it_user837504 - PeerSpot reviewer
Information Technology at an insurance company with 51-200 employees
Real User
Give us insight into code without having to upload it, saving a lot of NDA paperwork
Pros and Cons
  • "Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavily using it."
  • "It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code."
  • "It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help."

What is our primary use case?

We test two mission-critical web applications (C# Web forms).

How has it helped my organization?

We used to revise code with free tools (like VCG) but they are not even in the same universe. Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavily using it.

Also, from the very relevant results and issues that were pinpointed by Veracode, I can say that our customer security was greatly enhanced by its use.

What is most valuable?

It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code, but the source code never leaves your workstation, it is all client side, no NDA needed.

What needs improvement?

It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).

Buyer's Guide
Veracode
March 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
849,190 professionals have used our research since 2012.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No, we did not detect a single glitch or fault in a year. We once had a periodic maintenance activity on the Veracode platform during a deadline, but it was clearly announced in advance, so we just went around it and had no issues.

What do I think about the scalability of the solution?

No, you don’t have such concerns on Veracode. The process is really "launch and forget" (and wait for results).

How are customer service and support?

The team that assists us with it is just great, especially considering there is a language barrier for some of our employees. Veracode did its best to get those employees in the loop with the chance to attend the meeting, as well as with the aid of written English.

Which solution did I use previously and why did I switch?

VCG (Visual Code Grepper) but I am not even going to compare them. VCG is as good as they come, but Veracode is a different breed. An application went through VCG and we were pretty confident. Then, Veracode results just blew us out of our shoes.

How was the initial setup?

I manage the Veracode suite for my company, and I was personally walked through the various steps. Once I was up and running, we had another two-hour session to explain to us how a proper Veracode assessment should be planned (developers, code reviewers). As a result, I believe we have not only a pretty solid code review process up and running, but this was all provided to us at no additional cost.

What we felt is that the Veracode guys want to enjoy and use their solution first. They are not pushing to get consultancy time if that can be avoided. If you need consultancy time you can have it and the prices are convenient. We did not. All the help came at no additional cost.

What was our ROI?

It is difficult to assert, but it helps a lot with maintaining compliance with our main customers, and helps us to pinpoint some specific issues. The cost of not having Veracode would be pretty high for us.

What's my experience with pricing, setup cost, and licensing?

The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was.

The licensing is fair, it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due to third-party libraries, for example) you should discuss this beforehand and explore suitable agreements.

Which other solutions did I evaluate?

Competitors were evaluated but seemed, at once, too bloated or not relevant to all our specific requests. We were not interested in buying a product (such as a standalone program) rather we were interested in getting a tool for creating a process, and Veracode is that.

What other advice do I have?

In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward to doing it, starting with the next app that gets developed from scratch.

CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost.

As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it and declare it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don’t need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage as much as you can.

I would recommend Veracode to anyone involved in high-risk environments.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer1465254 - PeerSpot reviewer
Software Engineer at a tech services company with 1,001-5,000 employees
Real User
Verification that an app is secure gives us higher credibility with clients and better performance
Pros and Cons
  • "It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
  • "I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."

What is our primary use case?

We use the Static Analysis, Dynamic Analysis, and SCA, the software composition analysis.

How has it helped my organization?

The Static Analysis has identified flaws.

From a developer point of view, it has really helped me to know about many security best practices that I need to follow.

There are also security specialists, although it's not my area, who work on strategy to mitigate flaws. It classifies things into three levels: high, medium, and low, the latter being the ones that you can live with. It tells you which are very critical and you need to fix. That helps management to determine the strategy of what to fix next.

When you reach a level of security in your application and you get verification from Veracode that your app is secure, that helps in selling products. Mitigating flaws and being sure that your product is secure is going to give you higher credibility with clients and better performance.

In our use case, some of our products have dependencies in separate apps. Before going into production, each dependency has its own sandbox to help us identify the vulnerabilities in that certain dependency. Then there is the software composition analysis, the SCA, that helps us scan all the vulnerabilities when those modules are integrated with each other. Before deploying the whole app into production, we fix the flaws and increase the score. We have a whole company policy that some high-level security experts put in place. Before we move on to the next level of scanning we need to get to a certain score. That has really helped us. Each time, they make the analysis a little harder, to dive deeper into the code and go through different scenarios to find more flaws. That has really helped us have the minimum required number of issues and security flaws, when we go into production.

What is most valuable?

The most valuable features are the application analyses: 

  • Static Analysis
  • Dynamic Analysis
  • SCA, the software composition analysis, to scan all the models together. 

These are the three features we've mostly been using.

It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail. 

You can detect which line is causing the issue and it gives you some insights about, for example, if you have a dependency problem in your inputs or some known vulnerabilities. It even gives you an article so that you can read about it and know how to mitigate it in some cases. Sometimes there are well-known flaws in third-parties and you should upgrade to another version to resolve your issues. Veracode guides you.

I haven't tried any other platforms, but from what I have seen, it is really fast. You just upload the files, which is easy to do, and you can follow the scanning progress on the platform. Once it's done you get an email and you just access the platform. I don't know what other tools are like, but for me, Veracode is user-friendly.

What needs improvement?

I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help. 

I would also like to see more integration with other frameworks. There were some .NET Core versions that weren't supported back when we started, but now they're providing more support for it.

For how long have I used the solution?

I've used Veracode since October, 2018.

What do I think about the stability of the solution?

The solution we are using is stable. So far, it seems to be really practical.

What do I think about the scalability of the solution?

In our company, other products are using it, not just our product. So it's surely being used by other developers. There is also management between the applications. Each team has its own hierarchy in the company and the organizational levels are handled well in the solution. We have an upper manager and the administrator of the app. And each product has its own dashboards and its own access rights, so I cannot see the results of other people.

How are customer service and technical support?

There was a time when we needed support from them. We organized a call because the license the company had included the possibility to have a support call with one of the Veracode guys, when we first started using it. They were very helpful, showing us how to use it. They provided support on how to integrate the extension. We had a one hour call with them and they were really helpful.

They also asked for some feedback. It feels really good to have that community working together. We feel engaged with the whole Veracode community.

What other advice do I have?

I've participated in some of the online courses, which helped. There are some levels that the team should have. You follow some courses, you get to level one, and then you move on to the next level. Each level of certification was really useful to learn about some of the flaws and some of the vulnerabilities that we could face. They give you some great use cases and how to remedy things in C# and many different languages. The online course also shows you how a developer can make some mistakes in his code, and how those mistakes can be used to bypass app security. By knowing that, you can avoid doing it in the future.

There were also some events organized recently—security labs—and they were also useful. There were tasks and I even had to work on them outside of work, but they were really helpful and a challenge.

The training also helped us to identify the existing vulnerabilities in our code and some of the third-parties that we are using that have vulnerabilities in them. We know we need to upgrade them.

My advice is that you should follow the training, initially. It was really helpful, even at the first level. Then, go on and read all the detailed documentation online. There are even some video tutorials which are really helpful. These are the steps that I followed.

There is a section on the supported frameworks. Veracode supports a wide variety of languages, but it would be good to check that before diving into the analysis and why it's not detecting your code.

I have been really satisfied with the areas of Veracode that I have had a chance to work with.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer1596348 - PeerSpot reviewer
IT security architect at a consumer goods company with 10,001+ employees
Real User
Effective static analysis, plenty of tools, but needs better support for languages
Pros and Cons
  • "The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
  • "The solution could improve the Dynamic Analysis Security Testing (DAST)."

What is our primary use case?

We are using this solution for static analysis.

What is most valuable?

The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools.

What needs improvement?

The solution could improve the Dynamic Analysis Security Testing (DAST).

There could be better support for different languages. It is very difficult in some languages to prepare the solution for the static analysis and this procedure is really hard for a pipeline, such as GitHub. They should make it easy to scan projects for any language like they do in other vendors, such as Checkmarx.

We have found there are a lot of false positives and the severity rating we have been receiving has been different compared to other vendors' solutions. For example, in Veracode, we receive a rating of low but in other solutions, we receive a rating of high when doing the glitch analysis.

For how long have I used the solution?

We have been using this solution for approximately six years.

How are customer service and technical support?

We have not had much free expert support from the vendor. We have had to have a team of highly skilled individuals to make the solution work.

How was the initial setup?

The initial setup is difficult. For example, in Android, if I need to scan an ordinary APK Android application, we need to generate the APK and when you are working in GitHub, you need to do a lot of work to make these combinations able to be scanned by Veracode.

What about the implementation team?

We did the implementation ourselves.

Which other solutions did I evaluate?

I have previously evaluated Checkmarx.

What other advice do I have?

The solution is good at finding issues and provides some very useful tools. I would advise those wanting to implement this solution to purchase professional support from the vendor. If you do not, you run the risk of having many problems such as the ones we have faced.

The DAST tool is very useful and is used in preproduction.  

I rate Veracode a six out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user873345 - PeerSpot reviewer
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
Video Review
Real User
Provides an all-in-one metrics location, I can see where everything is across my full portfolio
Pros and Cons
  • "What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it."
  • "When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code."

How has it helped my organization?

It has given us visibility into the applications we have that are participating in the application security program.

What is most valuable?

For me, at the program manager level, I'm not a developer. What I do is run applications through a security program. What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it. That is one of the more important pieces for me, at the compliance level.

What needs improvement?

Speed. When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code. In our case, we have quite a bit of older code. It takes some time to get through.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

As a SaaS product, you have certain expectations for it to be stable. It is a very mature platform so we haven't had any issues with its performance.

What do I think about the scalability of the solution?

It absolutely scales out. Our program is pretty small, but the eventual goal is complete application portfolio coverage. I have no expectation that we are going to have any issues with scaling.

How are customer service and technical support?

Technical support is great. The folks that I have interacted with, from services all the way through to the pen-testers have been great. They are on par with anybody else out there. In some cases, specifically for applications, they are probably a lot better than most.

Which solution did I use previously and why did I switch?

I have done a lot of product comparisons in my time, in information security. A lot of them are modules of a product, there is no single pane of glass. When I talk about metrics, I want to see everything in a single pane of glass, I want to see all of my results in one location. A lot of the other application security products out there can't do that yet. They are getting there but Veracode has already been able to do that for years. Veracode can run multiple types of tests and you can see all the results in one area.

When selecting a vendor the most important criteria are 

  • scalability
  • reliability of results - we want to see results-oriented success.

How was the initial setup?

Setup is very straightforward. Since everything is SaaS, everything is uploaded to the cloud. It's very simple to do. There is no setup on the back-end, initially. Once we start getting a little more sophisticated with integrations we are going to be just fine. Currently, we are early in the program so everything is done manually. So there is no setup. Everything is just done in the cloud.

What other advice do I have?

I give Veracode a solid nine out of 10 because it is a full-featured product. It is not just something that they are selling to you and then leaving you to figure out how to use it. They actually help you every single step of the way and they want to show you how to do it. 

Their testers, their application security consultants, really help you and help educate the developers. They walk you through every step of the way.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer1825527 - PeerSpot reviewer
Product Security Engineer at a tech services company with 5,001-10,000 employees
Real User
Good pipeline scanner, requires minimal maintenance, and helps easily reveal design flaws
Pros and Cons
  • "With the pipeline scanner, it's easier for developers to scan their products, as they don't have to export anything from their computers. They can do everything with the command line on their computer."
  • "Maybe the pipeline scanning doesn't support enough languages. It might support Java and Python only, so that could be improved."

What is our primary use case?

I'm working on security reviews for our in-house products. We are trying to solve problems. The use case for Veracode is to discover flaws in design before our application reaches end customers. We are using Veracode as one of the tools to ensure that our products are following secure design guidelines.

How has it helped my organization?

We have some applications where Veracode found a potential XSS due to improper input controls. Based on Veracode recommendations, I work with the dev team and remediate the flaw. That's something that I would probably have missed if I did only the manual code review.

What is most valuable?

We recently started working with the pipeline scanner, which is quite useful. In Veracode, you need to import zip files for the source code. With the pipeline scanner, it's easier for developers to scan their products, as they can do everything via the command line. When a scanner detects a flaw, it also generates a good explanation about that flaw and good references for mitigation. That's also very useful for us.

What needs improvement?

In terms of improvement, I don't have any valuable input. The application works fine and I don't have any negative feedback. Maybe the pipeline scanner can be improved to support some additional language packages.

For how long have I used the solution?

I've used the solution for two years now. It hasn't been that long. 

What do I think about the stability of the solution?

The solution is stable. I haven't experienced any hiccups in my work in any way. 

How are customer service and support?

I haven't worked with Veracode's support and therefore cannot comment on how helpful or responsive they are.

Which solution did I use previously and why did I switch?

I don't have experience with other SAST products.

How was the initial setup?

This solution was already deployed when I was hired. I can't speak to what the deployment process was like. 

The maintenance is minimal. I just need to create accounts for people who want to scan by themselves and that's it. It's easily maintainable.

What's my experience with pricing, setup cost, and licensing?

I don't have any insights on pricing. I don't handle any aspects of the licensing process so I can't speak to the overall costs or terms.

What other advice do I have?

We are accessing Veracode via a web browser. I'm guessing it's some type of cloud deployment, hosted by Veracode.

We have a lot of applications that are scanned with Veracode. We did scans for some of our core products, as well as on-demand products, and web applications. I'm mostly working with web applications for now. 

Based on my experience, new users should check as many features as they can, and also read the reports carefully. That way, they can get a full picture of how this product works.

I'd rate the solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user873348 - PeerSpot reviewer
VP at a non-tech company with 11-50 employees
Video Review
Real User
Enables us to provide secure code training packages to our customers

How has it helped my organization?

It has helped us be more secure, and it has helped us put a package together for our customers that will take into consideration training, all the way down to the coding level.

What is most valuable?

For us, it's the partnership. We have always been very strong partners with Veracode. They provide excellent training to our sales team, so we are able to work with our customers to show them the value of secure code training.

What needs improvement?

More integration into the specific application; an open API would be good. Aside from that, I think they do a really good job in terms of the features they have. 

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

Veracode has always been a very stable product for us, a very stable product for our customers, and it has been a very stable relationship as well.

What do I think about the scalability of the solution?

We have customers of every size from several hundred to several hundred thousand. The product works well, regardless of the size of the company we are working with.

How are customer service and technical support?

We have had customers - and it has been our own experience as well - tell us that the support is second to none. They are very quick to respond, very quick to answer questions in a really knowledgeable way.

How was the initial setup?

We've had no comments from our customers other than that it is an easy setup.

Which other solutions did I evaluate?

When it comes to secure coding, Veracode is the only one we really considered.

What other advice do I have?

For us, whenever we are selecting a partner, vendors to work with who are going to be working with our customers, we have to make sure that they align regarding customer support philosophy, and that is the reason we selected to work with Veracode.

I would definitely rate Veracode a 10 out of 10, based on our customer feedback. Whenever we know the relationship is going well between Veracode and our customers, it reflects very well on us.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
PeerSpot user
Software Security Consultant at DXC Technology
Real User
Code scanning is fast with current, updated algorithms
Pros and Cons
  • "Provides consistent evaluation and results without huge fluctuations in false positives or negatives."
  • "The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms."
  • "It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack."

What is our primary use case?

Provides static code analysis of the customers' applications from all industries. It includes any type of code and scripts, but mostly Java, .Net, C++, and C# environments.

How has it helped my organization?

The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms.

What is most valuable?

Provides consistent evaluation and results without huge fluctuations in false positives or negatives. 

What needs improvement?

It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack.

For how long have I used the solution?

More than five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Raj Nachiappan - PeerSpot reviewer
Director of Solutions Architecture at VetsEZ
Real User
Easy to set up and it helps ensure that our code is secure
Pros and Cons
  • "The most valuable feature is the dynamic application security testing."
  • "In the future, I would like to see the RASP capability built-in."

What is our primary use case?

We use Veracode to ensure that the software we are building is secure.

What is most valuable?

The most valuable feature is the dynamic application security testing.

What needs improvement?

It takes a while to get a response to the software composition analysis. It is within an acceptable range but it could still be improved.

In the future, I would like to see the RASP capability built-in.

For how long have I used the solution?

We have been using Veracode SCA for three months.

What do I think about the stability of the solution?

SCA is pretty stable.

What do I think about the scalability of the solution?

Scalability doesn't really apply to a software composition analysis tool.

How are customer service and technical support?

The technical support is pretty good. When I requested help they contacted me within an hour. I don't have any issues with them.

How was the initial setup?

The initial setup is pretty straightforward.

What other advice do I have?

In summary, I think that this is a good tool and I recommend it for helping with security in software development.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user