TrustRadius Insights for Veracode are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.
Pros
Customer Support Effectiveness: Users have consistently praised Veracode's customer support for being responsive, helpful, and quick to address their needs. This level of support has been instrumental in resolving issues efficiently and maintaining user satisfaction.
Ease of Use and Integration: Reviewers appreciate the platform's user-friendly interface, well-documented steps for administration, and seamless integration with code repositories, making it easy to navigate and work with. This simplicity contributes to a smoother workflow for users across different tasks.
Comprehensive Analysis and Suggestions: Many users highlight the static code analysis platform for providing in-depth information, valuable suggestions for flaw mitigation across various programming languages, and aiding developers in promptly resolving issues. The actionable insights offered by the platform significantly enhance the development process for organizations.
We use Veracode to perform Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans against our code, repositories, and CI/CD pipelines for code deployments. We also utilized the IDE integration for software engineers to identify code issues earlier in the development lifecycle.
One of the areas Veracode excels in is their reporting. Our application development releases required a Veracode report to be included showing no high/critical findings.
Pros
SAST scanning
SCA scanning
Reporting
CI/CD integration
Cons
UI and UX felt a little outdated in some of the screens.
Lack of flexibility on their outdated pricing model. This has since been corrected in 2023/2024.
Likelihood to Recommend
Veracode has robust coverage of supported programming languages. We faced an issue with a competitor product where we could not scan compiled JavaScript (jar) files. Veracode is able to scan jar files no problem, in addition to many other languages.
Verified User
Director in Information Technology (Computer Software company, 51-200 employees)
We use Veracode for performing Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) scans for all of our products. These scans help us find and address security vulnerabilities early in the Secure Development Life Cycle (SDLC) of every product. We have also automated the SAST, DAST and SCA scans by adding the Veracode scan step in our CI/CD pipelines.
Pros
Veracode performs Static Application Security Testing (SAST) very well by finding flaws in the code using entry points so that it tests for everything a user can interact with in the application. This approach is very helpful for avoiding a lot of false positives early on.
Veracode performs SCA automatically on every SAST scan, so that we don't have to manually scan the application again for SCA scans.
Veracode integrates very well with the ticketing tools, so that it becomes very easy to track every finding and its status within our ticketing tool.
Cons
Veracode sometimes marks some findings as fixed and then in subsequent scans, it reopens the finding. All of this happens even when there is no change in the source code.
Triaging SCA and License risk findings on the Veracode UI is very difficult when you compare it with the SAST findings. I think the "Triage Findings" UI should be the same for all the types of findings for a better user experience.
Veracode's integration with ticketing tools is unidirectional, meaning it only syncs the status from Veracode to the ticketing tool and not the other way around. If the integration is bidirectional, triaging findings could be very convenient.
Likelihood to Recommend
Veracode is a very powerful tool for performing Static Application Security Testing (SAST) and Software Composition Analysis (SCA) for any application. It gives very few false positives from the get go, so less work for the AppSec team for filtering out the false positives.
However, it is not very good at performing Dynamic Application Security Testing (DAST). So, it's not a one-stop scanning tool that fulfills all the needs.
Verified User
Engineer in Engineering (Computer Software company, 501-1000 employees)
We have a system that needs to be safe and secure as it contains a lot of confidential information. We use Veracode to do Dynamic, Static Code and Software Composition Analysis scans. Veracode has helped us identify and fix various security and coding issues which we expect will make our system safer and more secure.
Pros
It can identify OWASP issues.
It provides help on how to fix issues.
Their support helps with any problems that may arise.
Cons
Navigating around the system, especially when going back, sometimes takes multiple clicks as it just keeps reloading the same page.
While we haven't tried the new packaging tools, the way we do packaging and uploading code for static code analysis has been laborious.
Setting up the login process for Dynamic Code Analysis is not easy, as we need to modify script files.
Likelihood to Recommend
There are a lot of different things to configure to get everything up and running. It would be great if there were a wizard that helped step through all the different parts, based on what has been purchased. Once set up, the scans and reports are usually good.
Also, the emails sent when scans have completed should include some highlights of the results, such as whether any new issues were discovered that need to be focused on. Otherwise, it requires constant reviewing.
Verified User
C-Level Executive in Information Technology (Computer Software company, 11-50 employees)
To be SOC 2 and ISO compliant and also to protect our SaaS, we are using this tool to scan every component that we build for SA and SCA. We also have an obligation regarding the fix time and we use the dashboards to keep track of it.
Pros
Integrates with any CI/CD tool like Jenkins
Shows results in a simple way using dashboards
Allows mitigations in a clear manner
Cons
Scans fail if another scan is already in progress using the Java CLI
Module selection is slow to load when it comes to big applications
Module selection is sometimes not clear on what is scannable and what is not and why
Remediation actions for SCA issues: you could recommend how to fix them in a clear way, without forcing the user to click many times to understand it.
Likelihood to Recommend
Integrate Veracode Java CLI with Jenkins and run it on every component build pipeline
Verified User
Director in Engineering (Internet company, 201-500 employees)
We replaced our old tools with Veracode 1 year ago to reinforce our security posture and help us prevent vulnerable code from being added to our products. Each pull request must be analyzed and meet our security policy before it can be merged. We also have to maintain 5 versions and assess the conformity of each of these versions with our policy.
Pros
Low false positive rate by taking into account context and input sanitization
List and details of mitigation proposals
Clear reports and the ability to create your own dashboards
Cons
Some popular dependency managers are not currently supported (e.g. conan, pnpm)
Analysis of compiled languages requires specific preparation before compilation
Likelihood to Recommend
Well suited: SAST is well suited to the analysis of individual commits in non-compiled languages. New vulnerabilities are added as comments in the pull request. We generate daily compliance analyses by running nightly tasks. This provides a daily report to the security team and the managers on SAST and SCA. Flaw mitigation involves every developer in the investigation and proposal. This helps the owners by reducing their workload and sharing knowledge across squads.
Less appropriate: C++ analysis on each commit is not appropriate for our modules, as it takes too long to get results (caused by the unsupported Conan dependency manager). For public repositories, generated baseline files need to be saved securely to avoid sharing.
We use Veracode to provide initial and ongoing security analysis of our software products. We supply ERP software solutions to the paper manufacturing industry. We are a leading supplier of software to this industry and it is important to us to provide a product that is thoroughly tested and free of known critical vulnerabilities. We have incorporated Veracode into our SDLC cycles and perform SCA and dynamic scans within our release cycles. Our application is a very large full ERP application using many third-party libraries. Without Veracode we would be flying without a net.
Pros
Automated scanning of software libraries for vulnerabilities
Management of multiple applications and statuses, and help with security remediation
Veracode Verified program to leverage the security investment as a competitive advantage
Cons
The time it takes to scan large projects makes it difficult to fit into our CI/CD pipeline
One of our app scans times out after 2 hours and we have to upload it and scan manually, but then the CI system has no visibility into the vulnerabilities found
Integration with older development languages to scan. We have an old 4GL-based application that is not compatible with the tools
Likelihood to Recommend
Helps raise the level of awareness throughout the organization on the importance of proper security measures for software development. It allows you to establish a campaign that touts your organization's concern and action towards continual technology threats. Working the Veracode tools into an automated build cycle allows continual focus on the security vulnerabilities within your applications. We are hoping Veracode adapts to large-scale applications, allowing us to auto-scan our application that has over 3 million lines of code.
Verified User
C-Level Executive in Product Management (Computer Software company, 51-200 employees)
As a developer, I have to make sure that the system we are building is safe. Veracode has helped a lot by scanning our code for vulnerabilities. Our security department opens up a ticket process, whereupon we simply open up a new static code scan and wait for the result. When all the vulnerabilities are fixed, we get a sign-off.
Pros
Customer service.
Easy usability.
Good documentation.
Cons
Details in the documentation.
Customer communication for appointments.
Likelihood to Recommend
I think that Veracode is a good basic code scan in order to ensure code security. It is super easy to integrate into CI/CD processes and offers good protection against common code vulnerabilities. It is less appropriate to consider it as the ONLY security consideration for your application.
For years Veracode has been an integral part of our process to reduce our security vulnerability footprint. All of our code is scanned through Veracode's static scan process to ensure we are removing any older vulnerabilities and not introducing new ones. We also use the software composition analysis information to ensure we aren't using any versions of third-party software which may have any vulnerabilities.
Pros
Pointing out use of third-party software versions that are out of date
Providing an easy way to triage flaws -- tying together the flaw, source code, and an explanation in one easy-to-use path
Providing an easy-to-use plug-in for Visual Studio allowing on-the-fly validation of code without having to complete a full scan
Cons
It would be nice if we could more easily customize post-scan reports. The reports are fairly lengthy and not everyone on the team needs all of the details.
It's not always obvious as to what features are available. For example, for years I had no idea one could promote a sandbox scan to a policy scan without having to resubmit it.
Likelihood to Recommend
I would say that Veracode is well suited for any software development it supports. I use it with both Java and .NET based applications and find it works well for both. Veracode cannot provide detailed information if PDB files are not sent with the .NET compiled code.
We do SAST, DAST, and SCA using Veracode. The software composition part does a pretty solid job of identifying all the components involved in our applications. Being able to check for use of vulnerable methods also saves quite a bit of time in assessing the actual risk of any findings. SAST works well enough, but as is usual for such things there are a lot of false positives that need manual review. DAST could use more work, especially with single-page applications.
Pros
SCA
Customer support
2FA
Cons
DAST
Bulk user management
SSO configuration
Likelihood to Recommend
Well suited: Monitoring application security throughout its development
Not well suited: Fully automatic security assessments
Verified User
Professional in Engineering (Computer Software company, 1001-5000 employees)