Try our new research platform with insights from 80,000+ expert users
it_user842937 - PeerSpot reviewer
Systems Architect at a tech vendor with 201-500 employees
Vendor
Enables us to automatically submit each new build for scanning and get results directly into our JIRA
Pros and Cons
  • "With the tools that Veracode provides, our developers are actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers."
  • "The most important feature is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to production or provide something to a client... Dynamic scanning actually hits our Web applications, to try to detect any well known Web application vulnerabilities as well."
  • "Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion."
  • "When those scans kick, Veracode integrates back into our JIRA and actually open tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products."
  • "The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something have on their roadmap."

What is our primary use case?

Security scanning of the applications, of software that my company built.

How has it helped my organization?

We have a large developer base at our company ranging in a variety of skills sets. Some are very security aware, others really don't have the knowledge. What Veracode provides is really good feedback on what vulnerabilities were found in their code: examples, definitions, ways to mitigate. One of the huge benefits we've seen is just a bigger security awareness within our development staff.

Further, with the tools that Veracode provides, they're actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers.

Veracode provides application security best practices and guides our security and development teams because most of the time, in the issues that it opens, it has lots of links and details in there. There are also regular emails and newsletters and they send out about trends. So, there's a fair amount of communication and there are also a lot of details within the issues that they find. There's always plenty of material that they link to in issues. They do a really good job of providing a lot of communication and detailed documentation around our application security tools.

Our customers have benefited in the fact that know that we put security right in front, as a priority. It's not an afterthought. They're a lot more aware that we're security conscientious, instead of just, "The software works, here you go."

We also have reports. Some of our customers have asked for various types of reporting and security related stuff. Now, we're also able to give them these reports, essentially from Veracode's scans of our software. So, we have a lot more documentation about it. Instead of answering one-off questionnaires from our clients, we actually have a canned report we can provide. Again, all this material, we didn't have a year ago. We were just ad hoc answering things and hoping that they didn't question it anymore, and we really didn't have any good evidence. They were just taking us at our word.

What is most valuable?

The most important one is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to production or provide something to a client.

We pair that with dynamic scanning, which actually hits our Web applications, to try to detect any well-known Web application vulnerabilities as well. It's really just a way for us to stay ahead of it and provide some assurances and security with the software that we deliver.

Also, Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion. So the API is a huge thing that we use from Veracode, in addition to those two types of scans.

In terms of integrating Veracode into our existing software development life cycle, we heavily use JIRA today for bug tracking issues, time management, and the like, for our development team. When those scans kick, Veracode integrates back into our JIRA and actually open tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products. That's really what we use in measuring there, the integration back to JIRA in issues found.

What needs improvement?

From a technical standpoint, I'm pretty happy with everything. The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something have on their roadmap.

Other than that, I don't really get too involved in the cost sides of things that's in my job, I'm more of a technical focus, but I have heard from my manager and a couple other people that the solution is quite expensive. So that is possibly one factor that could turn somebody away from Veracode. But, like I said, I really don't know much more about that. Technically, I'm very impressed and happy with what they've had to offer.

Buyer's Guide
Veracode
July 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
865,384 professionals have used our research since 2012.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

I have not run into one issue with stability with it. I'm throwing stuff at it all day and I can't think of one time where I've had an issue with submitting a scan or getting a scan to complete. It's been pretty flawless.

What do I think about the scalability of the solution?

The one thing we hit was some licensing limitation. Again, it went back to cost, I believe. We had to go back and change our licensing model with Veracode to be able to scan all the things that we wanted to. I think there was some confusion up front with their licensing or cost. 

Like I said, that's really the only area that I've heard some gripes about, but I'm far removed. I'm not sure if it was scalability or a licensing mishap, but we did have some issues early on, with the amount of things that we wanted to scan and what their limits were for us. But ever since whatever was straightened out there, I have not had an issue of scalability.

How are customer service and support?

Initially, I had some questions back and forth and I was able to get everything resolved, mostly via email. Overall, I thought the response time was good, the answers were concise and accurate. Within 24 hours I was getting a response via email from their support. For what I needed to set up, I really thought their support was great and really sharp.

I don't work with the support that often, now that things are established. But to get off the ground running, they were extremely helpful.

Which solution did I use previously and why did I switch?

We had never done anything like this in the past. This was the solution that we chose. We didn't really evaluate anything else. I know that my boss has been a fan of some CA products in the past and really recommended this one. I did some digging on it, from a technical standpoint, and I said I believed it would be able to scan all our stuff, support our platforms, the languages that we write our applications in, so that's how we landed on Veracode.

How was the initial setup?

Without the API, it would have been extremely complex. It would have been very painful because it would have been a very manual process of submitting applications. 

I am fortunate enough that I have a pretty strong development background, so I do a lot of coding myself. For the person without development experience, using the API would have been very difficult. Where I work, we're a little unique in that sense.

But the rest of it, it's a cloud-based solution. I'm kicking off all my stuff over to Veracode and it's running in their environments and producing results. There's not a whole lot of setup besides that. It's not a big cost on an any infrastructure that we have to run or support. So, pretty painless really.

What was our ROI?

I wish I had some numbers - this is really not my area. I would assume that it's got to be a fair amount of cost savings, only because we're touching things earlier. We didn't have anything before. I don't have good stats to provide except for the fact that now we have something in our process, where before we didn't. Before, security things were only being addressed if somebody actually found something or, even worse, if a customer found something. We don't have a lot of historical data but it's got to be substantial.

I believe, from a technical standpoint, it's paying off for the rest of the organization. I think ethically it's the right thing to do. Educating our staff - I don't really know how you measure that in a dollar amount - but our developers are getting education and are becoming more aware of security in their software. Me being a technical guy, those two things are huge, and the dollars don't add up enough. I'm not sure how you would measure it.

It probably pays off more over time as well. We're still only a year into it. So we're still learning a lot ourselves.

What's my experience with pricing, setup cost, and licensing?

If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice architecture, I would suggest asking them about their microservice pricing. I would suggest that you evaluate that with your code and their other licensing model, which is like a lump sum in size of artifacts, and just make sure that you price that out with them, because there might be some tradeoffs that can be made in price.

Which other solutions did I evaluate?

There were some, but we didn't get serious about them because they didn't have everything that we wanted.

What other advice do I have?

I would advise that you figure out a way to integrate it into your software development lifecycle in a way that it's not intrusive to your developers. That was really something that I set out to do. I didn't want my developers to have to go into their code, and kick off scans, and upload their code. So, I would really suggest looking at your integrations, your JIRA, your Jenkins, all of your add-ons, and hopefully that fits into the SDLC process, and then automating via their API.

Essentially, what we were able to achieve is, my developers still live within JIRA and the issues get opened from Veracode into JIRA and they work on things that way. They can remediate it, kick it that way, and if they need to they can log into Veracode. But I'd suggest making the SDLC process integrated as much as you can to make it something that developers aren't having to spend a lot of time doing every day.

Overall, I would give Veracode a nine out of 10, just because nothing is perfect. But it does everything for us and it was so painless. I speak very highly of it for those reasons.

I would highly recommend CA Veracode. Every engineer that I've dealt with has been really sharp. The review process they have is really good and the knowledge they have has been tremendous. I really recommend working with them.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Chief Technology Officer
Real User
Integrates easily into our workflow, Jenkins submits the code and the analysis runs automatically
Pros and Cons
  • "It eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report."
  • "When we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are."
  • "They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice."
  • "The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal."

What is our primary use case?

The primary use is as a static analysis tool. But we also use Greenlight and dynamic, and we're currently having a manual penetration test.

How has it helped my organization?

Firstly, it prevents me from putting out software that has security vulnerabilities, which is a big thing and can be one of the most important things. 

Also, we just finished a vendor due diligence with a very large company that wants to do business with us, and one of their security questions was "Do you do static analysis?" I was able to just send a very professionally done report. They know Veracode and they said, "Okay, great. This is terrific." 

That very reason is why, three years ago when I first got to this company, I said, "We have to get hooked up with Veracode right away, so it's not like an afterthought." Because I'd been in a situation where you do it after the fact and you end up with 3,000 errors, medium to critical errors.

It helps us put out better software more quickly, and gives me the piece of mind that we've done everything we can to prevent any security exploits.

It's something that our customers don't think about, and the benefit would be that as long as there are no data breaches, there's no hacking within our system, they get a non-functional benefit. We work with pharmacies and they just expect that the system is secure. I would view that as a benefit to them - maybe something that they don't think about - but nonetheless, it's there. 

What is most valuable?

Certainly it eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report.

Once it's set up - and it's pretty easy to set up - it pretty much just works and I don't really have to think about it, outside of whenever I get my emails to look at the reports.

It was a very easy integration that we did within the first week of going live with the software.

So ease of use, ease of integration.

What needs improvement?

The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal. 

With that said, I hate when companies redo their portals all the time. So it's kind of a catch-22, but that would be my only critique.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

It's always been pretty rock solid. 

What do I think about the scalability of the solution?

No scalability issues that I'm aware of. 

How are customer service and technical support?

Exceptional.

Which solution did I use previously and why did I switch?

Veracode was really my first introduction to static code analysis. The way I came across it in my previous company was, they were going through security due diligence and we didn't have any code analysis software. The company, a very large health plan, said, "Here are three that we recommend." Veracode happened to have been one of them, along with HPE and another company, maybe it was IBM, I don't know. We took a look at all of them and we made a decision to go with Veracode.

How was the initial setup?

It was easy. It's very straightforward. There's nothing complicated about it.

What was our ROI?

I haven't really thought about cost savings related to code fixes, since we implemented Veracode, other than: It's always easier and much cheaper to catch errors and fix them before you go to production, versus catching them while in production. Just like it's much easier to fix things before production, as opposed to having somebody hack your system and to find out that you have a cross-site script error.

But again, I've never quantified it in terms of whether it's saved me money. 

Just off the cuff, the cost of the license is small in comparison to the value it brings. I don't have to buy the software myself, I don't have to have specially trained security professionals that monitor this stuff. But I haven't really broken it down to quantify it into dollars, as such.

What's my experience with pricing, setup cost, and licensing?

I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product.

About licensing, just go ahead and get them.

Get a license at the beginning of a project. Don't wait until the end, because you want to use the product throughout the entire software development lifecycle, not just at the end. You could be surprised, and not in a positive way, with all the vulnerabilities there are in your code.

Which other solutions did I evaluate?

When I was at the last company, I looked at HPE (now Micro Focus) Fortify vs Veracode and maybe IBM had a product, but they were overly complex and overly expensive. I remember talking to our Veracode account rep, who also was my account rep originally here at Focus Script, and she did a fabulous job of explaining it, doing a demo, showing how easy it was to use, and that's what sold me. Again, it was recommended from a very large health plan as one of the more reputable systems out there.

What other advice do I have?

CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple ways. First of all, they have an e-learning module that has courses that we have required our developers to take. That's a best practice.

Secondly, when we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are. 

They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice. The list goes on... And again, having received, early on, education from them on how best to integrate this in the workflow, those are areas where we've relied on best practices from Veracode.

I'm in healthcare, and it's very important - and I'm sure in other industries just as well - but the stakes are very high. If we get hacked, if there's a data breach, it could put us out of business. It's a very good price point for a small company to have these kinds of capabilities, something we can afford for our application.

I am very likely to recommend it to colleagues. As I mentioned, I brought it to this company, and I've already recommended and provided references to a few other companies over the last couple of years.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Veracode
July 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
865,384 professionals have used our research since 2012.
it_user837504 - PeerSpot reviewer
Information Technology at a insurance company with 51-200 employees
Real User
Give us insight into code without having to upload it, saving a lot of NDA paperwork
Pros and Cons
  • "Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavy using it."
  • "It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code."
  • "It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help."

What is our primary use case?

We test two mission-critical web applications (C# Web forms).

How has it helped my organization?

We used to revise code with free tools (like VCG) but they are not even in the same universe. Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavy using it.

Also, from the very relevant results and issues that were pinpointed by Veracode, I can say that our customer security was greatly enhanced by its use.

What is most valuable?

It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code, but the source code never leaves your workstation, it is all client side, no NDA needed.

What needs improvement?

It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No, we did not detect a single glitch or fault in a year. We once had a periodic maintenance activity on the Veracode platform during a deadline, but it was clearly announced in advance, so we just went around it and had no issues.

What do I think about the scalability of the solution?

No, you don’t have such concerns on Veracode. The process is really "launch and forget" (and wait for results).

How are customer service and technical support?

The team that assists us with it is just great, especially considering there is a language barrier for some of our employees. Veracode did its best to get those employees in the loop with the chance to attend the meeting, as well with the aid of written English.

Which solution did I use previously and why did I switch?

VCG (Visual Code Grepper) but I am not even going to compare them. VCG is as good as they come, but Veracode is a different breed. An application went through VCG and we were pretty confident. Then, Veracode results just blew us out of our shoes.

How was the initial setup?

I manage the Veracode suite for my company, and I was personally walked through the various steps. Once I was up and running, we had another two-hour session to explain to us how a proper Veracode assessment should be planned (developers, code reviewers). As a result, I believe we have not only a pretty solid code review process up and running, but this was all provided to us at no additional cost.

What we felt is that the Veracode guys want to enjoy and use their solution first. They are not pushing to get consultancy time if that can be avoided. If you need consultancy time you can have it and the prices are convenient. We did not. All the help came at no additional cost.

What was our ROI?

It is difficult to assert, but it helps a lot with maintaining compliance with our main customers, and helps us to pinpoint some specific issues. The cost of not having Veracode would be pretty high for us.

What's my experience with pricing, setup cost, and licensing?

The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was.

The licensing is fair, it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due third-party libraries, for example) you should discuss this beforehand and explore suitable agreements.

Which other solutions did I evaluate?

Competitors were evaluated but seemed, at once, too bloated or not relevant to all our specific requests. We were not interested in buying a product (such as a standalone program) rather we were interested in getting a tool for creating a process, and Veracode is that.

What other advice do I have?

In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward doing it, starting with the next app that gets developed from scratch.

CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost.

As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it and declaring it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don’t need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage as much as you can.

I would recommend Veracode to anyone involved in high-risk environments.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user836430 - PeerSpot reviewer
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
Real User
Scanning helps ensure our code is flaw-free, and remediation tools help developers track and manage flaws
Pros and Cons
  • "The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws."
  • "Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year."

What is our primary use case?

Application security management.

How has it helped my organization?

We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates on how those flaw remediations are going on.

Our customers have benefited by being able to have a little bit more assurance from us, from a trusted authority, that our code is properly flaw-free and remediated.

What is most valuable?

The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws.

We have been able to integrate Veracode through many of the IDEs that our developers use, using the Veracode APIs, or they've been actually been doing this manually as part of their SDLC.

What needs improvement?

Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year.

That would probably be the biggest area, access to more granular data that we could pull and use on a regular basis. Better dashboards. That kind of information.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's stable, absolutely. They do regular maintenance schedules. Aside from that, I can't really think of a time where it has not been a stable product or unavailable. 

What do I think about the scalability of the solution?

No issues with scalability.

How are customer service and technical support?

We engage their support teams quite often actually. Part of our licensing package is a good number of hours per month for our development teams to work with their support teams at Veracode, to help solve remediation issues, troubleshoot some of the flaws that they encounter or can't understand. Their support teams have been able to work with our development teams very well.

Which solution did I use previously and why did I switch?

We were not using a previous vendor prior to this. We've used other vendors like Nessus for pen testing. We still use those. Veracode was just more of an addition.

How was the initial setup?

The setup has been more of a phase-in approach, and it's been gradual. It's been kind of a "trial-by-fire" setup with a lot of our development teams because most of our development teams aren't used to doing this. So, it's been a trial, I guess more so on our side, to get the adoption going on. It's just part of training our team to actually know there's something they need to do on a regular basis.

What was our ROI?

Regarding any cost savings relating to code fixes since we implemented Veracode in our development process, I can't say I have that information off the top of my head.

What's my experience with pricing, setup cost, and licensing?

Just do your research. Make sure you're getting the best price on this. It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in. Then just see if it can work. Try and make sure you get the best price possible.

Which other solutions did I evaluate?

I was not part of the evaluation team on this, unfortunately. But I believe the other options were evaluated as well, but I don't have access to that information.

What other advice do I have?

In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half.

The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now.

I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user835104 - PeerSpot reviewer
Project Manager at a tech vendor with 501-1,000 employees
Real User
We use scan results for training to increase sensitivity to security issues during development
Pros and Cons
    • "Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines."
    • "Because our application is large, it takes a long time to upload and scan."

    What is our primary use case?

    Static code scan.

    How has it helped my organization?

    We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are better trained, so we hope to see increased compliance with our security guidelines.

    We do incorporate the suggested course of action from the Veracode report (AppSec best practices and guidance) in our best practices.

    Also, our customers benefit from the fact that the application is more secure.

    What is most valuable?

    We use the results of the scan to identify vulnerabilities in the product.

    What needs improvement?

    Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    No issues with stability.

    What do I think about the scalability of the solution?

    Because our application is large, it takes a long time to upload and scan.

    How are customer service and technical support?

    Based on limited usage, we are satisfied.

    Which solution did I use previously and why did I switch?

    We did not have a previous solution. We picked this product because our partner (SAP) uses it.

    How was the initial setup?

    Straightforward.

    What was our ROI?

    There are no directly measurable cost savings. We see security improvement as a key part of our product development.

    What other advice do I have?

    When asked, we let our customers and partners know that we use Veracode and that we are happy with it.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Assistan84a9 - PeerSpot reviewer
    Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
    Real User
    Allows us to streamline identification of vulnerabilities and quickly address them
    Pros and Cons
    • "When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them."
    • "Code analysis tool to help identify code issues before entered into production."
    • "Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production."
    • "Developer Sandboxes help move scanning earlier within the SDLC."
    • "The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes."
    • "The Greenlight product that integrates into the IDE is not available for PHP, which is our primary language."

    What is our primary use case?

    Static code analysis for internally developed critical systems.

    How has it helped my organization?

    When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them. This has also lead to better overall code quality for the team, by pointing out some dated practices that needed updating.

    We have required that our critical systems pass a Veracode scan prior to code being deployed into production. We also have included a step in the development stage to run specific code through a Veracode Sandbox to encourage better code quality, early on in the development lifecycle.

    Veracode has helped us meet the requirements of our yearly external audits and has improved code quality, leading to less down time and less buggy code that users will encounter.

    What is most valuable?

    • Code analysis tool to help identify code issues before entered into production.
    • Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production.
    • Developer Sandboxes help move scanning earlier within the SDLC.
    • The platform itself has a lot of AppSec best practices information, especially in the mitigation recommendation process. They have also offered cybersecurity e-learning for our team. 

    What needs improvement?

    The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes.

    Also the Greenlight product that integrates into the IDE is not available for PHP, which is our primary language.

    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    No issues with stability.

    What do I think about the scalability of the solution?

    No issues with scalability.

    How is customer service and technical support?

    We have rarely needed to use tech support, and when we have it has performed as expected.

    How was the initial setup?

    Straightforward. Just add the applications in the portal and start scanning.

    What was our ROI?

    We don’t have the metrics to track specific dollars, but Veracode has saved us the cost of hundreds of employee hours by streamlining our vulnerability discovery process in legacy code, and by improving the quality of code released into production. 

    As we support our organization's customer-facing digital channels by writing higher quality code, we have reduced the amount of bugs or downtime a user experiences using our systems. This saves in employee time and also increases engagement with our digital channels.

    What's my experience with pricing, setup cost, and licensing?

    Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need.

    Which other solutions did I evaluate?

    Yes, but too long ago to remember which ones.

    What other advice do I have?

    I would definitely recommend CA Veracode.

    Just make sure you define a process for your developers prior to implementing the technology.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    it_user694200 - PeerSpot reviewer
    it_user694200Manager at a tech services company with 10,001+ employees
    Real User

    How good is adding agents working in Banking and financial and Healthcare industries?

    it_user833553 - PeerSpot reviewer
    CISSP, CISM at a tech services company with 1,001-5,000 employees
    Real User
    SAST, DAST, and Greenlight point out potentially insecure coding and how to fix it
    Pros and Cons
    • "For our rapid, secure DevOps cycle, we have integration of the Vericode API into our build tool, and Greenlight into our IDE."
    • "It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo."
    • "It would help to have more training for developers to help them set it up."

    What is our primary use case?

    We use it for a lot of things and they're all primary: SAST, DAST, and Greenlight.

    How has it helped my organization?

    By using this product, we can point out not only any potentially insecure coding, but how to fix it. It's a requirement, a legal requirement. So we benefit by not breaking regulatory law.

    What is most valuable?

    SAST, DAST, and Greenlight are the most important features because today it's important for our regulatory compliance law to keep our product coding relatively secure.

    For our rapid, secure DevOps cycle, we have integration of the Vericode API into our build tool, and Greenlight into our IDE.

    What needs improvement?

    I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo. I think that's a real good idea.

    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    No issues with stability.

    What do I think about the scalability of the solution?

    No issues with scalability, other than making sure that our people know how to use it.

    How are customer service and technical support?

    Excellent.

    Which solution did I use previously and why did I switch?

    Never. I've been using it for 20 years. I tried others, like HPE's and IBM's, when I was with Visa, but this is the best.

    How was the initial setup?

    I think it's simple, but sometimes it would help to have more training for developers to help them set it up.

    What was our ROI?

    I can't give you exact numbers, but it's a lot cheaper to do it sooner rather than later.

    What's my experience with pricing, setup cost, and licensing?

    Pricing is worth the value. 

    Which other solutions did I evaluate?

    They didn't have products before this one. This one pre-dated them.

    What other advice do I have?

    I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion.

    We are a good customer and we had been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    it_user833550 - PeerSpot reviewer
    VP of Services at a tech vendor with 51-200 employees
    Real User
    We're much more security conscious when writing code, to meet the benchmarks it gives us
    Pros and Cons
    • "We use it to get our scan results and see where our software is vulnerable or not vulnerable."
    • "The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."

    What is our primary use case?

    Dynamic and static scanning.

    How has it helped my organization?

    We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle.

    In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules.

    Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.

    What is most valuable?

    The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable.

    It's part of our SDLC now.

    What needs improvement?

    The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    No issues with stability.

    What do I think about the scalability of the solution?

    Not that I know of.

    How is customer service and technical support?

    I have not contacted tech support.

    How was the initial setup?

    It seemed straightforward. I didn't actually do the work, but from what I was told, it seemed like it was fairly easy to get going.

    What was our ROI?

    I cannot give numbers on any cost savings related to code fixes since implementing CA Veracode in our development process.

    What's my experience with pricing, setup cost, and licensing?

    It's worth the value.

    Which other solutions did I evaluate?

    We did evaluate other options, but I can't remember who we looked at.

    What other advice do I have?

    I would be highly likely to recommend working with CA Veracode to colleagues. 

    I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do.

    Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Buyer's Guide
    Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
    Updated: July 2025
    Buyer's Guide
    Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.