Raj Nachiappan - PeerSpot reviewer
Director of Solutions Architecture at VetsEZ
Real User
Penetration Testing solution used by development team for static code analysis
Pros and Cons
  • "Our development team uses this solution for static code analysis and pen testing."
  • "The runtime code analysis could be improved so that we can see every element in one place."

What is our primary use case?

Our development team uses this solution for static code analysis and pen testing.

What needs improvement?

The runtime code analysis could be improved so that we can see every element in one place.

For how long have I used the solution?

I have used this solution for two years. 

What other advice do I have?

I would rate this solution an eight out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1825527 - PeerSpot reviewer
Product Security Engineer at a tech services company with 5,001-10,000 employees
Real User
Good pipeline scanner, requires minimal maintenance, and helps easily reveal design flaws
Pros and Cons
  • "With the pipeline scanner, it's easier for developers to scan their products, as they don't have to export anything from their computers. They can do everything with the command line on their computer."
  • "Maybe the pipeline scanning doesn't support enough languages. It might only support Java and Python, so that could be improved."

What is our primary use case?

I'm working on security reviews for our in-house products. We are trying to solve problems. The use case for Veracode is to discover flaws in design before our application reaches end customers. We are using Veracode as one of the tools to ensure that our products are following secure design guidelines.

How has it helped my organization?

We have some applications where Veracode found a potential XSS due to improper input controls. Based on Veracode's recommendations, I worked with the dev team to remediate the flaw. That's something I would probably have missed if I had only done a manual code review.

What is most valuable?

We recently started working with the pipeline scanner, which is quite useful. In Veracode, you need to upload zip files of the source code. With the pipeline scanner, it's easier for developers to scan their products, as they can do everything via the command line. When the scanner detects a flaw, it also generates a good explanation of that flaw and good references for mitigation. That's also very useful for us.

What needs improvement?

In terms of improvement, I don't have any valuable input. The application works fine and I don't have any negative feedback. Maybe the pipeline scanner can be improved to support some additional language packages.

For how long have I used the solution?

I've used the solution for two years now. It hasn't been that long. 

What do I think about the stability of the solution?

The solution is stable. I haven't experienced any hiccups in my work in any way. 

How are customer service and support?

I haven't worked with Veracode's support and therefore cannot comment on how helpful or responsive they are. 

Which solution did I use previously and why did I switch?

I don't have experience with other SAST products.

How was the initial setup?

This solution was already deployed when I was hired. I can't speak to what the deployment process was like. 

The maintenance is minimal. I just need to create accounts for people who want to scan by themselves and that's it. It's easily maintainable.

What's my experience with pricing, setup cost, and licensing?

I don't have any insights on pricing. I don't handle any aspects of the licensing process so I can't speak to the overall costs or terms.

What other advice do I have?

We are accessing via a web browser to Veracode. I'm guessing it's some type of cloud deployment, hosted by Veracode.

We have a lot of applications that are scanned with Veracode. We did scans for some of our core products, as well as on-demand products, and web applications. I'm mostly working with web applications for now. 

Based on my experience, new users should check as many features as they can, and also read the reports carefully. That way, they can get a full picture of how this product works.

I'd rate the solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
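The review above mentions a potential XSS caused by improper input controls and remediated on the scanner's recommendation. The following is an added example, not code from the page or from Veracode, showing the two controls such a finding usually calls for: an allowlist check on the input and contextual output encoding at the point where the value is written into HTML. The endpoint shape, the `MALICIOUS_QUERY` sample and the allowlist pattern are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample inputs: what an attacker submits as a search term.
MALICIOUS_QUERY = "<script>alert(1)</script>"
ATTR_BREAKOUT = '" onfocus="alert(1)" autofocus="'

# Assumed allowlist for a search term: letters, digits, spaces and a few
# punctuation characters. Tighten or loosen for the real field.
QUERY_PATTERN = re.compile(r"^[\w\s\-.,']{1,100}$")


def render_search_vulnerable(query: str) -> str:
    """Untrusted input interpolated straight into an HTML text node.

    This is the reflected-XSS pattern a static scanner flags: no validation,
    no encoding, so a <script> payload reaches the browser intact.
    """
    return f"<p>Results for: {query}</p>"


def validate_query(query: str) -> str:
    """Input control: reject anything outside the allowlist.

    Validation alone is not an XSS fix (a legitimate apostrophe still needs
    encoding), but it shrinks the attack surface and gives a clear error.
    """
    if not QUERY_PATTERN.match(query):
        raise ValueError("query contains characters outside the allowlist")
    return query


def render_search_fixed(query: str) -> str:
    """Output control: HTML-encode at the text-node sink.

    html.escape with quote=True also encodes " and ', so the same helper is
    safe for the attribute context used in render_attr_fixed.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_fixed(query: str) -> str:
    """Attribute context: the value must be encoded *and* quoted."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def handle_search(query: str) -> str:
    """Apply both controls: validate first, then encode at the sink."""
    return render_search_fixed(validate_query(query))


if __name__ == "__main__":
    print(render_search_vulnerable(MALICIOUS_QUERY))  # payload intact
    print(render_search_fixed(MALICIOUS_QUERY))       # payload neutralised
    print(render_attr_fixed(ATTR_BREAKOUT))           # quotes encoded
```

The defence-in-depth point is that `validate_query` and `render_search_fixed` are independent: either one alone blocks the sample payloads here, but only encoding at the sink is correct for every value the allowlist admits.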
Buyer's Guide
Veracode
July 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
reviewer1596348 - PeerSpot reviewer
IT security architect at a consumer goods company with 10,001+ employees
Real User
Effective static analysis, plenty of tools, but needs better support for languages
Pros and Cons
  • "The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
  • "The solution could improve the dynamic application security testing (DAST)."

What is our primary use case?

We are using this solution for static analysis.

What is most valuable?

The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools.

What needs improvement?

The solution could improve the dynamic application security testing (DAST).

There could be better support for different languages. In some languages it is very difficult to prepare the solution for static analysis, and this procedure is really hard in a pipeline such as GitHub. They should make it easy to scan projects in any language, as other vendors, such as Checkmarx, do.

We have found there are a lot of false positives, and the severity rating we have been receiving has been different compared to other vendors' solutions. For example, in Veracode we receive a rating of low, but in other solutions we receive a rating of high when doing the glitch analysis.

For how long have I used the solution?

We have been using this solution for approximately six years.

How are customer service and technical support?

We have not had much free expert support from the vendor. We have had to have a team of highly skilled individuals to make the solution work.

How was the initial setup?

The initial setup is difficult. For example, on Android, if I need to scan an ordinary APK application, we need to generate the APK, and when you are working in GitHub you need to do a lot of work to make these combinations scannable by Veracode.

What about the implementation team?

We did the implementation ourselves.

Which other solutions did I evaluate?

I have previously evaluated Checkmarx.

What other advice do I have?

The solution is good at finding issues and provides some very useful tools. I would advise those wanting to implement this solution to purchase professional support from the vendor. If you do not, you run the risk of having many problems such as the ones we have faced.

The DAST tool is very useful and is used in preproduction.  

I rate Veracode a six out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1542384 - PeerSpot reviewer
Senior Project Manager at a computer software company with 501-1,000 employees
Vendor
Comprehensive features and good integrations but needs better documentation
Pros and Cons
  • "It's comprehensive from a feature standpoint."
  • "The reports on offer are too verbose."

What is most valuable?

The SAST feature is the most valuable aspect of the solution.

The stability has been quite good overall. The performance is reliable. 

The scalability on offer is good. I don't see any constraints.

From a usability standpoint and the way it can be integrated into the pipelines, etc., it's very good.

It's comprehensive from a feature standpoint. 

What needs improvement?

The reports on offer are too verbose. They might want to consider restructuring their reports to give a very good summary or overview in the first five or so pages and then drill into the details of each and every vulnerability beyond that.

The documentation could be improved. They could, for example, provide more details in terms of how to fix issues related to sign-ups. There isn't enough detailed information out there to assist users.

For how long have I used the solution?

I joined this company very recently. Therefore, I've only used the solution for a few months. However, this company has used Veracode for at least the last two to three years. They've had it for a while.

What do I think about the stability of the solution?

The stability overall is quite reliable. There are no bugs or glitches. It doesn't crash or freeze. Its performance is very good.

What do I think about the scalability of the solution?

The solution can scale well. If a company is considering expanding, it should be able to do so without issue.

We do have a limited amount of users on the solution right now.

How are customer service and technical support?

I've never had a need, up to this point, to reach out to technical support. I haven't really come across any technical issues during my short tenure with the product. Therefore, I can't speak to how helpful or responsive they are. I don't have any insights I could share. 

How was the initial setup?

We have a few team members that specialize in the solution.

Our team handles the maintenance of the solution.

What's my experience with pricing, setup cost, and licensing?

I don't have enough information to be able to comment on the cost of licensing the product. That's more of a sales question. I don't handle any aspect of that part of the solution.

What other advice do I have?

We are customers and end-users. We don't really have a business relationship with Veracode.

I'm more from the performance testing side of things. I've just added the security testing to my list of responsibilities recently.

We're using a mix of deployment models. We use both on-premises and cloud deployments. 

It's a good tool. I've done some comparisons with both SAST and DAST. It gives us this end-to-end sort of feature that we appreciate. Therefore, rather than you doing SAST with one tool and DAST with another tool, I prefer going with Veracode, which offers both. 

You can learn both static and dynamic scans with a single tool. You could effectively negotiate a price and do that. If you've got some simple apps, from a CAC standpoint, I'd recommend folks use Veracode.

I'd rate the solution at a seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Chief Executive Officer at Cybrella
Real User
Deployment was easy, configurable, and simple to manage
Pros and Cons
  • "The installation was straightforward."
  • "There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved."

What needs improvement?

There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved.

For how long have I used the solution?

We have been using the solution for approximately three months.

How was the initial setup?

The installation was straightforward.

What other advice do I have?

I rate Veracode Manual Penetration Testing a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1465254 - PeerSpot reviewer
Software Engineer at a tech services company with 1,001-5,000 employees
Real User
Verification that an app is secure gives us higher credibility with clients and better performance
Pros and Cons
  • "It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
  • "I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."

What is our primary use case?

We use the Static Analysis, Dynamic Analysis, and SCA, the software composition analysis.

How has it helped my organization?

The Static Analysis has identified flaws.

From a developer point of view, it has really helped me to know about many security best practices that I need to follow.

There are also security specialists, although it's not my area, who work on strategy to mitigate flaws. It classifies things into three levels: high, medium, and low, the latter being the ones that you can live with. It tells you which are very critical and you need to fix. That helps management to determine the strategy of what to fix next.

When you reach a level of security in your application and you get verification from Veracode that your app is secure, that helps in selling products. Mitigating flaws and being sure that your product is secure is going to give you higher credibility with clients and better performance.

In our use case, some of our products have dependencies in separate apps. Before going into production, each dependency has its own sandbox to help us identify the vulnerabilities in that certain dependency. Then there is the software composition analysis, the SCA, that helps us scan all the vulnerabilities when those modules are integrated with each other. Before deploying the whole app into production, we fix the flaws and increase the score. We have a whole company policy that some high-level security experts put in place. Before we move on to the next level of scanning we need to get to a certain score. That has really helped us. Each time, they make the analysis a little harder, to dive deeper into the code and go through different scenarios to find more flaws. That has really helped us have the minimum required number of issues and security flaws, when we go into production.

What is most valuable?

The most valuable features are the application analyses: 

  • Static Analysis
  • Dynamic Analysis
  • SCA, the software composition analysis, to scan all the models together. 

These are the three features we've mostly been using.

It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail. 

You can detect which line is causing the issue and it gives you some insights about, for example, whether you have a dependency problem in your inputs or some known vulnerabilities. It even gives you an article so that you can read about it and know how to mitigate it in some cases. Sometimes there are well-known flaws in third parties and you should upgrade to another version to resolve your issues. Veracode guides you.

I haven't tried any other platforms, but from what I have seen, it is really fast. You just upload the files, which is easy to do, and you can follow the scanning progress on the platform. Once it's done you get an email and you just access the platform. I don't know what other tools are like, but for me, Veracode is user-friendly.

What needs improvement?

I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help. 

I would also like to see more integration with other frameworks. There were some .NET Core versions that weren't supported back when we started, but now they're providing more support for it.

For how long have I used the solution?

I've used Veracode since October, 2018.

What do I think about the stability of the solution?

The solution we are using is stable. So far, it seems to be really practical.

What do I think about the scalability of the solution?

In our company, other products are using it, not just our product. So it's surely being used by other developers. There is also management between the applications. Each team has its own hierarchy in the company and the organizational levels are handled well in the solution. We have an upper manager and the administrator of the app. And each product has its own dashboards and its own access rights, so I cannot see the results of other people.

How are customer service and technical support?

There was a time when we needed support from them. We organized a call because the license the company had included the possibility to have a support call with one of the Veracode guys, when we first started using it. They were very helpful, showing us how to use it. They provided support on how to integrate the extension. We had a one hour call with them and they were really helpful.

They also asked for some feedback. It feels really good to have that community working together. We feel engaged with the whole Veracode community.

What other advice do I have?

I've participated in some of the online courses, which helped. There are some levels that the team should have. You follow some courses, you get to level one, and then you move on to the next level. Each level of certification was really useful to learn about some of the flaws and some of the vulnerabilities that we could face. They give you some great use cases and how to remedy things in C# and many different languages. The online course also shows you how a developer can make some mistakes in his code, and how those mistakes can be used to bypass app security. By knowing that, you can avoid doing it in the future.

There were also some events organized recently—security labs—and they were also useful. There were tasks and I even had to work on them outside of work, but they were really helpful and a challenge.

The training also helped us to identify the existing vulnerabilities in our code and some of the third parties that we are using that have vulnerabilities in them. We know we need to upgrade them.

My advice is that you should follow the training, initially. It was really helpful, even at the first level. Then, go on and read all the detailed documentation online. There are even some video tutorials which are really helpful. These are the steps that I followed.

There is a section on the supported frameworks. Veracode supports a wide variety of languages, but it would be good to check that before diving into the analysis and why it's not detecting your code.

I have been really satisfied with the areas of Veracode that I have had a chance to work with.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Raj Nachiappan - PeerSpot reviewer
Director of Solutions Architecture at VetsEZ
Real User
Easy to set up and it helps ensure that our code is secure
Pros and Cons
  • "The most valuable feature is the dynamic application security testing."
  • "In the future, I would like to see the RASP capability built-in."

What is our primary use case?

We use Veracode to ensure that the software we are building is secure.

What is most valuable?

The most valuable feature is the dynamic application security testing.

What needs improvement?

It takes a while to get a response to the software composition analysis. It is within an acceptable range but it could still be improved.

In the future, I would like to see the RASP capability built-in.

For how long have I used the solution?

We have been using Veracode SCA for three months.

What do I think about the stability of the solution?

SCA is pretty stable.

What do I think about the scalability of the solution?

Scalability doesn't really apply to a software composition analysis tool.

How are customer service and technical support?

The technical support is pretty good. When I requested help they contacted me within an hour. I don't have any issues with them.

How was the initial setup?

The initial setup is pretty straightforward.

What other advice do I have?

In summary, I think that this is a good tool and I recommend it for helping with security in software development.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1359297 - PeerSpot reviewer
Software Engineer at a financial services firm with 501-1,000 employees
Real User
Source composition analysis component gives our developers comfort in using new libraries
Pros and Cons
  • "The source composition analysis component is great because it gives our developers some comfort in using new libraries."
  • "I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."

What is our primary use case?

This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web exposed systems but with maturity, we hope to increase that scope.

How has it helped my organization?

The Veracode platform probably hasn't improved our organization overall, although through no fault of theirs. Veracode is just one more tool that generates work for our developers.

What is most valuable?

The source composition analysis component is great because it gives our developers some comfort in using new libraries.

What needs improvement?

I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get uploaded and/or processed by Veracode. Now there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is to go into the Web UI, check each application, and look for stalled scans. This is time-consuming and frustrating.

For how long have I used the solution?

I have been using Veracode for three years.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
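The review above describes CI-triggered static scans that silently stall and block every later scan, discoverable only by clicking through each application in the Web UI. The following is an added example, not code from the page or from Veracode, of the check a team could run on a schedule to get that missing indicator: take the current scan status of every application, treat any scan that has sat in a non-terminal state longer than a threshold as stalled, and fail the job so someone is alerted. The status vocabulary, the record fields and the `SAMPLE_SCANS` data are assumptions constructed for illustration; in practice the records would come from the platform's API or exported report.

```python
from datetime import datetime, timedelta, timezone

# Assumed status vocabulary. Only terminal states are listed; anything else
# is treated as "still in flight" and therefore a candidate for being stalled.
TERMINAL_STATUSES = {"RESULTS_READY", "FAILED", "CANCELLED"}

# Constructed sample records, as a status export might look. The "updated"
# field is the last time the platform changed the scan's state (UTC).
SAMPLE_SCANS = [
    {"app": "payments-web", "build_id": "b101", "status": "SCAN_IN_PROCESS",
     "updated": "2024-05-01T11:30:00Z"},
    {"app": "customer-portal", "build_id": "b102", "status": "PRE_SCAN_SUBMITTED",
     "updated": "2024-04-30T20:00:00Z"},
    {"app": "reporting-api", "build_id": "b103", "status": "RESULTS_READY",
     "updated": "2024-04-25T08:00:00Z"},
    {"app": "mobile-gateway", "build_id": "b104", "status": "UPLOADING",
     "updated": "2024-04-29T09:00:00Z"},
]

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stalled(scans, now: datetime, max_age: timedelta = timedelta(hours=6)):
    """Return scans that are still non-terminal after max_age, oldest first.

    A stalled scan blocks subsequent scans of the same application, so the
    caller typically wants to cancel or resubmit it rather than wait.
    """
    stalled = []
    for scan in scans:
        if scan["status"] in TERMINAL_STATUSES:
            continue
        age = now - parse_timestamp(scan["updated"])
        if age > max_age:
            stalled.append({
                "app": scan["app"],
                "build_id": scan["build_id"],
                "status": scan["status"],
                "age_hours": round(age.total_seconds() / 3600, 1),
            })
    stalled.sort(key=lambda s: s["age_hours"], reverse=True)
    return stalled


def format_report(stalled) -> str:
    """One line per stalled scan, suitable for a CI log or chat alert."""
    if not stalled:
        return "no stalled scans"
    return "\n".join(
        f"{s['app']} build {s['build_id']}: {s['status']} for {s['age_hours']}h"
        for s in stalled
    )


def exit_code(stalled) -> int:
    """Non-zero when anything is stalled, so the scheduled job goes red."""
    return 1 if stalled else 0


if __name__ == "__main__":
    import sys
    found = find_stalled(SAMPLE_SCANS, NOW)
    print(format_report(found))
    sys.exit(exit_code(found))
```

Run it from a scheduled pipeline job rather than on every commit: the point is a single red job that names the blocked applications, instead of a developer discovering the block when their next scan never starts.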