Veracode

Score8.7 out of 10

213 Reviews and Ratings

What is Veracode?

Veracode provides advanced application security solutions, trusted by enterprises to develop and maintain secure software. Its platform identifies exploitable risks, speeds up vulnerability remediation, and reduces security debt at scale using a proprietary AI-assisted remediation engine.

Media

Screenshot of a fix
Screenshot of the Veracode Platform
Screenshot of SCA
Screenshot of SCA Github

Veracode User Experience

Use Cases and Deployment Scope

It is used across the organization. We are using it for static analysis of our code. We have selected the policy that requires our release code to minimize the level of security faults. Besides static analysis we use Software Composition Analysis, and we found it very helpful in rectifying vulnerabilities from third-party libraries.

Pros

  • Good integration with Jenkins and Visual Studio.
  • Parsing the code well.
  • It has a good dashboard.
  • SCA graphs for transitive dependencies are very useful in identifying the vulnerabilities.

Cons

  • The main problem is the slow speed of the scan - it took 11 weeks in one instance.
  • The problem was ongoing for a number of months and eventually they managed to slash the running time to one day. However, since then the running time usually takes 2-3 days as the scan always stops during the run.
  • While SCA for Java works very well, there are a number of issues on the C++ side. It cannot recognize the libraries built by default from source code by third-party vendors.
  • Especially the newer version produces lots of false positives.

Most Important Features

  • Thorough scan of our code.
  • Integration with our release process.
  • Accurate info about vulnerabilities in third-party libraries.

Return on Investment

  • At the moment, due to the very slow speed of the scan, we cannot fully integrate it in our development process.
  • However, we are using it for our release process.
  • The analysis that Veracode software provides gives us and our client confidence that we are producing secure code.

Alternatives Considered

GitHub

Other Software Used

Microsoft Office 2016 (discontinued), Microsoft Visual Studio, IntelliJ IDEA, Notepad++, Microsoft 365, Atlassian Jira

Usability

Secure your code from IDE to production

Use Cases and Deployment Scope

We use it as a SAST and SCA tool for all the developments in our organization. All our developers analyze the code they write using the IDE plugin and Veracode Fix to help make the software more secure.

Pros

  • IDE integration
  • Gitlab Enterprise integration
  • Reporting for Product Owners

Cons

  • SAML integration when you have multiple domains
  • Scan whole repos to get a sense of security maturity
  • Authorization model for reports and dashboard

Return on Investment

  • No critical or high vulnerabilities get to production
  • Complex onboarding for teams that don't follow enterprise guidelines or that don't have expert devs
  • Once the devs have it working and integrated into the IDE it is easy to use for them

Alternatives Considered

Sonatype Platform, GitLab and Fortify by OpenText

Other Software Used

Appdome, OneTrust Third-Party Management, HackEDU

One-stop SDLC Security

Use Cases and Deployment Scope

We use Veracode as part of our SDLC, to provide for our SAST, DAST and SCA.

Pros

  • Assemblies
  • Code scanning
  • Dynamic scanning
  • Presenting results

Cons

  • The web interface needs some getting used to
  • Some parts seem a little off, as it's a different piece of software that Veracode is trying to fit in

Return on Investment

  • It makes our software offering safer
  • It educates developers
  • It saves time to have everything in 1 tool

Other Software Used

Microsoft Defender for Cloud

Superior code scanning enabling faster and more secure code.

Use Cases and Deployment Scope

We use Veracode to perform Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans against our code, repositories, and CI/CD pipelines for code deployments. We also utilized the IDE integration for software engineers to identify code issues earlier in the development lifecycle.

One of the areas Veracode excels in is their reporting. Our application development releases required a Veracode report to be included showing no high/critical findings.

Pros

  • SAST scanning
  • SCA scanning
  • Reporting
  • CI/CD integration

Cons

  • UI and UX felt a little outdated in some of the screens.
  • Lack of flexibility on their outdated pricing model. This has since been corrected in 2023/2024.

Return on Investment

  • High effectiveness in detecting insecure code
  • Streamlined release cycle by building security controls into deployments
  • Highly customizable reporting simplifying reporting to stakeholders.

Alternatives Considered

Snyk and SonarQube Cloud

Other Software Used

Cloudflare, Zscaler Internet Access, Zscaler Private Access, PortSwigger Burp Suite, KnowBe4 Security Awareness Training, Infosec IQ, incident.io

My experience with Veracode

Use Cases and Deployment Scope

  • We run static scans on a regular basis (integrated in our continuous integration) on all our major branches.
  • We review the Software Composition Analysis and the "Triage flaws" section on a regular basis (minimum every week).
  • We run a dynamic scan before each major version release.
  • Our goal is to fix all the Very high/high/medium vulnerabilities this year. We'll then look at the minor ones.

Pros

  • Report generation
  • Flaws description and remediation strategy
  • Consultation requests

Cons

  • Scan results stability: from one scan to another, additional flaws appear whereas code did not change.
  • Entry points selection: hard to be sure selection is optimal, should be automatized or hidden.
  • Branch management: we currently use sandboxes to scan different branches of our software. Would be good to have real branch management.

Return on Investment

  • Adoption by developers: they are more aware of security aspects.
  • Allows us to see where we are in terms of applicative security
  • We're able to deliver clear security reports to our clients

Alternatives Considered

JFrog Security (Xray), Coverity Static Analysis (SAST) and CheckMark 1095

Other Software Used

SonarQube, JFrog Security (Xray), OWASP ZAP