Try our new research platform with insights from 80,000+ expert users
Development Manager at a computer software company with 1,001-5,000 employees
Real User
Significantly improves our productivity, helps us in complying with our security policy, and reports all necessary vulnerabilities
Pros and Cons
  • "Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us."
  • "The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it."

What is our primary use case?

At this moment in time, in my project, we are mostly using Static Analysis from Veracode. We automated it and added it as a step to our daily pipeline. We also tried using the pipeline plugin from Veracode that gives an immediate evaluation of your code. We're also using agent-based Software Composition Analysis. I have not exactly used it in my project, but I participated in investigating it and setting it up.

I know two flavors of doing Software Composition Analysis. The first one is a part of a daily static scan where you're uploading all your third-party libraries. The second one is by using agent-based, which gives more reporting capabilities but not doesn't affect policy scans, etc. We use both of them.

We use Software Composition Analysis as a part of our daily build pipeline, so we use Jenkins Plugin from Veracode. Every night, we upload our sources to the Veracode platform. In the morning, we receive results of Static Code Analysis and Software Composition Analysis. 

How has it helped my organization?

We are able to receive results for vulnerabilities in other libraries. We can then react to it and fix our code and those dependencies.

We do have a policy in regards to security. As a part of that policy, we cannot have very high-end issues. Usually, when you change third-party libraries, you need to do some level of regression testing. Our release cycle is long, and it could be half a year between releases or sometimes even more. By using Software Composition Analysis, we're checking our sources on a regular basis, and if needed, we change our libraries in our code, So, we are checking and mitigating any vulnerabilities if they are not applicable to our solution.

We use static scanning. This is the main use of Veracode for us. We package our application every day and send it to Veracode. We receive static code analysis results and also the software composition analysis results every day because the first focus for us is on quality improvement. The security improvement is definitely static scanning. We do have a process for analyzing and mitigating results around this static scanning. So far, we have been able to comply with our internal policy. At this moment in time, we are at the stage of releasing our product, and according to our internal policy, certain important issues from 2017 had to be addressed and fixed.

Veracode gives the possibility to find different vulnerabilities and flaws in code, and it also makes things relatively easy because everything is automated. Implementing such a high-quality tool like Veracode, immediately made us aware of a lot of issues, but the volume of issues that we had to address was really high. The support from top management made it easy to fix the issues that Veracode identified in the product that has a long history of more than 20 years. Without the support of higher management in organizing and defining a process of fixing those issues, it wouldn't have been possible to fix all those issues. We took the reports received from Veracode, planned our activities, reviewed everything, and started acting on it as a result. The new release that we have is according to our policy, which is an important thing for us.

It definitely helps in reducing the risk of a security breach, which is rather important for us for providing our customers with a secure product. Among our customers, there are a lot of big companies that take security seriously. So, for us, it is really important. The fact that we have executive sponsorship shows that security is very important for our management. This initiative started because we're treating security really seriously.

It is improving our productivity significantly. We just finished a big chunk of results processing, and we are still in the process of setting up our processes. When you're first doing that scan with Veracode, you receive a bunch of results and an overwhelming amount of flaws in your code. All those results need to be investigated. For some of them, it is sufficient to have mitigations, but some of them need to be fixed. We just finished those fixes, and there were a significant amount of security findings from Veracode.

What is most valuable?

Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us.

What needs improvement?

The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it.

Buyer's Guide
Veracode
August 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,349 professionals have used our research since 2012.

For how long have I used the solution?

I believe it has been about two years because Software Composition Analysis is a part of the policy scan, and our journey with Veracode has been for about two years.

What do I think about the stability of the solution?

It is stable. I didn't feel that many problems with it. We did have a few glitches with the platform, but they were not that many. So, I can say that it is stable.

What do I think about the scalability of the solution?

I can't say anything about the scalability of this solution because we are not bothered about keeping its infrastructure up and running. We use Veracode Cloud, and we are not supporting or deploying it. It is just a service for us, and we consider it as a service. We submit the information and receive reports back from that solution.

In our project, every night, we are currently scanning our development branch and three versions of our releases. We have four applications, and I believe that from my team, at least 15 scans happen every night. We have a partnership with another company that provides a part of our functionality. They provide releases to us to embed in our solution. We also do the scanning for their part and inform them about the issues that we've found.

We will increase the number of scanned versions because with each and every release, during the support period, we're supporting versions of our product, and we're also fixing the security stuff. We will be increasing the volume of scans, but it will come to a logical point. When a version is no longer supported, we will definitely remove it from Veracode. So, all in all, at any moment in time, I foresee four or maybe five versions to support multiplied by four applications. There is also a development branch for each application, so there will be around 20-25 automated scans per night.

How are customer service and support?

I am very pleased with the Veracode support because so far, there were no issues where they were not able to help us. Sometimes, in our questions to Veracode, we ask about the deep aspects of functionality, and so far, we've received answers for all those questions, and they were mostly good. I would rate them a nine out of 10 just because I didn't like some of their answers. Because of our approach of having each version as a separate sandbox in Veracode, we had questions about the consistency of results between different sandboxes, but then we realized that these are peculiarities of the platform. It is nothing serious or special. It was mostly related to our expectations from those algorithms, but it actually works perfectly. I can give a 10 for Veracode's support, but then they will have no growth to improve.

How was the initial setup?

It was pretty straightforward. The problem that we had was mostly about our solution's architecture because the solution itself is big and heterogeneous. Some parts or regions are using the Java platform, and some parts are in the .NET code. The main problem was to correctly build our solution for Veracode. This was the only challenge. Veracode provided us with good functionality with their Jenkins Plugin that made it possible for us to automate our daily development. So, the main problem for us was mostly related to properly building our solution and using it in Veracode. It was pretty straightforward. There was nothing complex, but it needed some work from our side.

The strategy for Veracode implementation was pretty straightforward. From the very beginning, we stuck to the idea that it should be automated because all modern DevOps practices and approaches, such as Infrastructure as a Code, are widely used in our company. So, from the very beginning, we decided that it should be coded, and it should be stored in source control and uploaded. Veracode became a part of our process of everyday deployment, and it was a part of our strategy to make it a part of our life and use it as much as we can.

The number of people involved depended on the stage. At the initial stage, when we were evaluating it, there were somewhere around six or seven people who were making the decision of buying Veracode and other stuff. We have different companies and products inside our organization, and each and every product team is responsible for implementing it. We were the pioneers in using the solution from Veracode, and later on, it spread out to other projects. Now, we're acquiring additional licenses and so on. We planned everything with the help of the developer team. We follow the agile approach in our development, so everything was planned. User stories were created, and we just acted on them.

Which other solutions did I evaluate?

I participated in the review of tools. We reviewed not only Veracode. There were also other candidates for our main tool for static scan and software composition analysis. So, I have been involved in all activities around Veracode from the very beginning. What I liked about Veracode is that it is not just one product. It is a big ecosystem. It even has integration with Visual Studio, etc. First of all, we took a look at the scope of scanning. We compared the results of scanning and the functionality. Veracode had really great reporting functionality. In the end, we came up with the conclusion that Veracode fits best to our needs, and I believe we were right.

What other advice do I have?

My advice would be to adopt Veracode to serve your processes. I believe that the processes inside the company shouldn't be changed significantly with the introduction of new tools. Definitely, for each and every new tool, you need to build some process around usage in terms of administration and control. Veracode has a relatively big ecosystem of tools, which is a big advantage, and my advice would be to check all those tools and see how they can fit into your process, and how they can improve them. There are a lot of options and a lot of tools provided by Veracode that can fit each and every process. Whether you are using a waterfall process or DevOps practices in your organization, with Veracode, you can add necessary steps to your process without making significant changes in the processes that you have.

We take security seriously, and Veracode is not the only thing that we have for security. We do manual penetration testing to security test our applications. We also have some dynamic scanning. We follow some practices while engineering and architecting our solutions. At each and every step, we are trying to cover our solution with the necessary security testing activities or security design principles. Veracode is a big part of our security, but it is not the only one. We are fixing all issues, especially those that are non-compliant with our policy.

We don't use any connections with Software Composition Analysis. It is a separate product in the ecosystem that makes it possible for you to deeply scan your third-party libraries. This is the only way we use it. 

In terms of Veracode SCA reducing our overall scan times, I believe that it is not applicable at this point. In the case of agent-based scanning, the situation that we recently had has shown that you cannot fully substitute Software Composition Analysis from a static scan with agent-based. That's because, in the end, documents that you provide together with the release are the policy scan results generated by static scan. You can reduce the amount of time for your scanning, but in the end, you need at least one scan where you will figure out all third-party states as a part of the policy scan report. You cannot use only agent-based Software Composition Analysis because they are two separate sources of information. We can use Software Composition Analysis and then somehow merge results from two sources in one document for it, which is inconvenient. We are having nightly builds for Veracode, and it doesn't matter to us whether it takes more than 30 minutes or less than 30 minutes. We haven't measured the time, but with the approach that we have set in our company, we can leave it for longer time periods, and after nightly build, everything is okay for us. So, Jenkins just does its job of uploading, and no one monitors it. We are just monitoring that the jobs are stable and results are available. Considering that we're doing it at night, it is not that important for us for how long it runs.

It hasn't exactly increased our fix rate because it is not about our code. It is about the third-party code. We definitely have to mitigate, and sometimes, we have to change libraries to a newer version, so it somehow affects our fix rate, but mostly, the static scan affects our fix rate because it shows flaws in our code. So, I don't see any significant improvement with Veracode Software Composition Analysis in terms of our fix rate. I don't see a direct relationship between Veracode Software Composition Analysis and our fix rate, whereas Static Analysis works and gives us the necessary results and plans for fixing and doing our next steps in security.

It has not yet helped our company with certification and audits. We haven't yet shared those green results with our customers, and we didn't have any certifications the last time.

I would rate Veracode Software Composition Analysis a nine out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer1436241 - PeerSpot reviewer
DevSecOps Consultant at a comms service provider with 10,001+ employees
Real User
By using Pipeline Scan, which supports synchronous scans, our code is secure
Pros and Cons
  • "There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic."
  • "Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights."

What is our primary use case?

We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD. 

We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly run the internal application source code and ensure the code's security hygiene.

How has it helped my organization?

Before, the pentesting was happening at later part of the SDLC. Now, we have been getting early feedback about insights from Veracode, including traction around the application security aspects. Developers keep coming to us and asking the questions. Vericode has built a bridge between the development and security teams, which is something really helpful in an organization.

Veracode has helped us build security training in our clients' organizations.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is very helpful. We use Veracode to scan for vulnerabilities. This help us comply with regulatory standards for the European region. While the policy scanning takes time, it is very good from a compliance point of view.

What is most valuable?

There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic. 

We are using the Veracode APIs to build the Splunk dashboards, which is something very nice, as we are able to showcase the application security hygiene to our stakeholders and leadership. 

We have been using Veracode Greenlight for the IDE scanning. 

Veracode has good documentation, integrations, and tools, so it has been a very good solution. 

Veracode is pretty good about providing recommendations, remedies, and guidelines on issues that are occurring.

It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.

We have been using the solution’s Static Analysis Pipeline Scan, which is excellent. When we started, it took more time because we were doing asynchronous scans. However, in the last six months, Veracode has come with the Pipeline Scan, which supports synchronous scans. It has been helping us out a lot. Now, we don't worry when the pentesting report comes in. By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC. 

The speed of the Pipeline Scan is very nice. It takes less than 10 minutes. This is very good, because our policy scans used to take hours.

Veracode is good in terms of giving feedback.

What needs improvement?

We would like to see fewer false positives. 

Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights.

Veracode has a little bit of noise. Sometimes you will get a lot of issues, which you just need to triage. While the solution is excellent, it does come with a little bit of noise.

For how long have I used the solution?

We have been using the solution for a year and a half.

What do I think about the stability of the solution?

The stability is good, except every month it needs maintenance. So far, we haven't had an outage during UK working hours, e.g., where we are unable access the platform. There were some issues out-of-the-box, but now it's pretty much fine.

What do I think about the scalability of the solution?

More than 100 people are using the Veracode solution in our organization. Mostly, the guys who use Veracode are developers, QA engineers, product owners, Scrum Masters, and some data scientists.

We have a three-person team of security guys who maintain the entire service. The security guys have automation skills and can write the code. We are one squad in a company out of 21 squads. We are a security who helps other development teams with Veracode as part of their DevSecOps.

We have adapted Veracode across three line of our client's business. In the future, we may expand Veracode into more lines of business. 

How are customer service and technical support?

The technical support sometimes takes 48 hours to get back to us. Some of the support staff are not that great. There is no extra support on Slack channel nor is there a chat. Instead, we just have to wait for an email. They gave us a mobile number, which sometimes doesn't work. Then, if it does, it takes time. The technical support is something that needs to be improved.

Veracode's application security team is very helpful. If we are not getting the answers that we need, this team will come and assist us. For example, we had a call with their application security team who helped us determine best practices. They are good and very professional. 

Their account team is helpful and knowledgeable.

We use the solution’s support for cloud-native applications, like AWS Lambda. We have a cloud pipeline, where some of our microservices functions are getting developed there. Less than five of our squad use this service.

Which solution did I use previously and why did I switch?

Because of my consulting background, I have used other solutions prior to the use of Veracode. However, Veracode was the first solution implemented of its type. Before Veracode, developers didn't know how they could develop secure software. After Veracode was implemented, developers knew when they wrote code that they could scan it in their IDEs. Also, while pushing a deployment, they can get feedback from the Pipeline Scan.

How was the initial setup?

The initial setup is straightforward. It took us three months to deploy the entire solution across all the squad at our site via Pipeline Scan as well as have the squads adopt it. If you are familiar with security, you can be up and running with the solution in a week's time.

Our implementation strategy was to give the Greenlight ID plugin to all the developers and enable the microservices. Then, we wanted to let the non-human account use the new unlimited account and all the source code. This has helped us in last year and a half, as we have over 150 microservices being scanned by the Veracode platform.

What about the implementation team?

Customer support was amazing during the evaluation phase.

What was our ROI?

The ROI seems good so far. The client is happy with what they invested in Veracode. Having our developers now think about security is also helping us out.

The solution has reduced the cost of AppSec a little bit for our organization through the automation of pentesting.

We have seen a 30 percent reduction in pentesting. Using Veracode, we can do faster releases.

What's my experience with pricing, setup cost, and licensing?

Veracode's price is high. I would like them to better optimize their pricing. 

Which other solutions did I evaluate?

Veracode's price is a little higher than other tools. However, they are the market leader.

Micro Focus Fortify doesn't have good APIs. Instead, they are relying on CLI. Whereas, Veracode is more API and DevSecOps friendly. Veracode's scanning time is better than Fortify's. 

What other advice do I have?

It is an excellent solution. I would recommend adopting it. If you come from a security background, Veracode is an easy solution. If you don't come from a security background, the adoption of Veracode will take a bit of time.

Veracode has been integrated with our IDEs. It has been also integrated with our DevOps CI/CD server, which is Bamboo, Jenkins, or GitLab CI/CD. It is all pretty neat and clean. 

I would rate this solution as a nine out of 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Veracode
August 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,349 professionals have used our research since 2012.
reviewer2131128 - PeerSpot reviewer
Application Security Engineer at a financial services firm with 1,001-5,000 employees
Real User
Issues are identified before go-live
Pros and Cons
  • "It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved."
  • "In the next release, I would like a proper way of packaging files for scanning and the packing of IOS apps and API Dynamic scan methodology."

What is our primary use case?

I'm a security practitioner and I use it for security and vulnerability scanning and assessments.

How has it helped my organization?

The main purpose of getting Veracode was to serve as a solution for scanning lines of code which was lacking in the organization. It has improved the quality of code being delivered for test and its vulnerability resolutions timeline has improved.

What is most valuable?

The static scan module is the most valuable. 

What needs improvement?

In the next release, I would like a proper way of packaging files for scanning and the packing of IOS apps and API Dynamic scan methodology. 

Also, there seem to be lots of false positives. This can be improved upon. 

For how long have I used the solution?

I've been using Veracode for about six months.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

It is scalable.

How are customer service and support?

The technical support has been quite helpful. I had a consultation yesterday and it was straightforward and explanatory. They seem to be okay. The customer rep helped resolve the issues observed. Although there were issues encountered which were not answered, I was referred to the support option on Veracode. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've used quite a few other solutions including SonarQube which is similar to Veracode. The challenge with SonarQube was financial, it charges per line of code while Veracode charges per application.

How was the initial setup?

Initially, the setup was complex for those who had not done solution integration. However, my team was able to pick up after the refresher course. 

What about the implementation team?

We implemented the solution in-house.

What was our ROI?

We've just concluded the onboarding this year. I can see improvement, but I can't really equate it to a monetary value. This will be determined by the financial team. 

What's my experience with pricing, setup cost, and licensing?

My advice to anyone considering Veracode will be to negotiate with the team directly and define what constitutes an additional application.  

Which other solutions did I evaluate?

We evaluated other options.

What other advice do I have?

The process of packaging scannable modules is not straightforward. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Calinescu Tudor - PeerSpot reviewer
Security Project Leader at ATOSS AG
Real User
Top 10
Helps provide an overview of all security problems we have in all our applications
Pros and Cons
  • "It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things."
  • "It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, "If you want to achieve this particular thing, you have to do steps 1, 2, and 3." Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture."

What is our primary use case?

We are using the static application security testing from Veracode and the Software Composition Analysis solution for the main product that we are developing. We don't use the Software Composition Analysis for checking license requirements, but only for finding problems in third-party dependencies.

How has it helped my organization?

It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things.

We also use a third-party dependency check from OWASP that is included in one of our other solutions. The Software Composition Analysis from Veracode is on top of that. It offers integration with the Veracode platform so that we can visualize all of these security problems at once. It is great to have an overview of all of the security problems that we have on all of our applications.

What is most valuable?

The most important thing that we have used Veracode for is the static application testing. That was our main target.

What needs improvement?

The UI is messy because it freezes sometimes and some of the UI components are blocked and I do not know why that is happening. It's not happening only to me. Colleagues have reported to me that they have this issue.

For how long have I used the solution?

We have been using Veracode for more than a year, but we have only been using the Software Composition Analysis for a few months.

What do I think about the stability of the solution?

We haven't run it often enough to check if it is stable or not.

How are customer service and support?

The support guys are good professionals. We have received valuable comments on proposals from their side. They are reliable partners and have good expertise.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We use various techniques to improve our security. We use an OWASP software application networking model to improve security in our different products. We use a number of native plugins to check licenses and vulnerabilities in the third-party libraries that are part of the application. We also have several plugins from SonarLint that are integrated in another tool that we use for quality assurance.

We put Veracode in place because we have an agreement with SAP and we must fulfill some security checks to become partners for their solution. Veracode's functionalities resolve all of the security checks that were demanded of us.

We use a different company for pen tests, three times per year, and it usually takes two or three weeks each time.

How was the initial setup?

There isn't much of an implementation. We upload binaries to the Veracode platform and they are scanned and processed according to certain policies and security requirements. Then we get the results.

We are working on implementing Veracode SCA with our biggest product.

We want to integrate the software composition analysis with our CI pipeline and we are working on it, but because of the size of the application we have encountered some difficulties, things we have to tackle technically.

It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, "If you want to achieve this particular thing, you have to do steps 1, 2, and 3." Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture. Hopefully, then, you can integrate it.

Regarding the recommendations provided by Veracode scanning engine, we have our own way of dealing with the software composition issues. We plan to change them, but not very soon because it was really hard to impose Veracode on our whole group and for all product lines, as Veracode is a relatively new technology for us. We have had it for one year, but the change has not been so easy. We will try to combine all of our strategies in the Veracode platform in the future.

What was our ROI?

We hope that we will have a successful integration in the near future and that it will bring major benefits, at least for the managers and the people who are responsible for analyzing the flows and for keeping security under control. The amount of management effort will be reduced at that point.

What's my experience with pricing, setup cost, and licensing?

For our company, the price is reasonable for the benefits that we get.

We paid for a one-year license. The contract was reasonable in terms of financial features. The pricing itself depends on the size of the company and on how much the company is willing to pay for these security extensions and how much the company is willing to invest in security in the first place.

What other advice do I have?

Veracode was rated by industry reviews as the top player in this field for static application security testing and SCA. My advice would be to investigate the market because it will give you an idea of what is the best and most cost-effective solution for your company.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Ajit Matthew - PeerSpot reviewer
Sr. Partner IT and Information Security at themathcompany
Real User
Easy to use, responsive technical support, and it provides levels of certification for compliance
Pros and Cons
  • "The Veracode technical support is very good. They are responsive and very knowledgeable."
  • "The training lab is not very user-friendly and takes a long time to set up."

What is our primary use case?

We use Veracode for static and dynamic code analysis, as well as software composition analysis (SCA). Using it ensures that our products are compliant, and it also provides an external method to assure our customers that our products are free from any flaws, or application security issues.

Our product resides on the Azure Cloud, and we have Veracode access it directly.

How has it helped my organization?

Using Veracode has helped to improve our organization in that we now have discipline in terms of periodically scanning our systems. We do this every six months, and it is done to meet our compliance requirements.

We are now at the point where it is integrated as part of our software lifecycle automation. I can't point to a particular example of how it has improved our product, although it has helped in terms of validating our product. Also, it has shown us the competency of our teams.

What is most valuable?

The certification levels are helpful. They are different levels where I think that five is the highest, and we are at level four. Having that badge and showing that we are compliant to that level helps one's reputation in the market.

The interface is easy to use.

What needs improvement?

The training lab is not very user-friendly and takes a long time to set up. This is an area that should be improved because we've not used it as much as we should have.

For how long have I used the solution?

We have been using Veracode for more than a year, since January 2021.

What do I think about the stability of the solution?

This is a pretty stable product. I would rate the stability an eight out of ten.

What do I think about the scalability of the solution?

I can't specifically speak to scalability because we only engage with them for a single product. However, I do think that scaling might be expensive and is probably something that needs to be negotiated.

How are customer service and support?

The Veracode technical support is very good. They are responsive and very knowledgeable. Every time we wanted to set up a meeting, they responded very quickly. In terms of the instructions that they provide, the details are very explicit and although there's a lot to refer to, we can get what we want fast. We don't get lost in what we need to look at.

I would rate the customer support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use another similar solution prior to Veracode.

How was the initial setup?

I was not heavily involved in the initial setup and deployment, although I understand that it was straightforward. We were able to start using it and scanning our code on day one.

It's all on the web, so there is not much to set up. We just have to configure the access so that the web tool can connect, and it takes it from there.

Except for the Lab component, we didn't have to keep contacting our Veracode account manager.

What about the implementation team?

We completed the deployment ourselves.

There were two people involved. The first was our IT person, and the second was a senior member of the engineering team. There is no maintenance required.

What was our ROI?

It's too early to say whether we have seen ROI because we're marketing our product and services to newer customers. We haven't had visibility from that perspective, yet.

What's my experience with pricing, setup cost, and licensing?

The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us. It's an expensive product but we are paying for quality.

Which other solutions did I evaluate?

We evaluated two or three different products before choosing Veracode. 

The reasons that we chose Veracode were their reputation and ease of use. Also, one of the senior people on the team had previous experience with it.

Another point is that their pre-sales team was very professional. Their discussions helped us in terms of getting to what we wanted.

What other advice do I have?

My advice for anybody who is looking into Veracode is that it's one of the very few solutions that can perform dynamic, static, and software composition analysis.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Prasenjit Roy - PeerSpot reviewer
Sr. Cloud Solution Architect - SAP on Azure at Accenture
Real User
The solution supports a broad range of code technologies and can analyze large applications
Pros and Cons
  • "Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode."
  • "While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode."

What is our primary use case?

I use Veracode for static and dynamic analysis.

What is most valuable?

Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode.

For how long have I used the solution?

I've been using Veracode for four or five years.

What do I think about the scalability of the solution?

We have about 230 users. 

How are customer service and support?

We've raised a few tickets with Veracode support. Sometimes, their frontline support can resolve the issue, but we may need to escalate it and get their global team involved. The problem is usually resolved in a couple of days. Overall, support is not a concern. It's fine.

How was the initial setup?

Veracode is an easy-to-use browser-based solution. It isn't a standalone product like Fortify, so there's no installation. You put in the credentials and start the scan. 

What's my experience with pricing, setup cost, and licensing?

While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode. 

Which other solutions did I evaluate?

Veracode and Micro Focus Fortify SSC are both making progress. Fortify's cloud-on-demand model is an improvement over the past. Both solutions handle the analysis part well, but Fortify needs to improve a lot of things. For one, Micro Focus Fortify hasn't been updated in a long time. They acquired the solution from HP long back, but I haven't seen much improvement. 

Veracode's browser-based solution doesn't have cloud-on-demand functionality. You only need to give consent once on Veracode's access URL, but Micro Focus requires another consent for Dynamic Application testing for WebInspect server, so we need to use SQL Server Express for the WebInspect server. 

We have some difficulties in a SQL Server because a client might not be able to install that in their environment. We may be able to install WebInspect, but we face some challenges dealing with SQL Server Express and other dependents. We have issues with those other supported plugins, libraries, or framework installation parts.

What other advice do I have?

I rate Veracode Static Analysis eight out of 10. I recommend Veracode over Micro Focus. Some companies prefer Micro Focus because they can get a discount and buy it for less than the market price. That's the only reason to use Micro Focus. Otherwise, I don't think Micro Focus can compete with Veracode.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Chris Sawyer - PeerSpot reviewer
Full Stack Engineer at TCDRS
Real User
Gives us peace of mind regarding our website's security environment
Pros and Cons
  • "The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use."
  • "I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."

What is our primary use case?

We have a website built on the Microsoft stack, with .NET. Veracode comes in and scans our code and, for the static side of it, we zip up the CS files and the JavaScript files, and upload them for scanning.

How has it helped my organization?

It gives us peace of mind regarding what our website's security environment looks like. It provides that quality check to make sure that we have as few vulnerabilities as possible.

What is most valuable?

The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use.

What needs improvement?

I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use.

Also, with the dynamic tool, sometimes a scan gets stuck and it can be hard to get a hold of the right person in a timely manner to find out why it got stuck and to get it unstuck, or to create a new one.

Overall, speed and customer support could be improved.

For how long have I used the solution?

I have been using Veracode at my current job for about two years and I used it at my previous job for at least six years or so.

What do I think about the stability of the solution?

It's very stable. It's very good that way. I haven't run into too many times where their website is down. Usually, it's just for maintenance and they'll let you know ahead of time.

What do I think about the scalability of the solution?

Since it's a cloud offering, we don't have to worry about its scalability.

We don't utilize our current offering to its fullest, so we don't have plans to expand use of it.

How are customer service and support?

Their technical support is pretty good. It depends on who you get. As I mentioned, sometimes it's hard to get an answer from them quickly about why a scan got stuck or what's going on with it. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I've used Checkmarx and IBM AppScan.

What was our ROI?

I don't know what ROI might be in terms of a dollar amount, but the peace of mind and quality it gives us, making sure we don't get hacked, are types of ROI.

Which other solutions did I evaluate?

The "gold star" goes to Veracode's dynamic scanning capabilities. I've used other static scanners that may be a little bit better than Veracode, but the dynamic is a lot faster and a lot easier to use. The other ones I have used can be very complex when setting up the scans.

What other advice do I have?

Veracode only has a cloud offering. You upload your binary files for static scanning, or you whitelist your IP and have them come in and scan your website. It doesn't require any maintenance on our end.

Overall, it's really good. It's a lot better than other offerings I've seen. The dynamic scanner works really well. The static scanner is still good, but it could be improved.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Anshuman Kishore - PeerSpot reviewer
Director Product Development at Mycom Osi
Real User
Top 20
Useful static analysis, scalable, but terminology confusing
Pros and Cons
  • "We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing."
  • "Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end."

What is most valuable?

We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing.

What needs improvement?

Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end.

Veracode Static Analysis should adapt and detect the vulnerability which is coming from customers.

For how long have I used the solution?

I have been using Veracode Static Analysis for one and a half years.

What do I think about the scalability of the solution?

Veracode Static Analysis is a scalable solution.

We have approximately 10 people using this solution in my organization. However, we do not use it daily.

Which solution did I use previously and why did I switch?

We previously used a free tool that is integrated into the Eclipse.

How was the initial setup?

The initial setup of Veracode Static Analysis is in the middle range of difficulty. We had some minor issues but we had some guidance and support. It took us approximately one month to scan all of the microservices.

What about the implementation team?

Our IT team did the implementation with support from the Veracode team. The Veracode team was very good.

What's my experience with pricing, setup cost, and licensing?

The price of Veracode Static Analysis is on the higher side.

What other advice do I have?

My advice to others would be to follow the instructions and they will not have any issues.

I rate Veracode Static Analysis a seven out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2025
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.