
Veracode Static Analysis Overview

Veracode Static Analysis is #3 ranked solution in top Static Code Analysis tools. PeerSpot users give Veracode Static Analysis an average rating of 7.8 out of 10. Veracode Static Analysis is most commonly compared to Fortify Static Code Analyzer: Veracode Static Analysis vs Fortify Static Code Analyzer. Veracode Static Analysis is popular among the large enterprise segment, accounting for 71% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from a financial services firm, accounting for 16% of all views.
Veracode Static Analysis Buyer's Guide

Download the Veracode Static Analysis Buyer's Guide including reviews and more. Updated: September 2022

What is Veracode Static Analysis?

You’re Focused on Creating Innovative Software
... that moves your business, and the world, forward. Yet your biggest catalyst for change can also become your biggest source of vulnerability.

Today, application layer attacks are the most frequent pattern in confirmed data breaches. Current application security solutions can be difficult for overworked security teams to manage and scale, don’t empower developers to fix security issues, and only find certain software vulnerabilities.


Veracode Static Analysis Pricing Advice

What users are saying about Veracode Static Analysis pricing:
  • "Users in some forums mentioned that pricing for this solution can be quite high."
  • "Veracode is costly. They have different license models for different customers. What we had was based on the amount of code that has been analyzed. The license that we had was capped to a certain amount, for example, 5 Gig. There would be an extra charge for anything above 5 Gig."
  • "The price of Veracode Static Analysis is on the higher side."
Veracode Static Analysis Reviews

    FranckGafsou - PeerSpot reviewer
    Security Architect Lead at a comms service provider with 10,001+ employees
    Real User
Top 10 Leaderboard
    Stable solution for managing vulnerabilities and risks, but some features need to be redesigned to make them more user-friendly
    Pros and Cons
    • "Stable and scalable, with good reporting features. Helps in detecting and managing vulnerabilities and risks."
    • "Some features could be improved in terms of user-friendliness."

    What is our primary use case?

    We use this solution because we have an important portfolio of applications, and before moving those applications to the production environment, we use the static features to scan the code: either for static analysis or for SCA (Software Composition Analysis) to find any vulnerability in our open source libraries.

    How has it helped my organization?

When I started my job, this solution was already deployed, so I cannot compare it to how our company was prior to its deployment, but Veracode Static Analysis is a very good tool for static analysis and SCA. It is not the only one in the market, but I would recommend it.

    What is most valuable?

    There are several features which I found most valuable in Veracode Static Analysis. First, it has a user-friendly interface, so it is easy to use.

    I also found its reporting features interesting because they give you visibility on the vulnerabilities and the associated risks.

The feature of scanning open source dependencies for vulnerabilities is also very interesting. You have a dependency graph which shows you how your libraries are embedded within your code, so you can also see what kind of dependencies you have from one library to another. This means if you need to upgrade to a vulnerability-free version, you can assess the impact on other libraries as well.

    There is also a feature that enables you to build your own dashboard. For example, if you want to query the database that is supporting the platform, you can build your own dashboard with some indicators regarding the vulnerabilities, your portfolio, or you can look for a specific type of library or a specific type of risk, and that's interesting when you want to have visibility on your key item. I use this feature often.

    What needs improvement?

    This solution has a clear interface, but there are times when you go to the menu of a scan, you have to open another page for the project, or if you need to link, you also have to link your scan to a specific project. Some people find it difficult to understand those different screens and menus.

    When you want to retrieve specific information about the projects that are linked to your scan, it's not easy. Those pages need to be redesigned.

    I also don't understand Veracode workspaces. Other people also find that feature difficult to understand.

    Those are the features that Veracode needs to redesign.


    For how long have I used the solution?

    I've been using Veracode Static Analysis for more than one year.

    What do I think about the stability of the solution?

    This product is stable. We only encountered a bug which affected the results, but it was just once in a year, so this solution is stable.

    What do I think about the scalability of the solution?

    I was not involved in any scalability issues or concerns with Veracode Static Analysis. The scalability requirements for this solution would be easily met because it's a SaaS application, so it's supposed to be very scalable for customer needs. I would not expect much trouble regarding its scalability.

    How are customer service and support?

Technical support for this solution is good. Whenever we face an issue, we schedule a consultation with them. We had the opportunity to have a slot four or five days after scheduling. Their SLA is good, but sometimes I would expect more proactive support, or support with more availability. If we are facing an urgent issue, waiting four or five days is long. I would expect more proactive support, but when we talk to them, in general, they provided the answers we expected.

    I'm rating their support a seven out of ten.

    Which solution did I use previously and why did I switch?

Prior to Veracode Static Analysis, the company was using the Black Duck solution. The reason for switching could be to have a SaaS-based solution, though I am unsure if Black Duck was an on-premises or a SaaS-based solution.

Veracode has a good recommendation and good scoring, so it was the opportunity to move to a more powerful solution with DAST, SAST, and SCA capabilities.

    Since this solution also has DAST capabilities, with the midterm or long-term projects, it was expected to unify all those capabilities within one platform. It's more of a strategic reason why the company switched to Veracode Static Analysis.

    Which other solutions did I evaluate?

    We evaluated AppScan from HCL.

    What other advice do I have?

    Veracode Static Analysis isn't deployed on-premises. It's a SaaS offering.

    We are using Veracode Static Analysis for static analysis and SCA, and there is also a need for the DAST module for dynamic scanning. We are considering running a POC for this solution, but I don't have any other updates for the time being. I know its DAST features would also be useful.

    We are currently using HCL AppScan for SAST, and because we are not very satisfied with that product, we are considering using Veracode Static Analysis for DAST.

    A lot of people are using Veracode Static Analysis in our company, approximately 300 or 400 people: development team leaders, developers, and people who are very tech-savvy and using all their time to develop applications and new programs.

    I don't have pricing insight for this solution. I was not involved in the project before this was deployed. I just read in forums that the price for Veracode Static Analysis is high, but I cannot provide any specific insight.

    What I can tell others who are looking into implementing Veracode Static Analysis is that it is a platform that provides good features. Its reporting capabilities are interesting, and overall the platform gives high quality results. You can manage your vulnerabilities and your risks quite easily, and define your own mitigation strategies within the platform.

    I'm rating this solution a seven out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Lead Security Architect at a comms service provider with 1,001-5,000 employees
    Real User
Top 5 Leaderboard
    Fabulous support, good user management, good scalability, and good security
    Pros and Cons
    • "It is a cloud-based platform, so every organization or every security team in the organization is concerned about uploading their code because ultimately the code is intellectual property. The most useful thing about Veracode is that if you want to upload the code, they accept only byte code. They do not accept the plain source code as an input. The code is converted into binary code, and it is uploaded to Veracode. So, it is quite secure. It also has the automation feature where you can integrate security during the initial stages of your software development life cycle. It is pretty much easy with Veracode. Veracode provides integration with multiple tools and platforms, such as Visual Studio, Java, and Eclipse. Developers can integrate with those tools by using Jenkins. The security consultation or the support that they provide is also really good. Its user management is also good. You can restrict the users for a particular application so that only certain developers will be able to see the code that has been scanned. Their reporting model is really good. For each customer, they provide a program manager. Every quarter, they have their reviews about how much it has scanned. They also ensure that the tool has been used efficiently."
    • "There are few languages that take time for scanning. It covers the majority of languages from C to Scala, but it doesn't support certain languages and the newer versions of certain languages. For example, it doesn't support SAP and new JavaScript frameworks such as Node.js and React JS. They can include support for these. If you go to their website, you can see the list of languages that are currently supported. The false-positive rates are also something they can work on."

    What is our primary use case?

    In my previous organization, we used to use Veracode throughout all verticals. It is a cloud-based platform, and you need to upload the code for static analysis. The code has to be uploaded as per the compilation guide provided by Veracode. So, for different languages, you have to combine the code as per the instructions in the guide.

    We used to own and manage the platform. We also used to manage the users. If there was a particular project team that needed to use Veracode to do their code scan, they used to approach us. We used to create the user accounts for them so that user accounts were limited to just the code. We also used to guide and train them on how to upload the code on Veracode, how to combine the code, and how to initiate the scan. After the scan is completed, we used to tell them and guide them about how to treat the vulnerabilities in that code, how to fix and mitigate them, and what's the next process. Apart from that, we used to create a project team to build their CI/CD pipeline, where we used to create DevSecOps automation.

    What is most valuable?

    It is a cloud-based platform, so every organization or every security team in the organization is concerned about uploading their code because ultimately the code is intellectual property. The most useful thing about Veracode is that if you want to upload the code, they accept only byte code. They do not accept the plain source code as an input. The code is converted into binary code, and it is uploaded to Veracode. So, it is quite secure. It also has the automation feature where you can integrate security during the initial stages of your software development life cycle.

    Veracode provides integration with multiple tools and platforms, such as Visual Studio, Java, and Eclipse. Developers can integrate with those tools by using Jenkins. The security consultation or the support that they provide is also really good.

    Its user management is also good. You can restrict the users for a particular application so that only certain developers will be able to see the code that has been scanned. 

    Their reporting model is really good. For each customer, they provide a program manager. Every quarter, they have their reviews about how much it has scanned. They also ensure that the tool has been used efficiently. 

    What needs improvement?

    There are few languages that take time for scanning. It covers the majority of languages from C to Scala, but it doesn't support certain languages and the newer versions of certain languages. For example, it doesn't support SAP and new JavaScript frameworks such as Node.js and React JS. They can include support for these. If you go to their website, you can see the list of languages that are currently supported.

    The false-positive rates are also something they can work on.

    For how long have I used the solution?

    I have been using Veracode for the last four years.

    What do I think about the stability of the solution?

    From my perspective, it is really good. It is one of the best SaaS solutions that I have come across. Veracode is also a leader in Gartner Quadrant.

    What do I think about the scalability of the solution?

    It is pretty good in terms of scalability. There are many users of this solution. There are also many customers of Veracode. We had around 1,000 plus users.

    How are customer service and technical support?

    The support that Veracode provides is really fabulous. They are very responsive. They provide you with a thorough analysis. If you have any questions or doubts, they help to clear them in a very simple manner.

    Which solution did I use previously and why did I switch?

    I've used Checkmarx and HPE Fortify. Now, I am using Micro Focus. As compared to Veracode, Checkmarx takes input as plain text. It takes the code as it is and does not compile the code. This is the main difference between Checkmarx and Veracode. Checkmarx also has an on-prem solution, but Veracode does not have an on-prem solution. 

    There is also a major difference in the cost and licensing model. Veracode's license model is quite complex. Comparatively, Checkmarx's license model is straightforward. You can upload any amount of code. For example, it could be 1 Gig or 2 Gig. They charge based on the number of applications, but Veracode's licensing model is pretty different. They charge based on the amount of code that has been analyzed.

    How was the initial setup?

    It is pretty much straightforward. It is a cloud-based solution. So, creating a user in Veracode is pretty much easy. It involves just a few clicks. Uploading the code is also pretty much easy. It is user-friendly and developer-friendly.

    What about the implementation team?

    When I used to maintain this for 1,000 developers, two or three people were enough to maintain it.

    What's my experience with pricing, setup cost, and licensing?

    Veracode is costly. They have different license models for different customers. What we had was based on the amount of code that has been analyzed. The license that we had was capped to a certain amount, for example, 5 Gig. There would be an extra charge for anything above 5 Gig.

    What other advice do I have?

    Veracode is well-suited for modern programming languages. Veracode is not for scanning large legacy applications with a huge codebase. It also doesn't support some unique languages such as SAP. This could be a challenge for certain people. 

    More organizations are taking the left shift approach for application security and trying to integrate security early into their software development life cycle. Veracode is good for such automation.

    I would rate Veracode Static Analysis a nine out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Product Security Engineer at a tech services company with 5,001-10,000 employees
    Real User
    Top 20
    Good pipeline scanner, requires minimal maintenance, and helps easily reveal design flaws
    Pros and Cons
    • "With the pipeline scanner, it's easier for developers to scan their products, as they don't have to export anything from their computers. They can do everything with the command line on their computer."
    • "Maybe the pipeline scanning doesn't support enough languages. It might only support Java and Python only, so that could be improved."

    What is our primary use case?

    I'm working on security reviews for our in-house products. We are trying to solve problems. The use case for Veracode is to discover flaws in design before our application reaches end customers. We are using Veracode as one of the tools to ensure that our products are following secure design guidelines.

    How has it helped my organization?

We have some applications where Veracode found a potential XSS due to improper input controls. Based on Veracode recommendations, I work with the dev team and remediate the flaw. That's something that I would probably have missed if I did only the manual code review.

    What is most valuable?

We recently started working with the pipeline scanner, which is quite useful. In Veracode, you need to import zip files for the source code. With the pipeline scanner, it's easier for developers to scan their products, as they can do everything via the command line. When a scanner detects a flaw, it also generates a good explanation about that flaw and good references for mitigation. That's also very useful for us.

    What needs improvement?

In terms of improvement, I don't have any valuable input. The application works fine and I don't have any negative feedback. Maybe the pipeline scanner can be improved to support some additional language packages.

    For how long have I used the solution?

    I've used the solution for two years now. It hasn't been that long. 

    What do I think about the stability of the solution?

    The solution is stable. I haven't experienced any hiccups in my work in any way. 

    How are customer service and support?

I haven't worked with Veracode's support and therefore cannot comment on how helpful or responsive they are.

    Which solution did I use previously and why did I switch?

    I don't have experience with other SAST products.

    How was the initial setup?

    This solution was already deployed when I was hired. I can't speak to what the deployment process was like. 

    The maintenance is minimal. I just need to create accounts for people who want to scan by themselves and that's it. It's easily maintainable.

    What's my experience with pricing, setup cost, and licensing?

    I don't have any insights on pricing. I don't handle any aspects of the licensing process so I can't speak to the overall costs or terms.

    What other advice do I have?

We access Veracode via a web browser. I'm guessing it's some type of cloud deployment, hosted by Veracode.

    We have a lot of applications that are scanned with Veracode. We did scans for some of our core products, as well as on-demand products, and web applications. I'm mostly working with web applications for now. 

    Based on my experience, new users should check as many features as they can, and also read the reports carefully. That way, they can get a full picture of how this product works.

    I'd rate the solution a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Prasenjit Roy - PeerSpot reviewer
    Sr. Cloud Solution Architect - SAP on Azure at Accenture
    Real User
Top 5 Leaderboard
    The solution supports a broad range of code technologies and can analyze large applications
    Pros and Cons
    • "Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode."
    • "While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode."

    What is our primary use case?

    I use Veracode for static and dynamic analysis.

    What is most valuable?

    Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode.

    For how long have I used the solution?

    I've been using Veracode for four or five years.

    What do I think about the scalability of the solution?

    We have about 230 users. 

    How are customer service and support?

    We've raised a few tickets with Veracode support. Sometimes, their frontline support can resolve the issue, but we may need to escalate it and get their global team involved. The problem is usually resolved in a couple of days. Overall, support is not a concern. It's fine.

    How was the initial setup?

    Veracode is an easy-to-use browser-based solution. It isn't a standalone product like Fortify, so there's no installation. You put in the credentials and start the scan. 

    What's my experience with pricing, setup cost, and licensing?

    While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode. 

    Which other solutions did I evaluate?

    Veracode and Micro Focus Fortify SSC are both making progress. Fortify's cloud-on-demand model is an improvement over the past. Both solutions handle the analysis part well, but Fortify needs to improve a lot of things. For one, Micro Focus Fortify hasn't been updated in a long time. They acquired the solution from HP long back, but I haven't seen much improvement. 

    Veracode's browser-based solution doesn't have cloud-on-demand functionality. You only need to give consent once on Veracode's access URL, but Micro Focus requires another consent for Dynamic Application testing for WebInspect server, so we need to use SQL Server Express for the WebInspect server. 

    We have some difficulties in a SQL Server because a client might not be able to install that in their environment. We may be able to install WebInspect, but we face some challenges dealing with SQL Server Express and other dependents. We have issues with those other supported plugins, libraries, or framework installation parts.

    What other advice do I have?

    I rate Veracode Static Analysis eight out of 10. I recommend Veracode over Micro Focus. Some companies prefer Micro Focus because they can get a discount and buy it for less than the market price. That's the only reason to use Micro Focus. Otherwise, I don't think Micro Focus can compete with Veracode.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Prakash Pillay - PeerSpot reviewer
    Director - Product Solution/Architecture at a tech vendor with 10,001+ employees
    MSP
    Top 20
    Helps improve our code quality and remove security flaws, but dynamic scanning takes time
    Pros and Cons
    • "It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase."
    • "I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."

    What is our primary use case?

    For every application we develop, we want both static and dynamic security scans done before deploying them.

    How has it helped my organization?

    The solution helps us to verify if our code is error-prone or has any OWASP security flaws. It has also reduced our scanning time, but it's difficult to say by how much.

    Also, the scanning process helps a lot when it comes to improving standards and best practices. If we scan multiple times and we get the same warnings again and again, it helps us to identify that there's something we need to rectify, overall, in our standards and processes.

    In addition, the solution has helped to increase our security and development teams' productivity.

    On the whole, Veracode has improved the quality of our code and the end product. It has reduced our security debt by 40 or 50 percent. It helps protect our application from external attacks.

    What is most valuable?

    It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase.

    It also gives us a centralized view of issues and that is important because security is key to any application. We want to identify the flaws as early as possible. The centralized view means that everybody can see the report and remediate accordingly.

    What needs improvement?

    I would like to see improvement on the analytics side, and in integrations with different tools.

    Also, the dynamic scanning takes time.

    For how long have I used the solution?

    We have been using Veracode for more than six years.

    What do I think about the stability of the solution?

    It's a stable product.

    What do I think about the scalability of the solution?

    We have about 30 to 40 developers using the solution. We use it on a weekly basis but I can't comment on whether we will increase our use of it. That depends on our product.

    How are customer service and support?

    Technical support is average. They take some time to respond.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We didn't use anything prior to this.

    What was our ROI?

    The ROI for us is that it improves our code quality and helps remove security flaws. It is an essential tool.

    What other advice do I have?

    It does root analysis, but fixing things is up to us. Also, it doesn't require much maintenance.

    I would highly recommend it.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Anshuman Kishore - PeerSpot reviewer
    Director Product Development at Mycom Osi
    Real User
Top 20 Leaderboard
    Useful static analysis, scalable, but terminology confusing
    Pros and Cons
    • "We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing."
    • "Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end."

    What is most valuable?

    We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing.

    What needs improvement?

    Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end.

    Veracode Static Analysis should adapt and detect the vulnerability which is coming from customers.

    For how long have I used the solution?

    I have been using Veracode Static Analysis for one and a half years.

    What do I think about the scalability of the solution?

    Veracode Static Analysis is a scalable solution.

    We have approximately 10 people using this solution in my organization. However, we do not use it daily.

    Which solution did I use previously and why did I switch?

We previously used a free tool that is integrated into Eclipse.

    How was the initial setup?

    The initial setup of Veracode Static Analysis is in the middle range of difficulty. We had some minor issues but we had some guidance and support. It took us approximately one month to scan all of the microservices.

    What about the implementation team?

    Our IT team did the implementation with support from the Veracode team. The Veracode team was very good.

    What's my experience with pricing, setup cost, and licensing?

    The price of Veracode Static Analysis is on the higher side.

    What other advice do I have?

    My advice to others would be to follow the instructions and they will not have any issues.

    I rate Veracode Static Analysis a seven out of ten.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.