ChiefInfaf47 - PeerSpot reviewer
Chief Information Security Officer with 501-1,000 employees
Real User
Helped us address our critical vulnerabilities through static scanning
Pros and Cons
  • "One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important."

    What is our primary use case?

    We use it for static checking.

    How has it helped my organization?

    We are a state agency; we're not a private-sector company. What we're able to do is take our main web-based application, which is not only for internal use but which the citizens of Ohio also use, and we can run this application, and others as well, through Veracode to ensure that we've done our job, our due diligence.

    We print out a report, we see the rating of the vulnerabilities that have been found: "critical" and "high", "moderate" and "low." We've been able to go from having critical vulnerabilities to where we're now into the more moderate range. We've shown improvement through the years. We can provide that information to our superiors, and to people who come in and audit us, to show that we've made progress on scanning.

    When we find a vulnerability, we do pass it on to our developers and they've been able to go in and adjust the code so that the vulnerability is no longer there. The goal, of course, is that these findings will help them as they develop new code so that these vulnerabilities are not a part of the next application. We run a follow-up scan to make sure the vulnerability has been cleared.

    The benefit, at this point, has been more internal than for our customers. Obviously we don't want them to have a problem so that they could then, theoretically, actually see the benefit. We try to be proactive.

    What is most valuable?

    • Having the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important.
    • Utilizing the software as a service. We do the scanning of the compiled code ourselves but it's on their servers, which is a plus.
    • Technical support is available if needed and that is advantageous.
    • Having online education and training is also advantageous. 

    What needs improvement?

    I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be application development security. When the question was asked concerning what tools are being used, many of these major retail companies said they are using Veracode. However, they were quick to comment that the product is too expensive and that there are too many false positives which take too much time to remediate.


    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    The stability is very good. They haven't had too many updates or upgrades. They did a major upgrade several years ago but it came out just fine. It has been a really good product.

    What do I think about the scalability of the solution?

    I'd call us a "mid-range" agency, so it's not like we have a ton of applications that we're changing and updating. It's good for us, but I can't really answer how scalable it is because we're not really big.

    How are customer service and support?

    I don't believe that the team has had any problem going on to the website, downloading the static code, or running scans. They do it quite often without any issue and are able to read the report and rectify whatever vulnerability has been discovered. There has not been a problem walking through those steps. It's been pretty straightforward. And if our team has any problems, we've got access to someone that we can schedule a call with to work out the issues.

    We haven't had to call tech support too often, but when we have had to call them, support has been good in terms of resolution time.

    How was the initial setup?

    I was involved, on a cursory level, with the setup. Our implementation strategy was to focus on our main web-based application. The way that they developed the application here was under one static set of code, so we could scan this code and, in essence, be able to check the vulnerability of most of the applications from the different businesses in our agency.

    What about the implementation team?

    We did not use an integrator or a third-party. We did it with the help of Veracode.

    What was our ROI?

    We are a state agency, so we're not for profit. I tell everybody we don't make money, we spend money. To frame it in the context of the public sector, I think we are giving our citizens peace of mind. When they come in to write a permit, and we send them to a service that collects payment, that jumping-off point is secure and safe. It would be more in those terms, rather than the bottom line.

    In the public sector, return on investment is not a term that is easily understood because we do not invest. But total cost of ownership is something that we can put our arms around. When we think about potential data breaches, Veracode has certainly helped us. When you think about the cost of the product and that I have one person, not ten people, running this tool, the total cost of ownership is low. I have no devices or servers, I didn't have to do any of that here onsite. It's all in the cloud. The total cost of ownership, given the services they provide, is very low, in my opinion.

    What's my experience with pricing, setup cost, and licensing?

    We're always looking to save the taxpayers' money. I used to tell my vendors, sharpen those pencils and make the tip laser-sharp. When it can be, I want it to be less expensive, but you get what you pay for too. Vendors need to be fair and I think Veracode has been fair.

    We use their SaaS solution and it's just an annual subscription.

    Which other solutions did I evaluate?

    The state of Ohio decided to bring AppScan in and that's an IBM tool. IBM became a major vendor in the state of Ohio. But what happened is that AppScan does not offer static code vulnerability checking; dynamic is something they do offer, but it's not as complete and comprehensive as a static scan is. Even the state has gone away from AppScan, but we were looking at it, we were starting to get set up for it. But evidently, other agencies haven't found it to be as useful. So we're not going that direction, we're staying with Veracode. 

    There would have been cost savings associated with going with AppScan but we decided, because the state was not going that way, that we were not going that way either.

    What other advice do I have?

    I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool.

    I really like Veracode. That is one of the reasons that we brought them onboard ten years ago. Of course, they were new back then. The different aspects of the offerings that Veracode provides to their customers are somewhat unique and, right now, I couldn't ask another thing from them.

    We have approximately 30 Java developers and four or five testers. There are also project managers using it. We have one person who manages running of the scans and that person might have one or two other people to help.

    We haven't really been utilizing it to its full potential. We probably utilize it once or twice per quarter. We are planning to increase the capacity that we've purchased. However, we're getting ready to elect a new governor in Ohio. With that election, things will change, according to his or her desires. Right now, we're in a holding pattern waiting for November to come and go.

    In terms of integrating the solution into our existing software development lifecycle, because we started so long ago - before the software development lifecycle was fully implemented - we were doing Veracode testing just because it was a good idea. Then we actually developed a lifecycle. We got into scrums and it just naturally worked its way in, so when we actually hired a testing group, Veracode was already a part of the process.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    it_user673734 - PeerSpot reviewer
    Chief Technology Officer at a tech vendor with 201-500 employees
    Real User
    Increases our confidence in the security of our server-side and mobile apps
    Pros and Cons
    • "It has an easy-to-use interface."
    • "We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time."

    What is our primary use case?

    We use it for security scanning of SaaS and mobile software that we develop: one server-side and two mobile applications. Most customers require SAST and DAST scanning in order to purchase.

    How has it helped my organization?

    It gives us more confidence in the application security of the products we scan. We use it as part of our AppSec best practices. 

    What is most valuable?

    It has an easy-to-use interface.

    What needs improvement?

    We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time.

    What do I think about the stability of the solution?

    We have never had any problems with the solution.

    What do I think about the scalability of the solution?

    It has always worked for us, we haven't found any issues. There have been no problems with scanning small and large objects.

    How are customer service and technical support?

    Technical support is excellent. It meets our needs.

    Which solution did I use previously and why did I switch?

    We had no previous solution. Our choice of Veracode was due to Veracode being a customer and requiring that we use their tool to scan our solution.

    How was the initial setup?

    The initial setup was straightforward. As it's a SaaS solution, it took no time to set up. But because I didn't take training, I spent a bit of time figuring out the product. No implementation (or strategy for implementation) was required, beyond some simple configuration settings.

    What's my experience with pricing, setup cost, and licensing?

    No issues, the pricing seems reasonable.

    Which other solutions did I evaluate?

    We evaluated no other products for SAST when we started using Veracode. 

    What other advice do I have?

    Be aware that the first run will find a lot of issues, many of which are not real issues; it will take time to understand that. Don't change object names as that will confuse it. Make sure you get development buy-in early.

    We're looking to expand its use within the development organization and are looking into another license. Currently, we have four users of the solution, myself (security) and developers. The four of us also maintain it.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Global Presales Head - Security Assurance at Wipro Technologies
    Real User
    Provides faster scans but with a higher number of false positives
    Pros and Cons
    • "Veracode provides faster scans compared to other static analysis security testing tools."
    • "Veracode scans provide a higher number of false positives."
    • "The overall reporting structure is complicated, and it's difficult to understand the report."

    What is our primary use case?

    Static application security testing, which is the primary use case. 

    There were different web applications which were scanned using this tool.

    How has it helped my organization?

    Veracode scans provide a higher number of false positives. Also, the overall reporting structure is complicated, and it's difficult to understand the report.

    What is most valuable?

    Veracode provides faster scans compared to other static analysis security testing tools.

    What needs improvement?

    Veracode should provide support to more software languages, like ABAP.

    For how long have I used the solution?

    Less than one year.
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    reviewer1384917 - PeerSpot reviewer
    Director, Customer Advocacy at Veracode
    Real User

    Thank you for taking the time to share your experience with Veracode. We appreciate your time and hope all is going well. Please let me know if there's anything I can do to help. My role is new here and I'm working to check in with customers who have taken effort to comment on their Veracode solutions.

    Executive Director at Parthenon-EY
    Real User
    It has almost completely eliminated the presence of SQLi vulnerabilities. Needs more timely support for newer languages and framework versions.
    Pros and Cons
    • "It has almost completely eliminated the presence of SQLi vulnerabilities."
    • "It gives feedback to developers on the effectiveness of their secure coding practices."
    • "It needs more timely support for newer languages and framework versions."

    What is our primary use case?

    • Scanning web-facing applications for potential security weaknesses.
    • Helping to document the introduction of technical debt in our code bases.

    How has it helped my organization?

    • It gives feedback to developers on the effectiveness of their secure coding practices.  
    • It has almost completely eliminated the presence of SQLi vulnerabilities.

    What is most valuable?

    • Multiple languages and framework support: We can use one tool for our SAST needs.
    • Developers report liking the IDE integration provided by this tool.

    What needs improvement?

    • More timely support for newer languages and framework versions.  
    • Integration with Slack is another request from our developers.

    For how long have I used the solution?

    Trial/evaluations only.
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    reviewer923928 - PeerSpot reviewer
    Team Lead / Architect at a tech services company with 1,001-5,000 employees
    Real User
    We use its static analysis during development to eliminate vulnerability issues
    Pros and Cons
    • "We use Veracode static analysis during development to eliminate vulnerability issues"
    • "I have found the user interface extremely helpful in prioritizing issues."
    • "They should improve on the static scanning time."

    What is our primary use case?

    I use Veracode to run scans on .NET applications, web applications and Windows/fat form applications. I also use it to make deployments in three-tier environments: the application server tier, web server tier and the database tier.

    How has it helped my organization?

    • Veracode has improved our penetration testing process. 
    • We use Veracode static analysis during development to eliminate vulnerability issues.

    What is most valuable?

    • I have found the user interface extremely helpful in prioritizing issues.
    • It allows me to prioritize the work to help resolve an issue.

    What needs improvement?

    They should improve on the static scanning time.

    For how long have I used the solution?

    Three to five years.
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.

    We have heard the need for faster scan times and I see this was an area you wanted to see improvement. I wanted to give you an update regarding our Static scanning. We recently extended the Veracode Static Analysis product family to include three purpose-built scan types:

    • IDE Scan, which provides fast, automated security feedback to developers in the IDE, in seconds
    • Pipeline Scan, a new, first-of-its-kind offering, which runs on every build and provides security feedback on code at a team level, with a median scan time of 90 seconds
    • Policy Scan, which returns a full security assessment of the code before release, in a median scan time of 8 minutes

    If you would like more information on our static analysis improvements let me know!

    Managing Director at Harrods
    Real User
    Provides the capability to track remediation and the handling of identified vulnerabilities. The application does not support API or Dynamic Application Security Testing
    Pros and Cons
    • "Allows us to track the remediation and handling of identified vulnerabilities."
    • "Provides the capability to track remediation and the handling of identified vulnerabilities."
    • "The security team can track the remediation and risk acceptance statistics."
    • "The solution does not support Dynamic Application Security Testing."
    • "The current version of the application does not support testing for API."

    What is our primary use case?

    We are planning on introducing a static code analysis tool to support a DevOps effort in our environment. The objective of the solution is to allow the team to identify vulnerabilities in the source code and improve the hygiene of the developed code before deployment.

    How has it helped my organization?

    This is currently still under evaluation, and it is pending review and assessment against other static code analysis solutions.

    What is most valuable?

    The solution provides the capability for the application teams to track remediation and the handling of identified vulnerabilities. The system provides workflow capabilities for the application teams to send the completed scans to the security teams for their review. In addition, the security team can track the remediation and risk acceptance statistics.

    What needs improvement?

    The solution currently does not support Dynamic Application Security Testing which is an important facet of application security testing. In addition, the current version of the application does not support testing for API.

    For how long have I used the solution?

    Trial/evaluations only.
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Associat7de6 - PeerSpot reviewer
    Associate Director
    Real User
    Provides security of different Shadow IT activities in our environment, however there are limitations on reporting causing bottlenecks
    Pros and Cons
    • "The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process."
    • "It provides security of different Shadow IT activities in our environment, especially around application development and website hosting."
    • "We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass."
    • "Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight."

    What is our primary use case?

    Application security scanning.

    How has it helped my organization?

    It has helped us identify all the application flaws, especially with so many open source licenses available to the developers. This product allows you to plug in all those gaps where you may open up backdoors. This tool has helped us every day with our goal to plug in all those gaps.

    We help make changes from the initial NAS that we sign up with the vendors and any third party who might be involved in our telephone activities. They have to ensure that phone is a standby application and security tool, plus we also make the changes in the workflow for any application. Before it is deployed into operations, it has to have a security certificate which proves that it has a Veracode application security certification on it and all the flaws that have been identified have been removed.

    What is most valuable?

    It has several components that help you identify abilities in the core. It also provides security of different Shadow IT activities in our environment, especially around application development and website hosting.

    What needs improvement?

    They are already working on it, but we are looking forward to seeing it. We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass.

    Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight. Therefore, if you have the report ready and want a consultation, it sometimes takes more than three to four days to arrange a meeting. I feel that waiting four days to get a consultation and understand the report around whatever has been identified is a bottleneck.

    For how long have I used the solution?

    Three to five years.

    What do I think about the stability of the solution?

    We have not seen any major downtime.

    How are customer service and technical support?

    I would rate their technical support as a nine out of 10.

    The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process. Therefore, they have been quite helpful.

    They have an account manager for personal relations between the customer and their technical people. This person takes care of bringing them the right person to address any issues that we have.

    Two years back, Veracode was having issues. It was taking a long time to start the application, and we worked with their technical support. They also have been constantly improving the platform.

    Which solution did I use previously and why did I switch?

    We did not previously use another solution.

    How was the initial setup?

    It was a bit complex initially when we started, because we had not been previously exposed to any such tool.

    It is a SaaS tool. So, towards the end, we did not have to install anything. We just needed an account for the platform to upload the build. There was an initial issue, because people were not previously exposed to this type of process, and it was something new that they were being asked to do.

    What was our ROI?

    It has helped us reduce our overall time to remedy any validity, which can be found after being rolled out and put into production. Though, I cannot give you the number. It is always better to safeguard the environment rather than being hacked or having production downtime. In three years, we have not had any breaches or seen any reduction in Shadow IT.

    What's my experience with pricing, setup cost, and licensing?

    It is pricey. There is a lot of value in the product, but it is a costly tool.

    The customer should demand better turnaround times for the money that they are paying, especially around the reporting and standing up processes that we need to go through. It needs much more technical information on the platform with a tool that can help with information or have 24/7 support available, then it will be worth the price that we are paying, because right now, we don't have many options. There are not many companies who are in the market for Veracode, who want this type of in-depth analysis and examination. That is why customers, with the money that they are paying, have room for improvement in the scope of the Veracode product.

    I recommend going for a one-year licensing with CA, because currently they are the leaders in this field with more features and a much better turnaround time with a cheaper position, but there are a lot of new companies coming up in the market and they are building up their platforms. I suggest just not to get tied up with a long-term commitment, because I have seen with Black Duck that they are almost one-third of the price of the big platforms. Once there are the same features and functionality (or a lot better performance) available in the market, people are going to migrate away from this platform. The market is changing so fast, and with the Black Duck acquisition, it is also expected that we may get a solution with a much faster platform with much better service at a cheaper price.

    Which other solutions did I evaluate?

    We did a PoC with Black Duck.

    What other advice do I have?

    I would rate the product as an eight out of 10 for recommending it to colleagues.

    I would rate the overall product as a seven out of 10.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    it_user802140 - PeerSpot reviewer
    Product Manager at GMS
    Real User
    All areas of the solution could use some improvement. It helps me to detect vulnerabilities.
    Pros and Cons
    • "It helps me to detect vulnerabilities."
    • "All areas of the solution could use some improvement."

    What is our primary use case?

    We are Veracode partners/distributors in Quito, Ecuador. 

    At this moment, I am reviewing the solution. 

    How has it helped my organization?

    It helps me to detect vulnerabilities.

    What is most valuable?

    I use the SAST feature the most.

    What needs improvement?

    All areas of the solution could use some improvement.

    For how long have I used the solution?

    Trial/evaluations only.
    Disclosure: My company has a business relationship with this vendor other than being a customer. We are Veracode partners/distributors in Quito, Ecuador.