Try our new research platform with insights from 80,000+ expert users
UmarQureshi - PeerSpot reviewer
Security Lead at a retailer with 10,001+ employees
Real User
Helps to reduce false positives and prevent vulnerable code from entering production, but does not support incremental scanning
Pros and Cons
  • "Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes."
  • "The language version support could be improved."

What is our primary use case?

We utilize Veracode to assist in establishing secure-by-design and development processes for our web applications, as well as transitioning from other systems to microservices.

How has it helped my organization?

Once Veracode is correctly tuned, its ability to prevent vulnerable code from entering production increases.

An SBOM is a list that can help us manage our risks by tailoring it with software competition analysis, scanning for vulnerabilities, and addressing third-party risks. As part of the supply chain, an SBOM provides a visual representation of the components present in our application, enabling us to take appropriate action.

Creating an SBOM is straightforward. 

From a central perspective and a risk standpoint, the SBOM holds significant importance and must be integrated into our environment for the Software Development Life Cycle users.

Veracode has provided us with the opportunity to secure our applications. It enables us to identify risks and develop a strategy based on the results obtained from Veracode. These results are utilized to target developer training policies that we have created for pipeline and policy scanning. Additionally, Veracode provides us with guidance on resource allocation for teams. Overall, Veracode has proven to be highly useful. We obtained data from Veracode starting from day one of usage and witness its complete value within the initial six months of utilization.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is commendable. They dedicate ample time to conduct thorough research and executing internal campaigns. Instead of hastily releasing new features and language support, they meticulously perform six to nine-month testing to ensure proper formatting and functionality.

I give Veracode's false positive rate an eight out of ten.

A seasoned developer with the appropriate mindset understands the necessity of fine-tuning regarding false positives, as this can impact novice developers.

Veracode's low false positive rate in static analysis has had a positive impact on the time we spend fine-tuning policies.

Veracode greatly influences our organization's ability to address flaws. Resource allocation, strategy, and trading have had a significant impact, particularly when considering the redirection of traffic. Starting from the point of deviation becomes crucial in this context. Without comprehending the potential flaws that may arise within our environment, we cannot determine the appropriate direction to mitigate and reduce them over time.

Veracode assists our developers in saving time when used correctly. It took us approximately one year to align all the developers' mindsets, but once we achieved this, our team matured, and tasks became easier.

Veracode has been beneficial for our organization's security posture.

Veracode has reduced the cost of our DevSecOps by helping us decrease development time, remediation efforts, and the expenses associated with fixing flaws at a later stage.

What is most valuable?

Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes. Essentially, it serves as a means to demonstrate to developers how to create secure coding modules and solutions. I am excited about it because I believe it will accelerate development time.

What needs improvement?

The language version support could be improved. For instance, I recall a situation where there was a slight delay in supporting the application for a specific job because there were concerns regarding the vulnerabilities present in the new languages.

Veracode combines container scanning and software composition analysis into a single package. This has always been an issue because people want the freedom to choose one or the other. However, we are almost compelled to purchase both components together.

I would like to request the inclusion of incremental scanning in a future release. By scanning only the portions of code where changes were made instead of the entire code, we can significantly reduce the scanning time.

I would like to see what Veracode plans to do regarding endpoint protection, PAN testing, DAST, RAST, and similar areas. I haven't seen any developments in these aspects yet. Products like Contrast are more advanced in this regard. So, as teams become more mature, what steps can we take to adopt the mindset and processes required for such advancements?

Buyer's Guide
Veracode
August 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,370 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Veracode for over four years.

What do I think about the stability of the solution?

Veracode has experienced occasional downtimes, but for the most part, it has remained stable.

What do I think about the scalability of the solution?

Veracode is capable of scaling to accommodate the needs of large organizations.

How are customer service and support?

The technical support is excellent. They have application security experts. If we have an issue within the platform, we can reach out to either a Success Manager or a technical representative, and they usually respond within twenty-four hours. Additionally, as a developer or end users, we can schedule consultations and speak to someone who understands a specific language, which is really helpful.

How would you rate customer service and support?

Positive

What's my experience with pricing, setup cost, and licensing?

Aside from the standard licensing fees, we also have to pay for a competent Success Manager. We initially received a favorable deal in the first year, presumably to secure our business, but we have since observed a gradual annual increase in costs.

I would definitely recommend having a Success Manager in the first year. Once the teams become more mature, companies like Synopsys, Veracode, Checkmarx, and others are large enough to offer competitive deals if they are interested in our business. For small businesses, using open source tools would be worth considering. With Veracode, we pay for the research they have conducted and have gained a deep understanding of various flaws. Their risk rating aligns well with our requirements, which is beneficial. We rely on this tool and find it fantastic from a data perspective. The data provided has greatly assisted us in our strategic decision-making.

Which other solutions did I evaluate?

I have tested all of the solutions. I have tested Synopsys, Veracode, and Checkmarx. Checkmarx is a truly excellent product. The only drawback was that their dashboard was subpar, resulting in poor data quality.

What other advice do I have?

I would rate Veracode a seven out of ten. Although it doesn't fulfill all our requirements, I am still impressed with it and find the solution appealing.

Veracode has excelled in SAST, DAST, and IAST, but conducting scans, secret scanning, and IAC are new areas for them.

Veracode alone cannot solve our issues or problems. We need to have an agile mindset and ensure that security is embedded and maintained. We need to educate developers to be able to use these tools effectively and incorporate them into their everyday processes.

Veracode can be hosted within Europe or at our local location if needed. However, I believe they offer various instances. Personally, I prefer the SaaS solution over on-prem, mainly because unless we have specific data privacy requirements, using the SaaS solution is more convenient. Opting for on-prem would require additional resources, such as setting it up and engaging with Veracode support, which can be a more complex process. 

Veracode handles the maintenance. All we need to do is set up the files for pipeline scans. Our engineering teams can handle that. In terms of policies, we should review them annually. Credentials will naturally expire on an annual basis, so they need to be reviewed as well. If we want to pursue additional tasks like GitHub integrations, then the setup process is required.  

I recommend evaluating the top four solutions listed in the Gartner report or any other reliable source of information. Test them thoroughly and ensure that the vendor truly understands the organization's environment before making a commitment.

It is crucial for individuals to comprehend and establish a workflow environment before they commence providing tools, and I believe there is indeed a wealth of information pertaining to data dashboards. Although it may require time, we can collaborate with Veracode to construct it. Overall, it is beneficial. It is truly excellent. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
L3 Security Engineer at a computer software company with 51-200 employees
Real User
Top 20
Makes our code secure and integrates well with GitHub
Pros and Cons
  • "I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities."
  • "Their scanning engine is sometimes a little bit slow. They can improve the scan time."

What is our primary use case?

We use Veracode to find any vulnerabilities and for risk management.

How has it helped my organization?

There are multiple ways to use Veracode. We can use Veracode directly in our ID environment, and we can use it in the UI environment in our platform. We can integrate it with GitHub or GitLab. We can also install SourceClear as an agent.

It helps to reduce the application risk rate. It checks for any vulnerabilities or CVE IDs against its database. If any vulnerabilities are present, it gives suggestions, remediations, and fixes. They have recently started with Veracode Fix, so the auto-fix capability is there for your code.

Previously, it was very difficult to find vulnerabilities and scan threats. It is a primary need to maintain the security of our code. Veracode is a good option. It provides all kinds of features for developers.

Veracode checks for vulnerabilities in the static code, third-party libraries, and infrastructure. If there are any vulnerabilities in your static code, it will provide them. It can also auto-fix them with Veracode Fix. For Web APIs, there is a solution called DAST Essentials. It came out recently, but it is a very good solution.

It has been a year since I have been using Veracode, and it has been very helpful. It gave me the vulnerabilities present in my code, such as SQL injection, and the fixes for them. It gives good suggestions to improve the score of our code base. It gives a lot of things.

I started using Veracode Fix about one month back. It can automatically fix whatever vulnerabilities are present in the code. In GitHub, it shows the line numbers that it has fixed. It also provides a reason to fix them. It also gives a report based on your policies. If any high-severity vulnerability was there, it tells you how it was fixed. Everything is given in detail in the reports. It is very good.

Veracode's policy reporting is good for ensuring compliance with industry standards and regulations. I would rate it an eight out of ten for that.

Veracode provides visibility into application status at every phase of development, but the option of infrastructure and deployment security is not there in Veracode. They have probably started working on that.

We use third-party libraries, and it suggests using only the safest versions. It gives suggestions on vulnerabilities that are present and how to fix them. It is very good. It makes our code secure.

Veracode saves 10% to 20% time of developers. 

What is most valuable?

I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities. It maps everything for you. It gives suggestions and remediations.

What needs improvement?

They should provide infrastructure management. They have not included any infrastructure security. Kubernetes images are also not there.

Their scanning engine is sometimes a little bit slow. They can improve the scan time.

For how long have I used the solution?

I have been using Veracode for more than one year.

What do I think about the stability of the solution?

It is stable. I would rate it an 8 out of 10 for stability.

What do I think about the scalability of the solution?

It is scalable. We have 5 projects. In every team, 2-3 people are using Veracode. We have a dashboard, and through that dashboard, we log in to our account. We are also using a GitHub wrapper.

We have a sprint of 2 weeks, so every 2 weeks, we deploy code. We have a team of 10 people, and at a time, at least 5 people are involved in the deployment.

How are customer service and support?

They have an Application Security Consultation team. Veracode support is also there. We can email them for any issues, and we can also connect with the ACS team through a Zoom meeting.

Their documentation is also very good. In the case of any issues, we follow the documentation.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have previously worked with SonarQube. The decision to switch to Veracode was taken by our management.

Veracode is better than SonarQube. In SonarQube, you need to give individual code, and then it fetches the details. With Veracode, you can get details about your entire application. Veracode Fix is also there to auto-fix the code. For web applications also, so many things are there with Veracode.

What other advice do I have?

It is a very good product. Veracode Fix is also there. It gives very good solutions about the code and its reusability and fixes. It has been there for the last 17 years. Without such a solution, it is very difficult to find vulnerabilities and manage fixes. 

I would recommend using Veracode. It has good features. It scans your source code and your third-party libraries. There are a lot of new products in the market, but Veracode is good.

Overall, I would rate Veracode an 8 out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Veracode
August 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,370 professionals have used our research since 2012.
Senior Consultant at Material Vision
Consultant
A very good tool for dynamic application testing, but its price is a little high
Pros and Cons
  • "One thing that I like about Veracode is that it is quite a good tool for dynamic application testing."
  • "The negative that I found is that it has a subscription-based model."

What is our primary use case?

We are quite new to security systems. We have not adopted Veracode at the enterprise level. We are using the GitHub Advanced Security system. We were looking for static code analysis or software configuration analysis tools in the market. That is when we explored Veracode.

We want to centralize our security systems so that any repository that developers are using or creating in our organization follows the same set of standards. We want to have all the security checks and all the static code analysis done at the same level and with one client.

How has it helped my organization?

We have had challenges with security because developers come from different organizations and different backgrounds. They have different ways of coding. Based on their experience, they write the code, but there is a very high chance of having vulnerabilities in their code. The PR reviews used to take a lot of time for the reviewer. By implementing such a solution at the enterprise level, we assume that we will save a lot of time for developers and code reviewers because everything will be done by the tool. It will impact us a lot.

Veracode is quite good. It checks the security vulnerabilities in our packages. It discovers them very nicely, but it is not a tool for improving code quality. It does not provide very good static code analysis.

Veracode's policy reporting is fine for ensuring compliance with industry standards and regulations.

Veracode provides visibility into application status at every phase of development.

Veracode saves our developers' time. They are not doing manual PR reviews. It has saved about 20% of the time because we are still in the adoption phase.

We have a lot of confidential data of clients. We do not want our application to be exposed outside. We have configured a code quality gate, so before production itself, it blocks the PR deployment and allows it once all the security checks are passed.

Veracode is one of the tools that helps to verify external dependencies. Veracode helps a lot there.

What is most valuable?

One thing that I like about Veracode is that it is quite a good tool for dynamic application testing. It is a little bit better than DeepSource and SonarQube in terms of software composition analysis and dynamic application testing. 

When I was looking into it, my initial impression was that it has a good UI as compared to other competitors.

What needs improvement?

A negative issue I found is that it has a subscription-based model. 

If Veracode can provide static analysis in terms of how we can improve the code quality, it will be quite a good feature.

For how long have I used the solution?

I have been using Veracode for 2 years.

What do I think about the stability of the solution?

It is quite stable.

What do I think about the scalability of the solution?

We have not deployed it on our on-premise system, so it is quite scalable. There are no issues with that. I would rate it a 6 out of 10 for scalability.

How are customer service and support?

We have not used their support extensively, but when we were choosing Veracode, I felt that they have a very good support system. The support they provided was good.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I also work with SonarQube. I did not switch from SonarQube to Veracode. We are using a combination of both because SonarQube provides good code quality, but Veracode does not. Veracode provides very good dynamic application testing and software configuration analysis, but SonarQube does not. A combination of both is meeting our needs.

Configuring SonarQube at the cloud level based on our requirements is quite challenging. The support is based on the community. It is not something we consider as an enterprise-level tool, whereas this is not the case with Veracode. These things are better in Veracode.

How was the initial setup?

I was not involved in its deployment. I am in the quality team. The DevSecOps team takes care of its deployment. That team has 8 to 10 people.

It does not require any maintenance. Everything is done automatically by the vendor.

What about the implementation team?

Everything was done in-house.

What was our ROI?

It is too early for that, but Veracode will save us development effort and time. That will be the return on investment for us in the future. We will be able to measure its overall cost-effectiveness by comparing what we are paying for the service and how much developer time it is saving. 

What's my experience with pricing, setup cost, and licensing?

We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides. In addition to the standard licensing costs, there are no additional costs.

To someone who is looking at Veracode but is concerned about the price, I would recommend exploring it themselves. They might not need the same features that we need. They might be looking at some other aspects of security. I would recommend exploring it and doing a price evaluation based on their needs. 

Which other solutions did I evaluate?

We also explored DeepSource for some time, but we did not go for it. The functionality that DeepSource provides is somewhere between Veracode and SonarQube. Veracode was a little bit better, and that is why we went for Veracode.

What other advice do I have?

We do not use the free access to Veracode's Application Security Consulting team, but we are planning to use it. We have not yet used the Veracode Fix feature that produces AI-generated fixes. It is a new feature.

The fact that Veracode does not scan source code, only binary code, does not concern us. We are using multiple tools. Veracode is one of them.

Overall, I would rate Veracode a 7 out of 10. We are still adopting Veracode. We have not gone through all the features that Veracode provides. Its rating would probably increase after a few months of use. I would recommend Veracode to others.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Cyber Security Consultant at a computer software company with 51-200 employees
Consultant
Top 20
Integrates seamlessly and saves time and costs
Pros and Cons
  • "The integration with DevOps pipelines is seamless."
  • "The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives."

What is our primary use case?

I used Veracode in my previous company. My role was to assist the team in identifying the vulnerabilities in the reports. I identified those and diverted them. The software team was responsible for taking appropriate actions to fix those.

We used Veracode in our environment to have account verifications or transaction confirmations. Apart from that, we had event registration as well as membership confirmation.

How has it helped my organization?

Veracode provides visibility into application status at every phase of development. My role was to analyze the vulnerabilities and pass them on to the software team. The severity of a risk was provided by us, and the software team was responsible for mitigating that. It helped us a lot in mitigating the vulnerabilities. We were able to proactively react to anything malicious.

It helped with early vulnerability detection and automated security testing. These were two things for which I usually used to use Veracode.

The static analysis and the dynamic testing methodologies for security vulnerabilities helped us in our development process. It allowed our developers to address issues before they became complex or expensive to fix. That was one of the things that helped us a lot.

Veracode helped us with the Log4j vulnerability. At that time, we relied completely on Veracode.

Veracode helped our developers save time. Proactively fixing the vulnerabilities saved a lot of time. It saved 50% to 60% of the time. Fixing them after the sprint is over takes more resources and time and also costs us. Veracode saved time as well as the cost.

Veracode helped us with the shift-left security strategy, but we did not rely much on Veracode for that because we already had something for that. Veracode was good enough overall.

What is most valuable?

The scanning is most valuable. The scans given by Veracode are one of the key features that I like.

The integration with DevOps pipelines is seamless. 

What needs improvement?

The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives.

For how long have I used the solution?

I have used Veracode for almost two years. 

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is scalable. The agents were deployed on about 2,000 machines. For administration, we had a SOC team. It was filler work for them, but we had a team of 13 people.

How are customer service and support?

Dennis from Veracode helped us right from the deployment. If there was any critical task, he used to help us with that. We hardly had to reach out to their support for any issues.

Which solution did I use previously and why did I switch?

I have used different solutions. I have used Darktrace. I have used CrowdStrike and Carbon Black. In my current company, I am using CrowdStrike.

When I was using Veracode, each agent needed to be deployed on each machine. I do not know what they are using now. CrowdStrike is a single platform with a single agent. You can deploy it on all the machines. That is one of the advantages. Moreover, I have become used to the GUI of CrowdStrike over the last year or so. I am more comfortable with CrowdStrike, but it depends on person to person. I would rate Veracode an eight and CrowdStrike a nine out of ten. I am a bit biased toward CrowdStrike because I am currently using it in my organization. I am not using Veracode here.

How was the initial setup?

I was involved in its deployment. It was super easy. The support that was provided by them was fabulous.

There was a delay from our end. It took us almost 90 days to deploy it, which included approvals and other things.

What about the implementation team?

We had a consultant from Veracode. His name was Dennis. We were satisfied with his job. 

What was our ROI?

I used it for two years in my last organization, and we saved a lot of costs. It was not related to the product; it was related to the risks that we used to get. On the technology side, it surely saved a lot.

What other advice do I have?

They keep on working on their product. They keep on upgrading that. The threat landscape keeps on evolving, and there are new threats every day. The Veracode team helped us in mitigating and remediating them and guiding us with those particular threats. I would surely recommend Veracode. I even tried to recommend it over here, but I am not one responsible person for that decision over here.

They have recently introduced a feature called "Veracode Fix" that produces AI-generated fixes. I read about it somewhere. It does vulnerability identification and prioritization and some behavioral analysis. It does dynamic analysis of any malware or any abnormal or malicious behavior. It is evolving. One more thing that I read was pattern recognition. The AI algorithm that has been provided recognizes patterns. It can assist in recognizing patterns and trends in security data.

It has policy reporting for ensuring compliance with industry standards and regulations, but we did not use that.

To those who want to use Veracode or any similar solution, I would advise being aware of their environment and security posture and seeing where it fits into their security posture. If they proactively work on the alerts provided by Veracode, they will surely save a lot of money, time, and resources. I would suggest working proactively on the alerts given by Veracode.

Overall, I would rate Veracode an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Robert Hood - PeerSpot reviewer
Information Security Architect at a tech vendor with 5,001-10,000 employees
Real User
Great SAST, good DAST, and helps save a significant amount of time
Pros and Cons
  • "The most valuable feature is the SAST capability and its integration into the Veracode pipelines."
  • "From what we have seen of Veracode's SCA offering, it is just average."

What is our primary use case?

My company is a financial and technical enterprise with involvement in healthcare as well. We use Veracode for scanning, utilizing both SAST and DAST approaches. The purpose of static testing is to assess our code for vulnerabilities before deployment. After completing this step and addressing any identified issues, we run dynamic application security testing on the applications we've created to ensure there are no vulnerabilities introduced after the build. These could be issues that arise during the execution of the code, rather than being inherent to the code itself.

Additionally, we are currently considering or in the process of transitioning to Veracode for a specific function known as Software Composition Analysis, which is among the services they offer.

In terms of my use cases, I oversee approximately 200 development teams managing around three to four hundred projects. About 30 percent of these projects are connected to Veracode. Moreover, I manage a user base of over 700 individuals, and many of our build pipelines include immediate SAST scanning during the building process.

We currently use Vericode Cloud, specifically the public cloud. At the moment, I am in the process of deploying two Veracode ISM management servers from their platform. These servers will be responsible for scanning our internal applications that are not exposed to the external world. One significant aspect is that our company decided to transition to the cloud approximately three years ago. Initially, we had 27 data centers scattered worldwide, but now we have reduced that number to five. By the end of this year, we plan to further decrease it to three, and eventually, we will likely have only one or two data centers in the future. However, there are certain things that we cannot migrate to the cloud.

How has it helped my organization?

Veracode's ability to prevent vulnerable code from being deployed into production is excellent. It is considered one of the best scanning tools available. We have conducted several comparisons between Veracode and other products in the market, and Veracode consistently ranks first among those we have tested.

With Veracode, the amount of vulnerable code that gets through is almost negligible. When we run a scan, we don't expect to find any significant vulnerabilities because the SAST usually catches almost everything.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. It is applicable to us as a multinational company with PCI and HIPAA requirements, and we also engage in government projects. Consequently, we are obliged to adhere to any relevant regulations, which is why we have implemented numerous policies that automatically alert us when any action might potentially violate the established guidelines.

Although Veracode can offer visibility into the application's status at every phase of development, we do not rely on manual penetration testing because we have our own testing team. Instead, we use SAST from the moment our developers start typing the code until the deployment phase. 

The visibility has significantly expedited our DevSecOps process. Now that we've integrated Veracode and included it in our build pipelines, we can provide feedback on potential issues and vulnerabilities in their code much more quickly. Our team appreciates and is delighted with this improvement because, previously, we had to wait until the builds were completed, then run DAST and subsequently present them with ten pages of issues, which would take them ten to fifteen days to address. By adopting a left-shifting approach, we've moved the bar further to the left, reaching a point where we can hardly get closer than we are now while they are actively coding. The only way to provide them with even faster information about potential vulnerabilities in their code would be to offer feedback as they type and when they push the code to the main build. Unfortunately, as of now, there are no tools available that can accomplish this.

Veracode has been a great benefit because it allows developers to log in to their code and examine the specific vulnerabilities they were informed about. Typically, there is a description of why and how the vulnerability occurred, along with guidance on how to resolve it. Veracode significantly aids our organization in fixing flaws.

Veracode helps our developers save time. While I cannot provide a precise estimate of the actual time saved, I can explain that the more we shift the SAST to the left, meaning running it as soon as the developers enter their code, the more time we can save. This is because when developers have the code fresh in their minds, they have a better understanding of what they wrote and how to fix any vulnerabilities based on the provided descriptions. On the contrary, if we shift the SAST further to the right when the code is already completed and possibly being reviewed by a different developer, it will take more time for them to understand the original code and the vulnerability's context. Thus, the original developer could have fixed the vulnerability in a shorter period of time. Additionally, considering the learning curve for new developers down the line, it becomes even more crucial to have the original developer fix the vulnerability promptly. If we only run DAST without SAST, we might end up with a long list of ten thousand potential vulnerabilities, which would require weeks of work just to address them all sequentially from the start.

Veracode has had a significant impact on our organization's security posture. When I first arrived, we were only connected to about three different teams. Originally, we only had seven or eight teams. Now, we have almost two hundred teams. One of the most significant changes is that even with those seven or eight teams, only two or so were using Veracode. However, we gradually added more teams as they came on board. Subsequently, there was a major organizational change, and Teams were divided into smaller, more compact, and agile units, which is the new trend in the industry. As a result, the teams are now much smaller, more diverse, and more agile. We are now connected to 70 percent of the two hundred teams. We have expanded considerably, but there is still more to achieve. The efficiencies have improved significantly, and the developers are satisfied with this progress. This shift is excellent for security because we were usually known as the "no people," but now we are transforming into the "yes" and "let me help you with that" people.

Veracode has reduced the cost of our DevSecOps, just from the 25 percent time-saving. The most expensive factor is not computers or technology, but rather, it's people. If I were to add together all of the salaries of the individuals and compare the amount of time saved to the total salary cost, I could cover the expenses for my infrastructure twice over a year. 

What is most valuable?

The most valuable feature is the SAST capability and its integration into the Veracode pipelines.

What needs improvement?

From what we have seen of Veracode's SCA offering, it is just average. The SBOM is adequate, but it's essentially the same as what everyone else is doing. In terms of SCA, they are about average compared to other systems. Therefore, I would like to see some improvements. 

SAST, DAST, and SCA in a single pane of glass would be a good upgrade to Veracode.

We are a Jira and Confluence shop and I would like to have a really good integration with those tools. 

We have a ticketing system that not too many companies have ever heard of. In fact, I had never heard of it before coming here. Instead of using a well-known industry standard like ServiceNow, we use a ticketing system called Cherwell, which also has an open API. Having an API for the ticketing system would be really beneficial.

I would prefer if Veracode offered more options for licensing, such as a pipeline or project license instead of a user license. Currently, I have around seven hundred users, but I manage fewer projects. Therefore, I believe it would be more beneficial and efficient for me if Veracode could adopt a project-based pricing model. In reality, I have multiple teams working on various projects simultaneously. Pricing based on the number of projects I have up and running would be more suitable for my needs compared to the number of developers working on a particular project.

One thing that I would like to be able to do is to receive a daily summary of the emails I currently receive. With numerous ongoing projects, constant scanning occurs, resulting in a high volume of emails about what is being processed. I believe it would be helpful if Veracode could create a daily summary of these emails. This way, I can easily track the number of actual emails I receive without having to go through each one individually. As of now, I already have 65 emails from Veracode, specifically regarding the processes that ran today.

For how long have I used the solution?

I have been using Veracode for three years.

What do I think about the stability of the solution?

I have almost never seen any downtime with Veracode.

What do I think about the scalability of the solution?

The scalability is excellent because we utilize Veracode on their cloud infrastructure, and we handle dozens of projects daily.

How are customer service and support?

I've never had a problem that didn't get solved, or at the very least, get immediate feedback. So, I would say their technical support is very good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously utilized a solution provided by IBM in my previous organization, but later we transitioned to a company named WhiteHat Security. The reason for this switch was that when we conducted a scan using the IBM solution, it returned a result of ten thousand vulnerabilities. It was my responsibility to review the vulnerability report and clear out any false positives. However, this task was extremely time-consuming, taking nearly forty hours to complete. The reason behind the prolonged effort was the spidering scan performed by the IBM solution, which continually traversed different pages through various links, leading to repetitive errors that required matching and deduplication. Out of the ten thousand vulnerabilities, approximately a thousand were legitimate, and the scanning capability was limited to DAST. To address these challenges, we migrated to WhiteHat Security. With WhiteHat's scanning process, the number of vulnerabilities was reduced significantly to around six or seven hundred. Their approach outperformed my manual efforts in identifying duplicates and further eliminated non-duplicate vulnerabilities that were caused by the same piece of code.

When I joined my current company they were already using Veracode.

How was the initial setup?

The initial setup was straightforward. We connected to the Veracode cloud, so essentially, we are operating on their public cloud. Whenever we run any process, we send our code to them. They execute it, and we receive feedback from the execution.

I have not been involved in the initial deployment of Veracode, but I have been involved in deploying the pipelines, creating and building out the ISMs, and also administering users. Recently, we moved and integrated it with our single sign-on. Since we're using Okta, we performed the integrations, and now everyone connects through Okta.

What about the implementation team?

We utilized a value-added reseller, and they provided integrators themselves. Additionally, we have direct connections with Veracode. So, my understanding is that we likely received assistance from both the value-added reseller's team and Veracode.

We have monthly calls with Veracode. I work directly with engineers and have access to their email addresses and telephone numbers. This way, whenever there's a problem or an issue, I can easily reach out to someone. Additionally, I receive almost daily emails regarding recent developments and occurrences.

What was our ROI?

We have seen a return on investment. We have two hundred teams, and approximately 70 percent of them are integrated with Veracode, running pipeline scans on about 50 percent of those. The remaining teams conduct manual SAST scans instead of using pipeline scans. We have likely saved 25 percent or more of the time it takes developers to go from a startup project to the final build and deployment, just by addressing vulnerabilities.

What's my experience with pricing, setup cost, and licensing?

We pay based on the number of developers working on a particular project.

Which other solutions did I evaluate?

Our organization evaluated four or five different solutions before selecting Veracode. The issue with the others was that they only offered either SAST or DAST, but not both, whereas Veracode provides both.

What other advice do I have?

I would rate Veracode an eight out of ten. Veracode needs to improve its SCA capabilities to become a market leader rather than a market follower. Another noteworthy area they are starting to focus on is container security. I assume they will compete with Laceworks and other companies in that domain, which makes it worth keeping an eye on.

Veracode's software build of materials feature is integrated into the software composition analysis, which we are currently exploring for utilization. However, at this time, we are using a third-party product for that purpose.

Veracode's false positive rate is very low based on what we have found. However, there are instances where it becomes confused, identifying one type of vulnerability when it is actually a different type that appears similar. Nevertheless, we always conduct verifications before approving a list of vulnerabilities for the developers to address. We thoroughly go through and verify at least most of the different types to ensure their validity. My team verifies the false positives, so the developers almost never see them. Because we don't encounter many false positives, we don't spend a lot of time fine-tuning policies. We'll make some minor adjustments, and it should mostly resolve the issue until we encounter a different type of false positive. Then, we'll have to address it separately.

One of the other things that I have observed recently is a tool called Veracode Fix. We have not examined it yet, but it's worth considering. Normally, we avoid implementing too many automated fixes because sometimes they end up causing even more issues, particularly when dealing with legacy code while transitioning to Veracode. Allowing automation could potentially lead to the application being permanently shut down, especially in cases like Software Composition Analysis and Software Bill of Materials where we may need to upgrade to a different or less vulnerable, open source piece of code. If we upgrade without ensuring compatibility with our existing setup, it could break numerous things. Hence, we previously attempted to use automated fixes, but the outcome was negative, and we have decided never to repeat that mistake. Therefore, it's something we plan to explore, but we need to ascertain if there have been any changes in that type of setup.

For someone who wants to use Veracode but is concerned about the cost, the amount of time saved, especially on the SAST side of things, makes it worthwhile.

We are a multi-cloud organization primarily using AWS, with 25 percent of our infrastructure on Azure and a smaller portion on Google Cloud. We are currently using Google services only because we are a Google shop rather than a Microsoft Office shop. As a result, all of our emails are managed through Google, and we rely on Google Docs and other related tools. 

There are four architects and a group of DevSecOps professionals who work directly with the development and operations teams. They form the security component of the organization and are responsible for operating Veracode on a daily basis. Their primary role is to assist the developers in integrating Veracode into their workflows, setting up pipelines, and collaborating with them when vulnerabilities are identified. They are available to help the developers understand why they received a vulnerability and guide them on how to address and eliminate it.

The only maintenance we will have to deal with is related to the ISM servers. These ISM servers are actually controlled by our company. There is an on-prem link to the Veracode cloud. When they conduct their scan, they access the server, which acts as a jump box. This enables them to scan our internal applications that do not have direct access to the outside world.

Veracode is a good Dynamic Application Security Testing tool, but it excels as an outstanding Static Application Security Testing solution for organizations that prioritize serious security measures.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2333736 - PeerSpot reviewer
Cloud system engineer at a consultancy with 1-10 employees
Real User
Top 5Leaderboard
Runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected
Pros and Cons
  • "The automation of Veracode is great because we no longer have to run manual testing."
  • "The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users."

What is our primary use case?

We use Veracode to identify vulnerabilities in code to ensure the security and integration of the apps.

How has it helped my organization?

Veracode effectively identifies vulnerabilities within the code. My role is to analyze these vulnerabilities and assign a severity level before forwarding them to the development team. This allows them to address the issues before deployment to production.

Whenever Veracode releases a new feature, we seek the expertise of Veracode's application security consulting team to understand its functionality and how it contributes to code security. The team demonstrates exceptional responsiveness and promptly addresses our questions, eliminating the need for unnecessary back-and-forth communication.

In today's digital world, cybersecurity is more important than ever. Veracode offers a comprehensive suite of features that help developers secure their code through automated scanning. This scanning identifies vulnerabilities and detects malicious code, preventing it from entering production.

Veracode has helped reduce our time to remediate security flaws.

The policy reporting for ensuring compliance with industry standards and regulations has been positive for our organization.

Veracode provides visibility into application status at every phase of development.

It has been instrumental in enhancing our organization's ability to fix flaws while simultaneously reducing our manpower requirements allowing us to focus on other issues.

Veracode has helped our developers save 20 percent of their time.

Implementing Veracode has significantly bolstered our security posture. We can uncover more vulnerabilities and streamline our detection process. We've become more proactive in identifying and addressing security threats. This allows us to focus on building secure applications with confidence.

Veracode has proven to be a solid choice for our organization's shift-left security strategy, compared to other solutions like Darktrace.

To ensure secure software from development to deployment, we leverage Veracode throughout our CI/CD pipeline, enhancing our app security at every stage.

Veracode helps us prevent vulnerable code from entering production, strengthening our third-party application security.

Among Veracode's features, vulnerability scanning stands out for its effectiveness in identifying and remediating security weaknesses, ultimately mitigating threats to our applications. 

The integration capabilities have positively affected our existing development tools when integrating with other cloud solutions. It is easy to integrate and the support team is helpful during the integration process.

Veracode helped improve our compliance posture with our existing solutions.     

What is most valuable?

The automation of Veracode is great because we no longer have to run manual testing. 

The weekly report logs are great because we can address any vulnerability issues that are detected quickly.

Veracode runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected and forecasting the next steps.

What needs improvement?

The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users.

I would like Veracode to introduce more sophisticated AI features.  

For how long have I used the solution?

I have been using Veracode for one year.

What do I think about the stability of the solution?

I would rate the stability of Veracode nine out of ten.

What do I think about the scalability of the solution?

Veracode supports scaling up whenever we want to keep up with our growing app portfolio.

I would rate the scalability of Veracode eight out of ten.

How are customer service and support?

The experience I had with their technical support has been great.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I recently changed companies, and my current employer does not use Veracode. However, I have discussed implementing it with them because it offers more mature features compared to other solutions.

How was the initial setup?

The initial deployment took around four months and required five people.

What's my experience with pricing, setup cost, and licensing?

Veracode is affordable for large organizations, but its pricing may be out of reach for small and medium companies.

What other advice do I have?

I would rate Veracode an eight out of ten. Veracode's pricing hinders my overall rating of the solution. 

Veracode was deployed in two regions with 25-plus users.

Veracode requires some maintenance to keep the scanning accurate.

While I highly recommend Veracode, affordability for smaller organizations may be a significant hurdle due to its pricing structure. It's crucial to carefully evaluate their budget constraints and explore alternative solutions if necessary.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer2288880 - PeerSpot reviewer
Junior Developer Intern at a insurance company with 10,001+ employees
Real User
Top 10
Provides extraordinary support, scalable, stable, and has automatic expiration and renewal features
Pros and Cons
  • "What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode."
  • "An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server."

What is our primary use case?

My use case for Veracode is for a front-end application, specifically an agent compensation calculation engine. That application is deployed through an EAR file, and then Veracode scans the EAR file and gives me the scan report to help me change and improve the file for future deployments.

What is most valuable?

What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. For example, I'm running an application via the dev ops pipeline. Hence, I need to create a pipeline application and a sandbox to connect with Veracode and then add my application. When you create a sandbox, you can create it full-time or for a limited time, so I created it for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode.

I also like that for each integration in Veracode, there's documentation.

I also find the Veracode support team extraordinary because the team goes above and beyond to ensure you get the best experience.

I find Veracode essential in preventing vulnerable code from going into production because if there's a vulnerability, the solution finds it. For example, my code has many JavaScript front-end and EAR files with some vulnerabilities. Right now, I'm deploying my code, but in the future, I may have to improve it and change it to ensure the servers are secure, so in that way, Veracode becomes more important for the industry today.

Policy reporting in Veracode is good in terms of ensuring compliance with industry standards and regulations. I like that the solution is more flexible when working with applications, mainly because my organization has a good firewall. Veracode is flexible and allows the organization to connect to the firewall in various ways. The Veracode policy is flexible and has an entire page and record that connects with my application, industry, company, and server in different ways. It does not disturb my policies so that I can get my application to work.

The false positive rate for Veracode is about seventy-thirty because it gives the most accurate report. For example, my organization depends on the Veracode analysis to ensure the code is on point, so the organization is building the next BI based on the Veracode analysis.

Veracode has also helped my organization save time because, without the report, the development team would spend a lot of time figuring out what is wrong and why the application is vulnerable. Veracode points out what is happening and why the file size must be reduced, so it helps reduce mistakes in terms of time.

What needs improvement?

An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server. Currently, my organization has to find a roundabout for that and then needs to build a separate pipeline and then connect that pipeline for Veracode to start.

For how long have I used the solution?

I've been using Veracode for the past two months.

What do I think about the stability of the solution?

Veracode has always been stable. It has good stability.

What do I think about the scalability of the solution?

I found Veracode scalable because it supports a variety of platforms. Though the support for other platforms is less, Veracode has been incorporating more support over time and offering other solutions as well.

If you're unable to set up the solution, the Veracode team has a consultation call to help you set up the solution. The team would even raise set-up-related issues with the Veracode engineering team, which was how I reached Veracode Technical Support, which was a good experience.

How are customer service and support?

I found Veracode Support extraordinary. I've been having an issue for the past month, and the team reached out to me and has been working with me for the past month, giving me various solutions to figure out how to solve the issue. It turns out it was a firewall issue, and I just had to go to the back-end and allow the back-end application, and now it is working fine.

The Veracode Support team was helpful and escalated my situation from level one to level two to level three, and finally, had the appropriate team reach out to me based on my issue. Then, within the span of two weeks, the team finally figured out the issue I was facing and gave me the final results and how I could fix it, so I found support good, fast, and responsive.

Overall, I had a pleasant experience with Veracode Support, so I rate support as eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I didn't use a previous solution before Veracode.

How was the initial setup?

I wasn't involved in the initial deployment of Veracode.

What's my experience with pricing, setup cost, and licensing?

I have no information on the pricing or licensing cost for Veracode.

What other advice do I have?

I've not used the Software Bill of Materials in Veracode.

I'm unsure how the false positive rate affects developer confidence in Veracode on fixing vulnerabilities because I'm more of a DevOps user and don't work on development but automation.

I'm also unsure of the effect of Veracode on my organization's ability to fix flaws because I've not used it directly to fix any flaws. I report to the dev team, who then takes the report and fixes the flaws accordingly.

I'm unsure of the impact Veracode had on the overall security posture of my organization, as I didn't use it for that.

In my organization, Veracode has a hybrid cloud deployment.

The solution doesn't require any maintenance.

My rating for Veracode, overall, is eight out of ten.

What I'd tell others looking into buying the solution is that as far as DevOps is concerned, Veracode is a must-have. It's been helpful for my organization DevOps-wise, though I have no information on other Veracode offerings. I recommend that others buy Veracode.

My organization has a business relationship with Veracode. It's a Veracode partner.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer2249226 - PeerSpot reviewer
Executive Assistant at a tech company with 51-200 employees
Real User
Performs static analysis, dynamic analysis, and software composition analysis
Pros and Cons
  • "Veracode offers various security features."
  • "The technical support service has room for improvement."

What is our primary use case?

We use Veracode for its code analysis features, which include static code analysis, dynamic code analysis, and checking for security flaws in our code. Mainly, we utilize Veracode for application security, making code security one of our primary use cases.

How has it helped my organization?

Since implementing Veracode, we have seen significant improvements in our code's security and the overall code development process. Veracode has been instrumental in enhancing our code security and streamlining the development workflow. In the past, we relied heavily on third-party applications that were not directly aligned with our codebase. However, now we can seamlessly integrate Veracode into our application process, saving a substantial amount of time. Veracode has not only improved our security setup but also enhanced the overall security of our organization.

Before implementing Veracode, the same process that used to take one hour now only takes 15 to 20 minutes.

Veracode's policy reporting for insurance compliance with industry standards and regulations is good. We can integrate numerous reports, and the positive reporting feature is also highly commendable.

Veracode provides visibility into the application's status at every phase of development.

Veracode works very well overall, and our security has been greatly improved, significantly impacting our ability to fix flaws.

The security process has been improved. Before using Veracode, we used to perform it manually. However, at that time, there was no application that could be integrated with the code. Now, with Veracode, we can directly integrate it with our code. As a result, security checks are being done automatically, saving us 30 to 40 percent of our time.

What is most valuable?

Veracode offers various security features. Veracode performs the analysis using three different methods: static analysis, dynamic analysis, and software composition analysis. These security features are the best, and the most valuable features.

What needs improvement?

Veracode's ability to prevent vulnerable code from going into production is commendable. However, we have encountered numerous cases of false positives that need improvement.

The technical support service has room for improvement. There are times when we rely on them, but we are not receiving an adequate response.

The stability has room for improvement.

For how long have I used the solution?

I have been using Veracode for one and a half years.

What do I think about the stability of the solution?

Veracode is stable, but there is room for improvement.

What do I think about the scalability of the solution?

Veracode is highly scalable. We have not had any issues with scalability. 

Which solution did I use previously and why did I switch?

Before I joined my organization, they used a third-party application to check code. Since I joined, we have been using Veracode.

How was the initial setup?

The initial setup was somewhat complex. The deployment took a couple of weeks because we needed to resolve numerous technical issues that we had to understand first. We had six people involved in the deployment.

What's my experience with pricing, setup cost, and licensing?

Veracode's price is reasonable.

What other advice do I have?

I would rate Veracode an eight out of ten. I recommend Veracode to others.

Veracode's false positives significantly impact our developers. When we encounter numerous false positive cases, we are required to conduct extensive reviews. How much it affects our developers depends on the number of false positive cases we are encountering and the significance of addressing them concerning the criticality of writing the code.

Veracode can save time in our DevSecOps process, but it may not significantly reduce costs.

Organizations that have security flaws in their code and seek to enhance their core security can consider Veracode as one of the best options for investment. Veracode is easy to implement and can effectively address the flaws in the code, provided that cost is not a significant concern.

Maintenance is required from time to time, specifically regarding false positives. We need to verify whether the system is functioning properly and communicate with the support team. The intervals for these checks occur after approximately 30 or 60 days, which we have selected, and we must strive to improve the system during these instances.

Veracode is deployed at two locations within our organization.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2025
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.