Try our new research platform with insights from 80,000+ expert users
AVP, IS Manager at a financial services firm with 1,001-5,000 employees
Real User
Substantially reduces the number of unmitigated flaws in our code

What is our primary use case?

We use Veracode to scan custom-developed code for flaws.

How has it helped my organization?

  • The volume of unmitigated flaws in our applications has been substantially reduced.
  • In terms of AppSec best practices, the team at Veracode has provided industry benchmarks against which we are measuring our improvement.
  • Our customers have benefited from the added security assurance of our applications, although they may not know it.

What is most valuable?

The identification of flaws.

What needs improvement?

We would like to see improvement in reporting, in particular, end dates on mitigations.

Buyer's Guide
Veracode
November 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,636 professionals have used our research since 2012.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

It has handled all the expansion we have required from it.

How are customer service and support?

Technical support is highly competent.

How was the initial setup?

It was already implemented when I joined the organization. However, we have expanded greatly.

What's my experience with pricing, setup cost, and licensing?

We are about to enter discussions for renewal. I have heard there may be some changes to pricing. I will reserve judgment until the discussions are complete.

What other advice do I have?

I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added.

We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user854784 - PeerSpot reviewer
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
Real User
Keys for us are the static scanning and the ability to set policy profiles specific to us
Pros and Cons
  • "Valuable features for us are the static scanning of the software, which is very important to us; the ability to set policy profiles that are specific to us; the software composition analysis, to give us reports on known vulnerabilities from our third-party components."
  • "Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation."
  • "That it is a cloud-based solution is very valuable to us. We don't need that hardware running our scans and hosting the environment to be scanned. Also, the technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result."

    What is our primary use case?

    Application development and secure code development.

    How has it helped my organization?

    We do automated scanning, so we use it as part of our development cycle. We do both automated security scanning as well as our own automated testing. We run the two in parallel and treat both outputs of, let's say, a sales functionality test. A security vulnerability is just a defect that needs to be resolved before we release the product.

    We do an automated upload to the Veracode platform for all of our applications - we have about 35 applications. For all of them, it's automatically done, pre-configured, pre-compiled, based on scripts that we worked out with Veracode. And then on a scheduled basis, the upload and scanning is done, in some cases, twice a month. In some of our applications, two to three times a week, we just constantly scan and look for exposures, and continue to feed that back to the development team and make sure that they don't release product that's not ready for market.

    We have found that our developers have become a lot more knowledgeable about how to develop secure code, and that was very important to us. We also became more knowledgeable about vulnerabilities in the market, which are the most critical to address. You could say it helped us to apply the right investment in the right place.

    In terms of best practices and guidance, we do quarterly reviews with Veracode, where they're analyzing our information alongside of us and providing feedback to our executive team to suggest strategic changes in certain approaches. We've also done benchmarks with them, where we've compared our maturity model to the industry's model, as far as security practices go and best practices for security and such. In some cases, we've made adjustments to improve, and in some cases we are confident we're ahead.

    Regarding our customers, for one, they can move to market faster, we can move to production faster. Also, we discuss our security program and the software development life cycle with them in pre-sales discussions, post-sales discussions, implementation approaches. What it does is, it gives them the confidence to move ahead in a more direct fashion, with one less headache for them to worry about.

    What is most valuable?

    • The static scanning of the software is very important to us.
    • The ability to set policy profiles that are specific to us. 
    • The software composition analysis, to give us reports on known vulnerabilities from our third-party components.

    What needs improvement?

    It's really hard to criticize something that has become somewhat seamless for us. If they wanted to expand their capabilities into other areas of security, that would be fine. They're a very knowledgeable group of people. We do meetings with them on a pretty regular basis. We gain insights from their perspectives.

    To me, if they just broadened their footprint into the areas that their feet feel comfortable going into, we'd have no problem pursuing that.

    For how long have I used the solution?

    Three to five years.

    What do I think about the stability of the solution?

    No issues with stability.

    What do I think about the scalability of the solution?

    None.

    How are customer service and technical support?

    Tech support is very effective. We can do online requests for read-outs with their tech support - but the more common support would be for security advisory, when we're looking at certain vulnerabilities that we're struggling with how to remediate. We can get online with one of their security engineers, and they provide advice to us some best practices on making the code changes to secure the system. They do a very good job of that.

    Which solution did I use previously and why did I switch?

    Prior to working with Veracode, we used a self-applied application. That is, we had the solution on-premise, but just could never quite get the routine approach that we've developed with Veracode. The program management features that Veracode offers to help us get our program up and going, along with the low false-positive rates that their solution provides - versus what we had done in the past - gave us some immediate traction. I think that we were able to make progress in the first five or six months working with Veracode, that we had not made in four or five years with previous approaches.

    It was a dynamic scanning solution but, again, it was on-premise. Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation, where the other solution was a good solution, but all of that work fell upon us to do for ourselves. Our focus is on developing features and functions for our application, and running an application security platform in-house is just not practical, just not our core competency.

    How was the initial setup?

    It was straightforward. We went from signing a deal on December 30th, to performing that first scan on January 5th, to completing that scan and starting to remediate issues on about January 15th. And that is one of the fastest wrap-ups of any technology that I've been associated with.

    What was our ROI?

    By implementing Veracode in our development process, what we've done is cost avoidance, not necessarily savings. By getting ahead of it, and releasing product to the market that's more secure, we have very few, if any, reported issues by our customers. So we don't have to go and do a maintenance repair of those. That's an avoidance of cost. 

    It's a pretty accepted standard that if you release a vulnerability or a flaw into the market, it's going to cost you 10 times more to address it after the fact than if you prevent it. I'd say that that, plus the automation of the scanning, has also reduced the amount of capacity or full time equivalence we have to apply to repair and scan.

    As I said, we have 35 applications, and instead of having 35 different people preparing their packages for upload and scan, it's automated. We don't have to spend money doing that as well. 

    So avoiding the cost of releasing vulnerabilities into the market that get caught by customers and reported back, is a big one; and then, reducing the investment of performing the continual scans.

    What's my experience with pricing, setup cost, and licensing?

    We're very comfortable with their model. We think they're a good value.

    We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach.

    So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily. I'd say many customers might not quite go to that level. But that's their choice.

    Which other solutions did I evaluate?

    I'd rather not give out competitor names.

    But the method we were using in the past was what is called dynamic scanning, or DAST. That required we have an environment that was up and running with the application, and then we could proceed to scan. You can see that if we have 35 applications, that means we've got 35 environments running our application internally, just for scanning purposes. That's a lot of hardware, whereas this methodology uses static scanning, where we upload the compiled code and we don't invest any hardware in doing that. The scanning capability not only does the scanning but contains the application code for us. There are a lot of complexities with trying to do a dynamic scan on-premise, versus a static scan on a platform.

    You almost can't compare the two. False-positive rate in the dynamic scanning was very high - 30 percent, maybe - and the false-positive rate for the static scanning is very low - maybe two to four percent. That is a significant value, because you don't have to spend a lot of time sorting through reported issues to determine if they're valid or not. We're pretty well assured that as we start investigating one, it's more than likely valid. We don't have that doubt entering in.

    It was a different approach. Two concepts: 

    1. That it is a cloud-based solution, which is very valuable to us, we don't need that hardware running our scans and hosting the environment to be scanned.
    2. The technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result.

    What other advice do I have?

    We recommend Veracode to colleagues all the time.

    I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning, that's number one. Don't even compare them. If you're doing neither, do statics first. It'll get the majority of your exposures addressed. Then you come in, in a second round, and do dynamic. Dynamic really becomes more of a confirmation of security.

    The other piece of advice I'd give is to "follow the directions." Make sure they understand how they're supposed to compile code. Take the advice of the program management team with their code, and follow their lead, and you'll come out in a very good position very quickly.

    I'd give Veracode a 10 out of 10 because the rate at which we gained control of our security posture, from a development perspective, was fast. There is a lack of wasted time on our developer organization in chasing down erroneously reported vulnerabilities. The erroneous reported vulnerabilities is very low, and that means that our developer time is very effective as we investigate a reported issue. As I said, it's 96, 98 percent probability it is real. So our developers gain confidence and don't second-guess the results. 

    The level of detail that we are provided for a given vulnerability - the data path that it follows, the precision with which the justification is provided - is very high. Again, you're highly confident in the result. You are provided a tremendous amount of detail about the vulnerability it found. And the rate at which you can ramp up and be productive is very fast.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Buyer's Guide
    Veracode
    November 2024
    Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
    816,636 professionals have used our research since 2012.
    it_user335091 - PeerSpot reviewer
    Senior Security Consultant at a retailer with 1,001-5,000 employees
    Vendor
    We were able to easily integrate static code testing into the SDLC process, moving from the waterfall to the agile methodology while still able to integrate Veracode testing within both.

    Valuable Features

    Static code analysis is a valuable feature.

    Improvements to My Organization

    We were able to easily integrate static code testing into the SDLC process. We moved from the waterfall to the agile methodology, and were still able to integrate Veracode testing within both methodologies.

    Room for Improvement

    It's been over a year since I used the product. But when I did, I found there were too many false positives.

    Use of Solution

    I used it for one year.

    Deployment Issues

    No issues encountered.

    Stability Issues

    No issues encountered.

    Scalability Issues

    No issues encountered.

    Customer Service and Technical Support

    Customer Service:

    8/10

    Technical Support:

    8/10

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Raj Nachiappan - PeerSpot reviewer
    Director of Solutions Architecture at VetsEZ
    Real User
    Penetration Testing solution used by development team for static code analysis
    Pros and Cons
    • "Our development team use this solution for static code analysis and pen testing."
    • "The runtime code analysis could be improved so that we can see every element in one place."

    What is our primary use case?

    Our development team use this solution for static code analysis and pen testing.

    What needs improvement?

    The runtime code analysis could be improved so that we can see every element in one place.

    For how long have I used the solution?

    I have used this solution for two years. 

    What other advice do I have?

    I would rate this solution an eight out of ten. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Managing Director at Harrods
    Real User
    Provides the capability to track remediation and the handling of identified vulnerabilities. The application does not support API or Dynamic Application Security Testing
    Pros and Cons
    • "Allows us to track the remediation and handling of identified vulnerabilities."
    • "Provides the capability to track remediation and the handling of identified vulnerabilities."
    • "The security team can track the remediation and risk acceptance statistics."
    • "The solution does not support Dynamic Application Security Testing."
    • "The current version of the application does not support testing for API."

    What is our primary use case?

    We are planning on introducing a static code analysis tool to support a DevOps effort in our environment. The objective of the solution is to allow the team to identify vulnerabilities in the source code and improve the hygiene of the developed code before deployment.

    How has it helped my organization?

    This is currently still under evaluation, and it is pending review and assessment against other static code analysis solutions.

    What is most valuable?

    The solution provides the capability for the application teams to track remediation and the handling of identified vulnerabilities. The system provides workflow capabilities for the application teams to send the completed scans to the security teams for their review. In addition, the security team can track the remediation and risk acceptance statistics.

    What needs improvement?

    The solution currently does not support Dynamic Application Security Testing which is an important facet of application security testing. In addition, the current version of the application does not support testing for API.

    For how long have I used the solution?

    Trial/evaluations only.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user842937 - PeerSpot reviewer
    Systems Architect at a tech vendor with 201-500 employees
    Vendor
    Enables us to automatically submit each new build for scanning and get results directly into our JIRA
    Pros and Cons
    • "With the tools that Veracode provides, our developers are actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers."
    • "The most important feature is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to production or provide something to a client... Dynamic scanning actually hits our Web applications, to try to detect any well known Web application vulnerabilities as well."
    • "Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion."
    • "When those scans kick, Veracode integrates back into our JIRA and actually open tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products."
    • "The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something have on their roadmap."

    What is our primary use case?

    Security scanning of the applications, of software that my company built.

    How has it helped my organization?

    We have a large developer base at our company ranging in a variety of skills sets. Some are very security aware, others really don't have the knowledge. What Veracode provides is really good feedback on what vulnerabilities were found in their code: examples, definitions, ways to mitigate. One of the huge benefits we've seen is just a bigger security awareness within our development staff.

    Further, with the tools that Veracode provides, they're actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers.

    Veracode provides application security best practices and guides our security and development teams because most of the time, in the issues that it opens, it has lots of links and details in there. There are also regular emails and newsletters and they send out about trends. So, there's a fair amount of communication and there are also a lot of details within the issues that they find. There's always plenty of material that they link to in issues. They do a really good job of providing a lot of communication and detailed documentation around our application security tools.

    Our customers have benefited in the fact that know that we put security right in front, as a priority. It's not an afterthought. They're a lot more aware that we're security conscientious, instead of just, "The software works, here you go."

    We also have reports. Some of our customers have asked for various types of reporting and security related stuff. Now, we're also able to give them these reports, essentially from Veracode's scans of our software. So, we have a lot more documentation about it. Instead of answering one-off questionnaires from our clients, we actually have a canned report we can provide. Again, all this material, we didn't have a year ago. We were just ad hoc answering things and hoping that they didn't question it anymore, and we really didn't have any good evidence. They were just taking us at our word.

    What is most valuable?

    The most important one is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to production or provide something to a client.

    We pair that with dynamic scanning, which actually hits our Web applications, to try to detect any well-known Web application vulnerabilities as well. It's really just a way for us to stay ahead of it and provide some assurances and security with the software that we deliver.

    Also, Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion. So the API is a huge thing that we use from Veracode, in addition to those two types of scans.

    In terms of integrating Veracode into our existing software development life cycle, we heavily use JIRA today for bug tracking issues, time management, and the like, for our development team. When those scans kick, Veracode integrates back into our JIRA and actually open tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products. That's really what we use in measuring there, the integration back to JIRA in issues found.

    What needs improvement?

    From a technical standpoint, I'm pretty happy with everything. The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something have on their roadmap.

    Other than that, I don't really get too involved in the cost sides of things that's in my job, I'm more of a technical focus, but I have heard from my manager and a couple other people that the solution is quite expensive. So that is possibly one factor that could turn somebody away from Veracode. But, like I said, I really don't know much more about that. Technically, I'm very impressed and happy with what they've had to offer.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    I have not run into one issue with stability with it. I'm throwing stuff at it all day and I can't think of one time where I've had an issue with submitting a scan or getting a scan to complete. It's been pretty flawless.

    What do I think about the scalability of the solution?

    The one thing we hit was some licensing limitation. Again, it went back to cost, I believe. We had to go back and change our licensing model with Veracode to be able to scan all the things that we wanted to. I think there was some confusion up front with their licensing or cost. 

    Like I said, that's really the only area that I've heard some gripes about, but I'm far removed. I'm not sure if it was scalability or a licensing mishap, but we did have some issues early on, with the amount of things that we wanted to scan and what their limits were for us. But ever since whatever was straightened out there, I have not had an issue of scalability.

    How are customer service and technical support?

    Initially, I had some questions back and forth and I was able to get everything resolved, mostly via email. Overall, I thought the response time was good, the answers were concise and accurate. Within 24 hours I was getting a response via email from their support. For what I needed to set up, I really thought their support was great and really sharp.

    I don't work with the support that often, now that things are established. But to get off the ground running, they were extremely helpful.

    Which solution did I use previously and why did I switch?

    We had never done anything like this in the past. This was the solution that we chose. We didn't really evaluate anything else. I know that my boss has been a fan of some CA products in the past and really recommended this one. I did some digging on it, from a technical standpoint, and I said I believed it would be able to scan all our stuff, support our platforms, the languages that we write our applications in, so that's how we landed on Veracode.

    How was the initial setup?

    Without the API, it would have been extremely complex. It would have been very painful because it would have been a very manual process of submitting applications. 

    I am fortunate enough that I have a pretty strong development background, so I do a lot of coding myself. For the person without development experience, using the API would have been very difficult. Where I work, we're a little unique in that sense.

    But the rest of it, it's a cloud-based solution. I'm kicking off all my stuff over to Veracode and it's running in their environments and producing results. There's not a whole lot of setup besides that. It's not a big cost on an any infrastructure that we have to run or support. So, pretty painless really.

    What was our ROI?

    I wish I had some numbers - this is really not my area. I would assume that it's got to be a fair amount of cost savings, only because we're touching things earlier. We didn't have anything before. I don't have good stats to provide except for the fact that now we have something in our process, where before we didn't. Before, security things were only being addressed if somebody actually found something or, even worse, if a customer found something. We don't have a lot of historical data but it's got to be substantial.

    I believe, from a technical standpoint, it's paying off for the rest of the organization. I think ethically it's the right thing to do. Educating our staff - I don't really know how you measure that in a dollar amount - but our developers are getting education and are becoming more aware of security in their software. Me being a technical guy, those two things are huge, and the dollars don't add up enough. I'm not sure how you would measure it.

    It probably pays off more over time as well. We're still only a year into it. So we're still learning a lot ourselves.

    What's my experience with pricing, setup cost, and licensing?

    If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice architecture, I would suggest asking them about their microservice pricing. I would suggest that you evaluate that with your code and their other licensing model, which is like a lump sum in size of artifacts, and just make sure that you price that out with them, because there might be some tradeoffs that can be made in price.

    Which other solutions did I evaluate?

    There were some, but we didn't get serious about them because they didn't have everything that we wanted.

    What other advice do I have?

    I would advise that you figure out a way to integrate it into your software development lifecycle in a way that it's not intrusive to your developers. That was really something that I set out to do. I didn't want my developers to have to go into their code, and kick off scans, and upload their code. So, I would really suggest looking at your integrations, your JIRA, your Jenkins, all of your add-ons, and hopefully that fits into the SDLC process, and then automating via their API.

    Essentially, what we were able to achieve is, my developers still live within JIRA and the issues get opened from Veracode into JIRA and they work on things that way. They can remediate it, kick it that way, and if they need to they can log into Veracode. But I'd suggest making the SDLC process integrated as much as you can to make it something that developers aren't having to spend a lot of time doing every day.

    Overall, I would give Veracode a nine out of 10, just because nothing is perfect. But it does everything for us and it was so painless. I speak very highly of it for those reasons.

    I would highly recommend CA Veracode. Every engineer that I've dealt with has been really sharp. The review process they have is really good and the knowledge they have has been tremendous. I really recommend working with them.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Jesus Montes Ceron - PeerSpot reviewer
    Architect of solutions at IPComMx
    Reseller
    Top 10
    Utilized for scanning containers and integrated within DevOps workflows
    Pros and Cons
    • "The coverage of backdoors attacks on security that's the most valuable for my clients."
    • "There is room for improvement in documentation."

    What is our primary use case?

    We used Barracuda for scanning containers. And in all in DevOps workflow.

    What is most valuable?

    The coverage of backdoors attacks on security that's the most valuable for my clients.

    What needs improvement?

    There is room for improvement in documentation. Maybe the documentation about how to configure something. It is difficult to get the expected result. 

    For how long have I used the solution?

    I have been using this solution for two years. 

    What do I think about the stability of the solution?

    It's stable. It works very well in the parameter like an enterprise solution. We don't have any problems with that.

    How are customer service and support?

    We are very pleased with the support.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    I would rate my experience with the initial setup a six out of ten, where one is difficult and ten is easy to set up. 

    What about the implementation team?

    We work on the deployment process. The solution is deployed both on-prem and in the cloud environment.

    The solution doesn't require any maintenance. 

    What was our ROI?

    It took two years to see ROI for our clients.

    What's my experience with pricing, setup cost, and licensing?

    Veracode is expensive. But the solution is worth it. 

    What other advice do I have?

    Overall, I would rate the solution a nine out of ten. It is a good solution for security. In my personal opinion, there are not many products like Veracode in the market. 

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    it_user877104 - PeerSpot reviewer
    VP Worldwide Delivery Acceleration at a financial services firm
    Real User
    Improved our security posture without the overhead of supporting infrastructure
    Pros and Cons
    • "Because it is a SaaS offering, I do not have to support the infrastructure."
    • "Some important languages are not supported."
    • "We have encountered occasional issues with scalability."

    What is our primary use case?

    SAST vulnerability scanning. Veracode is embedded in our release pipeline.

    How has it helped my organization?

    It improved our security posture. In terms of cost savings relating to code fixes since implementing Veracode, I'm not sure there are any. How do you quantify reputational damage from a security breach? However, they have provided AppSec best practices and guidance to our security and development teams through our support agreement, weekly meetings, and annual review.

    What is most valuable?

    Because it is a SaaS offering, I do not have to support the infrastructure.

    What needs improvement?

    Some important languages are not supported.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    No issues with stability.

    What do I think about the scalability of the solution?

    We have encountered occasional issues with scalability.

    How is customer service and technical support?

    Tech support is excellent.

    How was the initial setup?

    The initial setup was extremely straightforward.

    What's my experience with pricing, setup cost, and licensing?

    Negotiate for the best deal.

    Which other solutions did I evaluate?

    Fortify, App Scanner, Checkmarx.

    What other advice do I have?

    Make sure the supported  languages align with your developers.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Buyer's Guide
    Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
    Updated: November 2024
    Buyer's Guide
    Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.