TrustRadius Insights for Veracode are summaries of user sentiment data from TrustRadius reviews and, when necessary, third-party data sources.
Pros
Customer Support Effectiveness: Users have consistently praised Veracode's customer support for being responsive, helpful, and quick to address their needs. This level of support has been instrumental in resolving issues efficiently and maintaining user satisfaction.
Ease of Use and Integration: Reviewers appreciate the platform's user-friendly interface, well-documented steps for administration, and seamless integration with code repositories, making it easy to navigate and work with. This simplicity contributes to a smoother workflow for users across different tasks.
Comprehensive Analysis and Suggestions: Many users highlight the static code analysis platform for providing in-depth information, valuable suggestions for flaw mitigation across various programming languages, and aiding developers in promptly resolving issues. The actionable insights offered by the platform significantly enhance the development process for organizations.
I have been using Veracode for nearly 2 years; we are using its SAST and DAST features. Previously there was no source code validation in our software development life cycle. We used this tool to shift security to the left, and tried to make the process as automated as possible. The best thing about this tool is that it can fit anywhere with flexible plugins at different stages of the SDLC. Even the support is very good and cooperative.
Pros
Veracode integrates into the IDE, where development starts. IDE scans help in reducing the versions of code.
The best thing about Veracode is that it is a SaaS platform, and we can run the scan and do our other work in parallel.
Veracode dynamic analysis is pretty good, as it clearly shows the requests it sends to the server and the responses it receives from the server, which helps in analyzing the vulnerabilities more easily.
Cons
Reporting work can be improved.
Likelihood to Recommend
It is best suited for Agile-model projects, where the business has continuous releases of its products. Other than that, I can't comment on the scenarios where it is less appropriate, as I need to experience it more.
* We run static scans on a regular basis (integrated in our continuous integration) on all our major branches.
* We review the Software Composition Analysis and the "Triage flaws" section on a regular basis (minimum every week).
* We run a dynamic scan before each major version release.
* Our goal is to fix all the Very high/high/medium vulnerabilities this year. We'll then look at the minor ones.
Pros
Report generation
Flaws description and remediation strategy
Consultation requests
Cons
Scan results stability: from one scan to another, additional flaws appear whereas code did not change.
Entry points selection: hard to be sure the selection is optimal; should be automated or hidden.
Branches management: we currently use sandboxes to scan different branches of our software. Would be good to have real branches management.
Likelihood to Recommend
* (+) Report generation for our clients: reports are very comprehensive and look professional.
* (-) Veracode pipeline scan: takes too much time; we need to split our application so that it can fit within the timeout (2h). Currently we're not able to use it, and we still use the "upload & scan" functionality in our CI pipelines. This is a showstopper for being able to break the build in case of a new vulnerability, and also for using the Fix AI-based tool.
We use Veracode as our primary source for Dynamic (DAST) Scans and Annual penetration testing. We were looking for ways to consolidate tooling in our organization with a centralized cloud product and Veracode provides that.
Pros
Provides robust readouts on vulnerabilities.
Allows for detailed or customized reports to fit your organization's or clients' needs.
Remediating findings in the tool is exceptionally easy to understand and execute.
Cons
MPT Results should be segmented from DAST/SAST results.
MPT Reports should include more information on scoping and testing dates as generally provided by accounting firms conducting similar tests.
Vulnerability readouts should not be so hidden in the platform (It shouldn't take as many clicks to get to and view).
Likelihood to Recommend
This application is exceptionally suited for regular compliance checks/scans. Being able to 'set it and forget it' is critical to allowing continuous scanning. However, DAST Scans do not appear to allow true continuous scanning as you have to re-create scanning rules once annually (Likely due to contract terms).
Verified User
Manager in Information Technology (Information Technology & Services company, 201-500 employees)
We use it primarily for scanning web applications, while others might use it to secure mobile apps, APIs, or even IoT devices. The ultimate goal is to reduce the risk of security breaches and ensure that software applications are developed and maintained. IDE integration and security testing are the best features for identifying and addressing security vulnerabilities in my software applications.
Pros
IDE Integration
SCA
SAST
Cons
Plug-in pipeline
CI/CD
Pull requests
Likelihood to Recommend
It is used in DevOps to identify security flaws before going to production. Common and hidden areas of software can be ignored if it's too wide, so the report and triage flaws help security teams understand where to improve. Furthermore, MPT is great for providing details and vulnerabilities that don't arise from DAST.
Verified User
Engineer in Research & Development (Computer & Network Security company, 51-200 employees)
We use Veracode for Static and Dynamic scans and Software Composition Analysis (SCA) across multiple products. The Jenkins automation is a lifesaver for Static scans and SCA since it gets us out of the business of uploading builds manually. We're also utilizing the Jira integration to manage vulnerabilities, from creating new tickets to resolving and closing them when a vulnerability is no longer present. Dynamic scanning can take some tweaking to get running smoothly; however, once things are dialed in, it's another scan that can be scheduled to run automatically. Arguably the most powerful tool, Software Composition Analysis, runs along with our Static scans and gives us insight into vulnerabilities in third-party libraries, newer versions available where a vulnerability is resolved, as well as their licenses.
In all, Veracode is a critical tool that helps us remain compliant with our various annual third-party audits.
Pros
Automation
Software Composition Analysis
Integrations
Cons
More insight into errors that may be causing an issue when configuring an integration, e.g. Veracode's Jira integration.
Static Analysis can sometimes get 'stuck' when using the Jenkins integration. Days, sometimes weeks, can go by before we notice. We have to delete the 'stuck' scan and re-upload.
Manual Pen Test account management/reminders. I would expect the vendor to reach out and schedule the pen test annually, maybe send a notification/reminder when the date starts getting close, things like that. From my experience it was on me to initiate our MPT.
Likelihood to Recommend
Veracode is well suited for small software companies, as well as organizations supporting multiple products. A well-defined and orchestrated build process will be a huge help when setting up a build upload integration with Veracode. Once scans are running smoothly, and assuming you have an integration with your ticketing system, you will rarely have to sign into Veracode's interface.
Verified User
Vice-President in Information Technology (Information Technology & Services company, 51-200 employees)
This product has efficient data security control tools that enhance a safe working environment for all teams. It gives our team CI and CD critical data that gives us a reliable development infrastructure for better results. It protects the software development ecosystem from security threats that can affect efficient production. I have not experienced project implementation challenges since we started working with this platform.
Pros
Monitoring software development infrastructure.
Prevention of security threats.
Provision of intelligent security information.
Cons
The features are awesome.
I have familiarized myself with all the set features.
The overall performance is good.
Likelihood to Recommend
It is easily customizable to suit company security policies. The software has simple coding tools that enable our team to identify errors before completion of any given project. The security intelligence that has been provided over time has saved the company the cost of security drawbacks. The customer support team is always available when reached for any solution.
This is a very thorough tool to statically scan your source code. It works very well for us, and it's always interesting to see how your code writing changes over time as you become more security focused. We are in the process of setting up dynamic scans, but for now we are doing static scans only. They take a little time to complete, but we are scanning our entire software suite so it's to be expected. We have found a number of issues, some of which are in legacy code which we are probably not going to fix as it is actively being replaced.
Pros
Static scans
User Interface
Results of scans with detailed descriptions of what the issue is and how to potentially fix it
Cons
The time to complete a static scan
Likelihood to Recommend
The ease of integration into our CI/CD pipeline (it only added a couple of minutes extra per build) followed by a weekly static scan of our entire code base which in turn generates results of all the severe items identified. Sometimes they are false positives as it's in libraries we don't control, but we pass on the findings back to the library maintainer(s). Often we have to modify our code slightly to mitigate/patch/fix the issue.
Veracode is used to find any flaws that can affect the application in production even before the product is deployed in any environment. Almost all types of scans can be performed using Veracode. Veracode is famous for its SAST and SCA scan, which attracts users due to its transparency and security.
Pros
SAST Scan
SCA
DAST
Cons
Flagging false positive.
Linking of SCA and SAST Scan.
Needed to see an aggregated score for all the modules in an application.
Likelihood to Recommend
I will say it is a nine because the aggregated score of all the modules in an application is not shown anywhere in the Veracode. Otherwise, it's good for the easiness and stability of the application that a developer and an organization are keen to see in a penetration application, respectively.
Verified User
Engineer in Engineering (Information Technology & Services company, 10,001+ employees)
Our company maintains highly confidential information about our clients. Keeping our systems and data secure and protected is at the heart of what we do. We use Veracode to help us in this endeavor. We rely on Veracode's products and services to ensure that we maintain the level of trust and confidence that our clients give to us.
Pros
Double checking the security of our code
Integrating into our CI/CD process to help us catch and resolve new flaws
Helping us maintain our compliance
Cons
The documentation could really use some work
I am skeptical of the thoroughness of the scans on newer languages and frameworks
The scan takes too long
The IDE tools leave much to be desired
Too many false positives
Likelihood to Recommend
It is useful for maintaining security compliance. The manual penetration test is very useful to have in addition to the flaw identification algorithm.
Due to the lengthy amount of time it takes to scan, it's not useful for testing every commit. The Visual Studio extension does not make it easy for developers in day-to-day programming.
Veracode is an amazing tool that enabled us to identify several security loopholes, especially through dynamic analysis. Static analysis was helpful in plugging gaps as well. It's one of the best out there. One of the things we really loved about Veracode was the level of detail provided to identify issues and help resolve them, especially given we used several platforms such as .NET, .NET Core and Windows.
Pros
Identify security loopholes
Gives us detailed issue reports
Provides a sense of confidence for the developers. We plugged some critical ones with this
Provides summary reports that we can share with clients as well
Cons
Dynamic Analysis sometimes took a lot of time to run
The user interface especially accessing reporting was difficult to find
Provide direct integration with DevOps pipelines in the future if possible to run the static analysis for commits if required
Likelihood to Recommend
Best Case Scenario:
1. Review your source code and security patching on the code.
2. Run real-time tests and penetration testing with dynamic data.
3. Instill confidence with the customers.
Not so well:
1. The timeout on the app is annoying.
2. The UI is not so great.
Verified User
Manager in Engineering (Information Technology & Services company, 1-10 employees)