Try our new research platform with insights from 80,000+ expert users
Ujjwal Sachdeva - PeerSpot reviewer
Data scientist at Advarisk
Real User
Top 5
Identifies bugs before deployment in the software-side cycle process
Pros and Cons
  • "The integration capabilities with our existing development tools are very good."
  • "The solution does take a bit more time when we use it for multiple processes."

What is our primary use case?

We use the solution for identifying bugs before deployment in the software-side cycle process.

It can be integrated with our CL and CDProp pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.

How has it helped my organization?

We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.

What is most valuable?

The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.

The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.

The dynamic analytics is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitor.

Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.

We use the free access to VeriCloud's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendors. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.

We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process. 

The solution's policy reporting for insurance compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration. It significantly helps us to reduce the time that we have to manually fix the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.

Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.

The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three. 

The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.

What needs improvement?

The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes. 

Buyer's Guide
Veracode
June 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,711 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for six months.

What do I think about the stability of the solution?

The solution is very stable. We haven't come across any bugs. 

What do I think about the scalability of the solution?

Our security team of three uses the solution. 

It's great for scaling. We can use it on multiple projects which involve multiple security flows.

How are customer service and support?

Technical support has been very fast and efficient. The team helps us at every phase of the development cycle. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use a different solution. Previously, we relied on manual testing. 

How was the initial setup?

We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.

We don't require any maintenance.

What was our ROI?

Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.

What's my experience with pricing, setup cost, and licensing?

The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes. 

Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.  

If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case. 

What other advice do I have?

I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.

I'd rate the solution ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Security Analyst at a tech services company with 11-50 employees
Reseller
Top 20
An easy-to-use tool with a helpful community and an efficient technical support team
Pros and Cons
  • "The SAST and DAST modules are great."
  • "It will be beneficial for developers if Veracode Greenlight includes Python."

What is our primary use case?

The solution is used for performing application security processes like source code assessment, dynamic assessment, and SCA.

How has it helped my organization?

We sell the product to our customers. We are a vendor.

What is most valuable?

The SAST and DAST modules are great. The scanning part is also good. It’s pretty easy and convenient to use. Everything is described within the product. Almost everything is available in the community and the guidelines.

What needs improvement?

Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.

For how long have I used the solution?

I have been using the solution for almost one year.

What do I think about the stability of the solution?

The tool is stable.

What do I think about the scalability of the solution?

The scalability of the product depends upon the pricing. The price is a bit high for a small company. It is suitable for a large company.

How are customer service and support?

Support is very good. The support team resolves some issues within 24 hours.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I tried a few solutions before using Veracode. Veracode is better because it is convenient to use. The solution’s dashboard and features are pretty good. It is the topmost product among the other tools that I used. It is pretty simplified. Veracode has a lot of options to do authenticated scans. Veracode’s simplified features are helpful for people who use different authentication methodologies.

How was the initial setup?

We are using the SaaS version of the solution. The initial deployment was pretty easy. The CI/CD pipeline has a lot of dependencies, like connecting with Jenkins and Jira. If we directly upload the code to the cloud, we can deploy the product within a single day. If we do it in the CI/CD pipeline, it will take some time.

What about the implementation team?

One person can deploy the product. I haven’t had any maintenance-related issues with the solution. Whatever new vulnerabilities come, they are already updated in the database. Since we are a partner, it will be helpful if Veracode notifies us whenever it releases the vulnerability reports. We cannot always check the portal.

What's my experience with pricing, setup cost, and licensing?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.

What other advice do I have?

Veracode provides policy reporting to ensure compliance with industry standards and regulations. It is beneficial. The product also provides features to create custom policies. Most false-positives cases come under DAST. The false positives depend on the code. Veracode provides around 5% false positives.

The solution shows the vulnerabilities in the code and provides generic remediations for it. We must then search it on Google. The product’s community is also good. Sometimes, the product provides solutions in the community. These solutions work well on the production level.

I have also used the SCA features which help with identifying vulnerabilities in applications's third-party components. The Veracode user interface is so convenient and easy to use. Anyone can run a scan and generate a report easily.

The solution provides absolute visibility into application status at every phase of development. The users can get visibility through the CI/CD pipeline. The time taken to complete the scans depends on how much code is present in a specific application and how big the application is.

Veracode introduced a new module named Veracode Fix, which automates the fixes for insecure software with AI-generated secure code suggestions where the developer does not have to spend time searching and remediating the vulnerabilities. The developer does not have to spend time searching for vulnerabilities. Sometimes, the tool gives a generic recommendation, sometimes specific recommendations. It will be helpful if it always provides specific recommendations. The amount of time saved hinges on factors such as code complexity, the programming language employed, and the developer's proficiency in secure coding. If anyone uses Veracode throughout the entire process of building an application, from the start of development to the final production stage, can result in a time savings of around 30% to 40% when leveraging various security measures of the platform.

Veracode has had a good impact on our organization’s overall security posture. If we choose to take the complete Veracode module, we can have security from the initial step to the production phase. 

I will recommend others to implement the solution. Veracode is in the Gartner Magic Quadrant. It is doing a good job.

Overall, I rate the product a nine out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Veracode
June 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,711 professionals have used our research since 2012.
Boyapati Sivannarayana - PeerSpot reviewer
Devops Engineer at Accenture
Real User
Top 20
Good scanning, manages security risks, and prevents vulnerable code from going into production
Pros and Cons
  • "The deployment mode is very useful."
  • "The pricing is worth it."
  • "It's taking too much time to do a quality scan."

What is our primary use case?

We have data deployments for B2B and B2C with the product. Before we used a deployment center like Jenkins. We use it for backend content.

What is most valuable?

We've only used the solution for a year; it hasn't been that long.

The deployment mode is very useful.

We like that it can prevent vulnerable code from going into production.

We use the low-level elements and do greenlight deployment through Veracode.

It helps us manage our licensing and security risks. However, we are in the implementation process right now. So far, it's okay and working fine.

It's good that we can do a full code scan, front to back, or vice versa.

We mostly use the policy scan and vulnerability scan mostly. 

The security is okay.

What needs improvement?

The reporting can be difficult. It's not very easy.

It's taking too much time to do a quality scan. It hasn't saved us much time. Deployment was three or four months ago. We did a policy scan using a greenlight deployment. When we do the deployment in Jenkins, we can do it faster. In Veracode, it can take four hours or even eight hours.

We don't like how long it takes to do a deployment. It should deploy more quickly.

For how long have I used the solution?

I've used the solution for a year.

What do I think about the stability of the solution?

While there is no lagging or crashing, it takes too much time to deploy. 

What do I think about the scalability of the solution?

We haven't had any issues with scalability. That said, currently we are not scaling. Previously it was fine. Currently, we're not scaling. 

How are customer service and support?

Currently, we do not use support. We don't communicate with them. 

Which solution did I use previously and why did I switch?

We have used SAP and Jenkins in the past.

How was the initial setup?

The deployment takes too long.

I was not directly involved in the deployment of Veracode. I generally use Jenkins only.

Two people are typically involved in the deployment. 

Every week, on Friday, we put the servers down, and every Monday, we put them back up, to save on costs.

What about the implementation team?

The deployment is automated using Jenkins. We just need some parameters to deploy the code to the environment.

What's my experience with pricing, setup cost, and licensing?

The pricing is worth it. However, users need to go through the documentation first to get a handle on the implementation. Users might need the help of a support platform.

Which other solutions did I evaluate?

We did not evaluate other options before choosing this solution.

What other advice do I have?

I'm not sure how much visibility we are getting using the solution. 

The false positive rate we haven't really looked into. We need to learn more about it.

We are just end users, not partners. 

I'd rate the solution eight out of ten. 

It's a good idea to look at the documentation. Be very cautious when implementing servers.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Systems Engineer at Shiftmovers
Real User
Top 20
By continuously scanning our applications, we can mitigate risks that may arise in some workflows
Pros and Cons
  • "Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process."
  • "Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses."

What is our primary use case?

Veracode helps scan applications for security purposes to ensure they are safe before deployment. The solution is continuously monitoring the security of our infrastructure and workflows. About five people use the solution across our organization. 

How has it helped my organization?

Our security posture has improved since we implemented Veracode because our developers have a better understanding of the security risks that may arise due to some actions we take on various projects and tasks. We're more aware of how vulnerabilities can be introduced into our daily work. 

Veracode has reduced the amount we spend to remedy security risks by about 60 percent. Security testing is much easier than before. The time needed to address vulnerabilities can affect the workflows and lead to late delivery of our services across customers. It has helped us to mitigate risks by effectively monitoring workflows. The conditional scanning procedures we previously used have been replaced by modern systematic algorithms.

Veracode saves time and costs because it's flexible in terms of an organization's data requirements. It can provide data intelligence from various work platforms and guidance on the best practices for security mitigation so we can safeguard our data in various work processes.

The solution enables us to establish a strategic policy management infrastructure to monitor the performance of each application periodically and report on the security performance. The dynamic analysis gives us feedback from time to time and performance metrics inside the program interface. 

This platform is one of the most efficient and effective tools for upgrading applications to meet an organization's performance standards and policies. It helps us improve our development because sometimes the coding procedure might not reflect the latest threats. 

What is most valuable?

Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process. By continuously scanning our applications, we can mitigate risks that may arise in some workflows. It streamlines compliance, policy management, and reporting on various data analytics. We use it daily to gain insight into our work processes.

The solution is built into our SecOps program. It offers modern policy management, essential support, and analytics features. It's efficient with fast and powerful risk-mitigation tools.

What needs improvement?

I think Veracode could integrate some advanced technologies to better address new threats as they arise. 

For how long have I used the solution?

We have used Veracode for about a year.

What do I think about the stability of the solution?

Veracode has been a stable product. We've had some downtime, but it has performed well overall. 

How are customer service and support?

I rate Veracode support a nine out of ten. Veracode's support team has always been helpful. When we contact them by phone or online chat, they respond quickly with a solution within the time frame established in our support contract.  

How would you rate customer service and support?

Positive

How was the initial setup?

Deploying Veracode was straightforward, and we had help from the vendor's support team. Our deployment team has six members, and the whole process took about three weeks. 

After deployment, the product requires some maintenance. We sometimes face some networking challenges that require repairs, and we need to periodically update some tools.

What was our ROI?

Veracode is a good investment, and I can recommend it to anyone who is looking for the best security tester. I estimate that we saw a 60 percent ROI this year, and it continues.

What's my experience with pricing, setup cost, and licensing?

Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses. 

What other advice do I have?

I rate Veracode an eight out of ten. I would recommend it to others who need to do testing for application performance or security and risk management. 

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Geofrey Mutabazi - PeerSpot reviewer
Founder at a manufacturing company with 1-10 employees
Real User
Has been a time-saver for our developers by enabling those with different programming languages and skills to collaborate, but is expensive
Pros and Cons
  • "I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well."
  • "Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans."

What is our primary use case?

I have implemented Veracode for both static and dynamic analysis to minimize errors in my application and avoid the need for manual reviews. This enables us to create a risk-free application in the code. Additionally, I utilize external libraries and licensing to accelerate the process of identifying vulnerabilities in my software development. This helps me and the development team to provide comprehensive information about the code.

How has it helped my organization?

Veracode's capability to prevent the deployment of vulnerable code is impressive. It allows for quick detection of defects during the development cycle, leading to faster release of improved code, and ultimately ensuring that our product is free of vulnerabilities. This feature is a great advantage for our organization.

SBOM is beneficial as it enables us to verify software licensing through static scanning. This helps ensure that the product we provide in the market is compliant with industry standards and user needs. In my opinion, this is a fantastic feature.

Creating a report is easy when using a sample template that we can relate to. If we know what kind of data we want to include and how we want it to be presented, the process of creating a report can be completed quickly.

The main advantage of using Veracode is the assurance that we are developing stable, secure, and fast solutions that are free of risks. This provides us with a clear picture of our progress toward our goals. Veracode helps our developers by providing remedial action and reports in various formats, ranging from summary to detailed. This allows us to customize our reports and share visually appealing reports with the team.

Having visibility into the status of our applications at every phase of development throughout the software development cycle enhances our DevOps productivity and ensures a stable solution.

The false positive rate is valuable. The benefit is that the false positive results provide our developers with a clear understanding of their proficiency level in development. However, the drawback is that during fast penetration or testing, they may receive alerts that can cause frustration. Additionally, if they perform another test, the previous alert may not appear again, making it difficult to address the issue. Overall, I believe that false positives can boost our developers' confidence in their abilities to a certain degree.

The false positives identified through static analysis have been beneficial in saving us time. Due to our use of advanced tools and record-keeping practices, we have been able to streamline processes such as data importing, which may have otherwise required local or manual methods. This has resulted in significant cost and time savings for our team. With the ability to work remotely using tools like Veracode, we are able to provide effective reporting and management for all software applications.

Veracode has been a time-saver for our developers by enabling those with different programming languages and skills to collaborate and develop stable solutions together. As a result, we are able to save some time.

Our overall security posture has been positively impacted by Veracode. We are confident that our solutions are highly secure for our clients and stakeholders. With Veracode's assistance, we ensure that our applications and software are free from bad code and other vulnerabilities. By troubleshooting alerts, we prevent abnormal codes from reaching production, creating stable and secure solutions. Veracode helps ensure social sustainability during the UAT process before we release the final product to consumers, resulting in a highly secure end product. Veracode has enabled us to offer a stable and trusted solution that fosters transparency between our company and the end-users, supporting their needs and activities.

Veracode reduced the cost of our DevSecOps by allowing us to use a single tool that can be operated by a small team of developers. We saved around $1,500 USD using Veracode.

What is most valuable?

I believe that testing code early on is always beneficial, and using UI saves time by detecting issues in the flow before the release cycle through verification scanning. Additionally, I appreciate the integration provided by Veracode that seamlessly integrates with our CI/CD tools and allows us to integrate with IPA as well. Overall, I'm impressed with the integration and user interface.

What needs improvement?

Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans. However, we can run these scans in the background to minimize disruptions. Static scanning can be a slow process that requires some time.

The cost and scalability also have room for improvement.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

Veracode has no downtime and is highly stable.

What do I think about the scalability of the solution?

The scalability is neutral because it lacks some integration. We have 12 end-users within our software and engineering departments.

How are customer service and support?

The technical support is responsive and helps us resolve our issues quickly.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is straightforward. I deployed the solution myself.

What about the implementation team?

The implementation was completed in-house.

What was our ROI?

Veracode assists us in increasing our sales by allowing us to redirect the funds that would have been used to pay our ex-pats to troubleshoot errors or issues with vulnerable code. Consequently, we are experiencing a higher return on investment, and our company has generated over 55 percent return on investment since implementing Veracode.

What's my experience with pricing, setup cost, and licensing?

The pricing for Veracode is high, making it difficult for beginners to afford. Whether or not Veracode is a viable option may depend on the specific needs and use cases of the user, as it may not be affordable for small businesses.

Veracode is costly, which makes it unsuitable for small organizations. However, if an organization has the budget for the solution, it is worth investing in.

What other advice do I have?

I give the solution a seven out of ten.

I believe that it is a wise decision to test our code to ensure its security. Utilizing Veracode is a beneficial practice as it examines our code and provides recommendations on areas that require improvement. This ultimately results in a stable solution. However, I advise using Veracode only if the business has the budget for it, as it can be expensive. Any organization that chooses to use Veracode, can be confident in the quality of its solution but must be prepared for the associated costs.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Shashank Niranjan - PeerSpot reviewer
Senior Software Engineer at Capgemini
Real User
Provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs
Pros and Cons
  • "Being able to scan our applications and identify all codes and defects is an extremely valuable feature."
  • "Scanning large amounts of code can be a time-consuming process and there is scope for improvement."

What is our primary use case?

We use Veracode for application scanning.

How has it helped my organization?

Veracode is able to prevent vulnerable code from going into production.

Veracode has helped us to identify the vulnerable code in our applications before we put them into production.

The solution allows us to ensure compliance with standards and regulations.

Veracode provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs.

I give a nine out of ten for Veracode's ability to identify false positives. The false positive rate has increased our developer's confidence.

Veracode has enhanced our capability to address flaws by identifying bugs that may not have been detected through static analysis data.

Veracode has had a positive impact on our organization by providing us with greater insight into our data.

Veracode helps our developers save approximately ten percent of their time by detecting code issues and enabling them to promptly fix bugs before releasing the information into production.

Veracode helps secure our private data which improves our overall security posture.

What is most valuable?

Being able to scan our applications and identify all codes and defects is an extremely valuable feature.

What needs improvement?

Scanning large amounts of code can be a time-consuming process and there is scope for improvement.

For how long have I used the solution?

I have been using the solution for nine months.

What do I think about the stability of the solution?

Veracode is stable.

What do I think about the scalability of the solution?

Veracode is scalable. We have between 300 to 500 users.

How are customer service and support?

The technical support is responsive.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used some open source solutions and the management teams decided to switch over to Veracode.

What other advice do I have?

I give the solution an eight out of ten.

We have Veracode deployed in multiple locations.

Maintenance is only required when updating the solution.

You should evaluate multiple solutions, but I suggest considering Veracode if it aligns with the organization's requirements.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Reyansh Kumar - PeerSpot reviewer
Technical Specialist at Accenture
Real User
Provides detailed analysis and reports of code vulnerabilities throughout the SDLC
Pros and Cons
  • "The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed."
  • "Sometimes we get a lot of false positives even after configuring our policies, so that could be improved."

What is our primary use case?

Our primary uses are for reviews of our code and overall software environment, bug fixes, and detection of security flaws.  

We use the solution across multiple locations and regions, including Asia Pacific, EMEA, and North America. Our user base consists of 5200 individuals. 

How has it helped my organization?

The solution has given us real results when it comes to improving our overall security posture; it provides the best security and reports, indicates any flaws that may be present, and allows us to take steps to rectify them. The tool is now a part of our DevSecOps, and we truly rely on it.  

Regarding our ability to fix flaws, Veracode is very helpful; it provides a sense of confidence to our developers and a summary of reports that we can share with stakeholders such as our clients and senior management. The solution identifies security loopholes and gives us detailed feedback reports, allowing us to take action to remedy our security vulnerabilities. 

Veracode helped our developers save time; two or three development team members were previously dedicated to code security. By automating this task using the solution, those developers can reallocate their time to core software development, which is an excellent result. The time saved is in the region of 25%.   

Static Analysis' false positive rate positively affected time and costs related to tuning, leveraging data, and machine learning. Tuning data is essential as it gives us update optimization within our database, which is helpful for any organization. Veracode is the industry leader in being a one-stop shop security solution; it takes care of every aspect.  

What is most valuable?

The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed.

Veracode is excellent at preventing vulnerable code from going into production; the scans are speedy and give us a detailed analysis of our code. 

We use the Software Bill of Materials feature; it's essential and advantageous. We can't do a bill of materials manually, so it's excellent that Veracode provides this. SBOM helps us manage our risks, as every company has software that needs to be run appropriately throughout the user and client base. It's necessary to have a security audit or security compliance in such applications, and Veracode enables this functionality so we can easily identify security flaws and take measurable action.

Creating a report using the SBOM feature is straightforward, and it's important to our organization because it provides a return on our investment. Previously, we sometimes required a third-party resource to create reports, but with Veracode, it's easier to take care of that on our end.  

The solution's policy reporting allows us to set our standards, group policies, and regulations, so ensuring code compliance is part of its analysis. Veracode notifies us if any flaws are detected, allowing us to take action to correct them.  

The solution provides visibility into application status at every development phase throughout the SDLC; we can use Veracode during the development, design, testing, and implementation phases. We can easily analyze our code before commencing large production deployments and fix any issues.   

What needs improvement?

Sometimes we get a lot of false positives even after configuring our policies, so that could be improved.

There is an issue where the UI occasionally breaks in between uses of the application, which can be improved. The UI could also be more catchy for the benefit of the less technical users. 

It would be good if the configuration of dynamic scanning could be less complex.

For how long have I used the solution?

We've been using the solution for over three years. 

What do I think about the stability of the solution?

The solution is stable. It wasn't before, as different organizations required new group policies and configurations. The product has yet to mature fully but has developed enough to adopt a stable position in the market.

What do I think about the scalability of the solution?

The solution is as scalable as required, but we must pay for that. 

How are customer service and support?

The technical support is good; I rate them nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used some open-source software, but our developers generally manually performed code-checking. Our requirement is for a solution that takes care of our software code and security throughout the SDLC. Following evaluation, we found Veracode more useful in terms of licensing, pricing, and features.

How was the initial setup?

The initial setup was straightforward; it took seven to ten days, including gathering all requirements, overall deployment, and the final implementation. The deployment team consisted of four to five members. 

The product doesn't require any maintenance; operations and support are primarily handled by Veracode, as it's a fully managed service. 

What was our ROI?

We have seen an ROI with Veracode regarding time, money, and overall organization reports. Our ROI is in the region of 25-30%.

The solution reduced the cost of our DevSecOps by lowering the headcount for those previously dedicated to security throughout the SDLC. They can now spend more time improving their code base and focusing on development.  

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing are reasonable, and relatively straightforward, and different licensing and subscription models are available.

To someone considering Veracode but concerned about the price, it can be a challenge for small and mid-sized organizations, but it's a good choice for larger enterprises. If security is a primary concern for any organization, they should consider Veracode; they won't be disappointed.  

Which other solutions did I evaluate?

We evaluated GitLab, Micro Focus, and SonarQube. 

What other advice do I have?

I rate the solution nine out of ten. 

Regarding the tool's false positive rate, the analysis is good but can be affected by data and code not supported by Veracode. In these cases, we can experience some challenges, but other than that, the false positive reporting is good. In cases of unsupported code, developer confidence can be affected, as we know there may be some flaws we can't control. If they are minor enough, we can ignore them.

I advise others considering the product to go with it if it fulfills their requirements. Veracode is a tested name in the market for application security and detecting flawed code. They should evaluate other options if they fit the needs better, but I highly recommend Veracode.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Shiva Prasad Reddy - PeerSpot reviewer
Program Analyst at a tech services company with 10,001+ employees
Real User
Helps developers look at things with a different, more secure, perspective, decreasing the flaw rate
Pros and Cons
  • "It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed."
  • "There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. Also, the duration of the scan is a bit too long."

What is our primary use case?

In my previous company, we had a healthcare app. We used Veracode to run a spontaneous static analysis as well as dynamic analysis, to resolve our vulnerabilities. We were releasing versions every month. Each month we were looking at the results of Veracode and fixing the problems.

How has it helped my organization?

It helps fix a lot of flaws and bugs. As a developer, you look at things with a different perspective with the Veracode results. You can see that certain things can be implemented in another way, how they can be more secure. As a result, it helps improve your level of understanding and decrease the number of production issues.

Using Veracode, it was very interesting to see the difference when I compared things over a three-month timeline. During the initial three months, when I started using Veracode, I found the percentage rate of flaws was around 60 to 70 percent in the entire file we were uploading. After using Veracode over the next three months, our score decreased to a 30 to 40 percent flaw rate. We were able to do our quarterly development in a very secure way.

For example, we recently encountered a flaw that might be exploited. We implemented a function to store passwords that were encrypted. That functionality was written in a pretty vulnerable manner. By looking at the code, we could see, "Okay, this might be exploited." But when Veracode pointed out multiple times, "This might be vulnerable," and "This might be vulnerable," it helped us improve our developer standards. It gave us a brief idea of how this particular code implementation could be improved.

There is also a feature called Veracode Pipeline Scan which provides instantaneous feedback. That was a major addition to our process and has worked out very well. Developers get instant feedback about their flaws, making them easy to fix while in pre-production. That is one of the major boosts that we have implemented. It enables our developers to fix things in parallel, and that has saved time, about 20 to 25 percent, and resulted in better coding. As a security guy, I can see the differences between the initial processes and the processes we have six to eight months after implementing Veracode Pipeline Scan and Veracode in general. 

Overall, it has reduced the time that we used to spend working manually to pinpoint the issues that we found. Veracode makes it an automated process. Also, we can use it in parallel. If Veracode is the main "hub," we can have "sub-hubs" such as static analysis and Veracode Pipeline Scans. Both can be done simultaneously, reducing the manpower required by a lot, and providing correct results. And it has improved our understanding of the different kinds of flaws and vulnerabilities that are in the report. Veracode, as a tool, has made things better.

In terms of security posture, when I had just joined my previous organization, there was a meeting about client feedback. Initially, their comments were that things were not very stable. They said it was easy to steal data. After using Veracode, and as our developers adapted the tool and developed secure code, the client's feedback was that things were pretty stable and good. At first, the feedback was very ruthless. We were not up to security standards. But once we started using Veracode, it became the main pillar of our security. We overcame certain challenges and the client feedback was pretty good.

What is most valuable?

It yields around 90 percent accurate results. It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed.

Another valuable feature is in the dynamic analysis, which provides information on which libraries are outdated so that we can improve them and get them up to date. We found a lot of outdated libraries in use in our organization. As a result, it has improved our stability. The software composition analysis keeps you updated on each kind of data it reports on, including libraries and third-party DLLs.

What needs improvement?

There is a sandbox limit of 10 so any company using Veracode needs to plan for only having those 10 sandboxes. If they increased that to 25 or 30, the scan time would decrease and the results should be more effective.

There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. 

Also, the duration of the scan is a bit too long.

For how long have I used the solution?

I used Veracode in my previous company but recently changed to a new company. Overall, I have used it for around 1.5 years.

What do I think about the stability of the solution?

Its stability is fine. On a scale of one to 10, I would give it a seven for stability.

What do I think about the scalability of the solution?

It's a scalable solution.

We have it implemented in two offices, the main office in the US and a single office in India. There are only 10 to 12 people using it in our organization, meaning in India. I am not aware of how many users there are in the US.

How are customer service and support?

Their support team needs to respond in less time. It takes a lot of time for them to respond. When we reach out, we are waiting, most of the time, for two or three weeks to get a reply from them. That is the one major piece of feedback I have for Veracode.

Their technical support is very good, except for the response time. When we are stuck with something technical, they explain how to use it in multiple ways. They are supportive and that is pretty good.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We were using a couple of other tools along with Veracode. One was SonarQube and the other was Acunetix.

What other advice do I have?

The false positive rate is pretty low. When I started using Veracode, there were a lot of false positives, but that number became notably smaller. There are some false positives because new types of flaws are generated for each new version.

Initially, in general, whenever you see any kind of false positives or true negatives, it reduces your confidence. But whenever the reports are generated by Veracode, as developers we can understand that they show certain patterns of what might be a false positive. So we get an idea that this kind of a flaw might be a false positive while this kind might not be a false positive. We get clarity about the reports sent by Veracode. At a certain point, we might be sure that we can explain all the false positive data to management so that they can look into them and understand: If this kind of data or this kind of code flaw comes up, it is a false positive. We can easily associate these scenarios with false positives because they are normal and common.

During the initial phase, false positives affect our time because we can't deduce any conclusions. Static analysis is the kind of process in which you will encounter false positives in certain cases. But after a couple of implementations of machine learning, the results should be pretty accurate and the false positives should decrease.

Preventive maintenance is critical. Per my experience with Veracode, there are certain maintenance issues, but they are the normal types of things.

I would highly recommend Veracode, but initially, don't do a deep dive into the tool. Take a couple of licenses to start adapting to the tool and work out how it works and whether it's suitable for your development processes and developers, and get their feedback. I highly recommend it because it's a real time-saver, provides stability, and improves your organization's productivity.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2025
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.