Veracode is the best SAST/DAST tool in the market as of today
October 25, 2021


Roberto Perrotti Filho | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)

Overall Satisfaction with Veracode

Veracode is truly the best AppSec tool available. You don't have to install anything if you don't want to, as it's offered as a SaaS. It's as easy to implement as writing a few lines of code or installing a plugin in your CI/CD pipeline. Their false-negative ratio is close to zero because of their AI, and the pipeline scan really gets the job done within a few minutes while giving you the opportunity to run full scans to generate reports of your entire environment. Their team is incredible and super helpful when needed. We're using Veracode to scan all of our APIs right in the development environment to make sure that we don't have any critical vulnerability running in our production environment and to reduce costs regarding vulnerability correction/mitigation.

  • Super fast CI/CD pipeline scanning.
  • BoM when using SCA along with its vulnerabilities and licenses.
  • Ease of use and implementation as it's a SaaS.
  • Custom policies to break your app's build.

  • Pipeline scan sometimes doesn't give you enough debug messages to know what went wrong.
  • DAST could have an option to scan APIs using a swagger.json file.

  • Pipeline Scanning
  • SCA
  • SaaS
  • Patented AI
  • Datacenter/Infrastructure security certifications

  • Greater Shift-Left.
  • Less worries about app vulnerabilities.
  • Better knowledge about our vulnerabilities towards the external world.

Veracode is SaaS, it runs quicker, and it has better results in terms of false positives. The company itself is a lot better than Micro Focus in terms of support and CS; it's easier to license, and they truly want to help your company get better results in terms of AppSec. They don't just sell it and leave you by yourself.

You can use Veracode with (almost) every single app that you have, independently of its programming language. With the (thankfully) not-so-new pipeline scan you can scan your apps/APIs during the build process in seconds/minutes, along with the SCA scanning, to decide whether to fail the build or not. With DAST you can scan your web-based apps as long as they're not APIs, as it crawls your website to do its fuzz testing, but I hope that they add that feature in the future, allowing swagger.json files to be uploaded to the console as well to help the DAST scanning.