Try our new research platform with insights from 80,000+ expert users
Veracode Logo

Veracode pros and cons

Vendor: Veracode
4.1 out of 5
Badge Ranked 1
3,876 followers
Start review

Pros & Cons summary

Veracode offers robust static and dynamic scanning capabilities to detect vulnerabilities, while its integration with CI/CD pipelines enables automation and consistent security checks. With effective Software Composition Analysis and technical support, users can address vulnerabilities in third-party libraries. Despite issues with scan speed, high false-positive rates, and expensive pricing for small businesses, its continuous integration assists in maintaining industry compliance. Therefore, improved integration and documentation would enhance its usability.

Buyer's Guide

Get pricing advice, tips, use cases and valuable features from real users of this product.
Get the report

Prominent pros & cons

PROS

Veracode excels in detecting and managing vulnerabilities, helping developers remediate issues efficiently.
It integrates seamlessly into CI/CD pipelines, facilitating continuous integration and secure software development practices.
The platform offers valuable features like static scanning, dynamic scanning, and software composition analysis, ensuring comprehensive security coverage.
Veracode provides exceptional technical support, known for its responsiveness and knowledge, assisting users in resolving security concerns promptly.
The scalability and cloud-based nature of Veracode allows organizations to effectively manage and conduct security scans without additional infrastructure requirements.

CONS

Veracode needs to improve its scanning speed, especially for large applications, as this affects the integration into CI/CD pipelines and developer productivity.
Reducing the high number of false positives reported by Veracode would enhance its accuracy and reduce unnecessary effort for users.
Veracode should provide better support and timely updates for newer programming languages and frameworks, which would keep it aligned with current industry needs.
Enhancements in Veracode’s API integration would help in seamless integration with development pipelines and improve automation capabilities.
Expanding language support within Veracode could benefit users dealing with less common or emerging programming languages.
 

Veracode Pros review quotes

SP
Oct 14, 2021
The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly.
Read full review
reviewer1705929 - PeerSpot reviewer
Oct 28, 2021
There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place.
Read full review
Robert Hood - PeerSpot reviewer
Jul 31, 2023
The most valuable feature is the SAST capability and its integration into the Veracode pipelines.
Read full review
Buyer's Guide
Veracode
April 2025
Free Report: Veracode Reviews and More
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
DOWNLOAD NOW
850,900 professionals have used our research since 2012.
Evan Gertis - PeerSpot reviewer
Sep 14, 2021
The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting."
Read full review
OK
Oct 18, 2021
Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us.
Read full review
Saket Pandey - PeerSpot reviewer
Jun 21, 2023
The recommendations and frequent updates are the most valuable features of Veracode.
Read full review
MT
Nov 4, 2020
The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful.
Read full review
AB
Dec 20, 2020
Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code.
Read full review
SumalyaGuha - PeerSpot reviewer
Jan 9, 2023
In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production.
Read full review
KM
Nov 8, 2020
In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application.
Read full review
Show 10 more reviews (out of 193)
 

Veracode Cons review quotes

SP
Oct 14, 2021
The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it.
Read full review
reviewer1705929 - PeerSpot reviewer
Oct 28, 2021
I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results.
Read full review
Robert Hood - PeerSpot reviewer
Jul 31, 2023
From what we have seen of Veracode's SCA offering, it is just average.
Read full review
Buyer's Guide
Veracode
April 2025
Free Report: Veracode Reviews and More
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
DOWNLOAD NOW
850,900 professionals have used our research since 2012.
Evan Gertis - PeerSpot reviewer
Sep 14, 2021
The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way.
Read full review
OK
Oct 18, 2021
The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it.
Read full review
Saket Pandey - PeerSpot reviewer
Jun 21, 2023
The false positive rates were quite high in our case.
Read full review
MT
Nov 4, 2020
Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated.
Read full review
AB
Dec 20, 2020
Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided.
Read full review
SumalyaGuha - PeerSpot reviewer
Jan 9, 2023
Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part.
Read full review
KM
Nov 8, 2020
The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most.
Read full review
Show 10 more reviews (out of 190)

Product Categories

Product Categories
Application Security Tools
Static Application Security Testing (SAST)
Container Security
Software Composition Analysis (SCA)
Penetration Testing Services
Static Code Analysis
Application Security Posture Management (ASPM)

Popular Comparisons

Popular Comparisons
SonarQube Server (formerly SonarQube) vs Veracode Logo
SonarQube Server (formerly SonarQube) vs Veracode
Wiz vs Veracode Logo
Wiz vs Veracode
Prisma Cloud by Palo Alto Networks vs Veracode Logo
Prisma Cloud by Palo Alto Networks vs Veracode
Microsoft Defender for Cloud vs Veracode Logo
Microsoft Defender for Cloud vs Veracode
GitLab vs Veracode Logo
GitLab vs Veracode
Snyk vs Veracode Logo
Snyk vs Veracode
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Black Duck vs Veracode Logo
Black Duck vs Veracode
Coverity vs Veracode Logo
Coverity vs Veracode
Mend.io vs Veracode Logo
Mend.io vs Veracode
OWASP Zap vs Veracode Logo
OWASP Zap vs Veracode
SonarQube Cloud (formerly SonarCloud) vs Veracode Logo
SonarQube Cloud (formerly SonarCloud) vs Veracode
CrowdStrike Falcon Cloud Security vs Veracode Logo
CrowdStrike Falcon Cloud Security vs Veracode
Fortify on Demand vs Veracode Logo
Fortify on Demand vs Veracode
Orca Security vs Veracode Logo
Orca Security vs Veracode
See all alternatives

Product Categories

Product Categories
Application Security Tools
Static Application Security Testing (SAST)
Container Security
Software Composition Analysis (SCA)
Penetration Testing Services
Static Code Analysis
Application Security Posture Management (ASPM)

Popular Comparisons

Popular Comparisons
SonarQube Server (formerly SonarQube) vs Veracode Logo
SonarQube Server (formerly SonarQube) vs Veracode
Wiz vs Veracode Logo
Wiz vs Veracode
Prisma Cloud by Palo Alto Networks vs Veracode Logo
Prisma Cloud by Palo Alto Networks vs Veracode
Microsoft Defender for Cloud vs Veracode Logo
Microsoft Defender for Cloud vs Veracode
GitLab vs Veracode Logo
GitLab vs Veracode
Snyk vs Veracode Logo
Snyk vs Veracode
Checkmarx One vs Veracode Logo
Checkmarx One vs Veracode
Black Duck vs Veracode Logo
Black Duck vs Veracode
Coverity vs Veracode Logo
Coverity vs Veracode
Mend.io vs Veracode Logo
Mend.io vs Veracode
OWASP Zap vs Veracode Logo
OWASP Zap vs Veracode
SonarQube Cloud (formerly SonarCloud) vs Veracode Logo
SonarQube Cloud (formerly SonarCloud) vs Veracode
CrowdStrike Falcon Cloud Security vs Veracode Logo
CrowdStrike Falcon Cloud Security vs Veracode
Fortify on Demand vs Veracode Logo
Fortify on Demand vs Veracode
Orca Security vs Veracode Logo
Orca Security vs Veracode
See all alternatives
Related questions
  • 190
What is the biggest difference between Veracode and Checkmarx?
  • 99
Which gives you more for your money - SonarQube or Veracode?
  • 53
Checkmarx or Veracode. Which should we choose?
  • 7
Would you recommend Veracode? What are some of your use cases?
  • 143
Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
  • 6
What do I scan when changing code in Veracode?
  • 604
If you had to both encrypt and compress data during transmission, which would you do first and why?
  • 32
When evaluating Application Security, what aspect do you think is the most important to look for?
  • 93
What are the Top 5 cybersecurity trends in 2022?
  • 113
What are the threats associated with using ‘bogus’ cybersecurity tools?