Information Technology at an insurance company with 51-200 employees
Give us insight into code without having to upload it, saving a lot of NDA paperwork
Pros and Cons
- "Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavily in using it."
- "It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code."
- "It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help."
What is our primary use case?
We test two mission-critical web applications (C# Web forms).
How has it helped my organization?
We used to revise code with free tools (like VCG) but they are not even in the same universe. Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavily in using it.
Also, from the very relevant results and issues that were pinpointed by Veracode, I can say that our customer security was greatly enhanced by its use.
What is most valuable?
It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code, but the source code never leaves your workstation; it is all client side, so no NDA is needed.
What needs improvement?
It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).
Buyer's Guide
Veracode
May 2025

Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No, we did not detect a single glitch or fault in a year. We once had a periodic maintenance activity on the Veracode platform during a deadline, but it was clearly announced in advance, so we just went around it and had no issues.
What do I think about the scalability of the solution?
No, you don’t have such concerns on Veracode. The process is really "launch and forget" (and wait for results).
How are customer service and support?
The team that assists us with it is just great, especially considering there is a language barrier for some of our employees. Veracode did its best to get those employees in the loop with the chance to attend the meeting, as well as with the aid of written English.
Which solution did I use previously and why did I switch?
VCG (Visual Code Grepper) but I am not even going to compare them. VCG is as good as they come, but Veracode is a different breed. An application went through VCG and we were pretty confident. Then, Veracode results just blew us out of our shoes.
How was the initial setup?
I manage the Veracode suite for my company, and I was personally walked through the various steps. Once I was up and running, we had another two-hour session to explain to us how a proper Veracode assessment should be planned (developers, code reviewers). As a result, I believe we have not only a pretty solid code review process up and running, but this was all provided to us at no additional cost.
What we felt is that the Veracode guys want to enjoy and use their solution first. They are not pushing to get consultancy time if that can be avoided. If you need consultancy time you can have it and the prices are convenient. We did not. All the help came at no additional cost.
What was our ROI?
It is difficult to assert, but it helps a lot with maintaining compliance with our main customers, and helps us to pinpoint some specific issues. The cost of not having Veracode would be pretty high for us.
What's my experience with pricing, setup cost, and licensing?
The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was.
The licensing is fair; it is time-limited (e.g. one year), but there is a size cap for every app. If your applications are big (due to third-party libraries, for example) you should discuss this beforehand and explore suitable agreements.
Which other solutions did I evaluate?
Competitors were evaluated but seemed, at once, too bloated or not relevant to all our specific requests. We were not interested in buying a product (such as a standalone program); rather, we were interested in getting a tool for creating a process, and Veracode is that.
What other advice do I have?
In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward to doing it, starting with the next app that gets developed from scratch.
CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost.
As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it and declare it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don’t need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage as much as you can.
I would recommend Veracode to anyone involved in high-risk environments.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
Scanning helps ensure our code is flaw-free, and remediation tools help developers track and manage flaws
Pros and Cons
- "The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws."
- "Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year."
What is our primary use case?
Application security management.
How has it helped my organization?
We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates on how those flaw remediations are going on.
Our customers have benefited by being able to have a little bit more assurance from us, from a trusted authority, that our code is properly flaw-free and remediated.
What is most valuable?
The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws.
We have been able to integrate Veracode through many of the IDEs that our developers use, using the Veracode APIs, or they've actually been doing this manually as part of their SDLC.
What needs improvement?
Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year.
That would probably be the biggest area, access to more granular data that we could pull and use on a regular basis. Better dashboards. That kind of information.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
It's stable, absolutely. They do regular maintenance schedules. Aside from that, I can't really think of a time where it has not been a stable product or unavailable.
What do I think about the scalability of the solution?
No issues with scalability.
How are customer service and technical support?
We engage their support teams quite often actually. Part of our licensing package is a good number of hours per month for our development teams to work with their support teams at Veracode, to help solve remediation issues, troubleshoot some of the flaws that they encounter or can't understand. Their support teams have been able to work with our development teams very well.
Which solution did I use previously and why did I switch?
We were not using a previous vendor prior to this. We've used other vendors like Nessus for pen testing. We still use those. Veracode was just more of an addition.
How was the initial setup?
The setup has been more of a phase-in approach, and it's been gradual. It's been kind of a "trial-by-fire" setup with a lot of our development teams because most of our development teams aren't used to doing this. So, it's been a trial, I guess more so on our side, to get the adoption going on. It's just part of training our team to actually know there's something they need to do on a regular basis.
What was our ROI?
Regarding any cost savings relating to code fixes since we implemented Veracode in our development process, I can't say I have that information off the top of my head.
What's my experience with pricing, setup cost, and licensing?
Just do your research. Make sure you're getting the best price on this. It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in. Then just see if it can work. Try and make sure you get the best price possible.
Which other solutions did I evaluate?
I was not part of the evaluation team on this, unfortunately. But I believe the other options were evaluated as well, but I don't have access to that information.
What other advice do I have?
In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half.
The advice I'd give is to look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now.
I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Project Manager at a tech vendor with 501-1,000 employees
We use scan results for training to increase sensitivity to security issues during development
Pros and Cons
- "Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines."
- "Because our application is large, it takes a long time to upload and scan."
What is our primary use case?
Static code scan.
How has it helped my organization?
We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are better trained, so we hope to see increased compliance with our security guidelines.
We do incorporate the suggested course of action from the Veracode report (AppSec best practices and guidance) in our best practices.
Also, our customers benefit from the fact that the application is more secure.
What is most valuable?
We use the results of the scan to identify vulnerabilities in the product.
What needs improvement?
Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
Because our application is large, it takes a long time to upload and scan.
How are customer service and technical support?
Based on limited usage, we are satisfied.
Which solution did I use previously and why did I switch?
We did not have a previous solution. We picked this product because our partner (SAP) uses it.
How was the initial setup?
Straightforward.
What was our ROI?
There are no directly measurable cost savings. We see security improvement as a key part of our product development.
What other advice do I have?
When asked, we let our customers and partners know that we use Veracode and that we are happy with it.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
Allows us to streamline identification of vulnerabilities and quickly address them
Pros and Cons
- "When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them."
- "Code analysis tool to help identify code issues before they are entered into production."
- "Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production."
- "Developer Sandboxes help move scanning earlier within the SDLC."
- "The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes."
- "The Greenlight product that integrates into the IDE is not available for PHP, which is our primary language."
What is our primary use case?
Static code analysis for internally developed critical systems.
How has it helped my organization?
When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them. This has also led to better overall code quality for the team, by pointing out some dated practices that needed updating.
We have required that our critical systems pass a Veracode scan prior to code being deployed into production. We also have included a step in the development stage to run specific code through a Veracode Sandbox to encourage better code quality, early on in the development lifecycle.
Veracode has helped us meet the requirements of our yearly external audits and has improved code quality, leading to less down time and less buggy code that users will encounter.
What is most valuable?
- Code analysis tool to help identify code issues before they are entered into production.
- Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production.
- Developer Sandboxes help move scanning earlier within the SDLC.
- The platform itself has a lot of AppSec best practices information, especially in the mitigation recommendation process. They have also offered cybersecurity e-learning for our team.
What needs improvement?
The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes.
Also the Greenlight product that integrates into the IDE is not available for PHP, which is our primary language.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
No issues with scalability.
How are customer service and technical support?
We have rarely needed to use tech support, and when we have it has performed as expected.
How was the initial setup?
Straightforward. Just add the applications in the portal and start scanning.
What was our ROI?
We don’t have the metrics to track specific dollars, but Veracode has saved us the cost of hundreds of employee hours by streamlining our vulnerability discovery process in legacy code, and by improving the quality of code released into production.
As we support our organization's customer-facing digital channels by writing higher quality code, we have reduced the number of bugs or downtime a user experiences using our systems. This saves in employee time and also increases engagement with our digital channels.
What's my experience with pricing, setup cost, and licensing?
Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need.
Which other solutions did I evaluate?
Yes, but too long ago to remember which ones.
What other advice do I have?
I would definitely recommend CA Veracode.
Just make sure you define a process for your developers prior to implementing the technology.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
CISSP, CISM at a tech services company with 1,001-5,000 employees
SAST, DAST, and Greenlight point out potentially insecure coding and how to fix it
Pros and Cons
- "For our rapid, secure DevOps cycle, we have integration of the Veracode API into our build tool, and Greenlight into our IDE."
- "It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo."
- "It would help to have more training for developers to help them set it up."
What is our primary use case?
We use it for a lot of things and they're all primary: SAST, DAST, and Greenlight.
How has it helped my organization?
By using this product, we can point out not only any potentially insecure coding, but how to fix it. It's a requirement, a legal requirement. So we benefit by not breaking regulatory law.
What is most valuable?
SAST, DAST, and Greenlight are the most important features because today it's important for our regulatory compliance law to keep our product coding relatively secure.
For our rapid, secure DevOps cycle, we have integration of the Veracode API into our build tool, and Greenlight into our IDE.
What needs improvement?
I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo. I think that's a really good idea.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
No issues with scalability, other than making sure that our people know how to use it.
How are customer service and technical support?
Excellent.
Which solution did I use previously and why did I switch?
Never. I've been using it for 20 years. I tried others, like HPE's and IBM's, when I was with Visa, but this is the best.
How was the initial setup?
I think it's simple, but sometimes it would help to have more training for developers to help them set it up.
What was our ROI?
I can't give you exact numbers, but it's a lot cheaper to do it sooner rather than later.
What's my experience with pricing, setup cost, and licensing?
Pricing is worth the value.
Which other solutions did I evaluate?
They didn't have products before this one. This one pre-dated them.
What other advice do I have?
I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion.
We are a good customer and we have been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
VP of Services at a tech vendor with 51-200 employees
We're much more security conscious when writing code, to meet the benchmarks it gives us
Pros and Cons
- "We use it to get our scan results and see where our software is vulnerable or not vulnerable."
- "The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."
What is our primary use case?
Dynamic and static scanning.
How has it helped my organization?
We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle.
In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules.
Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.
What is most valuable?
The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable.
It's part of our SDLC now.
What needs improvement?
The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
Not that I know of.
How are customer service and technical support?
I have not contacted tech support.
How was the initial setup?
It seemed straightforward. I didn't actually do the work, but from what I was told, it seemed like it was fairly easy to get going.
What was our ROI?
I cannot give numbers on any cost savings related to code fixes since implementing CA Veracode in our development process.
What's my experience with pricing, setup cost, and licensing?
It's worth the value.
Which other solutions did I evaluate?
We did evaluate other options, but I can't remember who we looked at.
What other advice do I have?
I would be highly likely to recommend working with CA Veracode to colleagues.
I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do.
Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director Software Engineering at a tech services company with 51-200 employees
We release with both static and dynamic scans, and mitigation of the flaws identified
Pros and Cons
- "All the features provided by Veracode are valuable, including static scan, dynamic scan, and MPT (Manual Penetration Testing)."
- "We use Ruby on Rails and we still don't have any support for that from Veracode."
- "The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity."
What is our primary use case?
To have a third-party analyze our code and make recommendations from a security perspective.
How has it helped my organization?
We do not pass our release without performing a static and a dynamic scan, and mitigating the flaws identified.
In terms of how our customers have benefited from the added application security of our applications, they are aware of our development process and it makes them comfortable that we have implemented industry best practices.
What is most valuable?
All the features provided by Veracode are valuable.
What needs improvement?
We use Ruby on Rails and we still don't have any support for that from Veracode.
The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
No issues with scalability.
How are customer service and technical support?
The support is good but has room for improvement. Issues don't get acknowledged quickly; repeated updating is required.
What was our ROI?
The cost savings are the efforts that it would take to do this at a stretch if this was not implemented early on in our development cycle.
What's my experience with pricing, setup cost, and licensing?
I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform.
Which other solutions did I evaluate?
WhiteHat.
What other advice do I have?
We have made process changes and improvements, although Veracode is not tightly integrated into our CI/CD platform yet.
I am very likely to recommend to colleagues that they work with CA Veracode.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Application & Product Security Manager at an insurance company with 1,001-5,000 employees
Allows us to integrate with it through automated processes, but needs better APIs
Pros and Cons
- "Also, our customers benefited from the added security assurance of our applications, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester."
- "Static analysis scanning engine is a key feature."
- "It needs better APIs, reporting that I can easily query through the APIs and, preferably, a license model that I can predict."
What is our primary use case?
Static analysis.
How has it helped my organization?
It has allowed us to integrate with it through automated processes, which saves us a lot of time and effort.
Also, our customers benefited from the added application security assurance of our software, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester.
What is most valuable?
Static analysis scanning engine, because we need to do static analysis; that’s why we bought the product.
What needs improvement?
- Better APIs
- Reporting that I can easily query through the APIs
- Preferably, a license model that I can predict
It would save us time when integrating with the APIs. Difficult APIs are annoying to work with and we have to trial/error our way through the integrations. The more straightforward and friendly they are, the less we have to trial/error.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No issues with stability.
What do I think about the scalability of the solution?
Aside from the licensing, no issues with scalability.
How are customer service and technical support?
Good.
Which solution did I use previously and why did I switch?
IBM Security App Scan. In looking at Veracode vs IBM Security App Scan, I switched because of the CI/CD offerings of Veracode.
How was the initial setup?
The APIs are a bit nonsensical, but otherwise straightforward.
What was our ROI?
It has not really resulted in any cost savings related to code fixes.
What's my experience with pricing, setup cost, and licensing?
The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune.
Which other solutions did I evaluate?
IBM, Coverity.
What other advice do I have?
Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that.
The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides.
In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front.
It depends on the use case and budget, but I would recommend CA Veracode to colleagues.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.