Allows developers to run their own scans.
Security Consultant at a tech company with 501-1,000 employees
Allows developers to run their own scans. I would like to see the false positives corrected.
What is most valuable?
How has it helped my organization?
Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.
What needs improvement?
I would like to see the following:
- Correction of the regularly received false positives
- Options to manage comments and mitigations
- Better UI functionality
For how long have I used the solution?
We have used this solution for a year.
Buyer's Guide
Veracode
March 2025

Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
848,989 professionals have used our research since 2012.
What do I think about the stability of the solution?
A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.
What do I think about the scalability of the solution?
There have not been any scalability issues yet.
How are customer service and support?
I would give technical support a rating of 8/10. At times, we have not seen the best support in terms of issues faced during a scan.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Software Engineer at a financial services firm with 501-1,000 employees
Source composition analysis component gives our developers comfort in using new libraries
Pros and Cons
- "The source composition analysis component is great because it gives our developers some comfort in using new libraries."
- "I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."
What is our primary use case?
This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web exposed systems but with maturity, we hope to increase that scope.
How has it helped my organization?
The Veracode platform probably hasn't improved our organization overall, although through no fault of theirs. Veracode is just one more tool that generates work for our developers.
What is most valuable?
The source composition analysis component is great because it gives our developers some comfort in using new libraries.
What needs improvement?
I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get uploaded and/or processed by Veracode. Now there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is going into the Web UI, checking each application, and looking for stalled scans. This is time-consuming and frustrating.
For how long have I used the solution?
I have been using Veracode for three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Developer/Architect at an insurance company with 201-500 employees
Static, dynamic, and manual scan features were useful for us.
What is most valuable?
We used the application for the web. Static, dynamic, and manual scan features were all very useful for us. All of them helped us fix many security flaws.
How has it helped my organization?
It made us change our approach to coding. We tried to make sure our application stayed secure and safe.
What needs improvement?
The current features were enough for us. Although reports are well documented, it was difficult for us to understand them at first.
For how long have I used the solution?
We have been using the solution for about a year.
What do I think about the stability of the solution?
We did not encounter any issues with stability.
What do I think about the scalability of the solution?
We did not encounter any issues with scalability.
How are customer service and technical support?
We didn't use the technical support, so I can't comment on this question.
Which solution did I use previously and why did I switch?
We did not use a previous solution. This was the first security application we used.
How was the initial setup?
It was very easy to set up. Everything on the website was clearly explained.
What's my experience with pricing, setup cost, and licensing?
I don't know about the prices.
Which other solutions did I evaluate?
We did not evaluate any alternative solutions.
What other advice do I have?
If it's the first time you are using a security application, be ready for some new tools which will require you to revitalize the flaws reported.
Reports are very well documented. Once you understand what it means and you get used to it, you will see that it is detailed and clearly explained.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Project Manager at a computer software company with 501-1,000 employees
Comprehensive features and good integrations but needs better documentation
Pros and Cons
- "It's comprehensive from a feature standpoint."
- "The reports on offer are too verbose."
What is most valuable?
The SAST feature is the most valuable aspect of the solution.
The stability has been quite good overall. The performance is reliable.
The scalability on offer is good. I don't see any constraints.
From a usability standpoint and the way it can be integrated into the pipelines, etc., it's very good.
It's comprehensive from a feature standpoint.
What needs improvement?
The reports on offer are too verbose. They might want to consider restructuring their reports to give a very good summary or overview in the first five or so pages and then go ahead and drill into the details of each and every vulnerability beyond that.
The documentation could be improved. They could, for example, provide more details in terms of how to fix issues related to sign-ups. There isn't enough detailed information out there to assist users.
For how long have I used the solution?
I joined this company very recently. Therefore, I've only used the solution for a few months. However, this company has used Veracode for at least the last two to three years. They've had it for a while.
What do I think about the stability of the solution?
The stability overall is quite reliable. There are no bugs or glitches. It doesn't crash or freeze. Its performance is very good.
What do I think about the scalability of the solution?
The solution can scale well. If a company is considering expanding, it should be able to do so without issue.
We do have a limited amount of users on the solution right now.
How are customer service and technical support?
I've never had a need, up to this point, to reach out to technical support. I haven't really come across any technical issues during my short tenure with the product. Therefore, I can't speak to how helpful or responsive they are. I don't have any insights I could share.
How was the initial setup?
We have a few team members that specialize in the solution.
Our team handles the maintenance of the solution.
What's my experience with pricing, setup cost, and licensing?
I don't have enough information to be able to comment on the cost of licensing the product. That's more of a sales question. I don't handle any aspect of that part of the solution.
What other advice do I have?
We are customers and end-users. We don't really have a business relationship with Veracode.
I'm more from the performance testing side of things. I've just added the security testing to my list of responsibilities recently.
We're using a mix of deployment models. We use both on-premises and cloud deployments.
It's a good tool. I've done some comparisons with both SAST and DAST. It gives us this end-to-end sort of feature that we appreciate. Therefore, rather than you doing SAST with one tool and DAST with another tool, I prefer going with Veracode, which offers both.
You can learn both static and dynamic scans with a single tool. You could effectively negotiate a price and do that. If you've got some simple apps, from a CAC standpoint, I'd recommend folks to use Veracode.
I'd rate the solution at a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Associate Consultant at a comms service provider with 201-500 employees
Efficient at finding vulnerabilities but the number of false positives should be reduced
Pros and Cons
- "The most valuable feature is the efficiency of the tool in finding vulnerabilities."
- "A high number of false positives are reported and this should be reduced."
What is our primary use case?
I am a consultant and SourceClear is one of the solutions that I use to provide services.
This solution is used by people who want to verify the security of their own applications.
What is most valuable?
The most valuable feature is the efficiency of the tool in finding vulnerabilities.
What needs improvement?
A high number of false positives are reported and this should be reduced.
For how long have I used the solution?
I have been using SourceClear for about a year and a half.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
We have no complaints about scalability. We have between 200 and 300 clients.
How are customer service and technical support?
We have not been in touch with Veracode's technical support.
Which solution did I use previously and why did I switch?
We have also used Checkmarx, where you can train the tool for false positives and ultimately reduce them.
How was the initial setup?
The initial setup is a little bit complex.
What about the implementation team?
It would be better to have some assistance when implementing this solution.
What other advice do I have?
Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear.
I would rate this solution a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Lead Security Engineer at a tech vendor with 201-500 employees
Our customers get the security of bug-free code, but raw file scans would help
Pros and Cons
- "Scanning of .war and .jar is key for us."
- "Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries."
What is our primary use case?
SAST. We have not yet integrated it into our software development lifecycle as it doesn't have the feature that enables us to integrate it with our repository.
How has it helped my organization?
It helps in achieving secure programming. Veracode provides us with industry best practices according to OWASP, CERT, and SANS. Our customers get the security of bug-free code and assurance regarding the application.
What is most valuable?
Scanning of .war and .jar.
What needs improvement?
Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.
For how long have I used the solution?
Trial/evaluations only.
What do I think about the stability of the solution?
No stability issues yet.
What do I think about the scalability of the solution?
No scalability issues yet.
Which solution did I use previously and why did I switch?
We used SonarQube, but to improve security in SAST we chose this.
How was the initial setup?
Setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
The pricing is good for static code analysis.
Which other solutions did I evaluate?
Checkmarx, SonarQube.
What other advice do I have?
Implement this solution if you see WAF and SOC in your future.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Managing Principal Consultant at a tech vendor with 11-50 employees
Easy to scale and does a good job, but only for a limited number of technologies
Pros and Cons
- "The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs."
- "I would like to see expanded coverage for supporting more platforms, frameworks, and languages."
What is our primary use case?
Our primary use case for this solution is application security.
What is most valuable?
The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.
What needs improvement?
This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.
Specifically, I would like to see support for mobile frameworks like Xamarin and React JS, as well as extended support for iOS applications.
For how long have I used the solution?
Five years.
What do I think about the scalability of the solution?
This solution is quite scalable.
We have approximately fifty users, but we definitely have plans to add more.
How are customer service and technical support?
I have used their technical support and they are quite good.
Which solution did I use previously and why did I switch?
We did not use another solution prior to this one.
How was the initial setup?
The initial setup of this solution is straightforward.
What's my experience with pricing, setup cost, and licensing?
This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.
Which other solutions did I evaluate?
We evaluated other options, but we chose Veracode.
What other advice do I have?
My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results.
I would rate this solution a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
VP of Services at a tech vendor with 51-200 employees
We're much more security conscious when writing code, to meet the benchmarks it gives us
Pros and Cons
- "We use it to get our scan results and see where our software is vulnerable or not vulnerable."
- "The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
What is our primary use case?
Dynamic and static scanning.
How has it helped my organization?
We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle.
In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules.
Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.
What is most valuable?
The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable.
It's part of our SDLC now.
What needs improvement?
The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
Not that I know of.
How are customer service and technical support?
I have not contacted tech support.
How was the initial setup?
It seemed straightforward. I didn't actually do the work, but from what I was told, it seemed like it was fairly easy to get going.
What was our ROI?
I cannot give numbers on any cost savings related to code fixes since implementing CA Veracode in our development process.
What's my experience with pricing, setup cost, and licensing?
It's worth the value.
Which other solutions did I evaluate?
We did evaluate other options, but I can't remember who we looked at.
What other advice do I have?
I would be highly likely to recommend working with CA Veracode to colleagues.
I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do.
Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.