Try our new research platform with insights from 80,000+ expert users
SumalyaGuha - PeerSpot reviewer
Security Engineer at a comms service provider with 10,001+ employees
Real User
Gives us a good single pane of glass where developers and security professionals can manage and remediate flaws
Pros and Cons
  • "In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production."
  • "Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part."

What is our primary use case?

We use Veracode for static code analysis, dynamic code analysis, and software composition analysis. In our organization, we have a bunch of applications that are running on a monorepo or microservice level. We have to do SAST on those applications so that we have a code review done on a bit level. 

Going forward through the application pipeline, we do it on the dynamic level, as well, where we are scanning the public URLs of those applications to see what people can see externally. It's a type of out-to-in scanning in which we are analyzing the traffic that is sent out and even the traffic that is coming in, the response and request headers of the URLs, whenever someone is at a single URL. 

Finally, for the software composition, Veracode uses a third-party analysis tool in which it has the libraries and the functions that are being used at a source code level. They are open source or dependent files that are used for building that in-house application.

How has it helped my organization?

As a company, we have moved from using contractors and third-party consulting companies to creating our software through more of an in-house model. We are moving more into the DevOps realm with more of our own teams developing our software. Veracode fits that DevSecOps ideology. It is definitely helping us build more secure software than we previously had.

We have a bunch of applications into which we have integrated Veracode and we have seen that, in the final phase of production delivery, there are fewer vulnerabilities than we used to have.

And because Veracode has remediation and tracking within the platform, it becomes a good single pane of glass where the developers and the security professionals can operate and govern the flaws in the software. And they can take the necessary steps to remediate them.

In the metrics that we generate every month, we have seen the numbers go up with respect to remediation as well as the number of flaws that we catch. The word is spreading, and more and more application teams are using the static code analysis tool inside their pipelines. Overall, we are moving from reactive mode to proactive mode in remediating vulnerabilities through Veracode.

Veracode also helps our developers save time, in the big picture, compared to a situation without Veracode. Let's say there is an application on which no static analysis was done and the audit team says, "Hey, you don't have any static code analysis in your pipelines. You need to do something about that." They could scan the code that is already running in production and find flaws, but those flaws would take a lot more effort, time, and resources to mitigate compared to if they had been detected in a static analysis prior to the code going into production. In that way, it has definitely saved time. But if we are talking about short-term planning for sprints, it takes a little more time than usual because security is coming into the picture, as well. But overall, it helps save time.

Our security posture has gotten better since 2020. It takes time to do the integration of the platform and educate people about how to use Veracode, and then move on to remediating and validating things. But the journey that we had with Veracode has definitely helped us a lot, overall, with respect to bettering our security posture.

What is most valuable?

The static analysis is the most valuable aspect for us.

It also has the ability to block a build. In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production. But the best case that I have found for blocking builds is in the staging area. You don't really want any blocking done on the production environment because there are business SLAs that the enterprise has to fulfill. The best case would be blocking the builds in the staging phase, the pre-production environment, so that everything is taken care of before it is pushed to production.

There are three integration points for Veracode. One is the IDE plugin. Whenever a developer is writing code on their IDE platform plugin for Veracode—whether IntelliJ or Visual Studio, et cetera—it tells them if that piece of code has any vulnerabilities and if there is a better way to write the code.

The next point is the pipeline integration in which, whenever a build is getting pushed from a standalone branch to the main branch, a scan is done on that commit to see if there are any vulnerabilities.

Finally, when the build is published with the whole module, it can do another scan, as well. These three scans have their own pros and cons. The policy scan, which is a build scan, does the scanning on an overall basis with regard to the different standards out there, like OS and Spin5. It scans the first-party and third-party code, which is the most holistic scan that there can be. But the point is that it scans at three different integration points or stages, so it helps developers to remediate their vulnerabilities before they have moved far in the pipeline. Shift-left is definitely possible through Veracode.

What needs improvement?

Veracode's false positive rate is a little toward the higher side. We understand that Veracode doesn't have the business context. I advocate that people look at their code, even though there is a vulnerability, to see exactly what it is. For example, a randomize function is being used to create an ID that is not being hashed. Veracode marks it as a false positive because it doesn't know if the ID is being used for cookie generation or some random ID in the log generator. We, as dev or sec people, have to go in there and analyze what the ID is being used for. But the false positive rate is definitely a little bit on the higher side.

The effect of the false positive rate on developers' confidence in the solution depends on the maturity level of that particular application team with respect to learning Veracode. In the initial stages, obviously, when developers see that, whenever they're writing code or pushing a build, there are a bunch of vulnerabilities, it may affect their confidence. But a couple of months or a couple of quarters down the line, when those same developers have already used Veracode and have raised their maturity level from one to at least three, it doesn't really affect them because they know that they have to go in there and check the vulnerabilities for themselves to determine if it's a false positive or a real vulnerability.

It has definitely taken a little more time to validate the false positives, but I would say there are a lot of true positives, as well, which have been remediated and which have been mitigated for the betterment of the security posture. But it has definitely taken a little more time to mark or validate those positives. Hence, I definitely advocate that people shift a little more to the left. They should do ID and pipeline scanning before they hit policy scanning because, with ID and pipeline scanning, you scan small chunks of code. You remediate that code faster, before it goes to the whole package and there's a bunch that you have to deal with.

Also, container security is slowly becoming a prevalent part of the development realm. Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part.

In addition, there is a new concept out there, the IAST, which is interactive assessment security testing. It is a little more proactive than SAST. So if Veracode can combine that feature with their current technology, they would definitely be a front-runner again for the next five to six years.

Buyer's Guide
Veracode
August 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
866,744 professionals have used our research since 2012.

For how long have I used the solution?

I've been using Veracode for the last three and a half years.

What do I think about the stability of the solution?

Once or twice a month there is maintenance on the Veracode side because they're updating some signature in their database or something else. I have seen maintenance coming up, but it's not an issue because the pipelines and integrations that we are running keep on running in the background. It's just the GUI that we are not able to access at that particular time.

What do I think about the scalability of the solution?

It's pretty scalable if our enterprise has the licenses for scaling the applications. I haven't faced any issues with regard to scalability, apart from licensing, of course.

How are customer service and support?

We have contacted Veracode's tech support a bunch of times. The only downside is the time needed to schedule a consultation call with the pro services team, keeping in mind that enterprises need to buy pro services licenses before they can use it.

When someone is scheduling a meeting with them, the issue type should be as precise as possible. In that way, they can rope in the exact SME for that particular topic, because in the development realm there are so many languages and so many types of issues out there. There are different personnel for each of those categories. So the more precise the details are for the meeting, the better the SME will be for that particular consultation.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have only used Veracode, right from the start.

How was the initial setup?

The initial setup was pretty straightforward. They have a SaaS solution and there are a bunch of API integrations that made it pretty straightforward.

As for maintenance, all the upgrades and updates are done on Veracode's side. But there is a wrapper. When we are doing the integration, there is a package that we use to upload the files in Veracode. Sometimes there is a new release for that package and we have to update it in the GitLab repo. That's the only maintenance we need to do.

What's my experience with pricing, setup cost, and licensing?

They have made it worth the price with the kind of discount and the kinds of modifications they made for us with regard to licensing. Previously, it was per profile. But they have adjusted according to our requirements because we are a big company and we handle a lot of applications. There's a tiered discount that they have provided us, so the cost is justified.

If someone looking at Veracode is concerned about the price, it depends on their requirements. I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing. Obviously, there are other cutting-edge solutions that have become available recently, but Veracode is something that a big organization should look at.

What other advice do I have?

When it comes to managing risks, we use the remediation feature that Veracode has. Whenever there is a flaw, we do have tickets open up for it and the application owner or the developer goes through the vulnerabilities. There are times when the vulnerability is a false positive and you can mark it as such within the Veracode platform itself. And we, as security professionals, do the validation for whether the business justification is good or not. And we either have a source code review for the vulnerability or have an exception open up for the remediation step that the application or the owner is asking for. We do risks via the platform, as well as through the ticketing tool that we use.

We are also using SBOM (Software Bill of Materials) for inventing all the different kinds of modules and libraries that we are using for an application. Using the SBOM feature, you would have to leverage the API to get the inventory from the API calls that Veracode has. But in our organization, we use the GUI report generation more than the SBOM report because there is an executive summary in the GUI report with regard to first-party and third-party flaws. It also has the mitigation steps. SBOM would only give you the list of softwares, libraries, and versions that are being used. It is not as detailed as the GUI report that Veracode provides.

Things to consider when looking at Veracode include the different integration points where you want to integrate Veracode, how big your organization is, and how many applications you want to do security analysis on. If it's a big organization, Veracode is obviously a solution to evaluate, but for a small organization, below 500 apps, it might be a little pricey. Also, you will need a couple of Veracode champions on your team who know it inside out. You will need training provided by Veracode, so make sure that is included during the procurement stage. That will help you implement the tool within your organization faster and much more efficiently.

I would have given Veracode a nine out of 10 a couple of years back, but given the tools that are coming out on the market, and the scope of development, which is increasing, I would place it at eight.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Zach Handzlik - PeerSpot reviewer
Release Manager/Scrum Master at Amtech Software
Real User
Is easy to install, has low false-positive rates, and saves time with continuous integration
Pros and Cons
  • "Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention."
  • "I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."

What is our primary use case?

We use it primarily for our application security concerns. We use the dynamic, static, and SCA scanning tools. We run our static scans after the code is compiled, and that gets uploaded automatically through our DevOps tool. We have installed an agent in one of our cloud servers that is behind a firewall to run the dynamic scan against the runtime. We run our SCA scans when we do the static scans, which is after compilation.

How has it helped my organization?

Prior to using Veracode, we hadn't really looked into security features or thought about security in the same way that we have since we started using Veracode. We were focused on what you hear about in the news, such as making sure that it is HTTPS secured. We hadn't really dug into the nitty gritty of application security and scanning our source code, running it against a runtime environment, and looking at the actual third-party solutions that we integrate or use in our code. Veracode has helped with our mindset as an organization to start thinking about things more securely by design rather than as a reactive measure. We're being more proactive with security.

What is most valuable?

Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention.

We feel very confident about Veracode's ability to prevent vulnerable code from going into production. Having the stamp of approval helps not only from a marketability standpoint but also from an overall good feeling within the organization that we're doing our part to help keep our code free from vulnerabilities.

This solution provides visibility into application status at every phase of development. It goes from compiling the code all the way to running it in production. It covers all major aspects of the SDLC. We run static scans and SCA scans early on in the process to make sure that we catch any code that is insecure by design. If we are able to catch it earlier on, before it's actually out in the production environment, it reduces costs. The dynamic scans are run further along in our QA process. That is, once we've deployed the code and have it in a runtime environment, we run weekly scans in a dynamic environment against the code runtime to make sure that there aren't any new vulnerabilities that got introduced. We are looking at doing manual penetration testing in 2023, where we would be using a spinoff of the code that was released to the customers to make sure that there aren't any holes through which a nefarious actor could get in and exploit what was built.

Veracode's false-positive rate is low. The few instances when it looked like there were false positives, the issues were found to be either true vulnerabilities or things that were that way by design. If a developer thought that there would be a ton of false positives when using the tool, it would then diminish the value of actually using the tool. Veracode touts itself as being a tool with the lowest false-positive rate in the market. It gives inherent confidence in the tool itself, and developers are more inclined to think that if it found something, it's pretty likely that it is not a false positive. They would then work to prove it wrong rather than discounting it without even looking into it.

We haven't really found many false positives with static analysis, and there hasn't been a significant impact on our time and cost related to tuning, leveraging data, and machine learning.

Continuous integration linking definitely saves a lot of time because it takes away the step where a developer needs to manually upload the code every time to do a scan. It can run in the background, and having the Visual Studio plugin includes it directly in the development environment. If developers do get assigned a bug that they need to fix, they can pull it right up in their development environment and not have to log in to the portal. It will all be right there.

I'm primarily the one who has been involved in DevSecOps, and Veracode has definitely reduced my time. If we had gone with a conglomeration of open-source tools, it would've taken me a ton more time. Whereas with Veracode, all the documentation is out there, and I'm able to integrate everything that I need from a usability standpoint. I don't have to learn a new tool every time I need to integrate a new security scanning option. It has helped me tremendously and has saved me a lot of time.

What needs improvement?

I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning.

If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously.

For how long have I used the solution?

I've been using Veracode for a little over a year now.

What do I think about the stability of the solution?

I haven't had any stability issues, bugs, or glitches.

What do I think about the scalability of the solution?

The scalability is really good. I recently added to the solution some new applications that I learned about late in the game. There were probably 10 that I had to add in rapid succession and scan as well. It was very quick and painless.

How are customer service and support?

Veracode's technical support is very responsive, and I've heard back within 24 hours regarding a couple of issues I've entered. We have actual consulting calls, which are a scheduled event, and I like the way they handle those as well. I have nothing but good things to say about them and give them a rating of ten out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

I was involved with the initial setup of Veracode, and it was straightforward. We had a third-party vendor who was evaluating it, so a little bit of the setup was done. However, adding a new application to the tool is easy and self-explanatory. It doesn't take much time at all, and the documentation is out there if we need to look up anything.

What about the implementation team?

We implemented it with the help of a third-party vendor. They had two people on their team who were working on the deployment along with me. My responsibilities included adding all of our software to the tool to run scans against it, integrating it with our DevOps solution, discussing the tool itself with internal stakeholders as to how they can use it and showing programmers how to use the tool from an internal adoption standpoint.

What's my experience with pricing, setup cost, and licensing?

I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution.

Which other solutions did I evaluate?

We evaluated a couple of open-source tools such as Snyk and SonarQube against Veracode with the help of a third-party vendor. We didn't use any of those and landed on Veracode because of the Veracode Verified seal. This, along with Veracode being the market leader, gave Veracode an edge over the others.

The main difference between Veracode and the solutions we evaluated is that Veracode is an all-in-one solution. Though an open-source solution would've been more cost-effective, we would've had to use a bunch of different tools. It would have required more knowledge to do the integration piece and would've taken a lot more time and effort. There would have been invisible costs associated with it just by the virtue of time. In comparison, Veracode's dynamic scan, static scan, and software composition analysis are all in one place.

What other advice do I have?

My advice would be to look at the open source tools out there and see how far along you are in your security journey and what your needs are. If you're looking for the best in the market, Veracode is a great option, as far as paid solutions go, because it's a one-stop shop. If you have more time at your disposal and you don't mind integrating some solutions, then I'd recommend an open-source tool. However, if you have the resources, I would definitely recommend going for Veracode.

On a scale from one to ten, I would rate Veracode at nine.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Veracode
August 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
866,744 professionals have used our research since 2012.
Everton Yoshitani - PeerSpot reviewer
VP of Engineering at Resola Inc
Real User
Top 20
I like the ease of integration and onboarding
Pros and Cons
  • "I like Veracode's ease of integration and onboarding. You can quickly and easily get started with a new project or application. That's one area where Veracode shines relative to other tools we've evaluated. Other tools need more work or an engineer to do the setup. With Veracode, you can do the onboarding in a few steps quickly."
  • "When Veracode updates the pool of tests and security checks, it could be a little more transparent about what it is releasing. It's not clear what it's adding. They do thousands of checks, and when they add more, there aren't many details about what the new tests are doing."

What is our primary use case?

Veracode is a DAST solution that we use for automated security scans of our APIs and front end. We perform daily scans of our applications so we can act on the results quickly instead of routine security audits that we might do yearly or quarterly. It's a complement to the standard penetration test suite.

How has it helped my organization?

Veracode helps us improve our overall security and build trust with our customers. For example, some of our customers have strict security requirements, and they need us to use more products. It helps our business by building confidence in our products' security. Veracode improves our sales and helps us secure contracts because we can demonstrate what we are doing to the clients. 

We can use it in our dev environment to detect issues early before they get into production. It saves time equivalent to one full-time security engineer. We have around 60 people on the team, but we don't need a security engineer. Our regular engineers can fix the issues themselves based on Veracode's report. 

What is most valuable?

I like Veracode's ease of integration and onboarding. You can quickly and easily get started with a new project or application. That's one area where Veracode shines relative to other tools we've evaluated. Other tools need more work or an engineer to do the setup. With Veracode, you can do the onboarding in a few steps quickly. 

Another beneficial feature is Veracode's reporting. The report not only outlines the security issues in detail but also offers some solutions. Even if one of our backend engineers isn't specialized in security, they can still fix the issue solely based on the suggestions in the report. 

What needs improvement?

When Veracode updates the pool of tests and security checks, it could be a little more transparent about what it is releasing. It's not clear what it's adding. They do thousands of checks, and when they add more, there aren't many details about what the new tests are doing. 

For how long have I used the solution?

I have used Veracode for 2 years.

What do I think about the stability of the solution?

I rate Veracode 10 out of 10 for stability.

How are customer service and support?

I rate Veracode support 8 out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Veracode is the first tool we purchased specifically for DAST testing. We we use altered secure tools, and we used to do penetration test, but using people. Right? Not not automated.

How was the initial setup?

Deploying Veracode was straightforward. There weren't many steps. We needed to prepare our API specifications and set up our system. 

What's my experience with pricing, setup cost, and licensing?

The price is worth it. You have to consider the cost versus the security Veracode provides. It's also cheaper than the other solutions we considered. 

What other advice do I have?

I rate Veracode 9 out of 10. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jagusztin Laszlo - PeerSpot reviewer
Lead Architect, Presales lead at Alerant Zrt.
Real User
Top 10
Used for legacy software audits and allows us to audit the software without the source code
Pros and Cons
  • "The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code."
  • "Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects."

What is our primary use case?

We use Veracode mainly for legacy software audits.

What is most valuable?

The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code. Veracode's most valuable feature is the verified vulnerability database, and we can do a full software audit at our company, including all of the systems.

What needs improvement?

Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects.

With the solution's security audit feature, an enterprise should be able to cover all of its applications with the desktops. Veracode is simply too expensive for that. If you know about the price of a web application, and if you multiply it by 1,000, the return on investment doesn't work. It's okay for one or two projects running very fast, but it doesn't work for all the legacies. So, it's a huge amount of money.

There should be some lighter tool that allows you to do some audit scanned one time. Only ten percent of the applications are actively developed. About 90% of the other applications have no projects or budgets, but we are still vulnerable. It is too much if you buy it for all of that.

For how long have I used the solution?

I have been using Veracode for three years.

What do I think about the stability of the solution?

Veracode is a completely stable solution, and we had no problems with its stability. The solution was a bit slow, but it was stable.

What do I think about the scalability of the solution?

We didn’t face any issues with the solution’s scalability.

How are customer service and support?

We know only one person from Veracode, and he supported us when we had issues, and he was able to solve everything.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have previously used Checkmarx. Veracode's pricing is cheaper than Checkmarx, and it has some unique features like binary scan. In Hungary, Checkmarx is installed more than Veracode.

How was the initial setup?

The solution’s initial setup was very easy. Only one or two people are needed for the initial setup of the solution.

What's my experience with pricing, setup cost, and licensing?

Veracode is a very expensive product.

What other advice do I have?

Veracode can list a lot of vulnerabilities, but processing all of them is a time- and resource-intensive process. I think Veracode has no innovative features because a lot of other software can do that. In our opinion, innovative features are a commodity with Veracode, but they are doing a good job.

The solution's ability to provide visibility into application status at every phase of development is valuable. It can be faster, but it can also slow down because our backlog may be much longer. There will be a lot of vulnerabilities or false positives that have to be processed. So, it is not black and white, but it is safer. Veracode has helped our developers save time.

Veracode has had a very low impact on our organization’s overall security posture because it is a very expensive product. An enterprise with 1,000 applications uses the solution for one or two applications. Veracode does not need any maintenance because it's cloud-based.

Veracode is very important to our organization’s shift-left security strategy when we have a project with enough sources to provide the license. I use Veracode’s cloud version. The return on investment with Veracode is good for one or two mission-critical projects running in the company. For other things, users should use open-source solutions or much cheaper products like SonarQube that are not as good as Veracode.

The fact that Veracode scans only binary code and doesn't scan source code concerns me sometimes. Sometimes, we have to do some source repository audits. We cannot use Veracode for source repository audits because it scans only binary code. I would recommend Veracode to other users.

Overall, I rate the solution ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Ujjwal Sachdeva - PeerSpot reviewer
Data scientist at Advarisk
Real User
Top 5
Identifies bugs before deployment in the software-side cycle process
Pros and Cons
  • "The integration capabilities with our existing development tools are very good."
  • "The solution does take a bit more time when we use it for multiple processes."

What is our primary use case?

We use the solution for identifying bugs before deployment in the software-side cycle process.

It can be integrated with our CL and CDProp pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.

How has it helped my organization?

We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.

What is most valuable?

The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.

The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.

The dynamic analytics is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitor.

Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.

We use the free access to VeriCloud's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendors. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.

We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process. 

The solution's policy reporting for insurance compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration. It significantly helps us to reduce the time that we have to manually fix the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.

Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.

The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three. 

The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.

What needs improvement?

The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes. 

For how long have I used the solution?

I have been using the solution for six months.

What do I think about the stability of the solution?

The solution is very stable. We haven't come across any bugs. 

What do I think about the scalability of the solution?

Our security team of three uses the solution. 

It's great for scaling. We can use it on multiple projects which involve multiple security flows.

How are customer service and support?

Technical support has been very fast and efficient. The team helps us at every phase of the development cycle. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use a different solution. Previously, we relied on manual testing. 

How was the initial setup?

We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.

We don't require any maintenance.

What was our ROI?

Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.

What's my experience with pricing, setup cost, and licensing?

The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes. 

Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.  

If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case. 

What other advice do I have?

I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.

I'd rate the solution ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Security Analyst at a tech services company with 11-50 employees
Reseller
Top 10
An easy-to-use tool with a helpful community and an efficient technical support team
Pros and Cons
  • "The SAST and DAST modules are great."
  • "It will be beneficial for developers if Veracode Greenlight includes Python."

What is our primary use case?

The solution is used for performing application security processes like source code assessment, dynamic assessment, and SCA.

How has it helped my organization?

We sell the product to our customers. We are a vendor.

What is most valuable?

The SAST and DAST modules are great. The scanning part is also good. It’s pretty easy and convenient to use. Everything is described within the product. Almost everything is available in the community and the guidelines.

What needs improvement?

Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.

For how long have I used the solution?

I have been using the solution for almost one year.

What do I think about the stability of the solution?

The tool is stable.

What do I think about the scalability of the solution?

The scalability of the product depends upon the pricing. The price is a bit high for a small company. It is suitable for a large company.

How are customer service and support?

Support is very good. The support team resolves some issues within 24 hours.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I tried a few solutions before using Veracode. Veracode is better because it is convenient to use. The solution’s dashboard and features are pretty good. It is the topmost product among the other tools that I used. It is pretty simplified. Veracode has a lot of options to do authenticated scans. Veracode’s simplified features are helpful for people who use different authentication methodologies.

How was the initial setup?

We are using the SaaS version of the solution. The initial deployment was pretty easy. The CI/CD pipeline has a lot of dependencies, like connecting with Jenkins and Jira. If we directly upload the code to the cloud, we can deploy the product within a single day. If we do it in the CI/CD pipeline, it will take some time.

What about the implementation team?

One person can deploy the product. I haven’t had any maintenance-related issues with the solution. Whatever new vulnerabilities come, they are already updated in the database. Since we are a partner, it will be helpful if Veracode notifies us whenever it releases the vulnerability reports. We cannot always check the portal.

What's my experience with pricing, setup cost, and licensing?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.

What other advice do I have?

Veracode provides policy reporting to ensure compliance with industry standards and regulations. It is beneficial. The product also provides features to create custom policies. Most false-positives cases come under DAST. The false positives depend on the code. Veracode provides around 5% false positives.

The solution shows the vulnerabilities in the code and provides generic remediations for it. We must then search it on Google. The product’s community is also good. Sometimes, the product provides solutions in the community. These solutions work well on the production level.

I have also used the SCA features which help with identifying vulnerabilities in applications's third-party components. The Veracode user interface is so convenient and easy to use. Anyone can run a scan and generate a report easily.

The solution provides absolute visibility into application status at every phase of development. The users can get visibility through the CI/CD pipeline. The time taken to complete the scans depends on how much code is present in a specific application and how big the application is.

Veracode introduced a new module named Veracode Fix, which automates the fixes for insecure software with AI-generated secure code suggestions where the developer does not have to spend time searching and remediating the vulnerabilities. The developer does not have to spend time searching for vulnerabilities. Sometimes, the tool gives a generic recommendation, sometimes specific recommendations. It will be helpful if it always provides specific recommendations. The amount of time saved hinges on factors such as code complexity, the programming language employed, and the developer's proficiency in secure coding. If anyone uses Veracode throughout the entire process of building an application, from the start of development to the final production stage, can result in a time savings of around 30% to 40% when leveraging various security measures of the platform.

Veracode has had a good impact on our organization’s overall security posture. If we choose to take the complete Veracode module, we can have security from the initial step to the production phase. 

I will recommend others to implement the solution. Veracode is in the Gartner Magic Quadrant. It is doing a good job.

Overall, I rate the product a nine out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Geofrey Mutabazi - PeerSpot reviewer
Founder at a manufacturing company with 1-10 employees
Real User
Has been a time-saver for our developers by enabling those with different programming languages and skills to collaborate, but is expensive
Pros and Cons
  • "I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well."
  • "Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."

What is our primary use case?

I have implemented Veracode for both static and dynamic analysis to minimize errors in my application and avoid the need for manual reviews. This enables us to create a risk-free application in the code. Additionally, I utilize external libraries and licensing to accelerate the process of identifying vulnerabilities in my software development. This helps me and the development team to provide comprehensive information about the code.

How has it helped my organization?

Veracode's capability to prevent the deployment of vulnerable code is impressive. It allows for quick detection of defects during the development cycle, leading to faster release of improved code, and ultimately ensuring that our product is free of vulnerabilities. This feature is a great advantage for our organization.

SBOM is beneficial as it enables us to verify software licensing through static scanning. This helps ensure that the product we provide in the market is compliant with industry standards and user needs. In my opinion, this is a fantastic feature.

Creating a report is easy when using a sample template that we can relate to. If we know what kind of data we want to include and how we want it to be presented, the process of creating a report can be completed quickly.

The main advantage of using Veracode is the assurance that we are developing stable, secure, and fast solutions that are free of risks. This provides us with a clear picture of our progress toward our goals. Veracode helps our developers by providing remedial action and reports in various formats, ranging from summary to detailed. This allows us to customize our reports and share visually appealing reports with the team.

Having visibility into the status of our applications at every phase of development throughout the software development cycle enhances our DevOps productivity and ensures a stable solution.

The false positive rate is valuable. The benefit is that the false positive results provide our developers with a clear understanding of their proficiency level in development. However, the drawback is that during fast penetration or testing, they may receive alerts that can cause frustration. Additionally, if they perform another test, the previous alert may not appear again, making it difficult to address the issue. Overall, I believe that false positives can boost our developers' confidence in their abilities to a certain degree.

The false positives identified through static analysis have been beneficial in saving us time. Due to our use of advanced tools and record-keeping practices, we have been able to streamline processes such as data importing, which may have otherwise required local or manual methods. This has resulted in significant cost and time savings for our team. With the ability to work remotely using tools like Veracode, we are able to provide effective reporting and management for all software applications.

Veracode has been a time-saver for our developers by enabling those with different programming languages and skills to collaborate and develop stable solutions together. As a result, we are able to save some time.

Our overall security posture has been positively impacted by Veracode. We are confident that our solutions are highly secure for our clients and stakeholders. With Veracode's assistance, we ensure that our applications and software are free from bad code and other vulnerabilities. By troubleshooting alerts, we prevent abnormal codes from reaching production, creating stable and secure solutions. Veracode helps ensure social sustainability during the UAT process before we release the final product to consumers, resulting in a highly secure end product. Veracode has enabled us to offer a stable and trusted solution that fosters transparency between our company and the end-users, supporting their needs and activities.

Veracode reduced the cost of our DevSecOps by allowing us to use a single tool that can be operated by a small team of developers. We saved around $1,500 USD using Veracode.

What is most valuable?

I believe that testing code early on is always beneficial, and using UI saves time by detecting issues in the flow before the release cycle through verification scanning. Additionally, I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well. Overall, I'm impressed with the integration and user interface.

What needs improvement?

Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans. However, we can run these scans in the background to minimize disruptions. Static scanning can be a slow process that requires some time.

The cost and scalability also have room for improvement.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

Veracode has no downtime and is highly stable.

What do I think about the scalability of the solution?

The scalability is neutral because it lacks some integration. We have 12 end-users within our software and engineering departments.

How are customer service and support?

The technical support is responsive and helps us resolve our issues quickly.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward. I deployed the solution myself.

What about the implementation team?

The implementation was completed in-house.

What was our ROI?

Veracode assists us in increasing our sales by allowing us to redirect the funds that would have been used to pay our ex-pats to troubleshoot errors or issues with vulnerable code. Consequently, we are experiencing a higher return on investment, and our company has generated over 55 percent return on investment since implementing Veracode.

What's my experience with pricing, setup cost, and licensing?

The pricing for Veracode is high, making it difficult for beginners to afford. Whether or not Veracode is a viable option may depend on the specific needs and use cases of the user, as it may not be affordable for small businesses.

Veracode is costly, which makes it unsuitable for small organizations. However, if an organization has the budget for the solution, it is worth investing in.

What other advice do I have?

I give the solution a seven out of ten.

I believe that it is a wise decision to test our code to ensure its security. Utilizing Veracode is a beneficial practice as it examines our code and provides recommendations on areas that require improvement. This ultimately results in a stable solution. However, I advise using Veracode only if the business has the budget for it, as it can be expensive. Any organization that chooses to use Veracode, can be confident in the quality of its solution but must be prepared for the associated costs.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Shashank Niranjan - PeerSpot reviewer
Senior Software Engineer at Capgemini
Real User
Provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs
Pros and Cons
  • "Being able to scan our applications and identify all codes and defects is an extremely valuable feature."
  • "Scanning large amounts of code can be a time-consuming process and there is scope for improvement."

What is our primary use case?

We use Veracode for application scanning.

How has it helped my organization?

Veracode is able to prevent vulnerable code from going into production.

Veracode has helped us to identify the vulnerable code in our applications before we put them into production.

The solution allows us to ensure compliance with standards and regulations.

Veracode provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs.

I give a nine out of ten for Veracode's ability to identify false positives. The false positive rate has increased our developer's confidence.

Veracode has enhanced our capability to address flaws by identifying bugs that may not have been detected through static analysis data.

Veracode has had a positive impact on our organization by providing us with greater insight into our data.

Veracode helps our developers save approximately ten percent of their time by detecting code issues and enabling them to promptly fix bugs before releasing the information into production.

Veracode helps secure our private data which improves our overall security posture.

What is most valuable?

Being able to scan our applications and identify all codes and defects is an extremely valuable feature.

What needs improvement?

Scanning large amounts of code can be a time-consuming process and there is scope for improvement.

For how long have I used the solution?

I have been using the solution for nine months.

What do I think about the stability of the solution?

Veracode is stable.

What do I think about the scalability of the solution?

Veracode is scalable. We have between 300 to 500 users.

How are customer service and support?

The technical support is responsive.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used some open source solutions and the management teams decided to switch over to Veracode.

What other advice do I have?

I give the solution an eight out of ten.

We have Veracode deployed in multiple locations.

Maintenance is only required when updating the solution.

You should evaluate multiple solutions, but I suggest considering Veracode if it aligns with the organization's requirements.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2025
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.