitive and is difficult to navigate. New users will find that links will often have them going around in circles until they are lost.
  • The dynamic scanning does not allow for minimizing scans on repetitive forms. This could be provided with regular expression matching for links to sections of the tested web site to reduce the number of repeat scans of the same form.
  • Software composition analysis does not handle applications with more than one framework well (e.g., a .NET Core 3.x framework with a Vue front end). These have to be scanned individually and not analyzed in one run.
  • Reports are compartmentalized, offering values in one section that aren't available in another section, so that users cannot combine the separated values and use them in one report.

Most Important Features

  • Software code analysis
  • Vulnerability database
  • Software composition analysis
  • Dynamic analysis scanning of TLS ciphers with security evaluation remarks
  • Static code analysis

Return on Investment

  • Improves coding practices and prevents coding errors that create security problems from escaping the development cycle
  • Makes sure that our public-facing web applications are secured with up-to-date findings
  • Helps in identifying licensing and security issues in our embedded libraries

Alternatives Considered

  • Qualys Web Application Scanning (WAS)
The Qualys Web Application Scanning (WAS) product that we've used is similar to the Veracode Dynamic Application (DA) scanning tool. Overall, the Veracode DA scanning offers a better interface and an easier-to-read analysis report, which identifies and gives links into specific error findings in the CWE and OWASP sites. The added benefit of Veracode is that these findings are coupled with Static Application Scans (an evaluation of the code) to provide a more complete picture than Qualys provided. I'm not aware of any tool that Qualys has that offers a similar benefit as Veracode combined static and dynamic scanning.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Visual Studio IDE, Microsoft Visual Studio Code, Microsoft SQL Server, Eclipse, ReSharper, Node.js, Oracle Java SE, Oracle SQL Developer, Redgate SQL Compare, Redgate SQL Data Compare, Docker, Kubernetes, Helm, Ubuntu Linux, Fedora Linux, Oracle Solaris, GitHub, Microsoft Teams, Atlassian Confluence, Postman, Sublime Text, GNU Emacs, Vim
Veracode offers a unique solution to evaluate security from the coding standpoint, where other tools do not offer this viewpoint. This is what Veracode offers above all other tools that we evaluated.

Qualys WAS is another tool that we have used and continue to use, which is similar to Veracode's dynamic analysis scanning. There are some capabilities that Qualys offers which Veracode does not, like blacklisting URLs by regular expression.

Veracode seems deficient in testing APIs, as I have not seen any ability to manipulate the HTML header to add authorization.
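The reviewer asks for two scope controls in dynamic scanning: a regular-expression blacklist for URLs, and a way to stop re-testing the same form reached through many links. The Python below is an added illustration of how such a pre-scan planner can work in general; it is not Veracode's or Qualys's code, and the discovered URLs, the hostname and the exclusion patterns are constructed for the example. It collapses crawled URLs into a form signature (path with numeric segments templated, plus the sorted parameter names) so that /item/101 and /item/102 with the same inputs count as one target, and it drops anything matching the blacklist before deduplication, which is the order that keeps a logout or admin URL from ever becoming a representative target.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of URLs a crawler might discover on a test site (not real scan output).
DISCOVERED = [
    "https://shop.example.test/catalog/item/101",
    "https://shop.example.test/catalog/item/102",
    "https://shop.example.test/catalog/item/103",
    "https://shop.example.test/cart/add?sku=101&qty=1",
    "https://shop.example.test/cart/add?sku=102&qty=2",
    "https://shop.example.test/logout",
    "https://shop.example.test/admin/users/delete?id=7",
    "https://shop.example.test/search?q=shoes",
    "https://shop.example.test/search?q=boots",
]

# Hypothetical blacklist: regexes matched against the URL path. State-changing or
# session-ending endpoints are the usual candidates for exclusion from an active scan.
EXCLUDE = [
    r"^/logout$",
    r"^/admin/",
]


def is_excluded(url, patterns=EXCLUDE):
    """True if the URL path matches any exclusion regex."""
    path = urlsplit(url).path
    return any(re.search(p, path) for p in patterns)


def form_signature(url):
    """Reduce a request to (path template, sorted parameter names).

    Purely numeric path segments become '{n}', so /catalog/item/101 and
    /catalog/item/102 share a signature; parameter values are ignored because
    the scanner supplies its own payloads, only the input names matter.
    """
    parts = urlsplit(url)
    segments = [("{n}" if seg.isdigit() else seg) for seg in parts.path.split("/")]
    names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return ("/".join(segments), names)


def plan_scan(urls, patterns=EXCLUDE):
    """Return (targets, skipped).

    targets: one representative URL per form signature, in discovery order.
    skipped: (url, reason) pairs explaining each exclusion or deduplication,
             which is the audit trail a tester wants when scope is questioned.
    """
    representative = {}
    skipped = []
    for url in urls:
        if is_excluded(url, patterns):
            skipped.append((url, "excluded by pattern"))
            continue
        sig = form_signature(url)
        if sig in representative:
            skipped.append((url, "duplicate of " + representative[sig]))
            continue
        representative[sig] = url
    return list(representative.values()), skipped


if __name__ == "__main__":
    targets, skipped = plan_scan(DISCOVERED)
    print("scan targets:")
    for t in targets:
        print("  ", t)
    print("skipped:")
    for u, why in skipped:
        print("  ", u, "->", why)
```

Templating only all-digit segments is a deliberate conservative choice: an opaque token or slug is left alone, so two genuinely different routes are never merged by accident, at the cost of a few redundant tests.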