TrustRadius: an HG Insights company

Veracode

Score8.7 out of 10

213 Reviews and Ratings

Get a Demo

What is Veracode?

Veracode provides advanced application security solutions, trusted by enterprises to develop and maintain secure software. Its platform identifies exploitable risks, speeds up vulnerability remediation, and reduces security debt at scale using a proprietary AI-assisted remediation engine.

Categories & Use Cases

Media

Screenshot of a fix
Screenshot of the Veracode Platform
Screenshot of SCA
Screenshot of SCA Github

1 / 4

Screenshot of a fix

Reviews

What users are saying about Veracode.
View all reviews

Veracode User Experience

Incentivized
Mickey Zarev
Senior Software Engineer in Information Technology at TradingApps (11-50 employees employees)

Use Cases and Deployment Scope

It is used across the organization. We are using it for static analysis of our code. We have selected the policy that requires our release code to minimize the level of security faults. Beside static analysis we use Software Composition Analysis and we found it very helpful in rectifying vulnerabilities from third-party libraries.

Pros

  • Good integration with Jenkins and Visual Studio.
  • Parsing the code well.
  • It has good dashboard.
  • SCA graphs for transitive dependencies are very useful in identifying the vulnerabilities.

Cons

  • The main problem is slow speed of the scan - it took 11 weeks in one instance.
  • The problem was ongoing for number of months and eventually they managed to slash the running time to one day. However, since than the running time usually takes 2-3 days as the scan always stop during the run.
  • While SCA for Java works very well, there are number of issues on the C++ side. It can not recognize the libraries build by default from source code third-party vendors
  • Especially newer version produces lots of False Positives

Most Important Features

  • Thorough scan of our code.
  • Integration with our release process.
  • Accurate info about vulnerabilities in third-party libraries

Return on Investment

  • At the moment due to very slow speed to the scan, we can not fully integrate it in our development process.
  • However, we are using it for our release process.
  • The analysis that Veracode software provides gives us and our client confidence that we are producing the secure code.

Alternatives Considered

GitHub

Other Software Used

Microsoft Office 2016 (discontinued), Microsoft Visual Studio, IntelliJ IDEA, Notepad++, Microsoft 365, Atlassian Jira

Usability

Secure your code from IDE to production

Incentivized
Verified User
Manager in Information Technology (5001-10,000 employees employees)

Use Cases and Deployment Scope

We use it a a SAST and SCA tool for all the developments in our organization. All our developers analyze the code they write using the IDE plugin and Veracode Fix to help make the software more secure.

Pros

  • IDE integration
  • Gitlab Enterprise integration
  • Reporting for Product Owners

Cons

  • SAML integration when you have multiple domains
  • Scan whole repos to get a sense of security maturity
  • Authorization model for reports and dashboard

Return on Investment

  • No critical or high vulnerabilities get to production
  • Complex onboarding on teams that don't work following enterprise guidelines or that doesn't have experts devs
  • Once the devs have it working and integrated to the IDE it is easy to use for them

Alternatives Considered

Sonatype Platform, GitLab and Fortify by OpenText

Other Software Used

Appdome, OneTrust Third-Party Management, HackEDU

My experience using Veracode tool

Sairam BathiniView profile
DevSecOps Engineer in Information Technology at DesIdea Software Technologies (51-200 employees employees)

Use Cases and Deployment Scope

I have been using Veracode for nearly 2 years, we are using its SAST and DAST features. Previously there was no source code validation in our software development life cycle. We used this tool to shift the security to left, and tried to make the process as automate as possible. The best use case of this tool is that it can be fit anywhere with flexible plugins at different stages of SDLC. Even the support is very good and co-operative.

Pros

  • Veracode does integrate into IDE where the development starts. IDE Scans will help in reducing the versions of code.
  • The best thing about Veracode is, that it is a SAAS platform, and we can run the scan and do our other work parallelly.
  • Veracode dynamic analysis is pretty good as it clearly shows the requests it sends to the server and the response it receives from the server. Which helps in analyzing the vulnerabilities more easily.

Cons

  • Reporting work can be improved.

Return on Investment

  • I am a senior security engineer, I could not give you the numbers, but I can see the difference before Veracode and after Veracode into the business.

Alternatives Considered

SonarQube, Qualys VMDR and JFrog Security (Xray)

Other Software Used

SonarQube, Qualys VMDR, JFrog Security (Xray)

One-stop SDLC Security

Incentivized
Verified User
Manager in Information Technology (11-50 employees employees)

Use Cases and Deployment Scope

We use Veracode as part of our SDLC, to provide for our SAST, DAST and SCA

Pros

  • Assemblies
  • Code scanning
  • Dynamic scanning
  • Presenting results

Cons

  • The web interface needs some getting used to
  • Some parts seem a little off, as its a different piece of software that Veracode is trying to fit in

Return on Investment

  • It makes our software offering safer
  • It educates developers
  • It saves time to have everything in 1 tool

Other Software Used

Microsoft Defender for Cloud

Superior code scanning enabling faster and more secure code.

Incentivized
Verified User
Director in Information Technology (51-200 employees employees)

Use Cases and Deployment Scope

We use Veracode to perform Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans against our code, repositories, and CI/CD pipelines for code deployments. We also utilized the IDE integration for software engineers to identify code issues earlier in the development lifecycle.

One of the areas Veracode excels in is their reporting. Our application development releases required a Veracode report to be included showing now high/critical findings.

Pros

  • SAST scanning
  • SCA scanning
  • Reporting
  • CI/CD integration

Cons

  • UI and UX felt a little outdates in some of the screens.
  • Lack of flexibility on their outdated pricing model. This has since been corrected in 2023/2024.

Return on Investment

  • High effectiveness in detecting insecure code
  • Streamlined release cycle by building security controls into deployments
  • Highly customizable reporting simplifying reporting to stakeholders.

Alternatives Considered

Snyk and SonarQube Cloud

Other Software Used

Cloudflare, Zscaler Internet Access, Zscaler Private Access, PortSwigger Burp Suite, KnowBe4 Security Awareness Training, Infosec IQ, incident.io

Related Products

Products similar to Veracode that may also meet your needs.
All comparisons
Fortify on Demand, from OpenText
CompareLearn more
Checkmarx
CompareLearn more
SonarQube Server
CompareLearn more
HCL AppScan
CompareLearn more
Snyk
CompareLearn more
Coverity Static Analysis (SAST)
CompareLearn more
Sentinel Source
CompareLearn more