We use it for security, to analyze our code.
Chief Technology Officer at ELEARNINGFORCE International ApS
Brings clarity to the flaws we can mitigate, increasing our security level to highest possible standard
Pros and Cons
- "It changes the DevSecOps process because we find flaws much earlier in the development life cycle, and we also spot third-party software that we don't allow on developers' machines."
- "There might be room for improvement in the in-app guidance and the tips and tricks for the developer about how to progress. We would like more insight into the development environment, where they would get guidance on how to avoid flaws."
What is our primary use case?
How has it helped my organization?
It changes the DevSecOps process because we find flaws much earlier in the development life cycle, and we also spot third-party software that we don't allow on developers' machines.
It's bringing clarity to the flaws that we can mitigate, and that's the main purpose. We can have a brisk conversation about the flaws. Not all flaws need to be fixed because there might be other protection measures implemented.
Veracode has increased our level of security to the highest possible standard, so we have been able to be ISO certified and meet Microsoft compliance. We have met many industrial standards from a compliance perspective by having this high level of security and trust in our application. That applies to our platform as well, because the dynamic analysis has opened up vulnerabilities in the platform.
What is most valuable?
We are using three of the features: static analysis, dynamic analysis, and the code composition for third parties. We also use their Security Labs for training.
Veracode does a great job of preventing vulnerable code from going into production, and its policy reporting for compliance is also very good. It meets our needs.
And if you use it correctly and bring early feedback into the developers' environment, it provides visibility into application status at every phase of development. But if you only use it as an analysis after the product has been built, then you don't have the whole life cycle. So it really depends on how you integrate Veracode. For us, it gives full insights.
What needs improvement?
There might be room for improvement in the in-app guidance and the tips and tricks for the developer about how to progress. We would like more insight into the development environment, where they would get guidance on how to avoid flaws.
Buyer's Guide
Veracode
March 2025

Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
848,989 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Veracode for the last three years.
Which solution did I use previously and why did I switch?
We use SonarCloud, which does a different type of analysis on the static code but not on the compiled code. It's a different way of detecting security flaws.
How was the initial setup?
I was involved in the deployment of the solution all the way through, from purchase to acquisition and deployment. It involved a lot of new learning. But we had a very good implementation consultant from Veracode assigned to us who made it pretty simple for us. I don't think we could have done it ourselves.
We did a proof-of-value exercise, which included educating two senior developers. The total implementation time was about two months. We focused on one area of our application and got the scanning process up and running and stable. Then we started applying it to more applications.
We only used two people from our organization to complete the work. Then we educated all the developers about using the extension with the EDI. We then found a person who would be responsible on each delivery team who ensures that their application is maintained within our policy level. Each team is responsible for keeping their application within those standards.
What about the implementation team?
We got help directly from Veracode. I would rate their help at eight or nine out of 10. They helped us implement it into our pipelines, daily processes, and software. And they helped us understand how to mitigate the flaws and how to open up consultation hours if there was something we disagreed with, such as false positives. They gave us very good onboarding and implementation.
What was our ROI?
From a commercial perspective, the impact that the Veracode certification has had on our ability to sell to large enterprises is non-debatable. The return on investment has been met, for sure. It took six months and occurred when we had finished implementing and got the certification.
What's my experience with pricing, setup cost, and licensing?
We haven't really done any price checks on the competitors.
We purchased a Security Labs license to keep our developers trained in new security practices.
Every development company is different. If someone is looking at Veracode but concerned about the price, it probably depends on their technology stack. There are pros and cons for every decision. As a happy customer, I can say that the service level that I have received from Veracode has been high and understandable every time. That also counts a lot. And it's not about the software; it's about how we actually utilize the software best.
Which other solutions did I evaluate?
We had three or four other candidates from the reports that we evaluated from a user review site, but we ended up deciding to use Veracode because it had the best price and match for our technology stack.
At that time, Veracode's advantage was predominantly because it was SaaS-based software, and the implementation team was very supportive in making sure that we got it properly integrated into our processes.
What other advice do I have?
The false-positive rate is constantly maturing. It's very much based on how many respond back. It's learning based on the false positives. My team thinks that it's better to have a false positive many times than miss a real one. The effect on developer confidence in the solution when fixing vulnerabilities is that it sometimes leads to frustration because they find that it's slowing them down, but the way that the engine is constantly maturing means it is becoming better and better.
I don't think any security or quality analysis tool brings speed. But it increases the quality, both from a risk/security and reliability perspective. But if you're looking at productivity, none of these tools bring productivity. They mitigate risk. It has not made our development process faster.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.

CEO at CareerCraftly
It has also enabled us to identify and fix bugs earlier, which is cheaper than fixing issues after a product is launched
Pros and Cons
- "Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production."
- "The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced."
What is our primary use case?
Veracode helps us identify bugs and flaws in our code while operating it. We use the solution's static analysis feature to analyze code before running applications, and dynamic analysis, which scans the app while it's running.
We typically run Veracode at the end of the development phase when we are ready to launch our software. We also scan for vulnerabilities after the software goes into production. It's the final phase of our development cycle.
How has it helped my organization?
Veracode has reduced the amount of time we spend manually investigating our code. It has also enabled us to identify and fix bugs earlier, so we don't need to release patches after a product is launched.
The false positive rate is quite low, which is critical. If it had a high false positive rate, it would be difficult to trust this software. We can discover lots of errors and bugs manually, but this software enables us to clear any error or compliance issue with a low false positive rate. It's highly efficient in that sense. We can trust the process, so we spend less time investigating issues manually.
In one development cycle, Veracode usually saves us four or five hours of human work that goes into checking the code, finding errors, and fixing them manually. The remediation is also built into the software.
What is most valuable?
Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production. Veracode helps prevent vulnerable code from entering production, and it has a low false-positive rate, so it can reliably find real vulnerabilities.
The software bill of materials feature has proven helpful in finding bugs and flaws that may cause problems in our product when we launch it. It has helped a lot to exponentially reduce the cost after the launch cycle. It is quite easy to create reports and perform a detailed analysis because much of the process is automated. It can fix most issues automatically.
What needs improvement?
The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced.
For how long have I used the solution?
I have used it for four months.
What do I think about the stability of the solution?
We haven't experienced any downtime since we started using it. It is highly stable. We haven't seen any server crashes from their side.
What do I think about the scalability of the solution?
Veracode can handle lots of processes, so I would say it is scalable.
How are customer service and support?
I rate Veracode support eight out of 10. The response times are fast. If we have a problem, they respond within four or five hours.
How would you rate customer service and support?
Positive
How was the initial setup?
The setup process was straightforward, and the Veracode team guided us through the deployment, which took about four or five hours. It only takes one person to install the solution. It doesn't require any maintenance after deployment.
What was our ROI?
Veracode has eliminated a lot of manual security processes that cost a lot of money and time. It has saved us lots of time and money for development.
What's my experience with pricing, setup cost, and licensing?
The cost of scanning code is cheaper. It's typically $0.50 per line of code. However, it's expensive to run a high-level process that would normally require a human security expert. For example, penetration testing costs about $1,000 per application. The cost of these features may be too high for smaller organizations. On the other hand, Veracode's interactive application security testing is fast and cheaper compared to other software.
What other advice do I have?
I rate Veracode nine out of 10. If anyone is considering Veracode, I suggest trying a demo beforehand so that you can see how it addresses the kind of problems your organization is facing and how it works with the programs you are creating.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
COE Head at a tech services company with 1,001-5,000 employees
The dynamic analysis feature helps secure risky web applications
Pros and Cons
- "I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
- "Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data."
What is our primary use case?
Our primary use case for Veracode is to secure our software development lifecycle. It's deployed in a couple of countries and connected to multiple applications. It's used by five development teams, each of which has a different focus, such as digital channels, CRM, ERP, backend deployment, and billing. We also have a team that coordinates all of the efforts of the secure development policies. That team sets the guidelines and policies. The entire development team has about 20-30 people.
How has it helped my organization?
Veracode has sped up the development cycle, helping us bring products to the market faster. I work at an IT services company with hundreds of customers who have various needs for different kinds of tools. That doesn't mean we use Veracode for all our customers, but for certain customers, it's critical because the solution reduces the amount of time needed to prevent and detect issues. Bringing secure applications into production is essential.
We can't just rely on our development teams to make, test, and manually review the code. We need powerful tools that provide a strong framework for detecting vulnerabilities and scanning application components. Penetration testing is the most important because hackers break into the application and access the information.
Dynamic analysis is also crucial for web applications, which can be risky. Veracode can dynamically detect vulnerabilities and block traffic. It is sometimes hard to differentiate real users from hackers. Dynamic analysis must be implemented with a user-sensitive perspective.
I work in Latin America, and there are regulations on information security and the use of customer information. The most vital areas are things like health information and finance. You can face penalties for failing to protect customer information, so it's critical for us to secure our code during development. Any vulnerable code or application component can risk disclosing customer information from customers and allowing an outsider to penetrate the systems or databases.
Veracode offers visibility throughout the entire development lifecycle. SecOps is an essential framework inside the organization currently because we need to deliver applications to market faster while improving code quality. It's crucial to be careful when using code generated by community sources. We need to test the final applications and also the components and packages in any code repository we use.
We're deploying complex pipelines and utilizing CI/CD. For example, Veracode is important when connecting management tools, code repositories, and various cloud components. Having that integration and capacity to connect to various tools in the DevOps framework is vital for the DevOps team. Every business must decide its risk tolerance and set a threshold of vulnerability permissions in the application to detect. It's really powerful if you can configure the threshold correctly.
Developer confidence depends on their capacity to understand, and Veracode has to detect vulnerabilities and provide suggestions for correcting them. Sometimes it's an upgrade; sometimes not. It also provides different kinds of information to the developers.
Veracode has had an enormous impact on our ability to detect flaws. It's risky if we don't have the capacity to detect vulnerabilities in the earliest stage of development before the applications go into production. It's also an important time-saving tool. It reduces the time spent manually addressing vulnerabilities by about 20-30 percent.
What is most valuable?
I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc.
Most of the time, the key thing was to ensure the security of digital channels and reduce the risk of any breach that could cause a security issue. It's critical to maintain the security of sensitive information transferred from our customers to the sales staff. Keeping that data secure is important for the customer relationship and also for compliance and recurring sales.
I rate Veracode 10 out of 10 for its ability to prevent vulnerable code from entering production. It has a lot of useful and intuitive features. In previous settings, static analysis was one of the primary use cases, but dynamic analysis is also helpful. Veracode is highly valuable because one vulnerability could result in service downtime or worse: a leak of customer information.
The investment in the tool is justified because we can detect and prevent vulnerabilities much earlier in the process. Software composition analysis is also vital when we use open-source middleware or backend components for business-critical functions like bringing information from one source to another or connecting one application to another.
What needs improvement?
Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data.
You pay for all of the time that the tool is running, not for the number of scans. There are specific rules governing the amount of traffic applications can consume from the allotment you have. I would like the pricing to be more personalized. For example, some companies don't have a large budget for this kind of tool, whereas a large enterprise can acquire this kind of solution and pay for it. However, I'm an IT consultant working with various types of customers in different industries, including finance, insurance, and telecommunications.
For how long have I used the solution?
I started using Veracode at least three years ago.
What do I think about the stability of the solution?
Veracode is a highly stable platform. I haven't experienced any service disruption, and the performance is solid.
What do I think about the scalability of the solution?
I've used Veracode in a telecommunication company with a huge environment and more than a hundred applications. I don't have experience with smaller-scale use cases, but I know the cloud is quite scalable.
How are customer service and support?
I rate Veracode support nine out of 10. We get support from the resellers and direct support from Veracode analysts. We call the support team or the architect when there is a serious technical issue.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I haven't used a commercial tool like Veracode before. It depends on where I'm working, but the most common tool we use is an open-source solution called SonarQube.
How was the initial setup?
Veracode is straightforward to deploy. It's not hard to connect it, and we had support from a local vendor to help us integrate it into our dev lifecycle. It required only one person from my team.
What about the implementation team?
We had assistance from our local reseller, and the experience was great because we had a direct connection from the partner to the brand. We have a local team member who was in charge of the resell process.
What was our ROI?
We calculate the return on investment primarily based on the risk. We calculate the ROI annually, but it's not very detailed. We factor in the risks associated with the loss of customer information, penalties for noncompliance, etc. In the worst-case scenario, we estimate that we could potentially lose up to $1 million annually.
What's my experience with pricing, setup cost, and licensing?
The licensing model could be more flexible, and Veracode could be more accessible to smaller enterprises. We obtained Veracode through a consultancy. Veracode sets the price through consultation with our reseller, but I have yet to get a direct quotation without any other reseller in the middle. If you are worried about the price, I would say that you could request more information and do a trial, then see if you can negotiate an offer.
Which other solutions did I evaluate?
We decided to use Veracode without comparing it to any other kind of solution. We had a kind of consultancy from one of the companies, the IT services company that was one of our partners, and they worked closely with us, and we selected Barracuda the tool that we needed.
What other advice do I have?
I rate Veracode nine out of 10. It's an excellent solution for securing the development lifecycle. I recommend starting with a trial and getting in touch with the account team to explore all of the different features.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Lead Consultant DevOps and Infrastructure at a tech vendor with 5,001-10,000 employees
Prevents vulnerable code, offers end-to-end visibility, and saves our developers time
Pros and Cons
- "This static analysis helps ensure a secure application rollout across all environments."
- "The scanning takes a lot of time to complete."
What is our primary use case?
We use Veracode to scan the applications.
How has it helped my organization?
Veracode's ability to prevent vulnerable code from entering the production environment is good.
Using Veracode's ASC team is easy. I can send them an email and arrange a call from the app. They were helpful when I had issues or questions about using the app.
Free access to the ASC team is a significant advantage because they possess in-depth knowledge of the product and are readily available for assistance.
It is innovative when it comes to features.
Veracode helps our organization with security scanning. We realized the benefit of Veracode as soon as it was deployed.
The policy reporting is valuable because it provides two key benefits: first, it generates a security score for our application. Second, it offers comprehensive reporting that details both the vulnerabilities found and the potential risks they pose to our application.
Veracode can provide visibility into application status at every phase of development.
It assists our application team in fixing flaws by identifying issues and guiding the team toward resolving them.
Veracode helps our developers save time by ensuring the code is secure.
Veracode helps us improve our overall security posture. When a Veracode report shows no vulnerabilities, it indicates a strong security position. This allows the security team to sign off on approvals more efficiently, as a clean Veracode report is a key factor in their evaluation process.
Veracode is a valuable tool for a shift-left security strategy. It helps save overall development time, money, and effort by identifying and resolving security vulnerabilities early in the development lifecycle.
What is most valuable?
I find Veracode's SASD feature to be the most beneficial because it enables us to proactively identify security vulnerabilities in our application code before deployment. This static analysis helps ensure a secure application rollout across all environments.
What needs improvement?
The scanning takes a lot of time to complete.
Veracode offers comprehensive visibility into application security throughout the development lifecycle. However, due to cost constraints, we are not currently utilizing all available analysis types.
I would like Veracode to introduce infrastructure as code scanning.
Instead of relying on emails, it would be beneficial if Veracode offered a built-in tool for logging and managing issue tickets.
Veracode sometimes performs maintenance without notifying clients in advance, which can cause disruption.
For how long have I used the solution?
I have been using Veracode for two years.
What do I think about the stability of the solution?
For the most part, Veracode is stable but there are times when we have downtime due to maintenance that we are not informed of.
What do I think about the scalability of the solution?
I would rate the scalability of Veracode nine out of ten.
How are customer service and support?
Technical support has been great at fixing any issues I've had.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
My client in the banking industry previously used Black Duck before switching to Veracode.
Veracode's end-to-end testing offers a significant advantage over other solutions by providing a comprehensive security solution. This includes capabilities for static analysis, dynamic scanning, and even penetration testing. However, the cost associated with dynamic scanning and penetration testing may deter some clients from utilizing these features.
What's my experience with pricing, setup cost, and licensing?
I don't have firsthand knowledge of Veracode pricing, but based on client feedback, it seems to be expensive with additional fees for certain features.
What other advice do I have?
I would rate Veracode eight out of ten.
Maintenance is performed by Veracode.
During a Veracode evaluation, consider the following factors:
- Evaluate the time required for Veracode to complete a scan. Faster scans allow for quicker feedback and integration into development workflows.
- Consider the overall cost of Veracode, including licensing fees and any associated charges for scans.
- Assess Veracode's orchestration tools, particularly its compatibility with your existing CI/CD pipeline. Ideally, Veracode should offer seamless integration for easy adoption.
- Evaluate the availability and variety of connectors Veracode offers for integration with your development tools. A wider range of connectors simplifies the integration process.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Executive Director at Precise Financial Systems Limited
Has great static scanning and has had a significant impact on our organization's ability to address flaws
Pros and Cons
- "The static scan is the most valuable feature."
- "Veracode is costly, and there is potential for improvement in its pricing."
What is our primary use case?
We use Veracode to ensure our solutions meet the security standards in the financial industry in Nigeria.
How has it helped my organization?
Veracode does an excellent job of preventing vulnerable code from entering production.
Veracode ensures that the products we create for our clients are free of any code-related issues. This keeps them satisfied with our service and encourages them to continue doing business with us.
Veracode provides peace of mind and increases confidence in our code within the market. We realized the benefits within a few months.
At first, we experienced a high number of false positives, but the Veracode team provided guidance that enabled us to significantly reduce the count.
Initially, our developers were frustrated due to the high false positive rate. However, as we managed to reduce the number of false positives and the developers recognized that these were not actual issues, their morale improved, and their acceptance of the use of Veracode increased.
The false positive rate of the static analysis reduced the time that we spend on different operations.
Veracode has had a significant impact on our organization's ability to address flaws. The solution is capable of detecting issues and providing suggestions that assist us in rectifying problems within the code.
Veracode helps our developers save time. We review the recommendations provided by the solution, adhere to our best practices, and then proceed to implement these suggestions. In cases where we might have had three lines of code, the solution is capable of reducing that to one or two lines. I would estimate that Veracode has decreased our developer time by 40 percent.
Veracode enables us to enhance our security posture by applying the knowledge we acquire through Veracode to all our new projects. Additionally, we can revisit previous projects to implement upgrades and add features, thereby enhancing their security.
Veracode helps to decrease our DevSecOps costs by saving our developers' time and aiding in the production of error-free code.
What is most valuable?
The static scan is the most valuable feature. We are also currently evaluating the Dynamic scan.
What needs improvement?
Veracode is costly, and there is potential for improvement in its pricing. In our region of the world, it is challenging to attract a significant number of sign-ups due to its unaffordability.
For how long have I used the solution?
I have been using Veracode for one year.
What do I think about the stability of the solution?
Veracode is stable.
How are customer service and support?
Based on the limited interaction we've had with technical support, I am satisfied with their service.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used a tool in the past that was free, but we couldn't depend on the quality of the scans it provided in the free version.
What's my experience with pricing, setup cost, and licensing?
The cost of Veracode is high.
There comes a point when we must make a decision between cost and quality, and we chose to prioritize quality by selecting Veracode. The confidence that Veracode instills in both our developers and clients justifies the associated cost.
We have four solution licenses for the static analysis scans.
Which other solutions did I evaluate?
We also evaluated one of Veracode's competitors. After conversing with the sales and technical teams of both solutions, we concluded that Veracode was the best choice for us.
What other advice do I have?
I rate Veracode an eight out of ten.
We are currently in the process of investigating Veracode's capability to offer insight into the status of applications at each stage of development.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager Consultant at a tech services company with 1-10 employees
Has assisted our customers in deploying safely, thereby reducing both risk and hassle
Pros and Cons
- "Static code scanning is the most valuable feature."
- "I would like Veracode to also have the ability to fix these flaws in a future release."
What is our primary use case?
We are a Veracode reseller and we utilize their solution for software vulnerability analysis. Our primary objective is to identify any security issues in open-source libraries that have been rejected. Additionally, we perform dynamic code scanning and employ Static Application Security Testing for comprehensive application security testing.
How has it helped my organization?
Veracode prevents 100 percent of vulnerable code from entering production.
Veracode has assisted our customers in deploying safely, thereby reducing both risk and hassle. Additionally, the solution has aided in reducing the costs associated with problem resolution. We noticed the benefits within the first day of using Veracode.
Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. We only need to specify the regulation we must comply with, and the report will be generated instantly.
Veracode provides visibility into the status of applications at every phase of development. It is one comprehensive integrated system, but we can also utilize specific features like SAST if we require it.
In the absence of Veracode, the security team typically informs the developers about the policies that must be adhered to, and they enhance the code in a manner that ensures compliance. However, when Veracode is utilized, this step becomes unnecessary. Each individual focuses on their respective strengths, allowing for seamless collaboration.
We have compared Veracode with other solutions, and its false positive rate is the lowest in the industry.
Veracode's low false positive rate is key to our ability to avoid being burdened by false alerts and focus on fixing code.
Veracode's false positive rate of the static analysis has helped save us time.
Veracode helps fix flaws. Our customers have reported that it is faster and more compliant, making it easier for them to send out reports to various stakeholders when they have questions. For example, when dealing with higher-level management, we can create a report containing comprehensive statistics and informative pie charts, which greatly assists them. Additionally, this helps demonstrate the value of Veracode during internal assessments.
Veracode helps our developers save time.
Veracode helps improve our security posture as it ensures compliance and simplifies the process.
Veracode helps our developers save costs.
What is most valuable?
Static code scanning is the most valuable feature. Moreover, Veracode integrates with various frameworks and workflow solutions.
What needs improvement?
Veracode has the capability to identify flaws in the code. I would like Veracode to also have the ability to fix these flaws in a future release.
For how long have I used the solution?
I have been using Veracode for four years.
What do I think about the stability of the solution?
Veracode is an exceptionally stable solution.
What do I think about the scalability of the solution?
We can scale Veracode from one to thousands of applications within a minute.
Veracode is used by some of our customers for individual applications, as well as by others for thousands of applications.
How are customer service and support?
The technical support is great.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
In addition to previously using SonarQube, we also employed several other solutions before transitioning to Veracode due to its superior reporting capabilities.
How was the initial setup?
The initial setup is straightforward. The deployment time depends on the size of the built solution. If we consider a relatively modest number of apps, I would say that they can be up and running within a day or two. We first completed a good analysis of what our customer wanted and because Veracode is a cloud solution, we can have a code scan running within minutes. It is easy to integrate other frameworks and work with applications that are already integrated with Veracode. One product owner or software developer can handle the deployment.
What about the implementation team?
The implementation was completed in-house.
What was our ROI?
With Veracode, the benefits are clear, and we can see a return on investment through the visibility it offers. This enables us to fix flaws sooner, thereby reducing the time to market for our customers.
What's my experience with pricing, setup cost, and licensing?
Veracode provides value for the cost, with no additional charges apart from the standard licensing fee.
What other advice do I have?
I would rate Veracode a perfect ten out of ten because it consistently delivers on its promises.
Those who are concerned about Veracode's price should be aware that the solution holds value. Additionally, they should consider that other solutions are on-premises and require additional fees for reporting traffic processed, unlike Veracode.
The maintenance is all taken care of by Veracode.
Veracode is so straightforward that I have no advice to offer to anyone.
There are many companies out there that do not consider code security when thinking about cybersecurity risks. This holds true even for larger companies, where it is still a greenfield situation.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Managing Director at Century Bottling Company
The Software Bill of Materials feature helps you understand what to do to minimize risks and maintain compliance
Pros and Cons
- "I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."
- "Static scanning takes a long time, so you need to patiently wait for the scan to complete. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings."
What is our primary use case?
I use Veracode to ensure the projects I deliver don't have vulnerabilities.
How has it helped my organization?
Veracode provides insight into vulnerabilities at every stage, so your team can progress through the development cycle more efficiently. It improves developer confidence by showing us our capabilities and the potential of our code.
Our developers improve and become more efficient using Veracode. Once we identify issues in our code, it's much easier to avoid the same mistakes in future projects. It teaches them how to overcome those vulnerabilities and errors while reducing costs.
Veracode saves a lot of time compared to traditional methods for identifying vulnerabilities. We save around $500 a month using Veracode because we don't need to hire experts.
Veracode has improved our overall security posture. We feel assured that applications we deliver to clients or use internally are highly secure. It has helped us develop strategies to create stable, secure platforms.
What is most valuable?
I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate. I love the Software Bill of Materials (SBOM) feature because it helps you explore various industries and understand what to do to minimize risks and maintain compliance. It's straightforward and ensures my applications are compliant.
It's easy to create reports using the SBOM feature because it has templates that you can customize depending on the reporting requirements. It gives me a report of the compliance requirements for any industry. It helps us internally and improves the services we provide to our clients.
Veracode is great for preventing vulnerable code from going into production because it covers various programming languages like JavaScript and PHP. You can be confident that your code is secure no matter which language you use.
What needs improvement?
Static scanning takes a long time, so you need to patiently wait for the scan to complete. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings.
For how long have I used the solution?
I've used Veracode for three years.
What do I think about the stability of the solution?
Veracode is stable. I've been working with it for a long time.
How are customer service and support?
I rate Veracode support 10 out of 10. They're friendly and responsive.
How would you rate customer service and support?
Positive
How was the initial setup?
Deploying Veracode is straightforward. I did it with one other colleague.
What's my experience with pricing, setup cost, and licensing?
We can afford Veracode, but it's too expensive for small enterprises. If you're concerned about the price, you should weigh the benefits you can achieve. It has saved us a lot of money on DevOps. We save about $500 a month by not outsourcing this work to experts.
What other advice do I have?
I rate Veracode eight out of 10.
It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Testing Engineer at TollPlus LLC.
We like the secrets detection feature
Pros and Cons
- "One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities."
- "Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code."
What is our primary use case?
We use Veracode as part of our development pipelines. It gives us security feedback when we run our applications. Our applications are completely containerized in Docker images with a .NET 4.6 architecture. These are web-based applications, so we want to know that all the HTTP requests are secured. The tool provides us with feedback to ensure that our application security is robust.
We are primarily running Veracode to check for vulnerabilities after the build. There is no pre-build process. We are running a post-build static analysis and dynamic analysis. We run it at the end of the development process.
How has it helped my organization?
Veracode's ability to detect security vulnerabilities is excellent. We can feel confident that none of the vulnerabilities will make it into production. It doesn't take long to realize the benefits from it. The interface is intuitive. We could start to see value from Veracode within a couple of weeks.
We don't have many false positives. We're using the tool's default rules and haven't done much customization. We can feel confident in the solution's results.
We can identify most of the issues before the production stage, and it also enables us to develop better practices in the development process. We also have a security testing team using Veracode to discover vulnerabilities. The discovery of issues after static analysis is super-efficient. It reduces our time spent on these tasks by about 30 percent.
Veracode has had a positive impact on our overall security posture. It's comprehensive, which is critical because our applications are mostly integrated, so we don't want to take any chances.
What is most valuable?
One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities.
Veracode helps us prevent vulnerabilities from entering production. We can put it into the pipeline and set an acceptable limit for vulnerabilities. If the number of vulnerabilities is under the threshold, we can deploy automatically.
What needs improvement?
Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code.
For how long have I used the solution?
I have only used Veracode for a year.
What do I think about the stability of the solution?
Veracode is stable.
What do I think about the scalability of the solution?
Veracode is scalable.
How are customer service and support?
I rate Veracode support eight out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We evaluated another solution briefly but we decided to keep Veracode. Veracode has some issues with container scanning, and we have some container-based applications. We considered bringing in another tool for container scanning, but it was too expensive and Veracode was able to mitigate the issues well enough.
What's my experience with pricing, setup cost, and licensing?
Veracode is affordable. It offers a good value for the security benefits it offers, especially if you're working with applications that involve payment processing. You cannot afford to take chances there.
What other advice do I have?
I rate Veracode nine out of 10. I recommend Veracode, depending on the type of application you are scanning. It's a leading solution in this domain. Veracode is the first name that comes to mind when people are talking about security scanning.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Updated: March 2025