No more typing reviews! Try our Samantha, our new voice AI agent.
Ujjwal Sachdeva - PeerSpot reviewer
IT Developer at AdvaRisk
Real User
Top 10
Apr 3, 2024
Identifies bugs before deployment in the software-side cycle process
Pros and Cons
  • "The integration capabilities with our existing development tools are very good."
  • "The solution does take a bit more time when we use it for multiple processes."

What is our primary use case?

We use the solution for identifying bugs before deployment in the software-side cycle process.

It can be integrated with our CL and CDProp pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.

How has it helped my organization?

We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.

What is most valuable?

The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.

The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.

The dynamic analytics is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitor.

Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.

We use the free access to VeriCloud's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendors. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.

We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process. 

The solution's policy reporting for insurance compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration. It significantly helps us to reduce the time that we have to manually fix the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.

Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.

The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three. 

The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.

What needs improvement?

The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes. 

Buyer's Guide
Veracode
June 2026
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
902,988 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for six months.

What do I think about the stability of the solution?

The solution is very stable. We haven't come across any bugs. 

What do I think about the scalability of the solution?

Our security team of three uses the solution. 

It's great for scaling. We can use it on multiple projects which involve multiple security flows.

How are customer service and support?

Technical support has been very fast and efficient. The team helps us at every phase of the development cycle. 

Which solution did I use previously and why did I switch?

We did not use a different solution. Previously, we relied on manual testing. 

How was the initial setup?

We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.

We don't require any maintenance.

What was our ROI?

Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.

What's my experience with pricing, setup cost, and licensing?

The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes. 

Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.  

If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case. 

What other advice do I have?

I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.

I'd rate the solution ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Calinescu Tudor - PeerSpot reviewer
Security Project Leader at ATOSS AG
Real User
Oct 15, 2023
Quality of our code is much better, and we sleep well at night knowing we have closed a possible security leak
Pros and Cons
  • "It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in."
  • "False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."

What is our primary use case?

We use Veracode to scan server applications, and we also use it for SCA functionality and to scan pipelines of our other projects.

How has it helped my organization?

The quality of our code is much better now with structured utils meant for improving various topics related to security. Those are being applied consistently to various modules of the application. It enforces a type of structure and code changes to support future transformation.

What needs improvement?

False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side. Once they are identified, you can mark them as false positives, and they can be accepted by the security project lead. After that, life goes on, and those will no longer be reported.

The problem is the time that you spend analyzing a flow to be sure that it is a false positive. Every problem that is reported as a security vulnerability has to be treated with maximum care by the developers. It is good, in the end, when it's a false positive instead of having a real vulnerability.

Because we are working on a huge application with lots of dependent sub-projects, there are 9 to 20 data paths. We have to check all of the vectors from all of these paths. If we decide that an attack vector might be susceptible to that attack, we start fixing it. But for the others, the attack vector is not relevant.

There is always room for improvement in any product; it's not something related specifically to Veracode. But in the case of Veracode, maybe they could improve the scanner to reduce the number of false positive events so that they remain only with the valid data paths that represent real attack vectors. We understand that this is quite hard to determine by just scanning the code.

Also, the UI of Veracode could be improved to permit better visualization of the issues and the grouping of the issues, with better filtering.

For how long have I used the solution?

We have been using Veracode for four years.

What do I think about the stability of the solution?

We have seen delays in results on the order of hours, but there haven't been any crashes of their scanner. The solution is quite reliable, and all of the results from the scanning can be easily tracked in terms of time frame. You can see how your scanning has evolved, and there are no deviations due to a bug in the scanner.

What do I think about the scalability of the solution?

For small and medium-sized projects, it's quite scalable. You can use the sandbox scanner they provide, and it is fine. But for large applications, it is not scalable. We do manual uploads, and this is not scalable.

How are customer service and support?

We haven't called their support because we know how to interpret the results provided by their platform and how to mitigate the vulnerabilities that they have reported.

However, we have exchanged several emails to discuss some technical details of the solution that we applied it to, and everything was straightforward. There are no complaints from my side regarding what they said. Everything went smoothly and quickly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have used certain plugins from Teamscale, which is also a static code analyzer, and it integrates with various plugins in Sonar. We have also used OWASP for static composition analysis, and we are still using the third-party application scanning from OWASP as a Maven plugin. We have also evaluated Black Duck.

Veracode was the first choice for doing static application security testing. It was ranked first a couple of times in the last few years, so it was a natural choice to go with the top product. Also, SAP has a partnership with Veracode for the application that they are selling. It was a win for us, SAP, and for Veracode.

How was the initial setup?

It took us one day to get ready to use the solution. We built the image and copied it during the night to several machines. The following day, we were ready to put it into the container registry in Azure, and then it could be used. We had a huge procedure and scripting. It was not simple.

The team that did it had about six engineers involved.

What's my experience with pricing, setup cost, and licensing?

It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average.

Regarding extra expenses, it depends on what you want to buy. They have certain bundles that provide support via a hotline system with customer service. They can provide you access to certain security laboratories. You can opt for several licenses to educate more developers to be responsible for the security of your applications. All of these change the initial cost.

Of course, if you add more things, you can benefit from a better price. It depends on your negotiation skills and the number of licenses you want to buy.

The price can vary from year to year, and prices usually go up. Maintenance for the servers that do the scanning takes money, as do CPU, power, and memory. And there are the reports that are kept in the history for checking and for ISO certification. Those costs build up during a year.

For example, we have to manually upload the application that we are scanning because it's quite big, and it takes one day to be scanned. That means their scanner runs for a day on this application, and then we get the results back. That means our application is heavily consuming resources of that cloud server. Those resources are no longer paid for directly by us. We delegate this job to Veracode to do it for us, and we pay for it. But we free up our servers locally and can do other jobs with them.

We aren't trying to reduce our costs. We are trying to improve the security and quality to be sure that we and our customers don't have security issues. At the end of the day, security is the most important part. With every new release and with every new year, we allocate more and more to these operations, to improve our overall security.

What other advice do I have?

Not every such application is able to prevent everything from going to production, but several issues can be spotted via the scanning of the code and resolved, and they are valid. There are many others that can be detected with additional tooling from OWASP, Sonar, et cetera.

We are not using the SBOM functionality from Veracode. We use another tool to create the software bill of materials. That solution is also able to scan Docker images, and it also provides details about what is inside the layers of the Docker image file.

In terms of visibility into application status at every phase of development, it depends on how able you are to scan your application. For large applications, you have to do manual uploads, which is the case for us. We don't do manual uploads on every build, but we trigger it at certain times when we want to create releases for customers. That helps with our accuracy, but it doesn't represent the exact moment when there is a problem in the application. We still have to analyze the commits and history, track things, and match them with the new flaws that have been found in the latest report.

Veracode doesn't save us time. We have to spend a lot of time fixing security issues, especially those that impact lots of dependencies, dependent code, and sub-projects. But in the end, we can sleep well at night knowing that we have closed a possible security leak within the code, which is better for everybody. Even if there is no real problem at that moment and you don't see any probability of that vulnerability appearing in production, it is better to take some time to fix it, and then you feel better.

It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Veracode
June 2026
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
902,988 professionals have used our research since 2012.
Pradeep Kumar. - PeerSpot reviewer
Founder and Director at Bizcarta Technologies India Pvt Ltd
Real User
Oct 6, 2023
A broad and integrated platform that provides multiple test scenarios, but it is expensive and does not provide on-premise implementation
Pros and Cons
  • "The product provides guidance to develop secure software."
  • "On-premise implementation is not available."

What is our primary use case?

It is a broad and integrated platform. It provides multiple test scenarios and has the ability to do CI/CD pipeline integration. It is used for application security and vulnerability assessment.

What is most valuable?

Veracode provides guidance to develop secure software. It is one of the valuable features.

What needs improvement?

On-premise implementation is not available.

For how long have I used the solution?

I have been using the solution for ten years.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

The tool is scalable.

How are customer service and support?

The technical support is good.

How would you rate customer service and support?

Neutral

How was the initial setup?

The product is deployed on the cloud. We have a multi-cloud environment.

What's my experience with pricing, setup cost, and licensing?

The solution is expensive.

What other advice do I have?

Veracode’s policy reporting for ensuring compliance with industry standards and regulations is good. The product's false-positive rate is low. If the tool is used effectively, vulnerable codes do not go into protection.

The SBOM feature helps identify risks in all third-party software. It is quite easy to create a report using the SBOM feature. It is an important feature. The solution provides visibility into application status at every phase of development. We have not integrated it.

Veracode has a good effect on our organization’s ability to fix flaws. Veracode has helped our developers save time. Veracode has a good impact on our organization’s overall security posture. The solution is probably not worth the money. The developers are more confident while fixing vulnerabilities due to the solution’s low false-positive rate.

Overall, I rate the tool a six out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Sairam Bathini - PeerSpot reviewer
DevSecOps Engineer at Tata Consultancy
Real User
Sep 3, 2023
Can perform software composition analysis along with static and dynamic scans
Pros and Cons
  • "The best feature of Veracode is that we can do static and dynamic scans."
  • "Veracode should include the feature to run multiple scales at a time."

How has it helped my organization?

I have manually worked in CI/CD pipelines without Veracode. We could get automatic reports after integrating Veracode plugins into the build tool. The pipeline has become much more automatic by integrating the solution.

What is most valuable?

The best feature of Veracode is that we can do static and dynamic scans. Veracode performs software composition analysis, and we can use the solution to download different reports like the summarized report. Veracode’s interface is good.

What needs improvement?

Veracode should include the feature to run multiple scales at a time.

For how long have I used the solution?

I have been using Veracode for one year.

What do I think about the stability of the solution?

Veracode is a stable solution, except on one occasion when I faced some issues. I rate Veracode a nine out of ten for stability.

What do I think about the scalability of the solution?

Veracode has good scalability. In our organization, Veracode is used only by our team, which consists of seven members.

Which solution did I use previously and why did I switch?

We have used the JFrog XRAY tool for SCA (software composition analysis).

How was the initial setup?

Veracode’s initial setup was easy and straightforward.

What about the implementation team?

Implementing Veracode doesn't take much time. It takes only a few hours to implement the solution. Veracode was deployed by a team consisting of two to three members.

What other advice do I have?

I am into DevOps, and we have integrated Veracode into our DevOps pipeline.

I would recommend Veracode to other users.

Overall, I rate Veracode a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Shobana Raghu - PeerSpot reviewer
Application Development Analyst at a consultancy with 10,001+ employees
Real User
Aug 18, 2023
Showed us where errors were and helped us track their status, but reporting could have been more detailed
Pros and Cons
  • "I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them."
  • "The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed."

What is our primary use case?

We used it for static and dynamic testing to check if there were any vulnerabilities in the code. If there were any vulnerabilities, we would check the report downloaded from the Veracode portal and try to fix the code before deploying it.

How has it helped my organization?

Veracode helped me remove errors, and it didn't take a long time to fix any issue because I had an answer regarding where the code needed to be fixed. That feature helped us test our cases and get them deployed. It helped me fix vulnerabilities and any other errors before deployment to the applications.

The SAST and DAST scans—we used it both before code was deployed and after it was deployed—helped us run through the issues and keep track of their status. It was deployed in the pipelines, through Jenkins, and checked the logs in Kubernetes.

The solution also saved us time. I really liked the automatic scanning because there was no way to know where an issue was. Human tendency is to make mistakes, but Veracode helped us find the exact spot where an error was and change it. The reporting helped us do that in a short amount of time.

For our team, it had a very good impact. My manager used to suggest that before taking code to the next level, it was a really good idea to scan it.

What is most valuable?

I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them.

What needs improvement?

The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed.

Also, with upgrades, we had quite a difficult time tracking the reports, so there was some maintenance around that.

For how long have I used the solution?

I used Veracode for 13 months.

What do I think about the stability of the solution?

I had a situation that was due to a slow network, and I couldn't get results within a specific time. Because of that, there was a lag in production; we couldn't deploy the code on time. There was a crash, and because of that, we couldn't meet our production deadline.

The downtime happened two or three times. I thought it was due to a network issue when it happened once, but then I came to understand that it was a maintenance issue.

What other advice do I have?

Veracode is really not difficult or complex to understand. The whole concept is simple. It takes some time to get used to the tool, but it is a very simple tool to work with.

It was quite fast. Scanning my code took 25 to 30 minutes, which was quite good.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Vladimir Shilov - PeerSpot reviewer
DevSecOps at Ciklum ApS
MSP
Aug 18, 2023
With extensive reporting capabilities and a user-friendly interface, the tool is also highly scalable
Pros and Cons
  • "The most valuable features of the solution are its extensive reporting capabilities and user-friendly interface."
  • "There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives."

What is our primary use case?

I have helped other companies implement Veracode Static Analysis in their IT environment. In our company, we need to scan many .NET applications using Veracode, and we could scan our software since it is a SaaS solution, after which we process the reports to improve the product.

What is most valuable?

The most valuable features of the solution are its extensive reporting capabilities and user-friendly interface.

What needs improvement?

There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives.

The product is good, and if improvements are required, then such improvements should not be significant enough. There may be a slight scope to improve the product's integration capabilities. The product can also consider improving its support of different .NET versions and other programming languages, like Java.

For how long have I used the solution?

I have been using Veracode Static Analysis for three or four months.

What do I think about the stability of the solution?

Our company faced some issues with the tool, but the support team solved these issues quite quickly. The stability of the tool is high. Stability-wise, I rate the solution an eight out of ten.

What do I think about the scalability of the solution?

It is a scalable solution. We can implement the tool in different DevOps environments and projects, because of which we can create groups of applications and apply different policies to application groups, making it an enterprise-level tool. Scalability-wise, I rate the solution a ten out of ten.

How are customer service and support?

The solution's technical support helped us solve different problems related to Veracode, including some of its use cases. Veracode's support helped our company get around a problem and how to set up the scan rules correctly when we had some unexpected errors during the scanning process. I rate the technical support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have experience with Snyk. I used Snyk a year ago. Snyk doesn't support the version of the .NET applications we use in our company, so we decided to move to Veracode.

What about the implementation team?

The initial setup was easy since it is a SaaS solution and a well-documented product at the same time. In our company, we don't need to spin up a server to install something since we simply use the web interface and integrate the web interface with the DevOps environment.

On a scale of one to ten, where one is a hard setup and ten is an easy setup, I rate the initial setup phase an eight or nine.

The solution is deployed on the cloud. In our company, we use Microsoft Azure DevOps for our environment, but I don't know the environment in which Veracode gets used in our company. Veracode offers a web interface and API, so I don't know their cloud solutions.

The deployment is quite fast, but its overall quickness in terms of deployment depends on the number of applications you want to scan. If you want to scan one application, the deployment can be quickly done since we need to integrate Veracode into our DevOps environment.

What's my experience with pricing, setup cost, and licensing?

The pricing of the product depends upon the number of codes or the number of applications.

What other advice do I have?

I recommend those planning to use the solution check the system requirements and choose a solution that supports programming languages and .NET Framework versions that record scans.

I am not sure if it is one of the best solutions because I am not an expert in other solutions available in the market. Somehow, I personally feel it is one of the best tools in the market.

I rate the overall product a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer
PeerSpot user
Systems Engineer at Shiftmovers
Real User
Jul 28, 2023
By continuously scanning our applications, we can mitigate risks that may arise in some workflows
Pros and Cons
  • "Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process."
  • "Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses."

What is our primary use case?

Veracode helps scan applications for security purposes to ensure they are safe before deployment. The solution is continuously monitoring the security of our infrastructure and workflows. About five people use the solution across our organization. 

How has it helped my organization?

Our security posture has improved since we implemented Veracode because our developers have a better understanding of the security risks that may arise due to some actions we take on various projects and tasks. We're more aware of how vulnerabilities can be introduced into our daily work. 

Veracode has reduced the amount we spend to remedy security risks by about 60 percent. Security testing is much easier than before. The time needed to address vulnerabilities can affect the workflows and lead to late delivery of our services across customers. It has helped us to mitigate risks by effectively monitoring workflows. The conditional scanning procedures we previously used have been replaced by modern systematic algorithms.

Veracode saves time and costs because it's flexible in terms of an organization's data requirements. It can provide data intelligence from various work platforms and guidance on the best practices for security mitigation so we can safeguard our data in various work processes.

The solution enables us to establish a strategic policy management infrastructure to monitor the performance of each application periodically and report on the security performance. The dynamic analysis gives us feedback from time to time and performance metrics inside the program interface. 

This platform is one of the most efficient and effective tools for upgrading applications to meet an organization's performance standards and policies. It helps us improve our development because sometimes the coding procedure might not reflect the latest threats. 

What is most valuable?

Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process. By continuously scanning our applications, we can mitigate risks that may arise in some workflows. It streamlines compliance, policy management, and reporting on various data analytics. We use it daily to gain insight into our work processes.

The solution is built into our SecOps program. It offers modern policy management, essential support, and analytics features. It's efficient with fast and powerful risk-mitigation tools.

What needs improvement?

I think Veracode could integrate some advanced technologies to better address new threats as they arise. 

For how long have I used the solution?

We have used Veracode for about a year.

What do I think about the stability of the solution?

Veracode has been a stable product. We've had some downtime, but it has performed well overall. 

How are customer service and support?

I rate Veracode support a nine out of ten. Veracode's support team has always been helpful. When we contact them by phone or online chat, they respond quickly with a solution within the time frame established in our support contract.  

How would you rate customer service and support?

Positive

How was the initial setup?

Deploying Veracode was straightforward, and we had help from the vendor's support team. Our deployment team has six members, and the whole process took about three weeks. 

After deployment, the product requires some maintenance. We sometimes face some networking challenges that require repairs, and we need to periodically update some tools.

What was our ROI?

Veracode is a good investment, and I can recommend it to anyone who is looking for the best security tester. I estimate that we saw a 60 percent ROI this year, and it continues.

What's my experience with pricing, setup cost, and licensing?

Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses. 

What other advice do I have?

I rate Veracode an eight out of ten. I would recommend it to others who need to do testing for application performance or security and risk management. 

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Data Research Analyst & Business Development at DIS Research
Real User
Top 20
Jul 26, 2023
Reduces manual processes for us, saving significant time
Pros and Cons
  • "The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws."
  • "The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced."

What is our primary use case?

The most important purpose of this platform is code security. We are able to scan our code and find security flaws.

How has it helped my organization?

Veracode has saved us a lot of time because we have been able to reduce manual processes. We are able to do most things automatically with the platform. It has saved us between 30 and 40 percent of our time.

What is most valuable?

The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws.

The sandbox environment is also one of the features we are using as well as integration with our CICD pipeline, which is very useful. The product is pretty easy to understand, which is quite good.

The policy reporting for ensuring compliance with industry standards and regulations also helps us a lot.

It gives us visibility into application status at every phase. We have definitely seen an improvement in that regard.

For how long have I used the solution?

I'm pretty new to this platform. I'm going with a trial right now and have been using it for about a month. We have spent most of our time analyzing the code.

What do I think about the stability of the solution?

It's a stable product.

What do I think about the scalability of the solution?

It is also very scalable.

How are customer service and support?

The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

This is the first such tool we are using.

How was the initial setup?

The initial deployment was not very complex. It took us around 15 days because we were trying to understand the policies and many other things. Our team has 15 people and everyone was involved in making some decisions regarding the solution.

We have only needed help with the product itself. That's what we have reached out to their team for. But there hasn't been any maintenance of the product for us.

What's my experience with pricing, setup cost, and licensing?

The pricing is a bit high. Although we are in a trial phase, if we are going to make the decision to purchase the software, the pricing is going to be high for us.

What other advice do I have?

We are able to justify the false positives because security flaws are one of the biggest things that Veracode's features help us with.

Overall, the product is good. It has made a very good impression. There are some flaws, as I have mentioned, but overall it looks very good, with the features I've mentioned. The impact on our security has been good. The main challenge for us will be the pricing, but if we ignore that factor, the impact has been very good and we would definitely implement Veracode.

I would suggest having a look at Veracode. Go for a trial of the system to see if Veracode is something that can help solve your problems. Pricing should be ignored because there are definitely some very specific features that help a lot. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer1510059 - PeerSpot reviewer
Solution Architect at a tech vendor with 10,001+ employees
Real User
Jun 20, 2023
Includes valuable static and dynamic code scanning and detailed reports
Pros and Cons
  • "The static scan and the detailed reports, which include issue information and permissions, are the most valuable features."
  • "Veracode does not support scans for .NET Blazor server applications."

What is our primary use case?

We are developers who utilize Veracode for the static and dynamic scanning of our applications.

How has it helped my organization?

Veracode provides both us and our customers with confidence that our applications do not have any issues by helping to prevent any vulnerable code from being deployed in production.

Veracode has helped us improve the way we conduct static and dynamic code testing in our organization. Based on the reports we receive, we can quickly identify what needs to be fixed immediately after the scan. For minor issues, we are given time to address them after moving into production, but for major issues, the application is unable to enter the production phase.

We utilize Veracode for static and dynamic code scanning in our software configuration and lifecycle management. It is integrated as part of our pipeline, allowing the code to be automatically scanned in the background. This enables us to review the reports promptly.

The information provided by Veracode enables us to easily rectify vulnerabilities in the workflow.

Veracode can help our developers save time, depending on the issue and the age of the application.

Veracode saves time by automating the basic tasks that were previously performed manually.

Veracode has had a positive impact on our security stance and has empowered our customers to confidently migrate their applications to the cloud.

What is most valuable?

The static scan and the detailed reports, which include issue information and permissions, are the most valuable features.

What needs improvement?

Veracode does not support scans for .NET Blazor server applications. We encounter errors whenever attempting a scan. I would appreciate it if Veracode could incorporate support for these applications.

I would like Veracode to offer code support for the latest releases of .NET whenever they are released by Microsoft.

For how long have I used the solution?

I have been using Veracode for over one year.

What do I think about the stability of the solution?

Veracode is stable.

How are customer service and support?

The technical support is helpful, but they operate on their own schedule, so in certain instances, we have to endure a considerable wait for a resolution.

How would you rate customer service and support?

Neutral

What other advice do I have?

I give Veracode an eight out of ten.

Our customer provides us with a Veracode profile account for uploading and testing code. We do not manage the solution or have any insight into how it is deployed.

I highly recommend Veracode for assisting in identifying vulnerabilities in code.

I have learned that Veracode can confidently scan and detect vulnerabilities in code. However, for older or unsupported applications, we need to seek an alternative solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
PeerSpot user
Geofrey Mutabazi - PeerSpot reviewer
Founder at a manufacturing company with 1-10 employees
Real User
Apr 24, 2023
Has been a time-saver for our developers by enabling those with different programming languages and skills to collaborate, but is expensive
Pros and Cons
  • "I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well."
  • "Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."

What is our primary use case?

I have implemented Veracode for both static and dynamic analysis to minimize errors in my application and avoid the need for manual reviews. This enables us to create a risk-free application in the code. Additionally, I utilize external libraries and licensing to accelerate the process of identifying vulnerabilities in my software development. This helps me and the development team to provide comprehensive information about the code.

How has it helped my organization?

Veracode's capability to prevent the deployment of vulnerable code is impressive. It allows for quick detection of defects during the development cycle, leading to faster release of improved code, and ultimately ensuring that our product is free of vulnerabilities. This feature is a great advantage for our organization.

SBOM is beneficial as it enables us to verify software licensing through static scanning. This helps ensure that the product we provide in the market is compliant with industry standards and user needs. In my opinion, this is a fantastic feature.

Creating a report is easy when using a sample template that we can relate to. If we know what kind of data we want to include and how we want it to be presented, the process of creating a report can be completed quickly.

The main advantage of using Veracode is the assurance that we are developing stable, secure, and fast solutions that are free of risks. This provides us with a clear picture of our progress toward our goals. Veracode helps our developers by providing remedial action and reports in various formats, ranging from summary to detailed. This allows us to customize our reports and share visually appealing reports with the team.

Having visibility into the status of our applications at every phase of development throughout the software development cycle enhances our DevOps productivity and ensures a stable solution.

The false positive rate is valuable. The benefit is that the false positive results provide our developers with a clear understanding of their proficiency level in development. However, the drawback is that during fast penetration or testing, they may receive alerts that can cause frustration. Additionally, if they perform another test, the previous alert may not appear again, making it difficult to address the issue. Overall, I believe that false positives can boost our developers' confidence in their abilities to a certain degree.

The false positives identified through static analysis have been beneficial in saving us time. Due to our use of advanced tools and record-keeping practices, we have been able to streamline processes such as data importing, which may have otherwise required local or manual methods. This has resulted in significant cost and time savings for our team. With the ability to work remotely using tools like Veracode, we are able to provide effective reporting and management for all software applications.

Veracode has been a time-saver for our developers by enabling those with different programming languages and skills to collaborate and develop stable solutions together. As a result, we are able to save some time.

Our overall security posture has been positively impacted by Veracode. We are confident that our solutions are highly secure for our clients and stakeholders. With Veracode's assistance, we ensure that our applications and software are free from bad code and other vulnerabilities. By troubleshooting alerts, we prevent abnormal codes from reaching production, creating stable and secure solutions. Veracode helps ensure social sustainability during the UAT process before we release the final product to consumers, resulting in a highly secure end product. Veracode has enabled us to offer a stable and trusted solution that fosters transparency between our company and the end-users, supporting their needs and activities.

Veracode reduced the cost of our DevSecOps by allowing us to use a single tool that can be operated by a small team of developers. We saved around $1,500 USD using Veracode.

What is most valuable?

I believe that testing code early on is always beneficial, and using UI saves time by detecting issues in the flow before the release cycle through verification scanning. Additionally, I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well. Overall, I'm impressed with the integration and user interface.

What needs improvement?

Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans. However, we can run these scans in the background to minimize disruptions. Static scanning can be a slow process that requires some time.

The cost and scalability also have room for improvement.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

Veracode has no downtime and is highly stable.

What do I think about the scalability of the solution?

The scalability is neutral because it lacks some integration. We have 12 end-users within our software and engineering departments.

How are customer service and support?

The technical support is responsive and helps us resolve our issues quickly.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward. I deployed the solution myself.

What about the implementation team?

The implementation was completed in-house.

What was our ROI?

Veracode assists us in increasing our sales by allowing us to redirect the funds that would have been used to pay our ex-pats to troubleshoot errors or issues with vulnerable code. Consequently, we are experiencing a higher return on investment, and our company has generated over 55 percent return on investment since implementing Veracode.

What's my experience with pricing, setup cost, and licensing?

The pricing for Veracode is high, making it difficult for beginners to afford. Whether or not Veracode is a viable option may depend on the specific needs and use cases of the user, as it may not be affordable for small businesses.

Veracode is costly, which makes it unsuitable for small organizations. However, if an organization has the budget for the solution, it is worth investing in.

What other advice do I have?

I give the solution a seven out of ten.

I believe that it is a wise decision to test our code to ensure its security. Utilizing Veracode is a beneficial practice as it examines our code and provides recommendations on areas that require improvement. This ultimately results in a stable solution. However, I advise using Veracode only if the business has the budget for it, as it can be expensive. Any organization that chooses to use Veracode, can be confident in the quality of its solution but must be prepared for the associated costs.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2026
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.