It's a fast solution, so we use it to search for vulnerabilities in our code, software composition analysis, and to search for vulnerabilities in our libraries.
Application Security Coordinator at Banco Votorantim
Good visibility and reporting with few false positives
Pros and Cons
- "Veracode's policy reporting for ensuring compliance with industry standards and regulations is great."
- "They could improve how they fix vulnerabilities. They could have more support in place to help the developers."
What is our primary use case?
How has it helped my organization?
We have some security gates and it's not possible to release some applications from production. We can look at the solution and see medium, high, or critical vulnerabilities with ease at every stage.
What is most valuable?
The speed is the most valuable aspect.
Veracode's ability to prevent vulnerable code from going into production is very good since we have a few false positives. I'd rate this feature nine out of ten.
Veracode's policy reporting for ensuring compliance with industry standards and regulations is great. It has a detailed report that we can look at to see our landscape easily.
Veracode provides visibility into application status at every phase of development: Veracode static analysis, dynamic analysis, software composition analysis, and manual penetration testing throughout your SDLC. It positively affects our DevSec processes. It's not possible to bypass Veracode. It's very secure.
There are very few false positives. I'd rate the false positive rate as nine out of ten. It's very good. It's very positive for developer confidence. They understand security development very well and Veracode provides excellent transparency.
It's reduced the time we've spent on tuning policies. We've saved around two hours. We used to waste around three hours and now we can do what we need to in 30 minutes.
It's helped our team fix flaws. The security gate helps our developers learn how to fix vulnerabilities. The solution has also helped them save time in their efforts. It provides descriptions of how to fix certain items. It saves them from having to search on the internet for fixes.
The solution has had a positive effect on our security posture. I'd rate it nine out of ten. We have very secure applications.
What needs improvement?
They could improve how they fix vulnerabilities. They could have more support in place to help the developers. That would help a lot of users.
The pricing can be improved. It is really, really expensive.
Buyer's Guide
Veracode
August 2025

Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,445 professionals have used our research since 2012.
For how long have I used the solution?
I've been using the solution for five years.
What do I think about the stability of the solution?
I'd rate the scalability nine out of ten.
What do I think about the scalability of the solution?
We have about 500 end users of Veracode in our organization.
I'd rate the scalability ten out of ten. It's very good.
How are customer service and support?
Technical support is good. They are always communicative and share news and new technologies. They offer new languages and frameworks regularly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously used Checkmarx, as well as Fortify. I used it in another company. However, in banking, it's not possible to use something like Checkmarx. Veracode is more secure and more trusted.
How was the initial setup?
I was involved in the deployment. It was not complex to deploy. It was straightforward. The implementation strategy included looking at different flags and vulnerabilities and deploying in phases.
We had five to seven people to deploy the solution.
I'm not sure if there may be maintenance required.
What about the implementation team?
We used a third party to help with the deployment. Our experience was good.
What was our ROI?
I'm not sure of the exact amount saved, however, we have noted an ROI. We have avoided application vulnerabilities in production. We don't need to rework things since we look at the vulnerabilities right in development instead of after deployment.
It has reduced the cost of dev backups in our organization.
What's my experience with pricing, setup cost, and licensing?
The pricing is expensive.
However, if you have applications and not enough people to analyze the flags, you must use Veracode as it delivers very few false positives.
Which other solutions did I evaluate?
I did evaluate other options before choosing Veracode. I looked at Checkmarx and Fortify as well as a solution made in Brazil.
What other advice do I have?
We are a customer and end-user.
I'd rate the solution nine out of ten.
I'd recommend the solution to others.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Executive Director at Precise Financial Systems Limited
Has great static scanning and has had a significant impact on our organization's ability to address flaws
Pros and Cons
- "The static scan is the most valuable feature."
- "Veracode is costly, and there is potential for improvement in its pricing."
What is our primary use case?
We use Veracode to ensure our solutions meet the security standards in the financial industry in Nigeria.
How has it helped my organization?
Veracode does an excellent job of preventing vulnerable code from entering production.
Veracode ensures that the products we create for our clients are free of any code-related issues. This keeps them satisfied with our service and encourages them to continue doing business with us.
Veracode provides peace of mind and increases confidence in our code within the market. We realized the benefits within a few months.
At first, we experienced a high number of false positives, but the Veracode team provided guidance that enabled us to significantly reduce the count.
Initially, our developers were frustrated due to the high false positive rate. However, as we managed to reduce the number of false positives and the developers recognized that these were not actual issues, their morale improved, and their acceptance of the use of Veracode increased.
The false positive rate of the static analysis reduced the time that we spend on different operations.
Veracode has had a significant impact on our organization's ability to address flaws. The solution is capable of detecting issues and providing suggestions that assist us in rectifying problems within the code.
Veracode helps our developers save time. We review the recommendations provided by the solution, adhere to our best practices, and then proceed to implement these suggestions. In cases where we might have had three lines of code, the solution is capable of reducing that to one or two lines. I would estimate that Veracode has decreased our developer time by 40 percent.
Veracode enables us to enhance our security posture by applying the knowledge we acquire through Veracode to all our new projects. Additionally, we can revisit previous projects to implement upgrades and add features, thereby enhancing their security.
Veracode helps to decrease our DevSecOps costs by saving our developers' time and aiding in the production of error-free code.
What is most valuable?
The static scan is the most valuable feature. We are also currently evaluating the dynamic scan.
What needs improvement?
Veracode is costly, and there is potential for improvement in its pricing. In our region of the world, it is challenging to attract a significant number of sign-ups due to its unaffordability.
For how long have I used the solution?
I have been using Veracode for one year.
What do I think about the stability of the solution?
Veracode is stable.
How are customer service and support?
Based on the limited interaction we've had with technical support, I am satisfied with their service.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used a tool in the past that was free, but we couldn't depend on the quality of the scans it provided in the free version.
What's my experience with pricing, setup cost, and licensing?
The cost of Veracode is high.
There comes a point when we must make a decision between cost and quality, and we chose to prioritize quality by selecting Veracode. The confidence that Veracode instills in both our developers and clients justifies the associated cost.
We have four solution licenses for the static analysis scans.
Which other solutions did I evaluate?
We also evaluated one of Veracode's competitors. After conversing with the sales and technical teams of both solutions, we concluded that Veracode was the best choice for us.
What other advice do I have?
I rate Veracode an eight out of ten.
We are currently in the process of investigating Veracode's capability to offer insight into the status of applications at each stage of development.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Insurance Agent at ICEA
The ability to prevent vulnerable code from entering production works very well
Pros and Cons
- "Code scanning is the most valuable feature."
- "The UI is not user-friendly and can be improved."
What is our primary use case?
We use Veracode to scan our codes for vulnerabilities and risks.
How has it helped my organization?
Veracode's ability to prevent vulnerable code from entering production works very well, and it can detect the type of script used.
The software bill of materials helps us understand the industry that we are in and ensures we have a stable solution.
We can easily create a report using a software bill of materials because it has good templates that we can use.
Veracode has improved our organization by allowing us to fix the flaws quickly for our clients by making data coding easy.
Veracode provides visibility into all phases of development.
The visibility into our development provides confidence to our DevSecOps that they will be able to deploy on time with no errors.
The false positive rate is good but we require a lot of skills to utilize it properly.
The false positive helps our DevOps troubleshoot every stage of development and increase their efficiency which boosts their confidence.
Veracode has helped our developers save around 20 percent of their time.
It has increased our organization's ability to fix flaws. We can scan code in a video which reduces costs and risk.
Veracode has increased security in our overall security posture because it detects flaws during scans.
We have saved around $500 a month in DevOps with Veracode.
What is most valuable?
Code scanning is the most valuable feature.
The templates allow us to create wonderful reports.
The software bill of materials feature helps our supply chain security.
What needs improvement?
The backend support team of Veracode requires improvement as they are difficult to reach when we encounter issues.
The UI is not user-friendly and can be improved.
The speed of our internet connection affects the scanning process, which may take a considerable amount of time to finish. As a result, this can lead to challenges in planning and reporting, causing confusion.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
Veracode is scalable.
How are customer service and support?
The support is slow to respond.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial setup was straightforward. I deployed the solution myself within three days.
What about the implementation team?
The implementation was completed in-house.
What was our ROI?
We have seen a 32 percent return on investment with Veracode.
What's my experience with pricing, setup cost, and licensing?
The licensing cost for Veracode is fair.
What other advice do I have?
I give the solution an eight out of ten.
Veracode is user-friendly depending on how we use it.
We have seven people using the solution.
Veracode does not require any maintenance on our end.
Veracode is a secure, reliable, and sustainable tool that all organizations should use for scanning code.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Managing Director at Century Bottling Company
The Software Bill of Materials feature helps you understand what to do to minimize risks and maintain compliance
Pros and Cons
- "I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate."
- "Static scanning takes a long time, so you need to patiently wait for the scan to finish. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings."
What is our primary use case?
I use Veracode to ensure the projects I deliver don't have vulnerabilities.
How has it helped my organization?
Veracode provides insight into vulnerabilities at every stage, so your team can progress through the development cycle more efficiently. It improves developer confidence by showing us our capabilities and the potential of our code.
Our developers improve and become more efficient using Veracode. Once we identify issues in our code, it's much easier to avoid the same mistakes in future projects. It teaches them how to overcome those vulnerabilities and errors while reducing costs.
Veracode saves a lot of time compared to traditional methods for identifying vulnerabilities. We save around $500 a month using Veracode because we don't need to hire experts.
Veracode has improved our overall security posture. We feel assured that applications we deliver to clients or use internally are highly secure. It has helped us develop strategies to create stable, secure platforms.
What is most valuable?
I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate. I love the Software Bill of Materials (SBOM) feature because it helps you explore various industries and understand what to do to minimize risks and maintain compliance. It's straightforward and ensures my applications are compliant.
It's easy to create reports using the SBOM feature because it has templates that you can customize depending on the reporting requirements. It gives me a report of the compliance requirements for any industry. It helps us internally and improves the services we provide to our clients.
Veracode is great for preventing vulnerable code from going into production because it covers various programming languages like JavaScript and PHP. You can be confident that your code is secure no matter which language you use.
What needs improvement?
Static scanning takes a long time, so you need to patiently wait for the scan to finish. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings.
For how long have I used the solution?
I've used Veracode for three years.
What do I think about the stability of the solution?
Veracode is stable. I've been working with it for a long time.
How are customer service and support?
I rate Veracode support 10 out of 10. They're friendly and responsive.
How would you rate customer service and support?
Positive
How was the initial setup?
Deploying Veracode is straightforward. I did it with one other colleague.
What's my experience with pricing, setup cost, and licensing?
We can afford Veracode, but it's too expensive for small enterprises. If you're concerned about the price, you should weigh the benefits you can achieve. It has saved us a lot of money on DevOps. We save about $500 a month by not outsourcing this work to experts.
What other advice do I have?
I rate Veracode eight out of 10.
It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Associate Principal, Software Engineering at LTI - Larsen & Toubro Infotech
Its accuracy and support make it the best solution available in the market
Pros and Cons
- "In my experience, Veracode is one of the most powerful tools available in the market from a security perspective. It is a market leader in source code analysis."
- "I am expecting some AI-related features in it. Also, if someone is using AI-generated code, Veracode should be able to detect that."
How has it helped my organization?
Veracode helps to prevent vulnerable code from going into production. They are providing remediation support. They provide a specific solution. If a code has any vulnerability, they provide the snippet of that code. They also provide recommendations. Their support team is very active. If you have any concerns related to the vulnerabilities, they schedule a call and resolve your issues. That is very good.
With Veracode, there are fewer false positives as compared to other tools. It provides genuine vulnerabilities. It is also user-friendly. They are not only sticking to SAST testing. They also have pen testing.
The visibility that Veracode provides is good. They provide a proper dashboard for everything. We have visibility into the application status at every phase of development - Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test. I am satisfied with it. We have not integrated it with our DevOps pipeline, but it has all the features for easy integration.
Veracode helps us to fix flaws. They provide very good recommendations. It is very easy for a developer to fix the flaws. They provide a specific solution.
Veracode has helped our developers save time. It has been very useful.
What is most valuable?
In my experience, Veracode is one of the most powerful tools available in the market from a security perspective. It is a market leader in source code analysis.
What needs improvement?
I am expecting some AI-related features in it. Also, if someone is using AI-generated code, Veracode should be able to detect that.
For how long have I used the solution?
I have more than 12 years of experience working with Veracode.
What do I think about the stability of the solution?
It is stable. There are no unplanned downtimes. If they are going to have downtime because of maintenance or any other reason, they communicate that to you a week before. They not only inform you by email. They also alert you through their portal.
How are customer service and support?
Their support is good. I would rate them a ten out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I work with almost all the tools available in the market. Its competitors are AppScan and Fortify. Synopsys is also there, and Checkmarx is also there.
Veracode is the best tool as of now. That is because of the quality of the product and technical support. Veracode supports all the testing options.
Veracode is a leading tool in the market for code security. It is all about the source code review from a security perspective. It identifies the vulnerabilities in the source code. Apart from this, they also provide services for run-time code. If you have your application in production, it can also find vulnerabilities in that. They also support software composition. If your application is using a third-party library, they can identify the vulnerabilities in that.
How was the initial setup?
It is straightforward. It is easy to deploy because it is a cloud-based service. It does not take long.
They are a mature company. They have already worked a lot on all the things. They keep on coming up with new features. Their R&D team is very good.
What was our ROI?
The ROI is in terms of time savings and security. If an attack happens because of a vulnerability, it costs a company and impacts its reputation. No one should be compromising on security.
What's my experience with pricing, setup cost, and licensing?
As compared to others, it is a costly solution. It is overpriced, and many organizations with a limited budget cannot afford it. That is why they are going for other tools, but those tools are not that effective. Veracode is better in terms of quality. If you want good service, you have to pay for it.
Which other solutions did I evaluate?
I am working at a consultancy, and I did a PoC with five or six top tools in the market. I found Veracode to be the best in every aspect.
I am currently looking for some AI-powered tools. I am exploring the AI capabilities of various tools.
What other advice do I have?
Overall, I would rate Veracode a nine out of ten. With AI capabilities, it would be a ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
CEO at CareerCraftly
It has also enabled us to identify and fix bugs earlier, which is cheaper than fixing issues after a product is launched
Pros and Cons
- "Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production."
- "The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced."
What is our primary use case?
Veracode helps us identify bugs and flaws in our code while operating it. We use the solution's static analysis feature to analyze code before running applications, and dynamic analysis, which scans the app while it's running.
We typically run Veracode at the end of the development phase when we are ready to launch our software. We also scan for vulnerabilities after the software goes into production. It's the final phase of our development cycle.
How has it helped my organization?
Veracode has reduced the amount of time we spend manually investigating our code. It has also enabled us to identify and fix bugs earlier, so we don't need to release patches after a product is launched.
The false positive rate is quite low, which is critical. If it had a high false positive rate, it would be difficult to trust this software. We can discover lots of errors and bugs manually, but this software enables us to clear any error or compliance issue with a low false positive rate. It's highly efficient in that sense. We can trust the process, so we spend less time investigating issues manually.
In one development cycle, Veracode usually saves us four or five hours of human work that goes into checking the code, finding errors, and fixing them manually. The remediation is also built into the software.
What is most valuable?
Veracode is easy to use even if you're not a security professional. I like the dynamic analysis feature, which offers a lot of cost savings when used in production. Veracode helps prevent vulnerable code from entering production, and it has a low false-positive rate, so it can reliably find real vulnerabilities.
The software bill of materials feature has proven helpful in finding bugs and flaws that may cause problems in our product when we launch it. It has helped a lot to exponentially reduce the cost after the launch cycle. It is quite easy to create reports and perform a detailed analysis because much of the process is automated. It can fix most issues automatically.
What needs improvement?
The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced.
For how long have I used the solution?
I have used it for four months.
What do I think about the stability of the solution?
We haven't experienced any downtime since we started using it. It is highly stable. We haven't seen any server crashes from their side.
What do I think about the scalability of the solution?
Veracode can handle lots of processes, so I would say it is scalable.
How are customer service and support?
I rate Veracode support eight out of 10. The response times are fast. If we have a problem, they respond within four or five hours.
How would you rate customer service and support?
Positive
How was the initial setup?
The setup process was straightforward, and the Veracode team guided us through the deployment, which took about four or five hours. It only takes one person to install the solution. It doesn't require any maintenance after deployment.
What was our ROI?
Veracode has eliminated a lot of manual security processes that cost a lot of money and time. It has saved us lots of time and money for development.
What's my experience with pricing, setup cost, and licensing?
The cost of scanning code is cheaper. It's typically $0.50 per line of code. However, it's expensive to run a high-level process that would normally require a human security expert. For example, penetration testing costs about $1,000 per application. The cost of these features may be too high for smaller organizations. On the other hand, Veracode's interactive application security testing is fast and cheaper compared to other software.
What other advice do I have?
I rate Veracode nine out of 10. If anyone is considering Veracode, I suggest trying a demo beforehand so that you can see how it addresses the kind of problems your organization is facing and how it works with the programs you are creating.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
COE Head at a tech services company with 1,001-5,000 employees
The dynamic analysis feature helps secure risky web applications
Pros and Cons
- "I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc."
- "Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data."
What is our primary use case?
Our primary use case for Veracode is to secure our software development lifecycle. It's deployed in a couple of countries and connected to multiple applications. It's used by five development teams, each of which has a different focus, such as digital channels, CRM, ERP, backend deployment, and billing. We also have a team that coordinates all of the efforts of the secure development policies. That team sets the guidelines and policies. The entire development team has about 20-30 people.
How has it helped my organization?
Veracode has sped up the development cycle, helping us bring products to the market faster. I work at an IT services company with hundreds of customers who have various needs for different kinds of tools. That doesn't mean we use Veracode for all our customers, but for certain customers, it's critical because the solution reduces the amount of time needed to prevent and detect issues. Bringing secure applications into production is essential.
We can't just rely on our development teams to make, test, and manually review the code. We need powerful tools that provide a strong framework for detecting vulnerabilities and scanning application components. Penetration testing is the most important because hackers break into the application and access the information.
Dynamic analysis is also crucial for web applications, which can be risky. Veracode can dynamically detect vulnerabilities and block traffic. It is sometimes hard to differentiate real users from hackers. Dynamic analysis must be implemented with a user-sensitive perspective.
I work in Latin America, and there are regulations on information security and the use of customer information. The most vital areas are things like health information and finance. You can face penalties for failing to protect customer information, so it's critical for us to secure our code during development. Any vulnerable code or application component can risk disclosing customer information and allowing an outsider to penetrate the systems or databases.
Veracode offers visibility throughout the entire development lifecycle. SecOps is an essential framework inside the organization currently because we need to deliver applications to market faster while improving code quality. It's crucial to be careful when using code generated by community sources. We need to test the final applications and also the components and packages in any code repository we use.
We're deploying complex pipelines and utilizing CI/CD. For example, Veracode is important when connecting management tools, code repositories, and various cloud components. Having that integration and capacity to connect to various tools in the DevOps framework is vital for the DevOps team. Every business must decide its risk tolerance and set a threshold of vulnerability permissions in the application to detect. It's really powerful if you can configure the threshold correctly.
Developer confidence depends on their capacity to understand, and Veracode has to detect vulnerabilities and provide suggestions for correcting them. Sometimes it's an upgrade; sometimes not. It also provides different kinds of information to the developers.
Veracode has had an enormous impact on our ability to detect flaws. It's risky if we don't have the capacity to detect vulnerabilities in the earliest stage of development before the applications go into production. It's also an important time-saving tool. It reduces the time spent manually addressing vulnerabilities by about 20-30 percent.
What is most valuable?
I like Veracode's static analysis. It was one of the core development tools when I worked with a telecommunication company where we were delivering new features for various applications and purposes each week, such as CRM, data channels, compliance, traffic data, etc.
Most of the time, the key thing was to ensure the security of digital channels and reduce the risk of any breach that could cause a security issue. It's critical to maintain the security of sensitive information transferred from our customers to the sales staff. Keeping that data secure is important for the customer relationship and also for compliance and recurring sales.
I rate Veracode 10 out of 10 for its ability to prevent vulnerable code from entering production. It has a lot of useful and intuitive features. In previous settings, static analysis was one of the primary use cases, but dynamic analysis is also helpful. Veracode is highly valuable because one vulnerability could result in service downtime or worse: a leak of customer information.
The investment in the tool is justified because we can detect and prevent vulnerabilities much earlier in the process. Software composition analysis is also vital when we use open-source middleware or backend components for business-critical functions like bringing information from one source to another or connecting one application to another.
What needs improvement?
Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data.
You pay for all of the time that the tool is running, not for the number of scans. There are specific rules governing the amount of traffic applications can consume from the allotment you have. I would like the pricing to be more personalized. For example, some companies don't have a large budget for this kind of tool, whereas a large enterprise can acquire this kind of solution and pay for it. However, I'm an IT consultant working with various types of customers in different industries, including finance, insurance, and telecommunications.
For how long have I used the solution?
I started using Veracode at least three years ago.
What do I think about the stability of the solution?
Veracode is a highly stable platform. I haven't experienced any service disruption, and the performance is solid.
What do I think about the scalability of the solution?
I've used Veracode in a telecommunication company with a huge environment and more than a hundred applications. I don't have experience with smaller-scale use cases, but I know the cloud is quite scalable.
How are customer service and support?
I rate Veracode support nine out of 10. We get support from the resellers and direct support from Veracode analysts. We call the support team or the architect when there is a serious technical issue.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I haven't used a commercial tool like Veracode before. It depends on where I'm working, but the most common tool we use is an open-source solution called SonarQube.
How was the initial setup?
Veracode is straightforward to deploy. It's not hard to connect it, and we had support from a local vendor to help us integrate it into our dev lifecycle. It required only one person from my team.
What about the implementation team?
We had assistance from our local reseller, and the experience was great because we had a direct connection from the partner to the brand. We have a local team member who was in charge of the resell process.
What was our ROI?
We calculate the return on investment primarily based on the risk. We calculate the ROI annually, but it's not very detailed. We factor in the risks associated with the loss of customer information, penalties for noncompliance, etc. In the worst-case scenario, we estimate that we could potentially lose up to $1 million annually.
What's my experience with pricing, setup cost, and licensing?
The licensing model could be more flexible, and Veracode could be more accessible to smaller enterprises. We obtained Veracode through a consultancy. Veracode sets the price through consultation with our reseller, but I have yet to get a direct quotation without any other reseller in the middle. If you are worried about the price, I would say that you could request more information and do a trial, then see if you can negotiate an offer.
Which other solutions did I evaluate?
We decided to use Veracode without comparing it to any other kind of solution. We had a kind of consultancy from one of the companies, the IT services company that was one of our partners; they worked closely with us, and we selected Barracuda, the tool that we needed.
What other advice do I have?
I rate Veracode nine out of 10. It's an excellent solution for securing the development lifecycle. I recommend starting with a trial and getting in touch with the account team to explore all of the different features.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr. Development Manager at RWS Holdings PLC
We're finding fewer and fewer issues through external security scanners or penetration testers
Pros and Cons
- "It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you are using libraries with vulnerabilities."
- "Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row."
What is our primary use case?
Veracode is part of our overall security program. We use it to scan our daily build pipelines and all our fielded releases. The primary features we use are static application security testing and software composition analysis.
We analyze third-party libraries for known vulnerabilities and take action. Veracode is also part of our release procedure. We put the artifacts from the record and attach them to the release documentation to provide our customers with those documents if needed.
How has it helped my organization?
Veracode has improved our product because we're gradually finding fewer and fewer issues through external security scanners or penetration testers. It plays an important role in the continuous integration quality assurance chain. We started using Veracode when it was supporting a 2017 standard. When the security standard changed to 2021, we received new issues.
We adjusted the policy and no longer have any medium-priority issues in our scan results. It has increased the quality of our security while enabling us to pass the two historical standards and maintain compliance. We have analyzed and cleaned up several thousand issues since we started using Veracode.
We use our internal policies for the WAF Security Standard, but it isn't an industry-wide policy. We do not use PCI DSS, etc., but it shouldn't be a problem to comply with that stuff. For example, PCI DSS isn't applicable to our case because we aren't managing any credit card data, working with medical devices, or doing anything involving the military. Some standards aren't applicable.
Veracode offers visibility into vulnerabilities at every step of the pipeline. Every night, we build source code and mark everything that was merged during the day. We check those reports once weekly and correct some issues that were detected. For software composition analysis, it's even easier because every time the record updates, Veracode sends emails to the security team. It also makes me aware of some newer capabilities in software composition analysis.
It showed us a lot of flaws in various parts of our product and helped us visualize a lot of issues that we previously didn't know about. We had static code analysis, which is a bit different than Veracode. We were using a static code analyzer from Visual Studio, and it was mostly about development best practices. When we started using Veracode, we realized there were more problems that static analysis alone wasn't catching. It's an excellent tool for showing the vulnerabilities in your software.
It helps us save time and effort for a portion of our production. For example, if you're scheduling to release product improvements in the spring, you don't want to fix anything after it goes into production. From that perspective, fixing things before the code is released saves us time. It also protects our reputation because fewer issues enter production.
It sometimes saves our customers some time because they don't need to perform their own secret analysis because we've already analyzed the product and can provide them with the results much faster.
What is most valuable?
It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you use libraries with vulnerabilities.
We use Veracode as a quality gate. We do not do continuous delivery or continuous deployment. We're releasing about twice a year, so we use it as a quality gate in this situation. We should analyze various types of patch software. From my observations, it has been an excellent tool so far. We also have an external penetration testing effort, and the testers have not found any issues, so that tells us that Veracode has been successful at preventing issues from entering production.
I use the software bill of materials. Our product consists of many systems and components and redundancies that must be processed manually. We are in contact with the Veracode guys, and I think the next release will have this software bill of materials added. It isn't a problem with Veracode. It's a problem with the way we upload and build sources. In the implementation stage, we want the results as fast as possible, and we've done it in a way when we upload. It can be optimized when we upload it to Veracode.
What needs improvement?
Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using.
The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row.
In our project, we use a lot of limited packages that link to another library, and there may be issues in those reference libraries. For example, one library might be referenced by several Google packages. When it shows you a vulnerability in one library, you will not see the issues in all libraries. We've discussed the issue with the Veracode team, and they are investigating a way to fix this. Hopefully, it will not be an issue.
For how long have I used the solution?
I have used Veracode for several years. I've led our product toward Veracode standard certification.
How are customer service and support?
I rate Veracode support eight out of 10. We had to contact support several times in the early years about a licensing issue we faced. We had some false positives in the licensing report from Veracode, so we raised a ticket with the support team, and they resolved it relatively quickly. We have regular meetings with a dedicated representative from Veracode, but we also get help from our colleagues on staff. At the moment, I'm happy with their support. They provide us with the necessary level of quality.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used SonarQube, but it's somewhat different because it's a pure static code analysis tool. Veracode has a stronger focus on web security, and we produce a web-facing product, so that's important to us. SonarQube is strictly a static code analysis tool.
How was the initial setup?
Veracode's setup was pretty straightforward, but there were a few challenges integrating it with our continuous integration system because there are lots of components. We wanted our source code scanned daily, so we had to change our build process. It's a bit tricky getting it to work with various parts of our solution. Our product is too complex, and there are lots of applications and flavors.
We did it ourselves because we have sufficient expertise. We're still tuning up our build process and reports. They have comprehensive documentation. We had help from Veracode support, who answered our questions about integrating the solution with our software. It was mostly building and tuning a little to build our software in debug mode and deploy it back into our cloud.
What was our ROI?
We can measure our ROI in the number of issues we discover and remedy. From a quality control perspective, a problem is more expensive if a customer reports it. If we take price into consideration, we've decreased the net cost of security because we're receiving fewer issues from our customers. You must also consider the reputational cost if the customer needs to implement the fix.
If we find the issue after the fact, we need to provide our customers with the fix, and that may require some additional processes on the customer side. However, it's hard to calculate how much money it saved us.
What's my experience with pricing, setup cost, and licensing?
We are not using the licensing much because we have a strict internal licensing policy. We mostly avoid GPL licenses and their flavors. Managing the licenses can be tricky. Sometimes you add a library and build some functionality around it, so it may cause some problems to remove it from its source.
Cost is an issue at every stage because you need to evaluate what you're spending and what you expect from the project. You should use common sense and clearly understand the pros and cons. It's hard to say whether the solution is cheap or expensive because it depends on your company's needs. Some companies need Veracode for compliance requirements, and it doesn't matter how expensive it is. It's costly, but it's the best in the industry. You can get something that does the job but it's like a car. You might buy a clunker for a few hundred dollars or an Infiniti for a hundred thousand.
Which other solutions did I evaluate?
We tried another solution before we started using Veracode. I believe it was HCL AppScan.
What other advice do I have?
I rate Veracode eight out of 10. You should evaluate at least two vendors based on the company's needs. A host of issues need to be addressed, and it's a significant task. Veracode shows you many issues, but you must develop processes to address them. It was impressive when we first scanned our sources and found a thousand, but we had to develop compliance policies to deal with them. My advice is to not make the policies too strict. For example, you can start with high-priority issues.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Updated: August 2025